Skip to main content

Songs on the Security of Networks
a blog by Michał "rysiek" Woźniak

Introducing: rysiek's law of unavoidable consequences

This is an ancient post, published more than 4 years ago.
As such, it might not anymore reflect the views of the author or the state of the world. It is provided as historical record.

For some time now I’ve been missing a short and succinct way to indicate why things like centralization at the service level are not entirely good ideas, regardless of how much we trust their operators.

So here it is – rysiek’s law of unavoidable consequences:

If it’s technically possible, it’s practically unavoidable.

Wait, what?

Well, the idea is simple. If, say, a given software project promises something (e.g. that it will not spy on users), we should not rely only on a promise. It should be technically impossible to break that promise, otherwise it will get broken sooner or later.

Here’s a longer, more verbose version:

If some undesirable actions or outcomes are technically possible, they should be assumed to be unavoidable.

There are many reasons this can happen: a break-in; a change of heart of the owner; a change of owner; law being changed, used or misused. Regardless of the reason, if it’s possible, it will happen.

The corollary being:

If there are some undesirable outcomes you want to avoid
make them technically impossible (or very hard).

Test drive: Ello

Let’s take Ello on, for instance. Ello promises some neat things – like “no ads” and being “privacy-friendly”. But is it technically possible for Ello to introduce ads to the network, and sell their users’ privacy out?

Well, yes. Yes it is.

So, once the management changes or decides they need some more money, there is nothing stopping them from doing just that.

Compare and contrast: Diaspora

Can Diaspora creators introduce ads and sell-out users on privacy?

Well, it’s much more complicated. The developers can introduce ad functionality to the code, but will server admins (who are not usually directly connected to the developers) introduce that code to their instances? Dubious. Because there are many different servers, users can pick and choose, and move to servers that do not support ads. Tl;dr being: it’s much harder, and much less possible.

Similarly, selling out users on privacy would rather be possible for the server admins instead of the developers (who do not have access to users’ private data). But:

  • no single server admin has access to private data of all Diaspora users;
  • if a given server is caught red-handed, users can just… move to a more privacy-friendly server, without much hassle.

These mean that server admins have a strong incentive, based (among others) in technology itself, to not do nasty things; and it is technically not possible at all to do it at the same time in the whole network.

A broader perspective

If you think about it, this is exactly the reason why we have separation of powers. It’s not that we do not trust our current powers that are, it’s that we really don’t know who will be in power in a few short years. Separation of powers is the “technical” way of making sure we don’t have to rely only on trust.

And remember this?

The Net interprets censorship as damage and routes around it.

Censorship is technically impossible (or rather extremely hard) because of how the Internet is engineered. Had it been any other way, we would have a completely different Net.

Even the Kerckhoffs’s principle is an example of a more specific version of the corollary.

Now we need to engineer this into software.