Why You’ll Be Hacked One Day

Matthew McKeever
Dec 19, 2021

I’ve always been worried about being hacked. Or not so much worried: I simply assumed it was an inevitability that one day I’d wake up and find my email inaccessible, my bank account cleared out, and so on. When others told me of scams they’d encountered I would (hopefully only silently) react with the sort of resigned sadness appropriate for when the inevitable happens.

I’d long kind of thought this worry and outlook was mild paranoia, or an irrational fear. I don’t really follow cyber security, either in any technical sense or in the sense of reading newspaper articles about people being hacked. Most people I know haven’t been severely hacked; I certainly haven’t been the target of it sufficiently to warrant my attitude (someone cleared out a prepaid debit card once when I was in the US, and someone got access to my bank account and ordered lots of Justeat, but that’s it.)

But last night, just as I was going to sleep, I thought of what seems to me quite a solid argument for thinking that eventually I will be seriously hacked. It’s quite a cool argument, and involves quite foundational issues about security, service-providing, the value of information, and the economics of online existence, and so I thought I’d sketch my elaborated-on night-time thoughts.

Let me begin with a story to illustrate the point. Imagine a very simple, unmodern setup. You access your bank using just your email, a password, and an answer to some security questions. There’s one communications medium we all use. Call it Chat. We use Chat just to chat. Chat can be hacked, but it’s non-trivial. Maybe it requires some brute forcing of … something, I don’t know enough to fill in the details. Then this seems reasonable: the longer one uses Chat, the greater the chance you’ll reveal enough about yourself to enable a hacker to guess your password and security question for your bank. Eventually, you’ll end up talking about your first pet, or your favourite teacher, or whatever — you can only talk about the pandemic so much, after all.

Then this seems true:

Principle. The more data you put on Chat, the greater the chances are that among that data is your bank password and the answers to your security questions.

That seems plausible. Moreover, a hacker can estimate a dollar amount that it will take them to brute force access to your Chat account, call it $H, and a number $S that is the savings you have in the bank. For the hacker to make money, it has to be the case that $S-$H>0.

In order to decide whether to hack, they need to assess both how much they’d make if they succeed, which is to say the value of $S-$H, as well as the probability that they will succeed, which is to say the chance that among your Chat logs are the bank login details and password.

Now here’s the crucial fact. As you continue to use Chat, the probability of success for the hacker will always increase. You’ll always be adding new information, thus always increasing the chance that among that information is the login details and password. Call the outcome that the hacker successfully gets your bank log-in details by hacking O. So pr(O), the probability that O eventuates, increases in time. By contrast, we can assume that $S-$H, for most people, is mostly roughly constant.

We can consider the expected payoff decision-theoretically, at a given time, as pr(O)x($S-$H)+pr(~O)x(-$H). And this expected payoff will only increase in time, as you chat more, because chatting adds information, thus increases the chances that the information resulting from a hack will contain your bank details.

At a certain point, the expected payoff from hacking will be bigger than $H, the fixed cost of bruteforcing access to your chat logs, and at that time, you will be hacked. (I assume that the ‘market’ for hacking is sufficiently efficient that when such opportunities arise, they are taken.) The key thing is that the determinant of this is simply time — the longer you use Chat, the larger the expected payoff gets, until it becomes bigger than $H and a hacker will hack you.

Running through some examples might help. Imagine you’ve just started using Chat, and this is known. Then it’s very unlikely that among the Chat logs are your details. That means that pr(O) is very small, and pr(~O) very large, because that just represents how likely it is that your bank login info is among the Chat logs. Say pr(O) is 1%. Then even if the hacking software is only 50 (whatever currency, doesn’t matter), and your savings are 3000 (ditto), it still doesn’t make sense to hack, because

0.01*(3000-50)+0.99*(-50)=-20

Take a look at the below diagram for an intuitive way of looking at how the expected value of hacking will change over time. While obviously hyper-unrealistic, I think it gets at a solid underlying intuition: the more time we spend on the internet, the more data we give, the more valuable it becomes to hack us, and so we should assume that always, the chance we’re going to get hacked is bigger tomorrow than today, and that for a hacker we’ll eventually click over the inflection point in the graph where it becomes profitable for them to hack us.

Blue represents the change in the expected value of hacking with time, red the fixed cost of the hacking software/process. As time progresses, it becomes more rational to hack.

Perhaps, however, the above suffers from being so wildly simplified as to seem pointless in modelling the real world. I actually think we can make it a bit better. So, first, I assumed a very antiquated online banking system: nothing works like that these days, and we can rely on n-factor verification for important things. So in fact the chance of getting bank access from chat logs is zero for all of us.

That doesn’t mean, though, that the information that the system accretes about us from our day-to-day activities on it isn’t valuable. Another thing hackers can do is blackmail: they can get juicy personal information about us and threaten to reveal it if we don’t pay. And I think the same dynamics play out in the blackmail case: as time progresses, for any system, the chance that we reveal information that could be used to blackmail us increases, so the expected value of hacking us increases, so tomorrow we’re less safe than today. To me that seems like a pretty solid bit of a priori reasoning.

But its solidity should give us pause. Most of us in fact haven’t been disastrously hacked. Perhaps this fact reveals another simplification in the model. I assumed that the cost of hacking was fixed: I assumed it was 50 in whatever units we’re using for all time. But that’s empirically and theoretically wrong. Again, just think of multi-factor authentication: ubiquitous now, non-existent a decade or so ago. We’ve gotten better at protecting ourselves — we devote more money to security these days.

So a more realistic model would have the cost of hacking increase in time along with the probability of successfully getting actionable hacked information. I’m not smart enough to work out the formulas and graphs, but what it suggests to me is that we’re in an invisible arms race. Although our internet life may seem to be calm and untroubled, really the net is dark and full of terrors, and many hacking possibilities are not revealed to us because they’re being fought against by the banks, the email providers, and so on. Although I said we’ve gotten better at protecting ourselves, that’s not right. Others have got better at protecting us.
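Both versions of the model (fixed cost, then cost rising over time) can be worked through numerically. The following is an added example, not part of the original post: it uses the post's payoff formula and its figures of 3000 in savings and a cost of 50, while the per-day disclosure chance `q`, the compounding cost growth and all function names are assumptions made for illustration.

```python
# Added illustration of the essay's model; all parameter values are constructed.

def expected_value(p, savings, cost):
    """The essay's payoff: pr(O)*(S-H) + pr(~O)*(-H)."""
    return p * (savings - cost) + (1 - p) * (-cost)

def p_success(day, q):
    """Assumption: each day of chatting independently reveals the
    details with probability q, so pr(O) = 1 - (1-q)^day."""
    return 1 - (1 - q) ** day

def cost_on(day, h0, growth):
    """Assumption: the cost H compounds by `growth` per day as
    defenders invest; growth=0 is the essay's fixed-cost case."""
    return h0 * (1 + growth) ** day

def first_profitable_day(savings, h0, q, growth=0.0, horizon=3650):
    """First day the expected value is positive, or None within horizon."""
    for day in range(1, horizon + 1):
        ev = expected_value(p_success(day, q), savings, cost_on(day, h0, growth))
        if ev > 0:
            return day
    return None

if __name__ == "__main__":
    S, H0, Q = 3000, 50, 0.001  # S and H0 from the essay; Q is constructed
    print("essay's example:", round(expected_value(0.01, S, H0), 2))
    for g in (0.0, 0.01, 0.05):
        print(f"cost growth {g:.0%}/day ->", first_profitable_day(S, H0, Q, g))
```

With these constructed numbers the fixed-cost case breaks even on day 17, 1% daily cost growth delays that to day 21, and 5% daily growth means the break-even never arrives within the ten-year horizon.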

And if this is so, then we really need to hope that the non-hackers continue to win this invisible fight. And we need, in addition, to worry about the mere fact that it happens, that this is our reality. You, reader, presumably don’t carry out this fight. Your email account, which increases in hacker-value with each day, is protected at greater and greater cost (we infer that from silence: from the fact you haven’t yet been hacked). But you don’t bear that cost, and aren’t even really aware of it.

That’s a good thing to bear in mind. One of the great hopes of what people call web 3.0 is that it offers the possibility of getting away from the centralized services that sell your data. But perhaps that’s overly naïve. If indeed we can posit the invisible hacking war and assume that the belligerents on our side are provided by the big platforms, then maybe in selling our data we’re getting something in exchange for it, protection against a powerful enemy, who wants to use our stored information as a weapon in our online life.

A final twist of the screw. Imagine what I said above is true. In using a free commercial email, we get protected by them — it’s a big line item in their budget we don’t hear about, perhaps defrayed by the ads they serve us. But if that’s so, our safety online is contingent on the economics of adverts, and the particular platforms we choose to exist on. Personally, that doesn’t comfort me that much.

Imagine this apocalyptic scenario. Your life-long email stops being profitable. It has everything: your banking, your employment, your family, your dildo purchases, your favourite teacher’s surname. The hacking battle continues, but the provider no longer has the capacity to fight against the new attacks, the service moves into legacy mode, creaks, totters, and is duly hacked. This, it seems to me, is a possibility we can’t rule out.

I started off this post claiming I’d be hacked. But I think the eventual conclusion I’ve ended up with is a bit more general. The logic of existing on the internet suggests that I’ll eventually be hacked. If I am not eventually hacked, it’s because I’ve been protected. But if I have been protected, that protection is plausibly dependent on the economic workings of platform capitalism, and so my safety online, as secure as it can seem, is deeply contingent in a worrisome way.
