Hello. Thanks for join­ing me this morn­ing. I’m a lit­tle shaky. I spent a lit­tle too much time and ener­gy at the speaker’s din­ner last night. So bear with me if I have to stop for water a few times.

So I’ll be talk­ing to you today about the state of the Internet, or as I am call­ing it the net­work of sor­rows.” And I think Shakespeare real­ly does help us under­stand the tech­ni­cal under­pin­nings of our cur­rent Internet when he says, When sor­rows come, they come not sin­gle spies, but in bat­tal­ions.”

So, let’s go back to the begin­ning, or close to the begin­ning of the Internet. It starts as a sim­ple sys­tem, very aca­d­e­mic. And in this world, the secu­ri­ty mod­el of the Internet was when some­one did some­thing bad, you called their advi­sor and yelled at them. We’re still work­ing with the same mod­el of the Internet. 

So when our first worm hit, the Morris worm (this is the pic­ture from the Computer History Museum with the source code of the Morris worm), that was basi­cal­ly how it was han­dled, even though it became in the US the first con­vic­tion under the Computer Fraud and Abuse Act, it was still basi­cal­ly just call someone’s advi­sor and yell. And that’s kind of all we have to this day as a net­work secu­ri­ty mod­el.

And what­ev­er your par­tic­u­lar fla­vor of big adver­saries on the Internet, what­ev­er you prefer to be afraid of, what­ev­er APT you decide to describe, it is very impor­tant to remem­ber that the­se big adver­saries that get a lot of media press, that get a lot of atten­tion, they tar­get a very small num­ber of peo­ple. A very small num­ber that con­cen­trate wealth, or pow­er, polit­i­cal pow­er in the world. Little adver­saries, the lit­tle wiseass adver­saries that we’re deal­ing with every day, they tar­get lit­er­al­ly every­one in the world. Everyone. And you know, the mot­to of this con­fer­ence is Nothing’s beyond a good hack.” But let’s all admit that almost noth­ing is beyond like, ass­hats with a phish­ing script and a spell check­er. That’s kind of where we’re at.

So fast for­ward from some­thing like the Morris worm to today, or close to today. This is McAfee’s num­bers for 2014. We’re talk­ing about esti­mates of up to half a tril­lion dol­lars. Now, this infor­ma­tion is extreme­ly dif­fi­cult to be sure about, and what counts as loss, and there’s all the­se dif­fer­ent fac­tors that go into it. But half a tril­lion dol­lars glob­al­ly two years ago.

Screenshot of a webcam application, showing an image of the user with face blurred

The pre­dic­tions for this year from some analy­sis is that we’ll hit seventy-five bil­lion in ran­somware alone by the end of the year. Some esti­mates say that the loss glob­al­ly could be well over a tril­lion this year, but it’s hard to say what a real num­ber is. Because in many ways the­se fig­ures can’t touch the real cost of inse­cu­ri­ty on the Internet. The cost of humil­i­a­tion and iden­ti­ty theft and pri­va­cy trad­ed away. The lost time, the wor­ry. The myr­i­ads of tiny per­son­al tragedies that we’ll nev­er hear about.

I have to say, when I was look­ing for this I was look­ing for a web­cam pic­ture of some­one pick­ing their nose, and it took me a while to find one that wasn’t blurred out. Also, I was too lazy to blur it myself. 

One media report in the US esti­mat­ed 8,500 schools in America have been hit with ran­somware this year. Now, the rea­son why I think it’s real­ly inter­est­ing to point out the American fig­ures here is this is also a nation­al sys­tem where as of last year, half of all stu­dents in US pub­lic schools qual­i­fy for pover­ty assis­tance. Those are the peo­ple pay­ing the­se ran­somwares. And it’s hard to get a real fig­ure because most schools are hid­ing this when it hap­pens. One sur­vey I was look­ing at showed that half of hos­pi­tals in that sur­vey had been hit with mal­ware, often mul­ti­ple times. How do we quan­ti­fy that kind of dam­age? How do you quan­ti­fy when duty nurs­es are too ner­vous and stressed out to get their pro­ce­dures quite right? What is the cost in that?

In tra­di­tion­al stalk­ing as we’ve known it, this gets real­ly dark real­ly fast. And those are the fig­ures for what we think of as tra­di­tion­al stalk­ing. Of course, the Internet has added a new lay­er to that. But also nobody how solid fig­ures yet for sure in how the Internet is chang­ing stalk­ing, except that it’s mak­ing it a lot eas­ier. Weirdly, pos­si­bly the biggest losers in that are men, whose rate of stalk­ing is dou­ble online what it is offline. 

And this trans­lates into a lot of creepy moments that cross the­se bar­ri­ers on what makes you feel safe in the world. Because what hap­pens with com­put­er inse­cu­ri­ty, what hap­pens with small adver­saries, is they tend to meet and ampli­fy our basic human flaws.

And in the end, some of the most ter­ri­ble things are the fam­i­ly and inti­mate part­ner vio­lence that we see all over the world, whether we call it spousal abuse in the West, or hon­or killings in Pakistan, or gay kids who can’t find help, or teen girls who can’t find health and birth con­trol ser­vices because of con­tent fil­tra­tion, because of man­age­ment by fam­i­lies, admin­is­tra­tors, schools, com­mu­ni­ties. All the­se things are part of the cost of small adver­saries. Perhaps the great­est and hard­est to quan­ti­fy cost of our ter­ri­ble, ter­ri­ble secu­ri­ty cul­ture is the sense that so many peo­ple have—even the peo­ple in this room—that they have to fear the very thing that they must rely on for their lives and liveli­hood.

So, this is obvi­ous­ly a very dif­fer­ent land­scape from most of what we’re see­ing in the media. And most of what we’re see­ing in the media the­se days espe­cial­ly, post-Snowden and so on and so forth, is this dis­cus­sion of the­se super-powerful actors who are spy­ing on every­one but hon­est­ly not doing that much. And we’re still look­ing at this par­a­digm com­ing from law enforce­ment and from glob­al gov­ern­men­tal con­flict that kind of talks about the­se things in terms of good guys and bad guys and dis­crete crim­i­nals. But treat­ing adver­saries on the Internet like dis­crete crim­i­nals is ridicu­lous. It’s bring­ing a gun to a locust swarm. The Internet will always make more ass­hats. I promise you that. The ass­hats are end­less. And that means that essen­tial­ly what we’re doing in secu­ri­ty is threat mod­el­ing our envi­ron­ment real­ly real­ly wrong.

I don’t know how clear­ly you can read this but it’s some­body ask­ing a teenager why they’re using Snapchat. And we’ll come back to this point. But this teenager is threat mod­el­ing very well. I believe it’s a her, but she’s say­ing yeah, that she doesn’t care what gov­ern­ments do. Parents always been the OG Big Brother. And I think one of the things that this points at that is real­ly impor­tant is that we live in an [as above, so below] net­work, that what big guys do, small guys emu­late. And what small guys do, big guys pick up. It’s all tra­vers­ing this hier­ar­chy much more like an ecosys­tem than we often think it is.

Nobody can real­ly tell us who’s act­ing for sure. And some­thing that say, a big actor puts out there, the small actors can find. They can pick up. They can use it direct­ly, or they can emu­late it. I mean, we’re work­ing in the first threat envi­ron­ment, basi­cal­ly in his­to­ry, where gen­er­al­ly the things peo­ple throw at each oth­er, they can just pick up and use again. Now, it’s not the first time. This is an idea that goes all the way back to Rome ver­sus Carthage, when Carthage was win­ning because they fig­ured out how to put togeth­er all their ships like IKEA flat packs and Rome caught one of them and found out what the num­ber­ing sys­tem was for putting the ships togeth­er. And in a way, what we’ve done is we’ve tak­en that same threat mod­el, that we’ve tak­en that same prob­lem and moved it into our infinitely-replicating machi­nes. It’s the prob­lem that we have every on every desk­top. It’s the Carthaginian fleet being tak­en over by the Romans. 

But in an envi­ron­ment where every­body can pick up everybody’s tools, we’re all weird­ly empow­ered now. And I mean kind of weird in an almost fey sense like, our pow­ers are weird, they make us weird, and they make our con­flicts weird. It’s again that idea that our tools are inter­act­ing with our human flaws in real­ly real­ly inter­est­ing ways.

And let’s talk about some of the tools, because we all know the­se tools. They’re remote admin­is­tra­tion tools— The tools of small adver­saries are the same tools that we are rec­om­mend­ing to peo­ple that they use again­st small adver­saries. Remote admin­is­tra­tion, encryp­tion, email phish­ing, ads. We told peo­ple to install AVs and updates to their machi­nes, and now mal­ware often looks like AV and updates.

And every­thing in our fields is dual-use. Everything that we can use to help some­body can lat­er be repur­posed to hurt them. Our sor­rows come in bat­tal­ions the­se days.

And even our own under­stand­ing of how our tools are work­ing gets real­ly con­fused. This is just one of my favorite tweets recent­ly. For secu­ri­ty rea­sons, I can’t give you SSH access to the box, but you can use TeamViewer via my desk­top.” The fun­da­men­tal mis­un­der­stand­ing. It’s a sign that we’ve kind of lost the thread of how the­se sys­tems are work­ing. We want to fix things, but the most com­mon com­plaint I hear are this dis­con­nect between the infor­ma­tion that can help and the actions that can imple­ment that infor­ma­tion. Understanding a sys­tem and then act­ing on it in a way that cre­ates change. And the­se are the places in which both naïve and sophis­ti­cat­ed users are dis­con­nect­ed, at this point.

A kitten in the palm of someone's hand, captioned "It's dangerous to go alone! Take this."

So this is all real­ly heavy stuff, and I want you to go ahead and take a moment with a kit­ten pic­ture so we can stop think­ing about bad sys­tem admin­is­tra­tors and peo­ple being killed by their exes. Or we can keep. I don’t know. 

But I do want to empha­size in this that most peo­ple who are pulling a pay­check in this field are not inter­act­ing with the pain that most peo­ple are expe­ri­enc­ing from net­work inse­cu­ri­ty. Because you end up work­ing for peo­ple who pay. And that high school… That was a 1925 pic­ture of my own high school. That high school can’t afford any­one in this room. And that means that so much of this pain and inse­cu­ri­ty in the world isn’t read­i­ly vis­i­ble to the peo­ple who work in the field, who are sup­posed to be fix­ing it. 

It’s not entire­ly on you guys, or on even the crap­py pro­gram­ming that makes this hap­pen in the world that so much pain is caused by the net­work the­se days. But it is the fact that we are all going to have to be part of the solu­tion to this project if the 21st cen­tu­ry net­work is to improve.

Now, I want to turn around a bunch of this heavy stuff and start talk­ing about where we start to fix the­se sys­tems. Because the truth is we have, as a field—and I don’t want to lim­it that just to secu­ri­ty. I think this is true of all of tech­nol­o­gy. We have left the biggest and best tool we have on the table. Each and every one of the­se machi­nes on the Internet at some point has con­nect­ed to it the most com­plex and sophis­ti­cat­ed pat­tern matcher that we have yet found in this uni­verse. It’s got a human attached to it. And they’re not part of our secu­ri­ty mod­els. As a mat­ter of fact, we gen­er­al­ly see the human as a lia­bil­i­ty.

But we’re leav­ing a huge amount of com­pu­ta­tion­al pow­er on the table right there. Right now, your users should be the ones who are advo­cat­ing for the secu­ri­ty changes that you want to see in the world. And they’re not. Right now there’s a lot of con­flict between the peo­ple who are try­ing to secure things and the peo­ple who are try­ing to use things. And that’s ridicu­lous, because you have the same goals.

One of the things that I’m always baf­fled about is when we’re try­ing to fig­ure out what’s going wrong with a sys­tem, we’re not ask­ing the per­son who knows what should be hap­pen­ing on that sys­tem. Should there be a bunch of traf­fic going to IRC? Well, I actu­al­ly know whether or not there should be a bunch of traf­fic going to IRC on this box. But no one has ever asked me, in any of the­se sys­tems. No one has ever kicked up some­thing say­ing, Does this look right to you?” And yeah, we’d have to find a lan­guage to do that, but what an amaz­ing piece of infor­ma­tion you don’t have in a sys­tem when you’re not ask­ing the human if that’s what they’re doing right now.

Humans love to respond. I mean both as ani­mals, and as employ­ees. They love to respond to the restric­tion of sys­tems. So one of the things that I’ve won­dered in the past few years is why we don’t take sys­tems of data that we don’t want exfil­trat­ed and put them on nar­row band­width con­nec­tions? Let that get annoy­ing. If you’ve got like a giant patient data­base, why not put it on your net­work under a 56k con­nec­tion? So if somebody’s try­ing to pull it all, someone’s gonna notice. Because there’s no rea­son. When you have vast amounts of people’s per­son­al data, there is basi­cal­ly no rea­son to pull it all at once. If somebody’s doing that it should hurt the net­work. And peo­ple can respond to that pain.

That’s like one exam­ple. I think prob­a­bly if we brain­stormed enough, we could come up with a hun­dred exam­ples of ways in which peo­ple could respond to what’s hap­pen­ing on the net­work in ways that would be faster and eas­ier than try­ing to get the machi­nes to respond. Because peo­ple have con­text. People can match pat­terns. People know which kit­ten is cute. Machines don’t do that. Machines are good at adding things. We’ve got a sys­tem that’s good at pat­tern match­ing, and a sys­tem that’s good at math, and we keep try­ing to tell humans to do more math. And com­put­ers to do more pat­tern match­ing. That seems like we’re miss­ing a few oppor­tu­ni­ties there.

And then, one of the biggest things that we need more of between users and tech­ni­cians in the 21st cen­tu­ry is more respect and more lis­ten­ing. We spend a lot of time telling users they should lis­ten to us, but we don’t spend near­ly as much time lis­ten­ing to users. And part­ly that’s because users don’t nor­mal­ly speak the lan­guages of tech­ni­cians. But that doesn’t mean that they’re not pass­ing you infor­ma­tion. Even in con­sumer choic­es, users are pass­ing you a lot of infor­ma­tion. If you look at the­se appli­ca­tions here, appli­ca­tions and behav­iors, they’re try­ing to solve the same prob­lems that secu­ri­ty teams and sys­tem admin­is­tra­tors are try­ing to solve. 

They’re try­ing to go through things like Dropbox to get away from the prob­lems of of mali­cious attach­ments. They’re try­ing to reclaim pri­va­cy with things like Snapchat and WhatsApp. And I think that the­se behav­iors on their part are fan­tas­tic and should be encour­aged. A lot of peo­ple will step in and go, But you know, it’s all lies and there’s all the­se oth­er prob­lems.” But that doesn’t mean that that was the inten­tion of the user. The inten­tion of the user was to fix the sys­tems they were in. And that inten­tion, that’s inter­est­ing. That means we’re on the same side. 

So if Snapchat is lying to its users, then we need to take the­se lies and make them true, in the famous words of George Michael. We need to take the­se tools to the places where the users are and help them under­stand what state they’re in at any given time. You know, we went to Google mail, and part of the rea­son peo­ple went to Google mail was because this shit was not work­ing for them. Because they’re try­ing to solve their own prob­lems. And they went to the­se very speci­fic behav­iors. Like our four­teen year-old girl who went to Snapchat to avoid her par­ents. Like the myr­i­ad of teenagers who have hopped from social net­work to social net­works so that they could describe a safe space for them­selves.

You know, we live in an age where ass­hat mar­keters will tell us that kids and peo­ple don’t care about their pri­va­cy. They’ll trade it away for a coupon. But it’s just not true. I don’t know if you remem­ber being a teenager, but teenagers are incred­i­bly privacy-seeking. How many of you always were cool with your par­ents walk­ing straight your room? Was that cool? I mean, if it was total­ly cool, raise your hand. I’ll point you out. 

But for most of us, we def­i­nite­ly want­ed—every one of us has doors on our bath­rooms. We all want pri­va­cy. So why is there a dis­con­nect with the Internet? A lot of it has to do with dig­i­tal lit­er­a­cy. And a lot of it has to do with what’s going on. And the fact is we need our tools to work for us, first and fore­most. While all of you have a door on your toi­let, all of you will use a toi­let with­out a door if you need to. I promise. And that’s one of the things I want you to think about when we’re talk­ing about secu­ri­ty stuff. Because in the end, one of the con­flicts that comes up over this, one of the rea­sons why users are seen as a point of inse­cu­ri­ty, is because get­ting the job done is more impor­tant than get­ting it done secure­ly. And that will always be in con­flict. You will always be ready to use [a toi­let with­out a door]. If you real­ly need to. 

So, peo­ple are not stu­pid about their secu­ri­ty and their pri­va­cy. But they’ve been lied to. And that’s part of the prob­lem that we as a com­mu­ni­ty are in a posi­tion to help with, to fix. And one of the oth­er things I think gets dis­con­nect­ed between tech­ni­cians of all stripes and the peo­ple who are not in their fields is that we often think peo­ple don’t lis­ten or don’t care because we for­get that this isn’t oth­er people’s jobs. If you are sit­ting in this room, to some degree peo­ple are pay­ing you to use a long pass­word. People are pay­ing you to to wor­ry about key man­age­ment. If you are a trash col­lec­tor or radi­ol­o­gist or a lawyer, this takes away from your work day.

So hon­est­ly, one of the rea­sons we want to bring good tools to where peo­ple are is because if you have a radi­ol­o­gist, you don’t want your radi­ol­o­gist to learn PGP. I promise. You want your radi­ol­o­gist to look at your frick­in’ scans. You want them to look at it again. You don’t want them to wor­ry about whether their com­mu­ni­ca­tions with you are encrypt­ed. Because that’s time that they’re going to take away from try­ing to spot some­thing on your lungs. Which would you real­ly rather they do?

So, we spe­cial­ize in soci­ety for a rea­son. Because we real­ly want peo­ple to pick up our trash. We real­ly want peo­ple to defend us, or pro­tect us, from the law. We real­ly want doc­tors to find the things and fix them that are wrong with us. And we real­ly don’t want those peo­ple tak­ing their time away from that to learn how to do what we do. Until you are ready to go spend a day of the week pick­ing up every­body else’s trash, you’re not in a posi­tion to tell every­body else to learn how to do your job.

Screenshot of an elaborate walled castle built in Minecraft

And I think one of the things that is kind of a cul­tur­al dis­con­nect for our cen­tu­ry is that nobody got into com­put­ers because they want­ed to deal with non­de­ter­min­is­tic sys­tems. I mean, even from like age nine when I start­ed, the great thing about com­put­ers ver­sus every­thing else in my life was that they did exact­ly what I told them to do. So we in soci­ety in gen­er­al, one of the ways of talk­ing about human his­to­ry is that we were in this crazy state of nature where lots of things could hap­pen and eat us, or crawl inside our bod­ies and kill us. And we cre­at­ed the­se walled cities, we cre­at­ed the­se civ­i­liza­tions to get more con­trol over that envi­ron­ment.

And then inside of those bar­ri­ers of civ­i­liza­tion, we start­ed cre­at­ing more and more and more com­plex­i­ty until we final­ly cre­at­ed a net­work that is no longer deter­min­is­tic. So right inside of all that civ­i­liza­tion, we cre­at­ed the weird again. And so that’s where we are now. We’re inside of a civ­i­liza­tion that has cre­at­ed a net­work that is eco­log­i­cal­ly weird again. So I’m sor­ry. We got onto this because we like deter­min­ism, but we’re going to have to deal with non­de­ter­min­is­tic sys­tems. And part of that non­de­ter­min­ism that we’re all fac­ing is the human appetite, it’s the human mind. And it’s the pow­er of the human mind.

So, I think we all kind of think of our­selves a lot of the time as like, edg­ing on to math and physics. But closer, I think, we’re deal­ing with biol­o­gy. So I think all of you are slow­ly trans­form­ing into real­ly weird biol­o­gists. And when you’re inside of non­de­ter­min­is­tic sys­tems, and when you’re talk­ing to biol­o­gists, one of the things you will find out is that the first job of biol­o­gists is to lis­ten. It’s to lis­ten to the­se sys­tems. And to let go of a cer­tain amount of con­trol. Not just to the words peo­ple say, but to the needs that they’re describ­ing.

You know, one of the rea­sons that we live in a secu­ri­ty night­mare is because every­body still needs to use email. Usually to pass files and to get to things that are not their email. If we all just used text email it wouldn’t be quite so bad. So how do we meet those needs, per­son­al­ly and orga­ni­za­tion­al­ly, for pass­ing files on the Internet? And yes, I still wake up a lot of morn­ings say­ing, It’s 2016. Why can’t we still pass files on the Internet? Why is this still a prob­lem?” I def­i­nite­ly thought this prob­lem would be solved by you know, the mid-90s.

So, when I talk to peo­ple about this stuff, and I take time to explain sys­tems to them, I also get them to describe the sys­tems to me that they’re inter­act­ing with. And even when they’re wrong, they’re not wrong. They’re describ­ing their expe­ri­ence. And one of your jobs, if you’re try­ing to cre­ate a sys­tem that works alto­geth­er, is to fig­ure out what they’re describ­ing about that sys­tem through their expe­ri­ence.

One of the one of the ear­ly ones that I did many many years ago was that I inter­viewed a bunch of peo­ple about their expe­ri­ence of cer­tain soft­ware, and they would con­sis­tent­ly say, Oh, this is the part where it thinks. The com­put­er has to think here for a while.” Most of the peo­ple I was inter­view­ing were old­er, in this par­tic­u­lar user set.

And what I real­ized was that what they were telling me con­sis­tent­ly when they say my com­put­er has to think about it right now” is that my com­put­er is swap­ping. And this was the 90s. Swapping was kind of a big­ger deal in some ways at that point. But I was able to learn some­thing about the archi­tec­ture of the soft­ware from this very col­lo­qui­al way of talk­ing about com­put­ers. There’s so much more there. There’s so much we could be gath­er­ing from how peo­ple are using sys­tems, what they need. And when we meet those needs, or work with peo­ple to meet those needs, we start cre­at­ing mech­a­nisms for them to under­stand their own lives, and behave bet­ter in the sys­tems that we’re work­ing with, and we get more free time. 

Because peo­ple, I’ve got to say, peo­ple are bril­liant. They’re amaz­ing­ly bril­liant. I mean, the same peo­ple who think they’re idiots know how to fill out forms and dri­ve. Which is kind of amaz­ing when you think of start­ing off as hunters and gath­er­ers. We’re real­ly inter­est­ing, adapt­able peo­ple.

We’re leav­ing a lot of inter­est­ing tech­niques on the table as well. Ways of teach­ing our users things. My favorite form of soft­ware inter­faces is games. And not just because games. But because games have lots of inter­est­ing prob­lems to solve and they just went through and solved them. And we should prob­a­bly be pick­ing up some of the­se tech­niques.

So the­se are some screen shots from tuto­ri­al mod­es of dif­fer­ent games. And what we’re doing here is we’re let­ting quite com­plex sys­tems explain them­selves to a user. And this is some­thing that the gam­ing field has spent a lot of time work­ing out. Complex, internally-consistent sys­tems being taught to the user at the very begin­ning of use. And I mean, some of it is fan­tas­tic and brings in humor, and then it’s like, the bot­tom here is actu­al­ly explain­ing to you what a jump is. At the same time, when explains to you what a jump is, it’s both humor­ous and it makes a con­nec­tion to things that you know from your own phys­i­cal life into into a gam­ing envi­ron­ment. So the­se tools are out there. We can start study­ing them. We can start pick­ing them up. 

A Communications Primer,” by Charles & Ray Eames (1953)

And gen­er­a­tions have been scram­bling. Generations even with­in our grand­par­ents’ time have been scram­bling togeth­er a lot of the infor­ma­tion that we need to cre­ate the­se lit­era­cies. Like, fun­da­men­tal lit­era­cies about the world we’re liv­ing in. This is a screen­shot from the Eames’ primer on com­mu­ni­ca­tion the­o­ry. When I start to work on dig­i­tal lit­er­a­cy, I don’t start with tools. I start with the basic frame­works of think­ing that the tools fit into. Because then peo­ple ask me the right ques­tions. Then peo­ple ask me things like, But wait. If I start using encryp­tion and nobody else is, don’t I stand out?”

When I hear that ques­tion, I’m thrilled. Because what that tells me is the oth­er per­son is start­ing to mod­el the sys­tem in their head. Which is how humans work. So the thing I hear con­sis­tent­ly is that nobody wants to learn this stuff. John Oliver’s line, You smell like canned soup. Leave me alone.” I hear from secu­ri­ty peo­ple that we can’t teach them. We can’t teach them dig­i­tal lit­er­a­cy. But I think that we also have to rec­og­nize that secu­ri­ty requires respect, a mutu­al respect. And right now there’s not a lot of respect between the users of the Internet and the tech­ni­cians of the Internet, either way. And somebody’s going to have to start bridg­ing that.

And it all feels real­ly impos­si­ble to a lot of peo­ple. And there’s a lot of peo­ple who’ve said that it’s just not doable, we’re going to have to fig­ure out how to have a 21st cen­tu­ry Internet with nobody know­ing how to use com­put­ers. And I don’t think that’s either true, or pos­si­ble.

Max Roser and Esteban Ortiz-Ospina (2016) – Literacy’

And I want to pull you back into the last, I think, great projects that was like this. It was the great polit­i­cal project of the 19th cen­tu­ry, which was are cre­at­ing democ­ra­cies. Devolving pow­er from aris­toc­ra­cies into democ­ra­cies. And there was a real­iza­tion pret­ty ear­ly on in that process that you couldn’t have illit­er­ate democ­ra­cies. So one of the great projects of the 20th cen­tu­ry was to teach every­one how to read. And if you think teach­ing every­one what a com­put­er is is hard, try tak­ing bil­lions of peo­ple and teach­ing them how to read. That’s a big ask. But this is what we did. We went from a 20% lit­er­a­cy rate in 1900 to over 80% lit­er­a­cy rate by 2000.

Max Roser and Esteban Ortiz-Ospina (2016) – Literacy’

And if that’s not impres­sive enough, let’s take it from look­ing at those per­cent­ages to look­ing at absolutes. That’s the lit­er­a­cy rate. That’s what it did. That was an amaz­ing project that human­i­ty pulled togeth­er to do. And in case you want an even more impres­sive num­ber, let’s look at that absolute fig­ure at the end. Because that’s 7.2 bil­lion basi­cal­ly lit­er­ate peo­ple in less than two hun­dred years. That was real­ly hard. We had to pull togeth­er a lot of resources. We had to get a lot of peo­ple who weren’t tra­di­tion­al­ly talk­ing to edu­ca­tors and weren’t tra­di­tion­al­ly edu­ca­tors into being edu­ca­tors. We invent­ed a lot of insti­tu­tions for that.

And here’s the great thing. We, in the 21st cen­tu­ry, get to reuse those insti­tu­tions. We don’t have to build them again. We can start bridg­ing between the peo­ple who work in the com­pa­nies that we work for, but also the schools that work in the area that we’re in. I real­ly want to get more peo­ple in this com­mu­ni­ty talk­ing to edu­ca­tors. Starting to bring in that gen­er­al­ized knowl­edge, that con­cep­tu­al knowl­edge. Start get­ting it in there ear­ly. And that’s when we’ll real­ly start see­ing this land­scape change. It’s not just get­ting every­body to install a Flash update. It’s get­ting them to under­stand what all those words mean so they’ll fig­ure out to do it them­selves.

And then we get to have a real­ly awe­some Internet. Because right now your biggest ene­my, and one of the biggest ene­mies in the 21st cen­tu­ry, isn’t evil hack­ers, or APTs, or big gov­ern­ments, or orga­nized crime, or even lazy pro­gram­mers and apa­thet­ic man­age­ment. Your biggest ene­my is the fun­da­men­tal fear and help­less­ness peo­ple feel when they pick up their Turing machi­nes. When we start to beat that, we’ll real­ly be get­ting some­where.

Thank you, and I’m hap­py to turn this into a dis­cus­sion and take ques­tions.


Moderator: So. Lots to think about, as usual when Quinn's around. Questions?

Audience 1: I mean, if you learned to read in the 50s, you know how to read now. But if you learned how to use a computer in the 90s, you don't know how to use a computer now. So computer literacy is much harder to [report?].

Quinn Norton: I fundamentally disagree. Because I think in my lifetime, the fundamentals of digital literacy have not changed. You know, when it comes to understanding the— This is why I don't teach tools. Yeah, if I taught you one book about how the world works in the 1950s— And I have a book actually from 1900 which was a reference book of all the things you would need to know from the 20th century. It's great. If that was your only book, absolutely your literacy would not help.

But if you're getting the idea that you can kind of read future books because you've got this one book— If you can understand what a Turing machine is— And this is the thing, is like, I find when I am teaching, that when I start by explaining what a network is and what these machines are, then things start to make sense. Then I can say okay, here's a tool. I'll tell you what the tool is, you tell me what it's doing. And that knowledge is lifetime. Because frankly, Claude Shannon is going to be right until the heat death of the universe.

Audience 2: A question comes to mind when I speak to some people about encryption or whether or not we can communicate over PGP or Signal. This is something that I thought was a popular way of thinking before the Snowden revelations, but it still persists, which is why don't we communicate over signal, why don't we use PGP? And they're like, "Well, I don't want to be suspicious." And I've spoken to a number of people, for example who work on Iran and they fear that the US government might be spying on them. They're like, "Well, we have nothing to hide so we're okay with them reading all of our stuff anyways." And this sort of stance towards privacy still exists, and I just want to know how you sort of approach this.

Norton: Yeah. And I encounter this quite a bit. I mean, one of the one of the first-offs on this, and and I like to point out that the most successful encryption that we've ever done is the one that we didn't have to get anyone to use, that was that was kind automatic, which was SSL. Like, the only big adoption win the security community has ever had is SSL. So, explaining to people that they're already using it is one of the— You know, if you shop online, if you read your email over something that's encrypted, if you log into things… If you log into things, you're already using encryption. Because it's infrastructure.

So getting people understand that it's infrastructural gets them I think much faster past the point of let's just stick another level of infrastructure on our communication. I feel like this is starting to change in a positive way also, because of people starting to develop tools for dealing with context collapse, which is a whole 'nother talk. But like, that idea that their stuff can be taken out of context is a reason why you can get people to… Seeing their stuff taken out of context gets people to the point where they're much more interested in encrypting things that they don't want taken out of context. And that for me has been the win with people who want to live very open lives. Like, I will say live your open life where you want it to be open, but where you don't want to be recontextualized let's use encryption. And that helps so that they can see that the minutia of life is often the thing you want to encrypt much moreso than the big declarations of life.

But again, for me it always comes back to explaining the infrastructure. Explaining the underlying thing. That's where I get all my wins when I'm doing training. If you log into things, you're already using encryption. You do have something to hide. It's not…a shameful thing, it's just your password. I hope that helps.

Audience 3: I've got a question, Quinn. You ask people to get involved with the local educators. How do you recommend them doing that? There's lots of brains in this room. Lots of skills and experience. How can everybody in this room go out and get involved with the local educators?

Norton: You know, this is very country and location dependent. Well, there's a lot of youth education in hacker spaces. And if there isn't local youth education in hacker spaces, I think it's worthwhile to kind of set something like CoderDojo up in your city. Take a little time on that. And that's a beginning, because it starts to kind of get into kid space with this sort of stuff, where you're starting to kind of just getting people interested in a very non-threatening way.

I mean, it's entirely possible to talk to local educators, just formally either talk to the district or I don't know the shape of it where you live. But talk to a school, talk to a district, and say, "Hey, I'm interested in helping with digital literacy issues." And right now I've got to say I've spoken to educators around a lot of the world, and there's nobody that's like, "Digital literacy? We're not interesting in that. I don't see how it's relevant." There's not a single school district anywhere in the world that is saying that right now. Everyone is desperately trying to grapple with these problems.

And everyone's kind of trying different approaches, and a lot of it's very haphazard. And very very little of it is connected with the people who are doing this work in their day-to-day lives. How many of you have done, are connected with, or are doing any work with educators at this point? Raise your hand. How many of you have kids? Right.

So a few of you have a bit more in this fight than the others. So if you've got kids and they're getting involved with schools, one of the places you can start is the schools where your kids go. And if they can't work with you because of often bureaucratic things, say "Where do I go next?" I know that we don't have a lot of time in any of our lives, but this is kinda worth it. This is worth at least taking a little bit of time. And even if you get to the point where you can't do a lot, even if you know where the interfaces are and you can tell other people where they are, that starts getting the information out. And it starts connecting the two communities. If you just find out this is the person that you talk to at the school or at the district if you want to be helpful in these things, if you want to contribute to a curriculum or something like that.

There's also really really interesting stuff going on in places like YouTube, where people are doing a lot more fascinating and educational material. If you're ambitious, you can put stuff up there. If you're less ambitious, you can advise people who are trying to put that sort of thing together. Just getting the knowledge out there, being a resource, I think is one the places you can start, and finding the people who need you as a resource.

Moderator: Any more are questions? No?

Norton: Well, thank you very much.

Help Support Open Transcripts

If you found this useful or interesting, please consider supporting the project monthly at Patreon or once via Square Cash, or even just sharing the link. Thanks.