information security

The slow, alienated death of blockchain

As a preface to this, there are good people doing great things with blockchain in good faith and this is not an essay targeting these people but a polemic in their defense. There are too many people, though, lost in fog about what blockchain is and not enough people telling the truth about what it is not.

It would be crazy to say you won’t hear about blockchain again, and perhaps the worst blockchain fatigue is ahead of us. Rather, we have arrived at an inflection point where the emerging viral big idea is that blockchain has lost its way, been applied to problems for which it has no utility, carelessly dropped as a buzzword with no meaning, incorporated into all manner of scams, not only over-hyped but radically mis-hyped, and warped by these trends into something that will now struggle to fulfill its original real potential.

The amazing power of blockchain has been its power purely as a word - a word about which one can say anything, arbitrarily disingenuous or poorly informed, and profit from the statement presuming the claim is sufficiently grandiose, intimidating, and FOMO-inducing. There is apparently vast power for “disruption” in using blockchain to record supply chain information where a centralized server would be demonstrably superior. Apparently, blockchain has a unique relationship with quantum computing despite being composed of very conventional classical cryptography. Apparently, blockchain can save your business by “decentralizing” when your business was really an effort at centralization by its very nature and no one can even explain in plain English what decentralization means and why it is good business. Apparently, blockchain can hugely improve your information security by reproducing your sensitive data across many servers each with the same vulnerabilities as any other centralized server. By etymology, to say something is apparent suggests it has appeared, but we are still waiting and we will continue to wait forever because these claims range from optimistic distortions to outright lies.

There are a great many lies that have become so pervasive that they have been widely repeated by honest people. This is a real tragedy, and this essay is not a polemic targeting these people but a polemic in their defense.

Blockchain came into the world in step with “decentralization” and if we actually maintain discipline about what these words mean, this is absolutely sensible and correct. The problem is much of the wealth and power in our society is centralized and the power of blockchain as a word is too useful a tool in chasing it. Corporations are centralized organizations - decentralization is what the Department of Justice does to your firm if it decides you don’t have enough competition to treat consumers decently. Governments are centralized organizations - decentralization is what happens when people decide they’ve had enough and find ways to be governed less and more locally. Venture capital firms are centralized organizations - if you take the money of a group of wealthy investors and centralize it in one place to invest all at once, you’re on the way to founding a venture capital firm. One can’t say that blockchain will never have anything to offer these groups, but many promises made could never have been anything but empty because decentralization is contrary to the nature of these organizations. And neither centralization nor decentralization is intrinsically good or bad.

Too many organizations have been presented with blockchain the magical spell, the voodoo word for inciting fear of falling behind the times and missing out. Blockchain has been presented to many in bad faith not as information technology but as psychological manipulation. It is well attested that companies that have merely added blockchain to their name have seen their stock price soar, in some cases criminally (in the literal sense) absent any effort to implement any version of the real technology at all. Any application you might pitch to an investor that involves a database might as well involve a blockchain, and such is the power of the word that many can’t resist. But why did your application need to be on the blockchain? It didn’t, and it may have been a poor architecture decision that it was.

Experimentation in blockchain architecture continues, and while much of it is interesting and valuable, there is a sector that strongly resembles efforts to find a centralized server that resembles a blockchain enough to avoid lawsuits. Why be bothered to work with the challenging, real technology when one can work with the awesome persuasive power of the word alone?

Blockchain is not dying in the sense that it will disappear tomorrow. It is dying in the sense that it is mutating carelessly towards no constructive end, wasting time and money and human intellect and human emotion as it does. The real tragedy is that it is dying not because it has no potential but because no one can resist the potential it does not have.

ABCs of PII

by Alexander C. Mueller

What is personally identifiable information, abbreviated P.I.I. or PII, and why is it important?

It’s easiest to break down backwards. First, it is Information, and typically the information so discussed is held by a large corporation or a government agency. Second, it Identifies some individual Person apart from the others. The term PII can sometimes refer by law to specific types of data, but it is commonly used for a broad category of data about everyday people that large organizations end up storing.

Your name is the ultimate everyday example of PII. If you are standing next to someone else, a person who wanted your attention would say your name and not theirs - they’ve just used a small piece of information (your name) to identify you as one person apart from another.

Phone numbers are a bit more interesting. They do have a practical purpose, but they are also a good way to keep two people with the same name from getting confused in your database. Often, a business that collects this information on you is doing it for this sort of reason and not to actually try and call you. Phone number is thus another example of PII, information used to identify one person apart from another.
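To make "identifies one person apart from another" measurable, the following added example (not part of the original essay) counts how many records each field or combination of fields singles out. The records, field names and helper functions are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records; none of these describe real people.
RECORDS = [
    {"name": "Ana Silva", "city": "Springfield", "phone": "555-0101"},
    {"name": "Ana Silva", "city": "Springfield", "phone": "555-0102"},
    {"name": "Ben Okoye", "city": "Springfield", "phone": "555-0103"},
    {"name": "Cara Lind", "city": "Shelbyville", "phone": "555-0104"},
    {"name": "Cara Lind", "city": "Springfield", "phone": "555-0105"},
    {"name": "Dev Patel", "city": "Shelbyville", "phone": "555-0106"},
]


def identifying_power(records, fields):
    """Return (k, singled_out) for the given fields.

    k is the size of the smallest group of records sharing the same values
    (the k in k-anonymity); singled_out is how many records are alone in
    their group, i.e. identified apart from everyone else.
    """
    groups = Counter(tuple(r[f] for f in fields) for r in records)
    k = min(groups.values())
    singled_out = sum(1 for size in groups.values() if size == 1)
    return k, singled_out


def minimal_identifiers(records):
    """Return the smallest field sets that single out every record."""
    fields = sorted(records[0])
    for size in range(1, len(fields) + 1):
        hits = [
            combo
            for combo in combinations(fields, size)
            if identifying_power(records, combo)[1] == len(records)
        ]
        if hits:
            return hits  # stop at the smallest size that works
    return []  # duplicate rows: no field set separates everyone


if __name__ == "__main__":
    for combo in [("city",), ("name",), ("name", "city"), ("phone",)]:
        k, n = identifying_power(RECORDS, combo)
        print(f"{'+'.join(combo):<10} k={k} singles out {n}/{len(RECORDS)}")
    print("minimal identifiers:", minimal_identifiers(RECORDS))
```

A field set with k of 1 identifies at least one person on its own, so columns that reach it are the ones to treat as PII when deciding what to collect, mask or restrict.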

Thinking about data in this way is valuable because there are many white collar crimes and other misdeeds for which this sort of information is absolutely necessary to get started. Identity theft is the obvious and familiar example. However, there are many more scams you can only begin after you have enough information to target specific individuals and not groups of people. Imagine you are a foreign spy agency looking to recruit informants. Which is more helpful to you: 1) knowing that there are indebted people living in a particular city 2) a list of names, addresses, and phone numbers of indebted people in a particular city?