Playing chicken with cat.jpg

In a game of chicken, which is the better strategy: Writing a lengthy and detailed "persistence policy" guaranteeing that you'll persist in your course and will not, under any circumstances, swerve to avoid your opponent; or ostentatiously removing your steering wheel and throwing it out the window? As noted by innumerable game theorists over the past fifty years, the latter strategy is the only one which is useful: Humans can't be — and aren't — trusted to follow their stated intentions.

I was reminded of this by 37signals' response on Monday to last week's cat.jpg privacy failure. To be clear, I have a lot of sympathy for 37signals: Once someone looked in their logs and saw "cat.jpg" as the name of the one hundred millionth file they had stored, I'm sure the resulting fit of laughter significantly impaired the possibility of rational thought; and their response is certainly better than finding a scapegoat or trying to cover up the mistake. Nevertheless, their response — revising their privacy policy — seems like a poor solution.

People drive in excess of the posted speed limits. People enter intersections on yellow lights even when they could have safely stopped. People make illegal copies of music, movies, and software. People click checkboxes labelled "I have read and agree to the terms and conditions". People "bend the rules" on (i.e., violate) non-disclosure agreements. Men (and women, in some states) cheat on their wives. And all around the world, people treat privacy policies — and every other sort of policy — more as setting out lists of things to not get caught doing than as rules which must be followed.

I will never announce here that the one hundred millionth file stored to my Tarsnap online backup service is a picture of a cat. I won't post to say "I haven't looked at the contents of the file, but it's named 'cat.jpg'" either. I won't even post to announce that the one hundred millionth file has been stored. This isn't simply because of a privacy policy: This is because I have no way to obtain that information. The contents of files, their names, and even the location of boundaries between files in an archive is all hidden from me by Tarsnap's strong client-side encryption.

37signals bemoans the fact that "trust is fragile"; as far as I'm concerned, they're missing the point. The answer isn't for 37signals to prove that they can be trusted; the answer is to ensure that their customers don't need to trust them. In Tarsnap I might take this to an extreme — in addition to the aforementioned encryption, I encourage users to read the tarsnap source code rather than trusting that I got everything right (even to the point of offering bug bounties) — but even if 37signals doesn't want to offer cryptographically secure storage, they could at least remove the temptation to look at file names in log files by not writing sensitive information to log files in the first place.

Humans are, well, human. The best way to avoid privacy breaches is not to formulate a detailed privacy policy; it's to reduce your capabilities so that you're unable to violate anyone's privacy. To toss a metaphorical steering wheel out the window, in other words.

Posted at 2012-01-19 13:00 | Permanent link | Comments
blog comments powered by Disqus

Recent posts

Monthly Archives

Yearly Archives


RSS