Hello. Thanks for join­ing me this morn­ing. I’m a lit­tle shaky. I spent a lit­tle too much time and ener­gy at the speak­er’s din­ner last night. So bear with me if I have to stop for water a few times.

So I’ll be talk­ing to you today about the state of the Internet, or as I am call­ing it the net­work of sor­rows.” And I think Shakespeare real­ly does help us under­stand the tech­ni­cal under­pin­nings of our cur­rent Internet when he says, When sor­rows come, they come not sin­gle spies, but in battalions.”

So, let’s go back to the begin­ning, or close to the begin­ning of the Internet. It starts as a sim­ple sys­tem, very aca­d­e­m­ic. And in this world, the secu­ri­ty mod­el of the Internet was when some­one did some­thing bad, you called their advi­sor and yelled at them. We’re still work­ing with the same mod­el of the Internet. 

So when our first worm hit, the Morris worm (this is the pic­ture from the Computer History Museum with the source code of the Morris worm), that was basi­cal­ly how it was han­dled, even though it became in the US the first con­vic­tion under the Computer Fraud and Abuse Act, it was still basi­cal­ly just call some­one’s advi­sor and yell. And that’s kind of all we have to this day as a net­work secu­ri­ty model.

And what­ev­er your par­tic­u­lar fla­vor of big adver­saries on the Internet, what­ev­er you pre­fer to be afraid of, what­ev­er APT you decide to describe, it is very impor­tant to remem­ber that these big adver­saries that get a lot of media press, that get a lot of atten­tion, they tar­get a very small num­ber of peo­ple. A very small num­ber that con­cen­trate wealth, or pow­er, polit­i­cal pow­er in the world. Little adver­saries, the lit­tle wiseass adver­saries that we’re deal­ing with every day, they tar­get lit­er­al­ly every­one in the world. Everyone. And you know, the mot­to of this con­fer­ence is Nothing’s beyond a good hack.” But let’s all admit that almost noth­ing is beyond like, ass­hats with a phish­ing script and a spell check­er. That’s kind of where we’re at.

So fast for­ward from some­thing like the Morris worm to today, or close to today. This is McAfee’s num­bers for 2014. We’re talk­ing about esti­mates of up to half a tril­lion dol­lars. Now, this infor­ma­tion is extreme­ly dif­fi­cult to be sure about, and what counts as loss, and there’s all these dif­fer­ent fac­tors that go into it. But half a tril­lion dol­lars glob­al­ly two years ago.

Screenshot of a webcam application, showing an image of the user with face blurred

The pre­dic­tions for this year from some analy­sis is that we’ll hit seventy-five bil­lion in ran­somware alone by the end of the year. Some esti­mates say that the loss glob­al­ly could be well over a tril­lion this year, but it’s hard to say what a real num­ber is. Because in many ways these fig­ures can’t touch the real cost of inse­cu­ri­ty on the Internet. The cost of humil­i­a­tion and iden­ti­ty theft and pri­va­cy trad­ed away. The lost time, the wor­ry. The myr­i­ads of tiny per­son­al tragedies that we’ll nev­er hear about.

I have to say, when I was look­ing for this I was look­ing for a web­cam pic­ture of some­one pick­ing their nose, and it took me a while to find one that was­n’t blurred out. Also, I was too lazy to blur it myself. 

One media report in the US esti­mat­ed 8,500 schools in America have been hit with ran­somware this year. Now, the rea­son why I think it’s real­ly inter­est­ing to point out the American fig­ures here is this is also a nation­al sys­tem where as of last year, half of all stu­dents in US pub­lic schools qual­i­fy for pover­ty assis­tance. Those are the peo­ple pay­ing these ran­somwares. And it’s hard to get a real fig­ure because most schools are hid­ing this when it hap­pens. One sur­vey I was look­ing at showed that half of hos­pi­tals in that sur­vey had been hit with mal­ware, often mul­ti­ple times. How do we quan­ti­fy that kind of dam­age? How do you quan­ti­fy when duty nurs­es are too ner­vous and stressed out to get their pro­ce­dures quite right? What is the cost in that?

In tra­di­tion­al stalk­ing as we’ve known it, this gets real­ly dark real­ly fast. And those are the fig­ures for what we think of as tra­di­tion­al stalk­ing. Of course, the Internet has added a new lay­er to that. But also nobody how sol­id fig­ures yet for sure in how the Internet is chang­ing stalk­ing, except that it’s mak­ing it a lot eas­i­er. Weirdly, pos­si­bly the biggest losers in that are men, whose rate of stalk­ing is dou­ble online what it is offline. 

And this trans­lates into a lot of creepy moments that cross these bar­ri­ers on what makes you feel safe in the world. Because what hap­pens with com­put­er inse­cu­ri­ty, what hap­pens with small adver­saries, is they tend to meet and ampli­fy our basic human flaws.

And in the end, some of the most ter­ri­ble things are the fam­i­ly and inti­mate part­ner vio­lence that we see all over the world, whether we call it spousal abuse in the West, or hon­or killings in Pakistan, or gay kids who can’t find help, or teen girls who can’t find health and birth con­trol ser­vices because of con­tent fil­tra­tion, because of man­age­ment by fam­i­lies, admin­is­tra­tors, schools, com­mu­ni­ties. All these things are part of the cost of small adver­saries. Perhaps the great­est and hard­est to quan­ti­fy cost of our ter­ri­ble, ter­ri­ble secu­ri­ty cul­ture is the sense that so many peo­ple have—even the peo­ple in this room—that they have to fear the very thing that they must rely on for their lives and livelihood. 

So, this is obvi­ous­ly a very dif­fer­ent land­scape from most of what we’re see­ing in the media. And most of what we’re see­ing in the media these days espe­cial­ly, post-Snowden and so on and so forth, is this dis­cus­sion of these super-powerful actors who are spy­ing on every­one but hon­est­ly not doing that much. And we’re still look­ing at this par­a­digm com­ing from law enforce­ment and from glob­al gov­ern­men­tal con­flict that kind of talks about these things in terms of good guys and bad guys and dis­crete crim­i­nals. But treat­ing adver­saries on the Internet like dis­crete crim­i­nals is ridicu­lous. It’s bring­ing a gun to a locust swarm. The Internet will always make more ass­hats. I promise you that. The ass­hats are end­less. And that means that essen­tial­ly what we’re doing in secu­ri­ty is threat mod­el­ing our envi­ron­ment real­ly real­ly wrong.

I don’t know how clear­ly you can read this but it’s some­body ask­ing a teenag­er why they’re using Snapchat. And we’ll come back to this point. But this teenag­er is threat mod­el­ing very well. I believe it’s a her, but she’s say­ing yeah, that she does­n’t care what gov­ern­ments do. Parents always been the OG Big Brother. And I think one of the things that this points at that is real­ly impor­tant is that we live in an [as above, so below] net­work, that what big guys do, small guys emu­late. And what small guys do, big guys pick up. It’s all tra­vers­ing this hier­ar­chy much more like an ecosys­tem than we often think it is.

Nobody can real­ly tell us who’s act­ing for sure. And some­thing that say, a big actor puts out there, the small actors can find. They can pick up. They can use it direct­ly, or they can emu­late it. I mean, we’re work­ing in the first threat envi­ron­ment, basi­cal­ly in his­to­ry, where gen­er­al­ly the things peo­ple throw at each oth­er, they can just pick up and use again. Now, it’s not the first time. This is an idea that goes all the way back to Rome ver­sus Carthage, when Carthage was win­ning because they fig­ured out how to put togeth­er all their ships like IKEA flat packs and Rome caught one of them and found out what the num­ber­ing sys­tem was for putting the ships togeth­er. And in a way, what we’ve done is we’ve tak­en that same threat mod­el, that we’ve tak­en that same prob­lem and moved it into our infinitely-replicating machines. It’s the prob­lem that we have every on every desk­top. It’s the Carthaginian fleet being tak­en over by the Romans. 

But in an envi­ron­ment where every­body can pick up every­body’s tools, we’re all weird­ly empow­ered now. And I mean kind of weird in an almost fey sense like, our pow­ers are weird, they make us weird, and they make our con­flicts weird. It’s again that idea that our tools are inter­act­ing with our human flaws in real­ly real­ly inter­est­ing ways.

And let’s talk about some of the tools, because we all know these tools. They’re remote admin­is­tra­tion tools— The tools of small adver­saries are the same tools that we are rec­om­mend­ing to peo­ple that they use against small adver­saries. Remote admin­is­tra­tion, encryp­tion, email phish­ing, ads. We told peo­ple to install AVs and updates to their machines, and now mal­ware often looks like AV and updates.

And every­thing in our fields is dual-use. Everything that we can use to help some­body can lat­er be repur­posed to hurt them. Our sor­rows come in bat­tal­ions these days.

And even our own under­stand­ing of how our tools are work­ing gets real­ly con­fused. This is just one of my favorite tweets recent­ly. For secu­ri­ty rea­sons, I can’t give you SSH access to the box, but you can use TeamViewer via my desk­top.” The fun­da­men­tal mis­un­der­stand­ing. It’s a sign that we’ve kind of lost the thread of how these sys­tems are work­ing. We want to fix things, but the most com­mon com­plaint I hear are this dis­con­nect between the infor­ma­tion that can help and the actions that can imple­ment that infor­ma­tion. Understanding a sys­tem and then act­ing on it in a way that cre­ates change. And these are the places in which both naïve and sophis­ti­cat­ed users are dis­con­nect­ed, at this point.

A kitten in the palm of someone's hand, captioned "It's dangerous to go alone! Take this."

So this is all real­ly heavy stuff, and I want you to go ahead and take a moment with a kit­ten pic­ture so we can stop think­ing about bad sys­tem admin­is­tra­tors and peo­ple being killed by their exes. Or we can keep. I don’t know. 

But I do want to empha­size in this that most peo­ple who are pulling a pay­check in this field are not inter­act­ing with the pain that most peo­ple are expe­ri­enc­ing from net­work inse­cu­ri­ty. Because you end up work­ing for peo­ple who pay. And that high school… That was a 1925 pic­ture of my own high school. That high school can’t afford any­one in this room. And that means that so much of this pain and inse­cu­ri­ty in the world isn’t read­i­ly vis­i­ble to the peo­ple who work in the field, who are sup­posed to be fix­ing it. 

It’s not entire­ly on you guys, or on even the crap­py pro­gram­ming that makes this hap­pen in the world that so much pain is caused by the net­work these days. But it is the fact that we are all going to have to be part of the solu­tion to this project if the 21st cen­tu­ry net­work is to improve.

Now, I want to turn around a bunch of this heavy stuff and start talk­ing about where we start to fix these sys­tems. Because the truth is we have, as a field—and I don’t want to lim­it that just to secu­ri­ty. I think this is true of all of tech­nol­o­gy. We have left the biggest and best tool we have on the table. Each and every one of these machines on the Internet at some point has con­nect­ed to it the most com­plex and sophis­ti­cat­ed pat­tern match­er that we have yet found in this uni­verse. It’s got a human attached to it. And they’re not part of our secu­ri­ty mod­els. As a mat­ter of fact, we gen­er­al­ly see the human as a liability.

But we’re leav­ing a huge amount of com­pu­ta­tion­al pow­er on the table right there. Right now, your users should be the ones who are advo­cat­ing for the secu­ri­ty changes that you want to see in the world. And they’re not. Right now there’s a lot of con­flict between the peo­ple who are try­ing to secure things and the peo­ple who are try­ing to use things. And that’s ridicu­lous, because you have the same goals.

One of the things that I’m always baf­fled about is when we’re try­ing to fig­ure out what’s going wrong with a sys­tem, we’re not ask­ing the per­son who knows what should be hap­pen­ing on that sys­tem. Should there be a bunch of traf­fic going to IRC? Well, I actu­al­ly know whether or not there should be a bunch of traf­fic going to IRC on this box. But no one has ever asked me, in any of these sys­tems. No one has ever kicked up some­thing say­ing, Does this look right to you?” And yeah, we’d have to find a lan­guage to do that, but what an amaz­ing piece of infor­ma­tion you don’t have in a sys­tem when you’re not ask­ing the human if that’s what they’re doing right now.

Humans love to respond. I mean both as ani­mals, and as employ­ees. They love to respond to the restric­tion of sys­tems. So one of the things that I’ve won­dered in the past few years is why we don’t take sys­tems of data that we don’t want exfil­trat­ed and put them on nar­row band­width con­nec­tions? Let that get annoy­ing. If you’ve got like a giant patient data­base, why not put it on your net­work under a 56k con­nec­tion? So if some­body’s try­ing to pull it all, some­one’s gonna notice. Because there’s no rea­son. When you have vast amounts of peo­ple’s per­son­al data, there is basi­cal­ly no rea­son to pull it all at once. If some­body’s doing that it should hurt the net­work. And peo­ple can respond to that pain.

That’s like one exam­ple. I think prob­a­bly if we brain­stormed enough, we could come up with a hun­dred exam­ples of ways in which peo­ple could respond to what’s hap­pen­ing on the net­work in ways that would be faster and eas­i­er than try­ing to get the machines to respond. Because peo­ple have con­text. People can match pat­terns. People know which kit­ten is cute. Machines don’t do that. Machines are good at adding things. We’ve got a sys­tem that’s good at pat­tern match­ing, and a sys­tem that’s good at math, and we keep try­ing to tell humans to do more math. And com­put­ers to do more pat­tern match­ing. That seems like we’re miss­ing a few oppor­tu­ni­ties there.

And then, one of the biggest things that we need more of between users and tech­ni­cians in the 21st cen­tu­ry is more respect and more lis­ten­ing. We spend a lot of time telling users they should lis­ten to us, but we don’t spend near­ly as much time lis­ten­ing to users. And part­ly that’s because users don’t nor­mal­ly speak the lan­guages of tech­ni­cians. But that does­n’t mean that they’re not pass­ing you infor­ma­tion. Even in con­sumer choic­es, users are pass­ing you a lot of infor­ma­tion. If you look at these appli­ca­tions here, appli­ca­tions and behav­iors, they’re try­ing to solve the same prob­lems that secu­ri­ty teams and sys­tem admin­is­tra­tors are try­ing to solve. 

They’re try­ing to go through things like Dropbox to get away from the prob­lems of of mali­cious attach­ments. They’re try­ing to reclaim pri­va­cy with things like Snapchat and WhatsApp. And I think that these behav­iors on their part are fan­tas­tic and should be encour­aged. A lot of peo­ple will step in and go, But you know, it’s all lies and there’s all these oth­er prob­lems.” But that does­n’t mean that that was the inten­tion of the user. The inten­tion of the user was to fix the sys­tems they were in. And that inten­tion, that’s inter­est­ing. That means we’re on the same side. 

So if Snapchat is lying to its users, then we need to take these lies and make them true, in the famous words of George Michael. We need to take these tools to the places where the users are and help them under­stand what state they’re in at any giv­en time. You know, we went to Google mail, and part of the rea­son peo­ple went to Google mail was because this shit was not work­ing for them. Because they’re try­ing to solve their own prob­lems. And they went to these very spe­cif­ic behav­iors. Like our four­teen year-old girl who went to Snapchat to avoid her par­ents. Like the myr­i­ad of teenagers who have hopped from social net­work to social net­works so that they could describe a safe space for themselves.

You know, we live in an age where ass­hat mar­keters will tell us that kids and peo­ple don’t care about their pri­va­cy. They’ll trade it away for a coupon. But it’s just not true. I don’t know if you remem­ber being a teenag­er, but teenagers are incred­i­bly privacy-seeking. How many of you always were cool with your par­ents walk­ing straight your room? Was that cool? I mean, if it was total­ly cool, raise your hand. I’ll point you out. 

But for most of us, we def­i­nite­ly want­ed—every one of us has doors on our bath­rooms. We all want pri­va­cy. So why is there a dis­con­nect with the Internet? A lot of it has to do with dig­i­tal lit­er­a­cy. And a lot of it has to do with what’s going on. And the fact is we need our tools to work for us, first and fore­most. While all of you have a door on your toi­let, all of you will use a toi­let with­out a door if you need to. I promise. And that’s one of the things I want you to think about when we’re talk­ing about secu­ri­ty stuff. Because in the end, one of the con­flicts that comes up over this, one of the rea­sons why users are seen as a point of inse­cu­ri­ty, is because get­ting the job done is more impor­tant than get­ting it done secure­ly. And that will always be in con­flict. You will always be ready to use [a toi­let with­out a door]. If you real­ly need to. 

So, peo­ple are not stu­pid about their secu­ri­ty and their pri­va­cy. But they’ve been lied to. And that’s part of the prob­lem that we as a com­mu­ni­ty are in a posi­tion to help with, to fix. And one of the oth­er things I think gets dis­con­nect­ed between tech­ni­cians of all stripes and the peo­ple who are not in their fields is that we often think peo­ple don’t lis­ten or don’t care because we for­get that this isn’t oth­er peo­ple’s jobs. If you are sit­ting in this room, to some degree peo­ple are pay­ing you to use a long pass­word. People are pay­ing you to to wor­ry about key man­age­ment. If you are a trash col­lec­tor or radi­ol­o­gist or a lawyer, this takes away from your work day.

So hon­est­ly, one of the rea­sons we want to bring good tools to where peo­ple are is because if you have a radi­ol­o­gist, you don’t want your radi­ol­o­gist to learn PGP. I promise. You want your radi­ol­o­gist to look at your frickin’ scans. You want them to look at it again. You don’t want them to wor­ry about whether their com­mu­ni­ca­tions with you are encrypt­ed. Because that’s time that they’re going to take away from try­ing to spot some­thing on your lungs. Which would you real­ly rather they do?

So, we spe­cial­ize in soci­ety for a rea­son. Because we real­ly want peo­ple to pick up our trash. We real­ly want peo­ple to defend us, or pro­tect us, from the law. We real­ly want doc­tors to find the things and fix them that are wrong with us. And we real­ly don’t want those peo­ple tak­ing their time away from that to learn how to do what we do. Until you are ready to go spend a day of the week pick­ing up every­body else’s trash, you’re not in a posi­tion to tell every­body else to learn how to do your job.

Screenshot of an elaborate walled castle built in Minecraft

And I think one of the things that is kind of a cul­tur­al dis­con­nect for our cen­tu­ry is that nobody got into com­put­ers because they want­ed to deal with non­de­ter­min­is­tic sys­tems. I mean, even from like age nine when I start­ed, the great thing about com­put­ers ver­sus every­thing else in my life was that they did exact­ly what I told them to do. So we in soci­ety in gen­er­al, one of the ways of talk­ing about human his­to­ry is that we were in this crazy state of nature where lots of things could hap­pen and eat us, or crawl inside our bod­ies and kill us. And we cre­at­ed these walled cities, we cre­at­ed these civ­i­liza­tions to get more con­trol over that environment. 

And then inside of those bar­ri­ers of civ­i­liza­tion, we start­ed cre­at­ing more and more and more com­plex­i­ty until we final­ly cre­at­ed a net­work that is no longer deter­min­is­tic. So right inside of all that civ­i­liza­tion, we cre­at­ed the weird again. And so that’s where we are now. We’re inside of a civ­i­liza­tion that has cre­at­ed a net­work that is eco­log­i­cal­ly weird again. So I’m sor­ry. We got onto this because we like deter­min­ism, but we’re going to have to deal with non­de­ter­min­is­tic sys­tems. And part of that non­de­ter­min­ism that we’re all fac­ing is the human appetite, it’s the human mind. And it’s the pow­er of the human mind.

So, I think we all kind of think of our­selves a lot of the time as like, edg­ing on to math and physics. But clos­er, I think, we’re deal­ing with biol­o­gy. So I think all of you are slow­ly trans­form­ing into real­ly weird biol­o­gists. And when you’re inside of non­de­ter­min­is­tic sys­tems, and when you’re talk­ing to biol­o­gists, one of the things you will find out is that the first job of biol­o­gists is to lis­ten. It’s to lis­ten to these sys­tems. And to let go of a cer­tain amount of con­trol. Not just to the words peo­ple say, but to the needs that they’re describing.

You know, one of the rea­sons that we live in a secu­ri­ty night­mare is because every­body still needs to use email. Usually to pass files and to get to things that are not their email. If we all just used text email it would­n’t be quite so bad. So how do we meet those needs, per­son­al­ly and orga­ni­za­tion­al­ly, for pass­ing files on the Internet? And yes, I still wake up a lot of morn­ings say­ing, It’s 2016. Why can’t we still pass files on the Internet? Why is this still a prob­lem?” I def­i­nite­ly thought this prob­lem would be solved by you know, the mid-90s.

So, when I talk to peo­ple about this stuff, and I take time to explain sys­tems to them, I also get them to describe the sys­tems to me that they’re inter­act­ing with. And even when they’re wrong, they’re not wrong. They’re describ­ing their expe­ri­ence. And one of your jobs, if you’re try­ing to cre­ate a sys­tem that works alto­geth­er, is to fig­ure out what they’re describ­ing about that sys­tem through their experience. 

One of the one of the ear­ly ones that I did many many years ago was that I inter­viewed a bunch of peo­ple about their expe­ri­ence of cer­tain soft­ware, and they would con­sis­tent­ly say, Oh, this is the part where it thinks. The com­put­er has to think here for a while.” Most of the peo­ple I was inter­view­ing were old­er, in this par­tic­u­lar user set.

And what I real­ized was that what they were telling me con­sis­tent­ly when they say my com­put­er has to think about it right now” is that my com­put­er is swap­ping. And this was the 90s. Swapping was kind of a big­ger deal in some ways at that point. But I was able to learn some­thing about the archi­tec­ture of the soft­ware from this very col­lo­qui­al way of talk­ing about com­put­ers. There’s so much more there. There’s so much we could be gath­er­ing from how peo­ple are using sys­tems, what they need. And when we meet those needs, or work with peo­ple to meet those needs, we start cre­at­ing mech­a­nisms for them to under­stand their own lives, and behave bet­ter in the sys­tems that we’re work­ing with, and we get more free time. 

Because peo­ple, I’ve got to say, peo­ple are bril­liant. They’re amaz­ing­ly bril­liant. I mean, the same peo­ple who think they’re idiots know how to fill out forms and dri­ve. Which is kind of amaz­ing when you think of start­ing off as hunters and gath­er­ers. We’re real­ly inter­est­ing, adapt­able people. 

We’re leav­ing a lot of inter­est­ing tech­niques on the table as well. Ways of teach­ing our users things. My favorite form of soft­ware inter­faces is games. And not just because games. But because games have lots of inter­est­ing prob­lems to solve and they just went through and solved them. And we should prob­a­bly be pick­ing up some of these techniques.

So these are some screen shots from tuto­r­i­al modes of dif­fer­ent games. And what we’re doing here is we’re let­ting quite com­plex sys­tems explain them­selves to a user. And this is some­thing that the gam­ing field has spent a lot of time work­ing out. Complex, internally-consistent sys­tems being taught to the user at the very begin­ning of use. And I mean, some of it is fan­tas­tic and brings in humor, and then it’s like, the bot­tom here is actu­al­ly explain­ing to you what a jump is. At the same time, when explains to you what a jump is, it’s both humor­ous and it makes a con­nec­tion to things that you know from your own phys­i­cal life into into a gam­ing envi­ron­ment. So these tools are out there. We can start study­ing them. We can start pick­ing them up. 

A Communications Primer,” by Charles & Ray Eames (1953)

And gen­er­a­tions have been scram­bling. Generations even with­in our grand­par­ents’ time have been scram­bling togeth­er a lot of the infor­ma­tion that we need to cre­ate these lit­era­cies. Like, fun­da­men­tal lit­era­cies about the world we’re liv­ing in. This is a screen­shot from the Eames’ primer on com­mu­ni­ca­tion the­o­ry. When I start to work on dig­i­tal lit­er­a­cy, I don’t start with tools. I start with the basic frame­works of think­ing that the tools fit into. Because then peo­ple ask me the right ques­tions. Then peo­ple ask me things like, But wait. If I start using encryp­tion and nobody else is, don’t I stand out?”

When I hear that ques­tion, I’m thrilled. Because what that tells me is the oth­er per­son is start­ing to mod­el the sys­tem in their head. Which is how humans work. So the thing I hear con­sis­tent­ly is that nobody wants to learn this stuff. John Oliver’s line, You smell like canned soup. Leave me alone.” I hear from secu­ri­ty peo­ple that we can’t teach them. We can’t teach them dig­i­tal lit­er­a­cy. But I think that we also have to rec­og­nize that secu­ri­ty requires respect, a mutu­al respect. And right now there’s not a lot of respect between the users of the Internet and the tech­ni­cians of the Internet, either way. And some­body’s going to have to start bridg­ing that.

And it all feels real­ly impos­si­ble to a lot of peo­ple. And there’s a lot of peo­ple who’ve said that it’s just not doable, we’re going to have to fig­ure out how to have a 21st cen­tu­ry Internet with nobody know­ing how to use com­put­ers. And I don’t think that’s either true, or possible.

Max Roser and Esteban Ortiz-Ospina (2016) – Literacy’

And I want to pull you back into the last, I think, great projects that was like this. It was the great polit­i­cal project of the 19th cen­tu­ry, which was are cre­at­ing democ­ra­cies. Devolving pow­er from aris­toc­ra­cies into democ­ra­cies. And there was a real­iza­tion pret­ty ear­ly on in that process that you could­n’t have illit­er­ate democ­ra­cies. So one of the great projects of the 20th cen­tu­ry was to teach every­one how to read. And if you think teach­ing every­one what a com­put­er is is hard, try tak­ing bil­lions of peo­ple and teach­ing them how to read. That’s a big ask. But this is what we did. We went from a 20% lit­er­a­cy rate in 1900 to over 80% lit­er­a­cy rate by 2000.

Max Roser and Esteban Ortiz-Ospina (2016) – Literacy’

And if that’s not impres­sive enough, let’s take it from look­ing at those per­cent­ages to look­ing at absolutes. That’s the lit­er­a­cy rate. That’s what it did. That was an amaz­ing project that human­i­ty pulled togeth­er to do. And in case you want an even more impres­sive num­ber, let’s look at that absolute fig­ure at the end. Because that’s 7.2 bil­lion basi­cal­ly lit­er­ate peo­ple in less than two hun­dred years. That was real­ly hard. We had to pull togeth­er a lot of resources. We had to get a lot of peo­ple who weren’t tra­di­tion­al­ly talk­ing to edu­ca­tors and weren’t tra­di­tion­al­ly edu­ca­tors into being edu­ca­tors. We invent­ed a lot of insti­tu­tions for that.

And here’s the great thing. We, in the 21st cen­tu­ry, get to reuse those insti­tu­tions. We don’t have to build them again. We can start bridg­ing between the peo­ple who work in the com­pa­nies that we work for, but also the schools that work in the area that we’re in. I real­ly want to get more peo­ple in this com­mu­ni­ty talk­ing to edu­ca­tors. Starting to bring in that gen­er­al­ized knowl­edge, that con­cep­tu­al knowl­edge. Start get­ting it in there ear­ly. And that’s when we’ll real­ly start see­ing this land­scape change. It’s not just get­ting every­body to install a Flash update. It’s get­ting them to under­stand what all those words mean so they’ll fig­ure out to do it themselves.

And then we get to have a real­ly awe­some Internet. Because right now your biggest ene­my, and one of the biggest ene­mies in the 21st cen­tu­ry, isn’t evil hack­ers, or APTs, or big gov­ern­ments, or orga­nized crime, or even lazy pro­gram­mers and apa­thet­ic man­age­ment. Your biggest ene­my is the fun­da­men­tal fear and help­less­ness peo­ple feel when they pick up their Turing machines. When we start to beat that, we’ll real­ly be get­ting somewhere.

Thank you, and I’m hap­py to turn this into a dis­cus­sion and take questions.

Moderator: So. Lots to think about, as usu­al when Quinn’s around. Questions?

Audience 1: I mean, if you learned to read in the 50s, you know how to read now. But if you learned how to use a com­put­er in the 90s, you don’t know how to use a com­put­er now. So com­put­er lit­er­a­cy is much hard­er to [report?].

Quinn Norton: I fun­da­men­tal­ly dis­agree. Because I think in my life­time, the fun­da­men­tals of dig­i­tal lit­er­a­cy have not changed. You know, when it comes to under­stand­ing the— This is why I don’t teach tools. Yeah, if I taught you one book about how the world works in the 1950s— And I have a book actu­al­ly from 1900 which was a ref­er­ence book of all the things you would need to know from the 20th cen­tu­ry. It’s great. If that was your only book, absolute­ly your lit­er­a­cy would not help.

But if you’re get­ting the idea that you can kind of read future books because you’ve got this one book— If you can under­stand what a Turing machine is— And this is the thing, is like, I find when I am teach­ing, that when I start by explain­ing what a net­work is and what these machines are, then things start to make sense. Then I can say okay, here’s a tool. I’ll tell you what the tool is, you tell me what it’s doing. And that knowl­edge is life­time. Because frankly, Claude Shannon is going to be right until the heat death of the universe. 

Audience 2: A ques­tion comes to mind when I speak to some peo­ple about encryp­tion or whether or not we can com­mu­ni­cate over PGP or Signal. This is some­thing that I thought was a pop­u­lar way of think­ing before the Snowden rev­e­la­tions, but it still per­sists, which is why don’t we com­mu­ni­cate over sig­nal, why don’t we use PGP? And they’re like, Well, I don’t want to be sus­pi­cious.” And I’ve spo­ken to a num­ber of peo­ple, for exam­ple who work on Iran and they fear that the US gov­ern­ment might be spy­ing on them. They’re like, Well, we have noth­ing to hide so we’re okay with them read­ing all of our stuff any­ways.” And this sort of stance towards pri­va­cy still exists, and I just want to know how you sort of approach this.

Norton: Yeah. And I encounter this quite a bit. I mean, one of the one of the first-offs on this, and and I like to point out that the most suc­cess­ful encryp­tion that we’ve ever done is the one that we did­n’t have to get any­one to use, that was that was kind auto­mat­ic, which was SSL. Like, the only big adop­tion win the secu­ri­ty com­mu­ni­ty has ever had is SSL. So, explain­ing to peo­ple that they’re already using it is one of the— You know, if you shop online, if you read your email over some­thing that’s encrypt­ed, if you log into things… If you log into things, you’re already using encryp­tion. Because it’s infrastructure.

So get­ting peo­ple to under­stand that it’s infra­struc­tur­al gets them I think much faster past the point of let’s just stick anoth­er lev­el of infra­struc­ture on our com­mu­ni­ca­tion. I feel like this is start­ing to change in a pos­i­tive way also, because of peo­ple start­ing to devel­op tools for deal­ing with con­text col­lapse, which is a whole nother talk. But like, that idea that their stuff can be tak­en out of con­text is a rea­son why you can get peo­ple to… Seeing their stuff tak­en out of con­text gets peo­ple to the point where they’re much more inter­est­ed in encrypt­ing things that they don’t want tak­en out of con­text. And that for me has been the win with peo­ple who want to live very open lives. Like, I will say live your open life where you want it to be open, but where you don’t want to be recon­tex­tu­al­ized let’s use encryp­tion. And that helps so that they can see that the minu­tia of life is often the thing you want to encrypt much more­so than the big dec­la­ra­tions of life. 

But again, for me it always comes back to explain­ing the infra­struc­ture. Explaining the under­ly­ing thing. That’s where I get all my wins when I’m doing train­ing. If you log into things, you’re already using encryp­tion. You do have some­thing to hide. It’s not…a shame­ful thing, it’s just your pass­word. I hope that helps.

Audience 3: I’ve got a ques­tion, Quinn. You ask peo­ple to get involved with the local edu­ca­tors. How do you rec­om­mend them doing that? There’s lots of brains in this room. Lots of skills and expe­ri­ence. How can every­body in this room go out and get involved with the local educators?

Norton: You know, this is very coun­try and loca­tion depen­dent. Well, there’s a lot of youth edu­ca­tion in hack­er spaces. And if there isn’t local youth edu­ca­tion in hack­er spaces, I think it’s worth­while to kind of set some­thing like CoderDojo up in your city. Take a lit­tle time on that. And that’s a begin­ning, because it starts to kind of get into kid space with this sort of stuff, where you’re start­ing to kind of just get­ting peo­ple inter­est­ed in a very non-threatening way.

I mean, it’s entire­ly pos­si­ble to talk to local edu­ca­tors, just for­mal­ly either talk to the dis­trict or I don’t know the shape of it where you live. But talk to a school, talk to a dis­trict, and say, Hey, I’m inter­est­ed in help­ing with dig­i­tal lit­er­a­cy issues.” And right now I’ve got to say I’ve spo­ken to edu­ca­tors around a lot of the world, and there’s nobody that’s like, Digital lit­er­a­cy? We’re not inter­est­ing in that. I don’t see how it’s rel­e­vant.” There’s not a sin­gle school dis­trict any­where in the world that is say­ing that right now. Everyone is des­per­ate­ly try­ing to grap­ple with these problems. 

And every­one’s kind of try­ing dif­fer­ent approach­es, and a lot of it’s very hap­haz­ard. And very very lit­tle of it is con­nect­ed with the peo­ple who are doing this work in their day-to-day lives. How many of you have done, are con­nect­ed with, or are doing any work with edu­ca­tors at this point? Raise your hand. How many of you have kids? Right.

So a few of you have a bit more in this fight than the oth­ers. So if you’ve got kids and they’re get­ting involved with schools, one of the places you can start is the schools where your kids go. And if they can’t work with you because of often bureau­crat­ic things, say Where do I go next?” I know that we don’t have a lot of time in any of our lives, but this is kin­da worth it. This is worth at least tak­ing a lit­tle bit of time. And even if you get to the point where you can’t do a lot, even if you know where the inter­faces are and you can tell oth­er peo­ple where they are, that starts get­ting the infor­ma­tion out. And it starts con­nect­ing the two com­mu­ni­ties. If you just find out this is the per­son that you talk to at the school or at the dis­trict if you want to be help­ful in these things, if you want to con­tribute to a cur­ricu­lum or some­thing like that.

There’s also real­ly real­ly inter­est­ing stuff going on in places like YouTube, where peo­ple are doing a lot more fas­ci­nat­ing and edu­ca­tion­al mate­r­i­al. If you’re ambi­tious, you can put stuff up there. If you’re less ambi­tious, you can advise peo­ple who are try­ing to put that sort of thing togeth­er. Just get­ting the knowl­edge out there, being a resource, I think is one the places you can start, and find­ing the peo­ple who need you as a resource.

Moderator: Any more are ques­tions? No?

Norton: Well, thank you very much.