2008-10-10

DEAR PRESIDENT OBAMA


dear president obama,

i hear you have been having some connectivity issues... may we suggest you use drop.io

we spend a ton of time at drop.io thinking about how private information should and does work.  the recent discussion of whether or not president obama can use a blackberry while in the white house is, on this basis, fascinating.  on the one hand, as countless people have pointed out, it is relatively absurd that the chief executive of the country can't use a $50/month device which is at the core of corporate communication.  on the other hand, the information he is dealing with is ever so slightly more important than the design templates for the next version of drop.io...  the central question that i keep coming back to is: what is the fundamental difference between the president sending and receiving an email vs. making and receiving phone calls vs. sending and receiving physical mail?  presidents have been writing letters for centuries, and making phone calls for decades, so why can't they email?

four categories of differences come to mind in answer to this question:

1.  they have a different set of security risks.
2.  they are differently falsifiable.
3.  they have different audit properties.

security risks
  each form of communication has a different set of security risks associated with it.  phone lines can be 'tapped', emails can be 'sniffed' and physical mail can be 'intercepted' - 'intercepting' physical mail requires corrupting a trusted courier of the information (i am not sure whether the president uses the us postal service or just a carrier).  i am not sure how 'secure' phone lines can be, but i assume that the government has relatively sophisticated ways to 'go to a secure line' -- but what about email?  blackberries have some serious encryption (i am sure 128 bit +).  the messages do route through rim 'nocs' in canada -- but they are supposed to be highly secure... banks use them, senators use them, generals use them.  so, either there is something we don't know about foreign governments being able to reasonably crack 128 bit encryption, or it really isn't a 'security' issue.

identity risks
  what about falsifying correspondence?  it actually should be relatively easy to passably spoof a letter from the president, though very hard to spoof a letter well enough that an expert given time couldn't confirm or deny the validity of the correspondence.  falsifying a call would be a bit harder, but probably not un-doable.  the voice and speech patterns of a call carry a serious amount of meta-data which makes it hard but not impossible to spoof.  email?  it is quite possible that it is easier to spoof than other channels, but it doesn't seem like a step change.

audit
  audit has to be the real issue.  interacting with email has some interesting properties which differ significantly from other means of communication.  namely, when interacting with a blackberry it is quite easy to keep track of things like which messages get read and/or are not read.  further, sniffing the click stream of a president seems like a real risk.  if i send the president a letter, it is relatively hard to prove whether or not he read it, and how long he spent looking at it.  phone calls might leave slightly more detailed footprints, but it is hard to associate the core information of a call with metadata about a call.  email carries with it the ability to match the content of a message against how it was handled.

think about it this way - xobni would be a huge risk for a president.  what if he doesn't respond to emails from generals fast enough, or spends too much time looking at an email from a lobbyist?  what if bush had a message literally in his inbox about the september 11th attacks and didn't open it?


the ability to so specifically audit how information is treated must be the unspoken central reason why obama can't have a blackberry.  it is too much of a liability to have that metadata trail hanging around to be subpoenaed.

the solution, obama - get a drop.  i will even reserve drop.io/obama for you, so you can have obama@drop.io -- there is no audit trail of how you are interacting with messages posted to you on the site -- you don't have to 'open' messages... you simply navigate to your private page just as you would navigate to youtube or the new york times.  you can even give people access to your hidden uploader to send you files directly over http... no identity needed.  it is a clear example of how changing the metadata wrapper changes how information can flow.

happy thanksgiving.


original swl blogposts and letters 2007-2010