I enjoyed reading Prof. Cohen’s book. I found it interesting, illuminating, and challenging. Like some others who have commented, I would have been more pleased with the book if it had employed more simple, concrete examples of the concepts. Instead of trying to address the book as a whole, in this post I would like to tackle one chapter that particularly interested me: “Rethinking ‘Unauthorized Access.’”
First of all, one example of an instance in which a concrete example would have helped me to understand the concept: on pages 190-191, Cohen talks about borders in the geography of networked spaces. I had a hard time understanding what those borders are or might be.
More substantively: I liked her description of the relationship between situated user and network technology on page 201: “Everyday practice is the day-to-day process of negotiating the dialectical relationship between constraint and possibility.” One example that comes to mind — and which fits with much of Cohen’s discussion in the chapter — is my use of Microsoft Word’s auto-correct feature. When I come across a lengthy word or phrase that I anticipate using repeatedly over a period of time, I create a shorthand version of the word and add it to the software’s auto-correct. So when I type “jsd,” Word automatically changes it to “jurisdiction.” This translation of my shorthand is a form of unremarkable computing[1] — albeit, one that I control by entering the shorthand into the auto-correct feature.
Cohen notes two recognized problems with unremarkable computing: balancing ease-of-use with complexity-of-function, and security of personal information.[2] She then introduces a third issue: “[W]hat if users were to want access to the ways that the technologies of unremarkable computing work?”[3]
In my example, Word does provide me some access to the way that auto-correct works. I can enter new commands that alter the unremarkable computing. The feature comes with some pre-programmed settings, as well. For example, one that has proven particularly annoying when drafting legal documents is the automatic replacing of “(c)” with the copyright symbol, “©.” Again, Word provides the user access to the feature and allows the user to disable that command. So it provides an initial baseline of unremarkable computing — the set of pre-determined words that are included in auto-correct — and allows the individual user to shift that baseline. This might be a model for other kinds of unremarkable computing, but as Cohen notes, achieving the model requires examining the access regime to decide whether to give the user access to the technology’s inner workings, and if so, how much.
For example, my CTA Chicago Card Plus automatically debits my checking account when the card runs out of funds. When setting up the card I am allowed to set an amount to be withdrawn from the account: $10, $20, or $40. That provides some access to the technology, but should it provide more? During the summer, I was using CTA every day, so it made sense to withdraw the maximum possible so that I had fewer transactions. But now, I use CTA once per week, at most. So a smaller withdrawal would be my preference. What if the technology automatically adjusted to recent usage patterns and withdrew a corresponding amount? Or, more in line with Cohen’s argument, what if it notified me of the lack of funds and asked me to enter desired withdrawal amount every time? The transaction costs go up, but I have more access to the technology.
Now, this probably isn’t the type of access that Cohen is arguing for. One of the most compelling applications of unremarkable computing today is what Cohen calls the PDN — personal digital network.[4] It allows seamless authorization across a variety of technologies. The problem that I see with allowing users more access to network technology like this is that it gives them a roadmap for work-arounds, which compromises security. If I use my phone to authenticate all my devices, including garage-door opener, then a would-be thief can simply use his access to the technology to crack my authentication “code” and open my garage. Or if he’s merely a prankster, he can change the channel on my TV while I am watching it.
This tension between ease-of-use and security is reflected in Cohen’s statement on page 216:
“[T]he momentum toward regimes of authorization is so strong precisely because we are not driven to embrace them by coercion. Our relationship to these developments is ambivalent, driven in equal parts by fear and desire, and cemented by growing habituation. … The networked self in the age of authorization seeks safety, to be sure, but also the convenience that authentication and personalization bring.”
I found this insight illuminating and important, but I didn’t find any workable suggestions for resolving the tension or drawing a line. This all happens with law in the background — DRM technology is based on property rights conferred by copyright law, for example, and presumably the law should be ready to step in when private interests misuse unremarkable computing. But I would be interested to know more about how the law can help users and providers negotiate the rough waters of “unauthorized access.”
Comments