- System hacks - [Criminals, foreign states, etc] - Hacked accounts, devices, OSes or apps, with the goal of gaining access, information or resources. Mass account hacks on the provider side are a high-scale special case.
- Inconvenience - The proliferation of identity systems, depending on user names and passwords, across service providers covering the many aspects of our digital lives, has made managing our credentials more and more difficult.
- Value extraction - [BigTech] - Exerted through prediction and the selling or conversion of insights into profits; also known in popular culture as surveillance capitalism. It most commonly manifests itself as part of rent-seeking behaviors.
- Monopolization - [BigTech] - Often accompanies problems such as customer lock-in, rent-seeking, stifling innovation.
- Censorship - [BigTech] - Denying access to citizens associated with undesirable groups or taking away their access to common platforms due to social and political pressure.
- Systematic political suppression - [BigGov, BigTech] - Occurs when the power of government agencies such as intelligence, law enforcement and military is concentrated on the aim of suppressing specific political movements through surveillance, threats and force.
- Recoverable events - Undesirable and unintended events such as loss of account, data, credentials or other artifacts that can be mitigated through a set of recovery steps.
- Sybil attacks - [Criminals] - Simulating a human being on the internet can be low cost, and can yield significant profit in various scenarios, such as product reviews, social media influence, political debates and voting, etc.
For the subset of these harms that originate from attacks, the sources of attacks are often put into the following categories:
- BigTech - Large technology product companies with outsized market power
- BigGov - Governments with varying tendencies to intrude and exert influence and force in the lives of citizens. To varying degrees, the government intelligence, military and/or law enforcement agencies, sometimes with cooperation from private technology product companies, work together to surveil and influence citizens' behaviors.
- Criminals - Independent criminal persons and/or organizations taking advantage of vulnerability and monetary opportunity where available.
- Foreign states - Military and foreign intelligence agencies exerting costs onto foreign adversaries through unconventional warfare, sometimes compromising foreign citizens' privacy or access in the process.
One of the most significant negative impacts digital technology and the internet have had on society has been an unintended one: a much higher possibility of system compromises.
As a result of the vast reduction in the cost of information transmission and information storage, we now rely on systems that digitize and replicate our interactions and are commonly always-connected to the internet. This means that the compromise of our personal information and of our access to these systems is more likely than ever, especially when compared to the paper-based bureaucratic systems of the past. The negative effects have been compounded since more aspects of our lives have been automated through these technologies compared to the past.
The specific methods of system compromise include but are not limited to the following:
- Hacked accounts - Occurring on the service provider side, it gives the attacker access to the service's functionality as well as the user's personal information and application data.
- Hacked devices or operating systems - Occurring locally on the user's device, it gives the attacker administrator access to the device's operations, and allows them to have access to the user's entire phone functionality, all personal information and application data.
- Hacked apps or sites - Occurring on app stores or the site host, this is often used by attackers to subsequently attack the users' devices through the execution of an app or site.
The above methods can also be daisy-chained depending on the hacker's attack approach, the topology of the attack, and the final target of the attack. For example, a device can be directly hacked through a text message link, through a browser exploit executed from a hacked well-known site, or through other devices on the same network.
There are at least 5 major categories of stakeholders performing cyber attack operations:
- Independent hacker - Any one person from anywhere in the world with access to the internet, advanced security technology chops, and few other resources can take a shot at compromising valuable systems and resources for monetary gain.
- Criminal organization - Where cyber attacks require additional resources and investment, hackers act as part of a larger criminal organization to carry out cyber operations for the monetary gain of the organization.
- Law enforcement - Law enforcement agencies may compromise systems and manipulate them as part of investigations into crimes, most often of a cyber nature, to investigate or recover lost resources.
- Intelligence agency - Intelligence agencies are always looking for more valuable information, especially related to foreign adversaries. As such, cyber operations have become one of the most cost-effective methods of gathering intelligence.
- Military - Military forces are most concerned with defending nations, although they do sometimes engage in asymmetric offensive and destructive operations. Cyber operations have become one of the most cost-effective of these methods.
The proliferation of identity systems, all depending on user names and passwords, across service providers covering the many aspects of our digital lives, has made managing our credentials more and more difficult.
The cost of this set of problems is enormous, as it affects all consumers, even if the cost to each individual is relatively small. As a result we have ranked this theme as one of the top two affecting the Web 2.0 identity ecosystem.
Of course password managers are very useful in this regard, but they also introduce other issues such as lack of interoperability across devices and platforms, as well as security risks around a central repository of very sensitive information.
The digital technology industry partly consists of a number of monopolized sub-markets. Given that identity (amongst others such as data, connectivity, device and web user interfaces, etc) is a basic underlying layer of all technology products, identity systems are often used effectively to reinforce monopoly in a number of ways.
- Switching friction - Identity and data stickiness are amongst the most effective deterrents to switching.
- Social graph identities - When identity is combined with a social graph with massive network effects, it creates an almost unbreakable habit.
- App bundling - Bundling identity systems with other dominant first party apps such as messaging, online discussion boards or marketplaces further strengthens monopoly.
- App integration - Encouraging third party apps to integrate with a given platform's identity systems results in higher stickiness.
Monopoly is generally achieved with the support of factors such as:
- Network effects - Network-based products, especially two-sided platforms connecting two or more sets of customers, provide a level of network benefits that is very difficult for any new market entrant with a smaller initial network size to match.
- Bundling - The act of tying together products serving separate markets, especially tying an already monopolized market to others for the purpose of promoting their use and creating customer lock-in.
- Incompatibility - The condition of a customer or user not being able to migrate their application data from one provider to another, due to incompatibility issues. This means that customers will take on some costs if they ever were to switch.
- Scale - The economics of scale, especially for offerings requiring a high CapEx investment, will naturally benefit providers that already dominate a large part of the market.
Monopolization is often synonymous with the following simultaneous and interrelated problems:
- Customer lock-in - Keeping customers from moving to other providers through high switching costs.
- Rent-seeking - Abuse of power in the form of forcing customers to pay unfair and uncompetitive fees with limited choice of alternatives.
- Unfair barriers for new entrants - Erecting barriers to entry of new competitors through the use of market forces discussed above, or through influencing new regulation to favor large players.
- Stifling innovation - Preventing advances to industry state of the art, through not investing in innovation and preventing new entrants from doing so.
- Uncompetitive markets and prices - Lack of competition in a market benefits incumbents, who can effectively set their price, thus exhibiting rent-seeking behaviors.
Generally identity systems make up part of larger technology products. Providers of these products have come to rely on value extraction through identification, surveillance and sales of generated insight as a means of monetization. The negative effects of such practices include loss of privacy and the incremental loss of agency as a result of the influence brands exert on a given user's choices.
Value extraction is most effective when done without customers knowing about it or considering its effects costly. As such it is always beneficial for the extractor to downplay the said effects.
There are cases where in fact the extraction may exert minimal costs to the customer, however even in these cases, the customers' ignorance robs them of a chance to benefit from multiple service providers competing for them.
The rise and ubiquity of digital communication and publishing platforms has made access to them all the more crucial. For most people, being denied access to these platforms has significant costs in terms of decreasing one's ability to reach others through direct communication or to express and market one's ideas through published content.
As such, the providers of these platforms wield enormous power when they choose to give up neutrality and make judgements about the fitness of a given platform member. Historically these judgements have primarily been designed to follow a set of rules or principles. However, in practice, judgements are influenced by the company's interests, internal culture, external political forces, governments, the public at large, or many other factors.
This type of suppression occurs when the power of government agencies such as intelligence, law enforcement and military is concentrated on the aim of suppressing specific political movements through surveillance, threats and force.
In cases where a significant concentration of a government's power, typically from the law enforcement, intelligence and/or military organizations, focuses on preventing or eliminating the growing political power of a given part of its own society, we see examples of systematic political suppression. Popular technology platforms may be forced to cooperate with the authorities to increase the effectiveness of their surveillance programs.
Often the agents of these efforts claim they are only fighting crime or terrorism. However, the extent of the target group's position in society and their relevance to a significant culture, ethnicity, class, or ideology should be the real measure used for judging these claims.
Simulating a human being on the internet can be low cost, and can yield significant profit in various scenarios, such as product reviews, social media influence, political debates and voting, etc.
Many social and commercial systems depend on the ability to identify unique humans in roles such as citizens, customers, etc. And so it is possible to break the rules of these systems by breaking this assumption, through simulating unique human beings, especially on the internet.
There are a number of ways to mitigate this type of attack, and most of them involve verifying identities outside of cyber-space and securely tying them to a specific digital identity, with some degree of certainty.
These verification steps often conflict with desired ease of onboarding or censorship resistance, as they are bound to introduce at least some friction. In the case of product reviews, online retailers take a few steps to verify customers by their addresses, purchases, financial accounts, etc. In the case of social media networks, they do a less effective job, but they detect clear signs of automation and fraud such as identical activity across multiple accounts.
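The "identical activity across multiple accounts" signal mentioned above can be sketched as follows. This is an added example, not code from the original page; the event fields, the sample events, the function names and the thresholds are all constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample events: (account, item, unix_time, text). Not real data.
EVENTS = [
    ("acct_a", "item1", 1000, "Great product!! Works perfectly."),
    ("acct_b", "item1", 1030, "great product works   perfectly"),
    ("acct_c", "item1", 1055, "GREAT PRODUCT. Works perfectly!"),
    ("acct_d", "item1", 1200, "Arrived late, but does the job."),
    ("acct_e", "item2", 5000, "Great product!! Works perfectly."),
    ("acct_a", "item1", 1100, "Great product!! Works perfectly."),
    ("acct_f", "item1", 90000, "great product works perfectly"),
]

def fingerprint(item, text):
    """Hash of the item plus the text with case, punctuation and spacing removed."""
    normalized = " ".join(re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split())
    return hashlib.sha256(f"{item}|{normalized}".encode()).hexdigest()

def find_clusters(events, min_accounts=3, window_seconds=3600):
    """Return account lists that posted identical activity inside one time window."""
    groups = defaultdict(list)
    for account, item, ts, text in events:
        groups[fingerprint(item, text)].append((ts, account))
    flagged = []
    for hits in groups.values():
        hits.sort()
        start, best = 0, set()
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window_seconds.
            while hits[end][0] - hits[start][0] > window_seconds:
                start += 1
            # Count distinct accounts, so one account repeating itself is not a cluster.
            accounts = {a for _, a in hits[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged.append(sorted(best))
    return sorted(flagged)

if __name__ == "__main__":
    for cluster in find_clusters(EVENTS):
        print("possible coordinated accounts:", cluster)
```

Exact matching after normalization only catches the clear cases the text refers to; lightly reworded copies would need a similarity measure instead of a hash.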