Google’s BeyondCorp

From the Wall Street Journal:

Google Inc., taking a new approach to enterprise security, is moving its corporate applications to the Internet. In doing so, the Internet giant is flipping common corporate security practice on its head, shifting away from the idea of a trusted internal corporate network secured by perimeter devices such as firewalls, in favor of a model where corporate data can be accessed from anywhere with the right device and user credentials.

The new model — called the BeyondCorp initiative — assumes that the internal network is as dangerous as the Internet. Access depends on the employee’s device and user credentials. Using authentication, authorization and encryption, the model grants employees fine-grained access to different enterprise resources, wrote Google’s Rory Ward and Betsy Beyer in a paper published in December.

(The paper isn’t too long and is very approachable; it’s a good read.)

One of my favorite observations is that one’s strengths are often the exact same as one’s weaknesses, an axiom that applies not just to individuals, but also to companies and even something as abstract as the Internet. While it’s actually a myth that ARPANET, the U.S. Defense Department-funded initiative that was the forebear of the modern Internet, was created to withstand a nuclear attack on communications, the very structure of the Internet has always maximized openness and resilience. These are incredible strengths and are why the Internet has come to pervade every part of life, enabling applications and behaviors far beyond what anyone could have imagined. However, the total lack of centralized control and, well, openness, has also meant the Internet has always been incredibly insecure, and as the Google paper notes, the rise of mobile and cloud computing has made things worse:

The perimeter security model works well enough when all employees work exclusively in buildings owned by an enterprise. However, with the advent of a mobile workforce, the surge in the variety of devices used by this workforce, and the growing use of cloud-based services, additional attack vectors have emerged that are stretching the traditional paradigm to the point of redundancy. Key assumptions of this model no longer hold: The perimeter is no longer just the physical location of the enterprise, and what lies inside the perimeter is no longer a blessed and safe place to host personal computing devices and enterprise applications.

“Key assumptions…no longer hold.” There is a lot of power in that statement, and Google’s proposed solution makes a lot of sense: security is based on individuals, not location or some other identifying factor that doesn’t scale to mobile. What is interesting, though, is that I just described this shift in this week’s article on the future of digital advertising:

The locus of tracking and measurement is shifting from devices to users. It echoes the shift in advertising from publishers to ad networks, which is to say from content to users. Targeting and serving ads to individual users is the goal, and, as Ms. O’Holleran excitedly declared in 2010, the holy grail is some sort of “super-cookie” that a user can’t turn off.

It’s all about individuals — known individuals, at that. And that brings me to Reddit:

Reddit’s Anti-Harassment Policy

From the New York Times:

The company announced on Thursday that it was updating its site-wide policies to explicitly prohibit harassment against users, a move that the company said would promote free expression on Reddit without fear of retribution from a vocal minority.

“We’ve heard a lot of complaints and found that even our existing users were unhappy with the content on the site,” said Ellen Pao, chief executive of Reddit, noting a study the company conducted this year with more than 15,000 users, or so-called redditors. “We don’t think this behavior represents what Reddit is.”

I rather agree: I think that most people are decent, and that a few bad apples spoil the bunch. The problem for Reddit, though, is its foundation of anonymity: it’s great the site will potentially ban abusive users (after the victim bears the burden of documenting and reporting boorish behavior, and then, maybe), but there is nothing stopping said users from simply creating a new account and engaging in bad behavior all over again. Twitter suffers from this same problem: unlimited anonymous accounts which need only an @-address to deliver insults and threats directly to the phone or desktop of their target.

It’s interesting to contrast both networks to Facebook: the latter has had its issues with abuse, but it pales in comparison to Reddit and Twitter, and a big reason is that Facebook is built around identity. The “real-name” policy has its downsides, to be sure, but it is more effective both by ensuring abuse is tied to your name and by making a ban much more devastating. And, as I noted in that digital advertising article, it makes for a better business as well.

Business is certainly a concern for Reddit. As the NYT notes:

The changes are not coincidental. After years of being run by only a few employees and little resources, Reddit raised a $50 million round of financing last October, backed by well-known venture capital firm Andreessen Horowitz, among a host of others. Reddit has poured resources into expanding its mobile offerings and bulking up its advertising sales organization, with the aim of Reddit eventually growing into a bigger business.

It does feel like we’re at an inflection point when it comes to free: “free as in speech” and “free as in beer” — which on the Internet usually means ad-supported — are going to be increasingly in conflict. Reddit wants to actually be a business, but the unpredictable nature of Reddit’s content makes it exceptionally hard to sell advertising against, and the abusive behavior of some of its users limits growth. And so Reddit is limiting its “freedom of speech” in pursuit of freedom of beer.

Speech and Abuse on the Internet

I put “freedom of speech” in quotes for a reason: Free speech is, as many tend to forget in these episodes, a restriction against government action to police speech; it does not apply to businesses. Nor, frankly, should it: the entire reason we ought not allow the government to restrict speech is because speech is uniquely potent; it is an essential check against the power possessed by a government. The potency of speech, though, demands its own check: the ability to marginalize and drown out that which is abusive and objectionable.

This is where forums like Reddit and especially Twitter have so badly failed: the commitment of both companies to free speech is admirable, but incomplete. In the case of Twitter, the fact anyone in the world can effectively speak directly to anyone else anywhere is incredibly powerful; it is incredibly irresponsible that Twitter hasn’t provided tools to restrict that sort of personal access, say to accounts you follow, or accounts with >100 followers, or accounts whom people you follow follow, or accounts that were created more than N days ago. Granting that sort of ability isn’t limiting free speech: it’s limiting the right to be heard, which isn’t even a right — it’s a privilege.

Twitter too has been making noise about improving here: the company made it marginally easier to report abuse last December (note again how the burden is still on the victim), and CEO Dick Costolo said in an internal memo:

We suck at dealing with abuse and trolls on the platform and we’ve sucked at it for years. It’s no secret and the rest of the world talks about it every day. We lose core user after core user by not addressing simple trolling issues that they face every day.

I’m frankly ashamed of how poorly we’ve dealt with this issue during my tenure as CEO. It’s absurd. There’s no excuse for it. I take full responsibility for not being more aggressive on this front. It’s nobody else’s fault but mine, and it’s embarrassing.

I was called out for not addressing the issue of harassment in my piece calling for new leadership at Twitter, and the criticism is fair: if a core part of my criticism of Twitter is its lack of user growth, then it’s worth addressing a problem that certainly impacts the number of users, particularly those “core users” in Costolo’s words who are leaving the platform.

More broadly, though, I increasingly think the fundamental issue is identity: there’s only so much a service like Twitter or Reddit can do when they don’t know who they are fighting, just as it’s increasingly impossible to secure a corporate network without knowing who is accessing it, or just as it’s hard to sell an advertisement for profit without knowing who is seeing it. Good businesses of all types may be increasingly correlated with good identity management.

This is certainly a trade-off: there are real costs that come from enforcing identity, including increased centralized control, increased surveillance and tracking, and decreased freedom, particularly for those who live under totalitarian regimes (whether said regimes be the government, their community, or even their family — a “real name” policy is a real problem for battered women, for example). Over time I expect there will be a backlash, and a continued growth of a shadow Internet even more expansive than what exists today, with its own social networks, its own mores, and its own currency. And, arguably, its own big businesses.

