The Dope Cycle and the Two Minutes Hate

[Updated with extra links at the bottom.]

There’s a cycle that happens as you engage on the internet. You post something, and wait, hoping, for the likes, the favorites, the shares, the kind comments to come in. You hit reload incessantly even though the site doesn’t need it, hoping to get that hit that jolt even a little sooner. That dopamine release.

A Vicious cycle of pain, cravings, more drugs, and guilt

Site designers refer to this by benign names, like engagement or gamification and it doesn’t just happen on “social media” sites like Twitter or Instagram. It is fundamental to the structure of LinkedIn, of Medium, StackExchange, of Flickr. We are told how popular are the things we observe, and we are told to want that popularity. Excuse me, I mean that influence. That reach. And that brings me to the point of today’s post: seven tips to increase your social media impactfulness. Just kidding.

Not kidding: even when you know you’re being manipulated into wanting it, you want it. And you are being manipulated, make no mistake. Site designers are working to make your use of their site as pleasurable as possible, as emotionally engaging as possible. They’re caught up in a Red Queen Race, where they must engage faster and faster just to stay in place. And when you’re in such a race, it helps to steal as much as you can from millions of years of evolution. [Edit: I should add that this is not a moral judgement on the companies or the people, but rather an observation on what they must do to survive.] That’s dopamine, that’s adrenaline, that’s every hormone that’s been covered in Popular Psychology. It’s a dope cycle, and you can read that in every sense of the word dope.

This wanting is not innocent or harmless. Outrage, generating a stronger response,
wins. Sexy, generating a stronger response, wins. Cuteness, in the forms of awwws, wins. We are awash in messages crafted to generate strong emotion. More, we are awash in messages crafter to generate stronger emotion than the preceding or following message. This is not new. What is new is that the analytic tools available to its creators are so strong that the Red Queen Race is accelerating (by the way, that’s bait for outraged readers to insist I misunderstand the Red Queen Race, generating views for this post). The tools of 20th century outrage are crude and ineffective. Today’s outrage cycle over the House cancelling its cancellation of its ethics office is over, replaced by outrage over … well, it’s not year clear what will replace it, but expect it to be replaced.

When Orwell wrote of the Two Minutes Hate, he wrote:

The horrible thing about the Two Minutes Hate was not that one was obliged to act a part, but that it was impossible to avoid joining in. Within thirty seconds any pretense was always unnecessary. A hideous ecstasy of fear and vindictiveness, a desire to kill, to torture, to smash faces in with a sledge hammer, seemed to flow through the whole group of people like an electric current, turning one even against one’s will into a grimacing, screaming lunatic. And yet the rage that one felt was an abstract, undirected emotion which could be switched from one object to another like the flame of a blowlamp.

I am reminded of Hoder’s article, “The Web We Have to Save” (4.4K hearts, 165 balloons, and no easy way to see on Medium how many sites link to it). Also of related interest is Good-bye to All That Twitter and “Seattle author Lindy West leaves Twitter, calls it unusable for ‘anyone but trolls, robots and dictators’” but I don’t think Twitter, per se, is the problem. Twitter has a number of aspects which make trolling (especially around gender and race issues, but not limited to them) especially emotionally challenging. Those are likely closely tied to the anticipation of positivity in “mentions”, fulfilled by hate. But the issues are made worse by site design that successfully increases engagement.

I don’t know what to do with this observation. I have tried to reduce use of sites that use the structures of engagement: removing them from my reading in the morning, taking their apps off my phone. But I find myself typing their URLs when I’m task switching. I am reluctant to orient around addiction, as it drags with it a great deal of baggage around free will and ineffective regulation.

But removing myself from Twitter doesn’t really address the problem of the two minutes hate, nor of the red queen race of dope cycles. I’d love to hear your thoughts on what to do about them.


[Update: Related, “Hacking the Attention Economy,” by danah boyd.]

[Update (8 Feb): Hunter Walk writes “Why Many Companies Mistakingly Think Trolls & Harassment Are Good for Business,” and I’d missed Tim Wu writing on “The Attention Merchants.”]

Gamifying Driving

P90115441 highRes 640x419

…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range and in less than 1.2 seconds. Super-slick gear changes prompt a “Perfect change up” message on the on-board monitor, while a “Breathtaking U-turn” and a masterful touch with the anchors (“Well-balanced braking”) are similarly recognised with top marks and positive, MINI-style feedback.

For more, see “MINI Connected Adds Driving Excitement Analyser.”

Now, driving is the most dangerous thing most of us do on a regular basis. Most Americans don’t get any supplemental driving instruction after they turn 17. So maybe there’s actually something to be said for a system that incents people to drive better.

I can’t see any possible issues with a game pushing people towards things that are undesirable in the real world. I mean, I’m sure that before suggesting a U-turn, the game will use the car’s adaptive cruise control radar to see what’s around, even if the car doesn’t have one.

Now Available: Control Alt Hack!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route.

Control-alt-hack.jpg

From the website:

Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve Jackson Games (Munchkin and GURPS).

Age: 14+ years
Players: 3-6
Game Time: Approximately 1 hour

You and your fellow players work for Hackers, Inc.: a small, elite computer security company of ethical (a.k.a., white hat) hackers who perform security audits and provide consultation services. Their motto? “You Pay Us to Hack You.”

Your job is centered around Missions – tasks that require you to apply your hacker skills (and a bit of luck) in order to succeed. Use your Social Engineering and Network Ninja skills to break the Pacific Northwest’s power grid, or apply a bit of Hardware Hacking and Software Wizardry to convert your robotic vacuum cleaner into an interactive pet toy…no two jobs are the same. So pick up the dice, and get hacking!

Some Chaotic Thoughts on Healthcare

Passage of this bill is too big for my little brain, and therefore I’ll share some small comments. I’m going to leave out the many anecdotes which orient me around stupid red tape conflicts in the US, how much better my health care was in Canada (and how some Canadian friends flew to the US for optional procedures), etc.

I am glad that some of the worst elements of the American health care system are getting reined in. I can think of few worse ways to accomplish that goal, and many better ones. People thinking as I do are why the system perpetuated in the form that it did.

I am pessimistic that the system proposed will achieve its broader goals. The Massachusetts model is cumbersome and ineffective. Optimistic ideas about how prices would fall in a regulated market did not come to pass. The likely next step is a government run health system with supplemental insurance available. I expect this will come to pass in 10-20 years. Medicare seems reasonably well run for an American government program.

The Republican failure to push a coherent and principled alternative will haunt them. Going into the next election cycles, 32 million people will have some idea that the Democrats gave them bread and circuses health care. David Frum describes it as a Waterloo. I’m hopeful but not optimistic that the Tea Bagger Party will follow in the tradition of the Know Nothings and just fade away. I used to be hopeful that the Libertarians would split from the Republicans, but they’ve failed to. I would not be surprised to see the Republican minority shrink in 2010 and 2012, and I think some (but not all) of the shrillness I hear is people who fear that outcome is now inevitable.

I do expect that removing the health care impediment to entrepreneurship will be very positive for smaller companies. I wish we’d apply that same thinking to health care, enable people to make choices for themselves, and let the government own the residual risks, as it does today. But no one offered a credible way to un-couple employment and insurance that would let people keep their doctors, short of nationalization.

Anyway, there’s my negative 8 cents on the bill.

Please keep comments civil.

A sociologist reads a Twitter feed

So, Adam retweets a hysterical reference to a viral email about an absolute genius of a Xmas light display made to look like an accident with a ladder, and the hapless homeowner left hanging from the gutter of his house.
The email explains that the display was taken down after two days in large part because so many people were stopping to help, in some cases at risk to themselves.
After pausing a moment to reflect on the evil genius behind this idea, I immediately wondered how the willingness of passers-by to assist might vary according to the amount of traffic on the road passing the house. The notion, exemplified in the infamous Kitty Genovese murder, is that the willingness of people to “get involved” decreases as the (individually-perceived) number of possible interveners increases. If a passer-by knew the route was well-travelled, she would (so one theoretical formulation goes) be less likely to stop, whereas on an infrequently-used byway, she would be more likely to assist. (I later realized that the “cul-de-sac”scenario is more complex, in that drivers/walkers on such a road are much more likely to (think they) know the victim AND to think that their action or inaction will become known by others).
After having these thoughts, I was left chuckling at myself. Would most sane people have analyzed a prank in these terms? Maybe it was because I was reading Luce and Raiffa before breakfast…

Poker Faced?

poker-cheat.jpgIn “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best online players in the world by being “hyperaggro:”

About a week later I was sitting at tables without any action when Isildur showed up at one of my 25/50 NL tables. I was bored and willing to play anything, so when he offered to play 6 tables (although usually I max out at 4), I decided to take him up on his offer and play a serious NLHE HU match for the first time in a long while. As the match progressed, all of what I’d heard about him being hyperaggro and barrelly checked out, but as I watched the lines he took to bluff, valuebet, and the way he reacted to my betting patterns, he seemed uncannily perceptive. Nevertheless, within the first hour or so I had won about 30k and was feeling pretty confident. He sat out on all of the tables and I assumed that the match was over and was about to check out. But about a minute later he said “brb,” and so I decided to wait for him and continue the match.

One idea, seems obvious to me, is that Isildur is collaborating with the servers to know what everyone’s cards are. Maybe the server operators are involved, maybe not.

Either way, the post is an entertaining read.

Untitled photo by allfangs and elbows

Regulations, Risk and the Meltdown

There are obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we should bang out the best deal we can before the rest of the banks in the US come falling like dominos. As Bagehot said, no bank can withstand a crisis of confidence in its ability to settle. I think that knowing how distasteful and expensive it is, and with far better things to do with the $5,000 or so it will personally cost me as a taxpayer. (That $2,300 figure is per person.) I also think that knowing how poorly this administration has done in handling crisis from 9/11 to Katrina, and how poorly it does when forced to act in a moment of crisis. (Sandy Levinson has some interesting comments at “A further Schmittian (and constitutional?) moment.”) Finally, we are not bailing out the banks at the cost of a free market in banking. We gave up on a free market in banking in 1913 or so, after J.P. Morgan (not his eponymous bank) intervened to fix the crises of 1895 and 1907.

What I did want to look at was the phrase “more regulation,” and relate it a little to information security and risk management.

US banks are already intensely regulated under an alphabet soup of laws like SOX, GLB, USA PATRIOT and BSA. They’re subject to a slew of additional contractual obligations under things like PCI-DSS and BASEL rules on capital. And that’s leaving out the operational sand which goes by the name AML.

In fact, the alphabet soup has gotten so thick that there’s an acronym for the acronyms: GRC, or Governance, Risk and Compliance. Note that two of those three aren’t about security at all: they’re about process and laws. In the executive suite, it makes perfect sense to start security with those governance and compliance risks which put the firm or its leaders at risk.

There’s only so much budget for such things. After all, every dollar you spend on GRC and security is one that you don’t return to your shareholders or take home as a bonus. And measuring the value of that spending is notoriously hard, because we don’t share data about what happens.

Just saying that measurement is hard is easy. It’s a cop out. I have (macro-scale) evidence as to how well it all works:

  • Bear Stearns
  • Fannie Mae
  • Freddie Mac
  • Lehman Borthers
  • AIG
  • Washington Mutual
  • Wachovia
  • (Reserved)

I have a theory: in competition for budget within GRC, Governance and Compliance won. They had better micro-scale evidence as to their value, and that budget was funded before Risk was allowed to think deeply about risks.

There’s obviously immediate staunching to be done, but as we come out of that phase and start thinking about what regulatory framework to build, we need to think about how to align the interests of bankers and society.

If you’d like more on these aspects, I enjoyed Bob Blakley’s “Wall Street’s Governance and Risk Management Crisis” and
Nick Leeson, “The Escape of the Bankrupt” (via Not Bad for a Cubicle. Thurston points out the irony of being lectured by Nick “Wanna buy Barings?” Leeson.)

I’m not representing my co-author Andrew in any of this, but at least as I write this, his institution remains solvent.

Write Keyloggers Professionally!

keylogger.jpg

GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger.

Here are the project requirements:

We need a keylogger that can be installed remotely.

Description:
The main purpose is that the user A can send an email with a program to install (example: a game or a funny program) to the person B. When the person B install the program on his computer, he is installing at the same time an invisible keylogger on his computer. Then the person A is receiving the report by email of every keystrokes that the person B is doing on his computer.

They only want to pay $250 to $750, which seems fair given that the requirements don’t include undetectability. For that low a contract price, it seems only fair to give the victim a fighting chance.

Photo “Keylogger 1.0 Beta” by soulrift.

I'm Certifiably Wrong

So there’s some great discussion going on in the comments to “Certifiably Silly,” and I’d urge you to read them all. I wanted to respond to several, and I’ll start with Frank Hecker:

Could we take the cost issue out of this equation please … [Adam: I’m willing to set it aside, because the conversation has spiraled.]

The real questions as I see it are

1) Leaving aside the issue of cost, what are the pros and cons of introducing self-signed certificates into the current browser model of SSL?

2) If the advantages of introducing self-signed certificates into this model outweigh the disadvantages, what is the best approach (from a technical and user experience perspective) to introduce self-signed certificates into the current SSL model?

3) If there is a good technical/UX approach to introduce self-signed certificates into the current SSL model, what is the likelihood of such an approach being adopted on a universal basis (i.e., by all browser vendors), and how might this be made more likely?

I’d argue that these are the wrong questions: the real questions underlying our disagreement are probably “do certification authorities do what they’re purported to do, and (if we agree they don’t), what do we do about it?”

I think we do two things: One, we stop investing so much in them, and second, we investigate the heck out of the alternatives, including persistence and organizational CAs, including CAs run by groups like the American Bankers Association. These are both in direct contradiction of the CA business model, and so they’ve been stillborn.

I’m not going to claim that either will have better user experience than the current SSL model, and that’s a low bar.

So I’m wrong, the issue isn’t really self-signed certs, it’s the CA model.

There were another points raised, by both Frank and Andy Steingruebl about my bookmark model, which is that it breaks PayPal. There are two ways to read this model: One is “always use bookmarks.” the other is “never click on a link in email.” I intended the first, the second is unclear, given the prevalence of webmail. Perhaps we could address this by having merchants send transactions to PayPal, and then if I choose to login via a bookmark, I get a list of pending activity.

The final point that Andy raised is organizations with lots of web sites. A reasonable point, and one I’m not sure how to address. Part of how I’d address it is that most of us don’t see all of those brands. I would be happy to see some of the brand profusion go away, which of course, doesn’t mean it would happen. (I consulted for a bank for several years, I can’t keep track of all the brands that they present around my retirement accounts.) If I can’t keep track of them when they’re ‘not’ security critical, I surely can’t keep track when they are, and it is unreasonable to expect me to.