Desert of My Real Life

{February 20, 2016}   Apple vs. The FBI

I’ve been reading a lot about the controversy surrounding the court order compelling Apple to help the FBI break into the phone used by one of the San Bernardino killers, Syed Farook. I think at this point, I mostly understand the technical issues although the legal issues still confound me. And there’s a significant question that I’m not seeing many people discuss but that would help me to understand the situation better.

Here’s what the case is about. The iPhone used by one of the killers is owned by his employer, San Bernardino County. The FBI sought and received a court order to confiscate the phone with the intention of gathering the data stored on it. The County willingly turned the phone over. As an aside, there is currently a controversy with the FBI saying that a County employee, working on his own, reset the password for the phone after giving it to the FBI which means one possible method for retrieving the data from the phone is no longer available. The County claims that its employee reset the password under the direction of the FBI. Somebody is lying. If the FBI really did direct the employee to reset the password, they need to hire more adept technologists. The news stories about this controversy neglect to mention that the method in question would only have worked if Farook had not changed his password after he turned off the automatic iCloud backup. I think that’s pretty unlikely.

So, the FBI has physical access to the iPhone but the problem is that the phone has two layers of security. The first is that it will automatically delete all of its data if someone enters an incorrect password 10 times. The second is that the data on the phone is encrypted which means that it can’t be read unless the password is entered. The FBI sought and received a court order to require Apple to “bypass or disable” the feature that wipes the phone clean. Doing so would then allow the FBI an unlimited number of password attempts to decrypt the data stored on the phone. Apple’s response to the court order is that to comply would be to put the data of every iPhone user in jeopardy.
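A toy Python model of the two layers described above, added here as an illustration and not taken from Apple's software or any real device. `ToyPhone`, the XOR stand-in for encryption, the PBKDF2 parameters and the four-digit passcode are all assumptions; the point it shows is that the attempt limit, not the encryption alone, is what protects a short passcode.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 10  # the auto-erase threshold described in the post

class ToyPhone:
    """Constructed model: passcode-derived encryption plus optional auto-erase."""
    def __init__(self, passcode: str, data: bytes, wipe_enabled: bool = True):
        self.salt = os.urandom(16)
        key = self._derive(passcode)
        self.check = hashlib.sha256(key).digest()            # detects a wrong passcode
        self.blob = bytes(a ^ b for a, b in zip(data, key))  # toy cipher, data <= 32 bytes
        self.wipe_enabled, self.failures, self.wiped = wipe_enabled, 0, False

    def _derive(self, passcode: str) -> bytes:
        # Layer 2: the data key exists only as a function of the passcode.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 1000)

    def unlock(self, guess: str):
        """Return the plaintext for the right passcode, otherwise None."""
        if self.wiped:
            return None
        key = self._derive(guess)
        if hmac.compare_digest(hashlib.sha256(key).digest(), self.check):
            self.failures = 0
            return bytes(a ^ b for a, b in zip(self.blob, key))
        self.failures += 1
        # Layer 1: destroy the encrypted data once the limit is reached.
        if self.wipe_enabled and self.failures >= MAX_FAILURES:
            self.blob, self.check, self.wiped = b"", b"", True
        return None

def guess_in_order(phone: ToyPhone):
    """Try 0000..9999 in order; return (recovered data or None, attempts made)."""
    for attempts, n in enumerate(range(10_000), start=1):
        data = phone.unlock(f"{n:04d}")
        if data is not None or phone.wiped:
            return data, attempts
    return None, 10_000

def compare(passcode: str = "0420", data: bytes = b"constructed sample data"):
    """Same passcode and data, with auto-erase on and with it disabled."""
    stock = guess_in_order(ToyPhone(passcode, data, wipe_enabled=True))
    modified = guess_in_order(ToyPhone(passcode, data, wipe_enabled=False))
    return stock, modified

if __name__ == "__main__":
    print(compare())
```

With auto-erase on, the data is gone after ten wrong guesses; with it disabled, the only barrier left is the size of the passcode space.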

One of the things that confused me about this story was that I kept hearing and reading reports about Apple helping law enforcement to unlock iPhones many times in the past. The folks over at TechCrunch helpfully explained that Apple’s current response is not hypocritical. For iPhones running the operating system iOS 7 (and previous versions of iOS), Apple had the ability to extract data from the phones. And so it complied with court orders requiring it to extract data from iPhones. For iPhones running iOS 8 and later, Apple removed that capability. Apple has stated that the company wants to protect its users’ data even from Apple. The iPhone in question is running iOS 9. So Apple does not currently have the capability to extract data from the phone in the ways that it has in past cases. In order to comply with the court order, Apple would need to write some new software, a version of iOS with the phone wiping feature disabled, and then install it on the iPhone in question. The court order requires Apple to provide “reasonable technical assistance.” Is writing new software “reasonable technical assistance”?

But here’s the question that I haven’t found an answer for. Is there a precedent for the government compelling a person (remember: corporations are people so Apple is a person, right?) to build something that doesn’t already exist? The case that’s being cited as a precedent seems to me (admittedly, not a lawyer) to be pretty different. In that case, the Supreme Court said that the government could compel The New York Telephone Company to put a pen register (a monitoring device) on a phone line. But the telephone company already had the technology to monitor phone lines so it wasn’t as though they were being compelled to create a new technology. Apple is being asked to write a new piece of software, to build something that doesn’t already exist. This diversion of resources is one of their grounds for objecting to the court order. So, John McAfee has offered to write the software for free. It isn’t clear, however, that writing the software is enough since iPhones will only work with software that has been signed by Apple. Even if McAfee was successful, the government would still need Apple’s cooperation. And that’s unlikely since Apple’s philosophy is that their products should provide their customers as much data security as possible.

Ultimately, I agree with Bruce Schneier that the American public is best served if Apple does not comply with the government’s order. The government says that this request would be a one time thing, that they would not ask for such assistance again. I don’t believe that. Even if I did believe that the government would not ask again, I don’t think we can keep such software, once it exists, out of the hands of the many, many hackers who want to steal your data. That is a threat to our everyday lives that far outweighs the threat of terrorism.

Addendum (2/21/16): I’ve read some articles that take issue with Apple CEO Tim Cook’s “slippery slope” argument. His argument has been that if Apple complies with this order to circumvent the iPhone feature that wipes the phone clean after 10 incorrect password attempts, they will have no basis to refuse to do so in the future. Every time the US government asks them to circumvent the feature, they will have to do so. Government lawyers have said that this request is about this phone only and that they won’t ask in other cases. Tell that to Cyrus Vance, Jr., the district attorney in Manhattan. On Weekend Edition this morning, Vance argued that Apple should comply with the order because they are circumventing law enforcement’s ability to view the data on more than 175 phones related to criminal investigations. If this software is available for use by law enforcement officials, it will be available for use by the “bad guys.” That puts everyone’s data in jeopardy. Apple is protecting your ability to keep your data out of the hands of hackers (whether they work for the government or not).

{June 19, 2013}   Software Controls Users

I’m often surprised that some of the most valuable lessons I learned back in the late 1980’s have not become standard practice in software development. Back then, I worked for a small software development company in Western Massachusetts called The Geary Corporation. The co-founder and owner of the company was Dave Geary, a guy I feel so fortunate to have learned so much from at a formative stage in my career. He was truly ahead of his time in the way that he viewed software development. In fact, my experience shows that he is ahead of our current time as most software developers have not caught up with his ideas even today. I’ve written about these experiences before because I can’t help but view today’s software through the lens that Dave helped me to develop. A couple of incidents recently have me thinking about Dave again.

I was talking to my mother the other day about the … With Friends games from Zynga. You know those games: Words With Friends, Scramble With Friends, Hanging With Friends, and so on. They’re rip-offs of other, more familiar games: Scrabble, Boggle, Hangman, and so on. She was saying that she stopped playing Hanging With Friends because the game displayed the words that she failed to guess in such a small font on her Kindle Fire and so quickly that she couldn’t read them. Think about that. Zynga lost a user because they failed to satisfy her need to know the words that she failed to guess. This is such a simple user interface issue. I’m sure Zynga would explain that there is a way to go back and look for those words if you are unable to read them when they flash by so quickly. But a user like my mother is not interested in extra steps like that. And frankly, why should she be? She’s playing for fun and any additional hassle is just an excuse to stop playing. The thing that surprises me about this, though, is that it would be SO easy for Zynga to fix. A little bit of interface testing with real users would have told them that the font and speed at which they displayed the correct, unguessed word was too small and too fast for a key demographic of the game.

My university is currently implementing an amazingly useful piece of software, DegreeWorks, to help us with advising students. I can’t even tell you how excited I am that we are going to be able to use this software in the near future. It is going to make my advising life so much better and I think students will be extremely happy to be able to use the software to keep track of their progress toward graduation and get advice about classes to think about taking in the future. I have been an effusive cheerleader for the move to this software. There is, however, a major annoyance in the user interface for this software. On the first screen, when selecting a student, an advisor must know that student’s ID number. If the ID number is unknown, there is no way to search by other student attributes, such as last name, without clicking on a Search button and opening another window. This might seem like a minor annoyance but my problem with this is that I NEVER know the student’s ID number. Our students rarely know their own ID number. So EVERY SINGLE time I use this software, I have to make that extra click to open that extra window. I’m so excited about the advantages that I will get by using this software that I am willing to overlook this annoyance. But it is far from minor. The developers clearly didn’t test their interface with real users to understand the work flow at a typical campus. From a technical standpoint, it is such an easy thing to fix. That’s why it is such an annoyance to me. There is absolutely no reason for this particular problem to exist in this software other than a lack of interface testing. Because the software is otherwise so useful, I will use it, mostly happily. But if it weren’t so useful otherwise, I would abandon it, just as my mother abandoned Hanging With Friends.

When I complained about this extra click (that I will have to make EVERY time I use the software), our staff person responsible for implementation told me that eventually that extra click will become second nature. In other words, eventually I will mindlessly conform to the requirements that the technology has placed on me.

Dave Geary taught me that when you develop software, you get the actual users of that software involved early and often in the design and testing. Don’t just test it within your development group. Don’t test it with middle management. Get the actual users involved. Make sure that the software supports the work of those actual users. Don’t make them conform to the software. Make the software conform to the users. Otherwise, software that costs millions of dollars to develop is unlikely to be embraced. Dave’s philosophy was that technology is here to help us with our work and play. It should conform to us rather than forcing us to conform to it. Unfortunately, many software developers don’t have the user at the forefront of their minds as they are developing their products. The result is that we continue to allow such software to control and manipulate our behavior in ways that are arbitrary and stupid. Or we abandon software that has cost millions of dollars to develop, wasting valuable time and financial resources.

This seems like such an easy lesson from nearly thirty years ago. I really don’t understand why it continues to be a pervasive problem in the world of software.

{September 9, 2012}   Communicating for Change

The university where I work, like most universities, is facing significant challenges from multiple fronts. To meet these challenges, we’re finding that we need to change the way we do business. The question that I’ve been pondering is how to get people on board with change, especially when that change means an increase in work load. In the last year and a half, I have been persuaded that some efforts that I had not originally supported were good changes for the University. Proponents of other efforts, however, have been unable to persuade me that the extra work required for implementation would be worth the effort. There is currently a change on the table and the proponents of the change have done a poor job of communicating the benefits of the extra work involved in making the change. So I’ve been thinking about how that group could have done better in getting the community to commit to making the suggested change. Here’s what I think you need to do to gain support of people whose (work) lives are affected by a change you are proposing:

1. Clearly identify the problem you’re trying to solve. Make sure your stakeholders understand why the problem is a problem for them or for groups that they care about. This step is also important so that you can later determine whether the change you are proposing actually solves the problem you’ve identified. Saying “we need to do better” is not a clear articulation of a problem. What do we need to do better? Why do we need to do better? What are the negative consequences of the way we’re currently doing things? Who thinks we need to do something better? Try to figure out why not doing better negatively impacts on the various stakeholders. How could their lives be better if we changed the way we’re doing things?

2. Initiate an inclusive process for generating solutions to that problem. You and your group can sit in a room and think up solutions to your now clearly identified problem but you’re all likely looking at the problem from a similar perspective. Identify other groups to explain the problem to and ask them to generate some solutions. Send out surveys, run focus groups, attend meetings of a variety of stakeholders. Ask for feedback in a bunch of different ways. Keep track of all of the possible solutions generated, even the ones that seem kind of crazy at first.

3. For each solution, identify pros and cons and the overall impact of those pros and cons. There may be some solutions whose cons are so great that they create bigger problems than the original problem you’re trying to solve. Make sure you understand how these solutions will impact each group of stakeholders.

4. Choose the solution that solves the biggest portion of the problem but that also generates the fewest additional problems. Try to think about unwanted, unintended consequences. There’s no sense in solving a problem only to create larger, worse problems. Go back to the groups who generated your list of solutions and ask them what they think about the solution that you think is best. Ask them what the consequences will be. And don’t ignore any of the feedback you receive. You can use the feedback to anticipate objections to the solution when you propose it to the larger community.

5. Develop an implementation plan that acknowledges the difficulties with implementing any significant change. Be sure to weigh whether those difficulties are worth the effort given the original problem that you are trying to solve.

6. Share the entire process that you’ve gone through to develop a solution with the people who will be affected by the change. Listen to their feedback and try to deal with as many of their concerns as possible, either by making them go away (by changing the solution or the implementation to address the concern) or by acknowledging the concern but explaining why the solution will make their overall lives better, so that whatever their concern is will be dwarfed by the relief in having solved the original problem.

7. Although you will never be able to please everyone, only implement solutions that actually solve the problem identified. If you can’t articulate how the solution solves the problem in a way that gets people to understand what you’re doing and why, perhaps the solution is not a good one.

The group that is currently proposing a change has not done any of these steps. They have proposed a solution to a problem that they have not clearly articulated. The solution was generated by their group alone and when they brought the idea to another group that I’m a part of, they got feedback that the proposed change had a lot of problems, including some probable unintended, unwanted consequences. But then they have ignored that feedback and told us that they are implementing the change anyway, without even acknowledging that they got any negative feedback at all.

I’m hoping that I can use my better understanding of what I think should happen for buy-in to occur to explain to the group why what they’re doing is problematic, so that they’ll go back to the drawing board and reexamine the issue. And I hope I can keep this lesson in mind the next time I’m part of a group that wants to initiate change.
