When even those who built the internet as we know it are warning of its insecurities and the deep privacy challenges it poses for society, you know things are very broken indeed.
The name of Dr Paul Vixie, inducted into the Internet Hall of Fame in 2014, sits alongside those such as "Father of the Internet" Vint Cerf, inventor of the worldwide web Tim Berners-Lee, Linux creator Linus Torvalds, founder of CERFnet Susan Estrada, and Irish physicist and internet pioneer Dennis Jennings.
Vixie, described fondly by one member of the tech community as a “geek’s geek” – a term you guess he would likely not reject – designed several Domain Name System (DNS) protocol extensions and applications used throughout the internet. This is the hierarchical decentralised naming system for computers and things that connect to the internet or a network.
In his latest role, he is founder and chief executive of California-based Farsight Security, which uses real-time, contextual information about domain usage and the registration of domain names – an adversary “mapping structure” – to provide threat detection and to help organisations fight potential cyber-crime. Its flagship solution is a six-year historical database of over 13 billion DNS records, which Vixie says is the biggest such source ever built.
“We decided to invest and make a long, multi-year strategic investment in trying to create a system that would put back pressure on the real source of trouble, which is that these things [domains] are too cheap,” he says.
He is also a pioneer in anti-spam measures, having co-founded the not-for-profit Mail Abuse Prevention System (MAPS) in 1998.
"We did not stop spam – you may have noticed you're still getting it, so I failed," Vixie says frankly during a short visit to Dublin recently ahead of Data Privacy Day on January 28th.
But he says the innovation in that anti-spam system was “the idea of distributed reputation systems”.
“That’s the way of the world now but at the time we were doing it, we were the first. And it was quite controversial – there were a lot of lawsuits. We eventually sort of recast that idea so instead of doing that kind of reputation work for email, we did it for domain names,” he says.
On the issue of security threats to ordinary consumers, Vixie agrees that they can come from the almost unlimited number of devices that people can now connect to the internet in their homes, their offices and their cars through the Internet of things.
“I call it ‘shiny object syndrome’,” he says.
“We are barely evolved monkeys, and everyone who has descended from monkeys is likely to be fascinated by a shiny object. But this thing where we are willing to trade off safety for convenience did not used to be true.”
He recalls a recent advertisement in the US for a pick-up truck that has Amazon’s Alexa voice-activated assistant built into the dashboard, and suggests people do not understand the implications of just how their data is processed downstream.
“That for me would be a reason not to buy that truck. Because I used to be a programmer, I know how many defects remain after you’ve found and fixed everything you can, and even if I didn’t have to worry about Amazon’s intentions, I would worry about everything else that’s going on there,” he says.
“The problem with that truck is not, strictly speaking, Alexa. The problem is the nut behind the steering wheel. We need to get that person to understand something they won’t – and they can’t. So we live in a world where a lot of people are going to make pretty bad choices and then they and their lack of privacy will become a threat to us even if we don’t participate,” Vixie says.
“That’s the way it’s going to be with technology. We’re going to be ruled by the masses.”
He says he believes technology “decades ago” outstripped the average person’s ability to understand its implications.
“When it comes to something like genetics, or something like Big Data, big data analytics, de-anonymisation, there is no hope that [the average person] could possibly give informed consent about how their DNA is used. They can’t.”
He is not therefore sure where the balance lies when it comes to enabling research in such areas, he suggests.
GDPR is in my opinion a well-structured law. Some thought went into making sure that it had teeth
“ Does [it] lead to nanny-stateism where the rest of us think we can make the decision for them in the form of a law? That may not be the right answer, or it may be the right answer. I’m not sure how we are going to reason about this.”
Vixie also says he is “somewhat unique” in Silicon Valley in believing that the EU’s General Data Protection Regulation (GDPR) is a good law and not the “death by regulation” of which others complain.
“GDPR is in my opinion a well-structured law. Some thought went into making sure that it had teeth, making sure that if you tried to evade it in this way then you end up running into this other provision. And so that shows that some political experience went into its drafting,” he says.
“I think it’s interesting right now [that] the first generation of knee-jerk reaction to GDPR among the American tech companies is to try to evade the intent of the law.”
Change in behaviour
Asked about the future of regulation for multinationals such as Facebook and Google and whether it will require the co-operation, for example, of data protection authorities and consumer protection bodies, Vixie points out that previous antitrust actions have shown that regulators can prove there is monopolistic behaviour in a certain area, but this hasn't always forced a change in behaviour.
Noting the recent €50 million fine levied against Google by the French data protection authority the CNIL, he adds: “I don’t think $57 million is going to change Google’s point of view at all – but 4 per cent of their revenue would. So we’ll see. There are going to be a lot more issues – this is really just the tip of an iceberg.”
He suggests there are “ebbs and flows” in terms of how much power a regulator will have, which will also sometimes depend on the economic circumstances and what the “political fads” of the day are.
“I’ve seen evidence of over-regulation; I think right now we are seeing evidence of late regulation – I don’t know if it’s under, exactly.”
Vixie says Farsight’s database of DNS records do not involve collecting personal data – although it’s worth noting the definition of what does constitute personal data has been held in EU law to be exceptionally broad.
He says the company made two commitments early on: that it would not collect personally identifiable information and that it was not in the “good-versus-evil reputation feed business”.
Child abuse material
This, he understands, could be a “little frustrating” for someone in law enforcement who wants to figure out if a particular domain name was used to host something such as child abuse material.
His system cannot identify the owner, he says.
We're on the slippery slope toward losing the fundamental freedoms that in the West, in general, were inviolate
“I don’t know. I never had the data in order to delete it – I never collected it in the first place. If you ask me why not, it’s not because I like online child abuse materials, it’s because I needed to build the biggest network I could. I can’t do that if everybody knows I have a record of what everybody did. That’s a choice.”
Drawing on an analogy from Prof Shoshana Zuboff's new book The Age of Surveillance Capitalism, he likens the current challenge to tame Big Data to the fight against Big Tobacco.
“America had its day of reckoning with Big Tobacco and we’re going to have to have it now with Big Data. I don’t love that we’re having this problem but I do love that everybody finally wants to talk about it, because it’s been clear for a long time that we’re on the slippery slope toward losing the fundamental freedoms that in the West, in general, were inviolate.”