Who is the REAL customer here?
It is always interesting to see large companies and their decision making processes. If you have ever worked for one of these companies you can attest to the fact that these companies are really just a collection of smaller entities who engage in lots of internal battles for resources and attention. They want notoriety, money, and personnel to effectively execute the mission they are given. Though more often than not they are “doing more with less.”
I can personally attest to the fact that this fits the Air Force perfectly. I have seen first hand the internal arguments about resources (money and personnel) and the DoD conducts resource planning 2 YEARS IN ADVANCE! As if in today’s fast-paced environment anyone can say what an organization will be doing in 2 years. Moreso, the commanders who conduct these fights only lead these organizations for 2 years! They won’t be around to reap the “rewards” of their lobbying efforts, much less be around to execute the mission they planned said resources for.
Even more interesting is when you see large tech companies making decisions that are so obviously myopic (near/short-sighted). For example, I give you the Google Face Unlock saga. Google engineers, sales teams, and executives saw no problem with a brand new release of hardware and software that allowed the phone to unlock based on someone’s face, even if their eyes are closed. Yes, this means someone can steal your phone, hold it up to your face while you are incapacitated (unconscious or asleep) and gain access to your phone, contacts, email, even the ability to make purchases. As the article states: “How does this kind of a very elementary mistake get past a lot of people paid to be smart about this exact kind of problem?”
Another recent example is Gitlab requiring administrators with self-hosted versions of their software to agree to send usage data to Gitlab or risk having their software locked. They started to implement these new features and only pulled back after massive negative publicity from both employees and customers. How did they even get to the place where anyone thought this was a good idea?
Another recent example is networking company Ubiquiti issuing a firmware update that includes similar features to Gitlab. Namely sending usage and diagnostics data for better product development. This decision was also eventually reversed after enough outcry from customers. How did we get to the place where tech companies have forgotten who the customer is?
The final example is Windows 10 updates. I can point to a hundred different articles over the past few years showing real quality control issues in the Windows 10 update process. Breaking a lot of systems and functionality, even after beta testing by internal and external organizations. Are they rushing features out the door just to show forward progress?
In Google’s case are they so hellbent on making sales deadlines, that they are releasing half-complete features? Are they spending the right resources to not only make a feature but make sure they should make the feature in the first place? In the case of face unlock, I think it is ridiculous. I know a whole bunch of Apple customers just sighed out loud. But let’s consider the security of a system that simply needs you to look at a camera for a split second. Is anyone else concerned about unlawful search and seizure by law enforcement, when they can unlock your phone by pointing it at your face? They instantly have access to your entire life, contacts, things you said (maybe even sarcastically online or in text)…
Cyber Security principles
recommend demand Multi-Factor Authentication in our modern and critical systems. This is the combination of multiple things to authenticate that you are the correct user with access to a system (something you have, you know, or you are). So in the case of a smartphone (which in many cases provides access to someone’s entire life) manufacturers have settled on biometric input (eyes, fingers, face), which is an example of something you are. It provides quick and easy access without needing a pin or password. So far a great start, but it is only one method of authentication. There is no secondary requirement to unlock a phone, and in many cases make a purchase or more.
Let’s at least rely on intent to unlock this device as a part of the authentication process. Placing a finger on a fingerprint reader on a phone will require a lot more intent on the part of a law enforcement officer, criminal, or regular user. Whereas you can see a future time when law enforcement said the phone simply unlocked itself and a visible message gave them probable cause to search the phone. I know I am talking about extreme cases here, so let’s consider if someone takes your phone and holds it up to your face and then runs away. It is now unlocked for their perusal.
In the case of Gitlab and Ubiquiti, their hunger for your usage data blinded them to the fact that you have your own privacy concerns and don’t necessarily want your data (however anonymized it may be) as a part of their database. Anonymized data sounds great, but what if it is simply encrypted? Encryption algorithms have been broken in the past and quantum computing promises a future where today’s encryption mechanisms are no longer effective. But more importantly, how are these companies making decisions without thinking about delivering value to you the consumer? Are they even thinking about second and third-order effects from their decisions?
I argue that there are lots of “customers” at play. Internal to an organization, sales teams are customers to engineering teams. Shareholders are customers of the company’s executives. The REAL consumer who buys the product becomes a necessary consideration when they raise their collective voices loud enough to get the attention of shareholders, executives, and sales teams. Then priorities are changed for engineering, but until then, they are just a voice in the crowd. I don’t mean to say engineering teams are blameless. They understand the security issues better than any of these teams and need to be raising concerns during feature planning.
I think the reality is no one is taking the time to think these things through as they just need to complete the sprint and push features into production. No one seems to be having philosophical debates about privacy, data, and consumer needs. This is definitely true in the case of Windows 10 Updates. They push updates out so fast and have had to reverse many of them in the past. But it doesn’t seem to make them take pause and consider whether the pace is simply unsustainable for their teams.
Conclusion: We need to slow down. As Brooks Hatlen said in The Shawshank Redemption, “The world went and got itself in a big damn hurry.” Our demands of tech companies are out of step with what is possible. To borrow from another great movie Jurassic Park, “… your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should” (Dr. Ian Malcolm).