Voices from the dashboard

All my life I've taken road trips, partly by natural inclination, partly by necessity.  It's a largely timeless experience.  Sure, the roads have improved (see the Grapevine Grade section of this page for a good example), the speed limits are higher, cars are faster and safer and there's not a lot of "local flavor" in most stopping points unless you actively seek it out, but for the most part road trips have been road trips since well before Kerouac.

One thing that has changed is the soundtrack, and not just because tastes in music have changed.  When I was a kid, any audio not provided by the car and its occupants came from the radio, and if you were on a long haul, it was the AM radio.  Keeping FM tuned in was and remains too much of a hassle.  An AM station, especially one of the "clear channel" stations (not to be confused with the media conglomerate) licensed to broadcast at high power, could be good for hours -- enough for a whole sports fixture, several runs through the news or all the whacked-out talk radio conspiracy theories you could eat.

The key feature here, particularly on a solo trip through, say, the desert southwest US, was the lack of choice.  You'd be doing well to have your pick of baseball, UFO speculation and the company of your own thoughts, and a hundred miles or so out of Albuquerque on a dark night with the game a blowout the UFO speculation starts sounding interesting and plausible.

By the time I was doing my own solo long hauls, cassette tape was an option, but a library of a few dozen albums can be limiting after a while -- and suppose you want to know what's going on in the world, or just let someone else handle the programming for a while?  The in-dash CD (briefly supplemented by a multi-disc changer in the trunk) increased one's options, but the same basic constraints applied.  Only with the advent of satellite radio was there little reason to tune in to local stations at all.

And now there's the web.  As long as you've got a smartphone, bars, a bit of cable and an aux input, you can listen to pretty much anything.  Stream your favorite home station.  Stream your favorite internet station.  Play your podcasts.  Dial up Pandora.  AM won't be completely disappearing anytime soon -- technologies written off as obsolete seldom do -- but the proportion of people who know or care must be steadily dwindling.  Likewise I'd rather not try to predict whether or when web audio will supplant satellite radio, but if I had to place long-term bets, I'd bet on the web.

It's hard to argue that having a huge palette of choices isn't progress of some sort, but there's something to be said for being drawn out of one's comfort zone because there's only one game in town.

In which a theorist discovers something unsettling, exhilarating or both

There seems to be a natural human compulsion to keep checking the soup to see if it's boiling, to check the weather, to check the latest sports scores and stock prices, to check for messages, and so on and so forth.  One of the less savory properties of the web is that it provides the means to indulge this compulsion to the nth degree.

I personally try to steer clear of this, which is the main reason I'm not on Facebook or Twitter (and not particularly active on Google+), but I'm certainly not immune. Are there any comments on Field Notes?  Has anyone read the latest brilliant post (there are at least three ways to check, each giving its own opinion)?  Anything new on the few sites I do follow?

Since I'm not on Facebook, I don't play Facebook games, but evidently a lot of people do.  Zynga's Farmville, for example, has over 80 million subscribers, still a small minority of the gazillion on Facebook, but a big number in most normal contexts.  This has irked traditional computer game creators, sucked up untold hours of human life, and intrigued computer gaming analyst/critic Ian Bogost.

Bogost noted that games like Farmville involve relatively little actual gameplay.  Rather, it's the social aspect that seems to dominate.  This is nothing new in gaming, but again the natural "I need to check what's going on" factor of the web in general and Facebook in particular acts to intensify this.  Bogost coined the term "Cow Clicker" to describe games like Farmville where the action seems to consist mainly in, for example, clicking on depictions of animals when various timers run out.

Unable to leave it at that, Bogost took the next logical step and created a Facebook game called Cow Clicker designed to distill the social gaming experience to its purest elements.  It goes like this:

• You have a picture of a cow on your page.
• You click on it.
• It does nearly nothing -- I think maybe it moos or otherwise makes a sound?
• You can't click again for six hours.

Yep.  That's my story and I'm sticking to it.

If you don't want to wait six hours, you could spend "mooney" -- Cow Clicker's own virtual currency -- to get the right to click sooner.  You could earn mooney by clicking on your cow, by having your friends click on feed stories about you clicking on your cow, or by paying a small amount of actual money.

People played this.  Not 80 million, but somewhere around 50,000, not too bad for a joke of a game with no marketing behind it.

Clearly the actual cow clicking is a MacGuffin.  No one cares much about it.  What people care about is whether their friends are also playing and clicking on their feed stories, thereby generating not just more mooney, but, crucially, another thing to check in on.

Bogost had mixed feelings about this.  Among other things, he found himself, despite his intentions, checking in on whether people were playing the game and what they wanted from it.

Naturally, people wanted upgrades.  They wanted their choice in cows.  Cowthulhu was a popular request.  Eventually Bogost put up an "app store" with a selection of cows, and (I gather) added another feature or two.  If you were really hardcore, you could pay $100 (or the equivalent in mooney from whatever source) for Bling Cow.  Why on earth would anyone do this?  Well, your friends would all know that you had splashed out for the Bling, and wouldn't they be envious?  Again, people actually did this.

Eventually, Bogost was unable to shake the feeling he'd created a monster, and so he brought about the Cowpocalypse.  At a preset time -- which players would hasten by actually playing the game but could defer by, yep, paying mooney -- the cattle would all be "raptured", leaving only the empty spaces on which they had once stood.  And so the Cowpocalypse eventually came to pass.

At this point, it may not come as a shock that people kept playing.  To recap: people were now paying (small amounts of) money for the privilege of clicking on an empty space and letting their friends know about it.

You couldn't ask for a better illustration that when economists talk about "rational consumers", they only mean people that behave as though there's some sort of "utility function", be it ever so screwy, that they're bent on maximizing.  "Rational" in the usual sense has got nothing to do with it.

If people were actually rational in the usual sense, Cow Clicker would never have happened, but of course they aren't.  We are, at a very basic level, social animals.  We want to know what other people are doing.  What in particular they're actually doing is often much less important to us than whom they're doing it with and the fact that we know this.  If the entirety of Facebook were pushing a button from time to time saying "I'm here", selecting people to notify of that and having the system tell people you're notifying know whom else you're notifying, it would not be outlandish to think people would still use it.

The cynic would say that that really is the essence of Facebook and "social networking" in general, but I wouldn't go quite that far.  I said above that what people are doing is often much less important than knowing it and knowing who knows, but that doesn't mean it's always more important.  Content can matter -- of course -- but it's worth noting that it doesn't always.

Yay! Yet another way to spam!

While buying something online today, I was presented with a popup asking me if I wanted to chat live with a representative about what looked like a loyalty program.  I went ahead and clicked, even though my spidey-sense told me not to.

PhineasTaylor is typing ... 

Hello there!  Thank you for taking a moment to chat with me about the wonderful opportunity of joining buyeverythingthroughus.com.  With buyeverythingthroughus.com, etc., etc.

OK, a little boilerplate to get things going.  Hang on though, there's more

PhineasTaylor is typing ...

Buyeverythingthroughus.com will improve your life in every possible way.  It will make you rich and famous.  It will cure dandruff and halitosis.  Children will love you.  Adults will want to be you.  Your friends will adore you.  Your enemies will envy you and then slink away in shame and fear, etc., etc.

Right ... anything else?

PhineasTaylor is typing ...

This P.T. person sure types a lot.

Buyeverythingthroughus.com will cure hunger.  It will bring about world peace and universal prosperity.  Yankees and Red Sox fans will embrace each other with love in their eyes [well, maybe it didn't go quite that far].

Since this is ostensibly a person typing, it's coming across slowly enough that there's plenty of time to go googling and find out that buyeverythingthroughus.com is about what you'd expect it is.

Knowing all that, what do you say to this exciting opportunity?

I said "No, thank you" and dismissed the chat window.  I couldn't help wondering, though, whether whoever coded this up had the chutzpah to submit a paper on an exciting new "intelligent agent".

Banking on web security

People do care about web security.  There are highly competent full-time professionals in the field.  There are conferences on the subject on a regular basis.  You'll see them in the press -- Experts Meet to Fix Security on the Web.

And yet, in large part because the problems to be solved are hard and involve significant non-techical factors, there is no shortage of things that could stand to be fixed.

• Authentication is a mess.  For the most part, we have passwords and security questions.  I've griped about this before, multiple times, and I'm sure I'll gripe about it again.
• Identity is a mess.  Everyone has scads and scads of identities -- logins here, there and everywhere. They can easily get confused ("That wasn't me, that was some other David Hull!").  There's no good way to say two random identities are or aren't the same.  I've griped and speculated about this before, too, and I expect I'll have more to say on that, too.
• Anonymity is problematic.  Everything you do on the web leaves traces, but unless you're paying extremely close attention you generally don't know exactly what kind, or whether they can be tied to your identity (whatever that is).
• Network infrastructure is scary.  Https with certificates is widely deployed, and most people probably at least know that some sites are "secured" and some aren't, but many fewer understand (or should need to understand) details like signatures, secure hashes and certificate authorities, or what can fail and what's less likely to.  Did I mention DNS?
• PCs are scary.  Viruses, rootkits, system crashes ... some platforms are better designed than others, but nothing's perfect.
• The cloud has its own problems.  Who owns what you put there?  Who's liable if data is lost or compromised?  Who can see what?  Who can see who sees what?
• Spam is a perennial problem, not helped by any of the above.

I could go on, but if it's so bad -- and it is -- how does it work at all?  People continue to be able to use credit cards both online and in person, people continue to email and text each other all sorts of sensitive information, people continue to turn to the web for all sorts of vital information.  Clearly Bad Things can happen to a person on the web, but just as clearly it's not bad enough often enough to put people off the web entirely.  Far from it.

My guess is that banks have a lot to do with it, at least in the US.  In particular

• Banks handle liability.  If someone steals your credit or debit card, whether physically or online, you can tell your bank and generally they will make sure you don't have to pay for things you didn't buy.  That's oversimplified, and there are certainly cases where that simple process has turned into a nightmare, but it's still a vital part of getting people to do business confidently online.
• Bank cards provide a de facto stable identity.  If you're buying something from my web site, I do care who you are (well, I would, and stores in general do seem to care what their customers are up to), but I certainly also care that your payment is going to go through.  To some extent I'm talking to you, but I'm also talking to your bank account.

On the first point, you're not responsible for keeping your bank accounts absolutely safe.  You're responsible for taking reasonable precautions, so that if someone does get hold of your account number and misuses it, they're clearly at fault (the usual "I'm not a lawyer" disclaimer applies here).  Putting the rest of the burden on the banks and legal system is a large part of what keeps the wheels turning.

On the second point, if I shop at store A and store B, it's important that my bank knows that those purchases both come out of my account, and I know that I'm the same person in both cases (at least on a good day).  It's less important that store A and store B know I'm the same person.  There may even be cases where I'd rather they didn't know.

In short, security and identity matter when money is at stake, in which case your accounts serve as your identity and you have legal protections that predate the web.

Security and identity also matter where reputation is at stake, that is in the social realm, be it email, social networks, Twitter or whatever.  The landscape is different there, but it's worth noting that most accounts and identities, including your bank accounts, don't play into that much.  If someone compromises my account at widgetco.com, they might be able to have a truckload of widgets sent to my address at my expense, but they won't be able to say embarrassing things about me on this blog.  Likewise if they compromise my bank account, though that would of course be bad for other reasons.

If you buy that, then you should make sure to use strong unique passwords and unique security questions for your bank accounts, your email accounts and your major social accounts, and use better security than that when it's available.  How much to worry about other accounts depends on how closely they're tied to the accounts that matter.  For example, if your city's online parking ticket paying site doesn't remember credit card numbers or your nefarious history of overparking, you probably don't care as much about security there.