I’m excited and honoured to be speaking on “Trust in Protocol Design” to the IETF’s Human Rights Protocol Considerations Working Group next week at IETF103. I’ll be talking about my research into the role of trust in the design and operation of the Border Gateway Protocol, and how my work might inform a human rights perspective on protocol design.
Update: here’s the video from the talk. My presentation starts at about 38 minutes in, but the whole thing is worth a watch.
I’m excited to have been invited to present at the 2018 NSF Cybersecurity Summit! I’ll be talking about my research into trust, cooperation, and learning in information security, as part of a panel on incident response communications.
I’ve just published an article for EDUCAUSE Security Matters, “How Can We Trust”, on the importance of social trust and communities of practice for the development of information security as a professional field.
I’ll be presenting my research in a talk titled “Geographies of Trust and Practice in Internet Infrastructure” in the Design@Large series at the UC San Diego Design Lab on April 11th, 2018.
I’m very happy to announce the publication of a report on my research into trust, cooperation, and learning in information security: “A Fragmented Whole: Cooperation and Learning in the Practice of Information Security”. You can read the executive summary here, and the full report here. Here’s the abstract:
Of the many problems faced by the field of information security, two are particularly pressing: cooperation and learning. To effectively respond to threats and vulnerabilities, information security practitioners must cooperate to securely share sensitive information and coordinate responses across organizational and territorial boundaries. Yet there are insufficient numbers of personnel who have learned the competencies necessary to build information security teams.
Current policy responses to these issues treat cooperation and learning as independent problems to be dealt with through institutional arrangements. In this view, cooperation may be enabled by industry associations or government agencies that act as hubs for coordination and information sharing; and learning may be addressed by appropriate degree and certification programs. In contrast, we argue that cooperation and learning in information security are fundamentally connected problems which must be addressed together.
Through ethnographic and survey research, we found that information security relies to a significant degree upon interpersonal trust relationships – rather than only institutional arrangements – for both cooperation and learning. The more sensitive the information to be shared (as is typically the case with novel threats and vulnerabilities), the more likely it is that cooperation will take place within tightly bounded trust circles, in which participants know and trust each other. Learning the more sophisticated competencies of information security relies upon access to these bounded social contexts, in which skills and knowledge circulate securely. In order to cooperate effectively and engage in more sophisticated learning, information security practitioners must build their connections to the interpersonal trust relationships that structure the field of information security. Our research indicates that institutional arrangements can provide the foundations for interpersonal trust relationships, but cannot substitute for them; just as interpersonal trust relationships cannot substitute for the functions that institutional arrangements offer.
Information security is a fragmented whole, composed of strongly bounded, sparsely connected trust groups and organizations that seek to ensure the trustworthiness of participants. We suggest a substantially different set of policy interventions to support cooperation and learning in information security, focusing upon building interpersonal trust relationships, as much as on building institutional arrangements. Our recommendations include suggestions for stronger information sharing communities, for building relationships between educational institutions and information security practitioners, and for supporting diversity.
I’ll be presenting a paper at AOIR 2017 in Tartu, Estonia, as part of what promises to be an interesting session interrogating the metaphors through which we make sense of “the Internet”.
“For the Good of the Internet”: The Imagined Communities of Internet Infrastructure
The Internet is unusual among global infrastructures in the degree to which its operation relies upon volunteer work and contributions. In this paper, I explore the nature of volunteer work in Internet infrastructure through a focus on the provision of Internet Exchange Points (IXPs), which are physical locations at which computer networks interconnect to form the Internet. I draw from two years of ethnographic fieldwork as a volunteer with a non-profit IXP in the San Francisco Bay Area, SFMIX, to ask why it is that Internet infrastructure workers are willing to volunteer their time and money to provide services which could be provided as for-profit offerings. I argue that volunteer work in Internet infrastructure is made possible through the ideal of acting “for the good of the Internet”. I build on Markham’s analysis of metaphors of the Internet, and Anderson’s notion of “imagined communities”, to show how acting “for the good of the Internet” functions as a way of being for Internet infrastructure workers, and serves to construct a political consciousness that allows them to imagine themselves as being part of a global community which acts “for the good of the Internet”.
I’m delighted to have the opportunity to present my work at King’s College, London, and the University of Tampere later this month:
Geographies of Trust and Practice in Internet Infrastructure
Since its origins, the Internet has been imagined as a space which is “everywhere and nowhere” (Barlow 1996): a virtual “space of flows” separated from the physical “space of places” (Castells 1996). These are politically charged imaginaries, as the virtual spaces of the Internet are often thought to intrinsically encode a democratic participatory politics, surpassing the seemingly more limited democratic possibilities of the territorial space of the nation state. However, as the Internet has evolved, the problems of increased participation have become readily apparent, with attention today turning to questions of legitimacy and trustworthiness, whether in terms of “fake news”, or privacy and security in online settings.
In this talk, I connect the seemingly disparate problems of trust and space in the Internet through an analysis of the underlying mechanisms involved in the production of virtual space. I locate these mechanisms in the sociotechnical organization of Internet infrastructure: the practices, institutions, and cultures of the technical personnel responsible for the reliable, stable operation of the thousands of interconnected computer networks which comprise the Internet. I draw from two research projects for my analysis, in which I studied network operators and information security personnel, in sites spanning North America and South Asia.
As I found, the infrastructure of the Internet is stabilized and ordered through practices which rely upon social relationships of trust, across organizational and territorial boundaries. This reliance on trust relationships makes the Internet quite unusual in comparison to other global infrastructures (such as shipping, airlines, or telephone systems) which rely primarily upon state and market arrangements for governance. Indeed, I argue that it is critical to understand the geographies of trust and practice which govern Internet infrastructure if we are to develop a trustworthy and secure future Internet.
I had a great conversation with Violet Blue at Engadget about the recent Equifax breach, and the gendered conversations about the qualifications of the Equifax CISO (who happens to be a woman). Read the story here:
Why Equifax’s error wasn’t hiring someone with a music degree
So here’s a fun fact, which delighted old friends and new acquaintances alike at AOIR 2016: in an alternate timeline, the Internet could have been known as the Catenet. Allow me to present Exhibit A, “The Catenet Model for Internetworking”, an early Internet design document, written in 1978 by Vint Cerf (commonly known as one of the founding figures of the Internet). The term catenet was coined several years earlier by Louis Pouzin during his pioneering work developing packet-switched networking in the French CYCLADES project.
The central problem that both Cerf and Pouzin were dealing with was how to interconnect individual computer networks into a larger whole. Pouzin considered this to be a concatenation of networks, a catenet. The term history has given us, alas, comes from the work of Cerf and others who sought to interconnect networks to form an internet. Friends, I submit to you that we should reclaim our proud past, and henceforth speak only of the Catenet!
Incidentally, this is also why I insist on capitalizing the “I” in Internet, to the consternation of my colleagues engaging in Internet research. The Internet is simply the largest instance of an internet, currently composed of over 55,000 interconnected (or should I say, concatenated?) computer networks. If you’re interested, you can find the latest number of networks (known as “autonomous systems”) visible in the Internet’s routing tables under the entry “Number of ASes in routing system” in the CIDR Report. And for those now imagining felines frolicking with frothy alcoholic drinks: CIDR has nothing to do with cider, honest!
I’ve just had my paper, The Myth of the Decentralised Internet, published in the Internet Policy Review. I’ve long been bothered by claims that the Internet will bring about a more just world simply through the force of its “decentralized” technology, which cannot be controlled (or so the claims say). This paper is my attempt at debunking this myth; and hopefully contributing to a conversation in which technology is only one component of a larger set of social-political-economic elements which structure power on the Internet.