Archives for category: Media

There’s been a lot of talk in the media recently about governments requiring technology companies to provide “keys” to any encryption they use. This is a really bad idea. Here’s why:

To start, let’s all imagine we can agree that:

  • Bad guys exist
  • Bad guys use encryption to hide what they’re doing
  • It’s law enforcement’s (we’ll call them The Government) job to catch and prosecute the bad guys
  • We want law enforcement to catch and prosecute the bad guys

[Those assumptions don’t hold for everyone, but I think they’re a reasonable starting point for most of us, so that’s what I’ll use.]

So, The Government says, “Encryption is making it harder for us to do our job, so we must stop people using encryption.”

And people respond, “Hang on… we need encryption so we can safely buy things on the internet without people stealing our credit card details, and, well, just for our own privacy.”

Then The Government responds, “Ok, you can have some encryption for banking and so on, but we need to be able to decrypt your the Bad Guys’ communications, otherwise we’ll all be killed.”

This sounds reasonable to some [a lot?] of people because, even if you realise that “we’ll all be killed” is over-the-top hyperbole, we still want The Government to catch and prosecute the bad guys.

But let’s think this through.

I’ll write this next bit with the US government playing the role of The Government (even though I’m not American, nor living in the US), mainly because it’s easy for people in other countries to relate to, and the US’s decision will affect a lot more people throughout the world than a similar decision by, say, Australia.

In this scenario, the US government are The Good Guys, and their motives are pure. [Use your imagination, if you have to!] They’ve passed a law compelling US tech companies to provide a way to decrypt their users’ private information.

Some Bad Guys plan to do some Bad Stuff, and the Good Guys find out and need to get access to the Bad Guys’ emails so they can find them and prosecute them. So the Good Guys go to a tech company and say, “We need you to provide the unencrypted version of these people’s information because they are bad people. Here, we’ve got a warrant from a court.” [Yes, I know that last part is really stretching your imagination, but bear with me. I’m trying to show that even when the Good Guys do only good, handing over the keys is bad.]

And, because the tech company has a way to decrypt any of their customers’ information, they comply. And the Bad Guys get prosecuted and everyone lives happily ever after.

Yay! The system works! USA, USA!

So far, so good.

But then another government—one of the USA’s major allies, let’s say the UK—comes to the tech company and they say, “We found out about some Bad Guys too. Our friend and ally, the USA, told us that you are able to decrypt people’s information. We need you to provide the unencrypted information because they are bad people. Here, we’ve got a warrant from a court.”

What now? Well, they’re an ally, and a “nice country”; they’re one of the Good Guys too, so why not comply. And more Bad Guys are prosecuted and everyone lives happily ever after.

And then another government—one of the countries the USA is not so close to, let’s say China—comes to the tech company and they say, “We found out about some Bad Guys too. We’ve read that you are able to decrypt people’s information. We need you to provide the unencrypted contents of these people’s information because they are bad people. You don’t really have a choice, because it’s the law, but we know you’d like to help us voluntarily because you do a lot of business here.”

Hmmm, this is starting to get a bit… awkward for the tech company now. Firstly, they know that their own government, the USA, is not going to be happy with China getting access to people’s information. And the Chinese definition of “Bad Guys” aren’t necessarily bad guys in America’s eyes. Plus, in this scenario, at least, they’re not using a court warrant to get access to the people’s information; they’re using a combination of legislation and coercion. But what can the tech company do? They’re a legitimate government, asking for the exact same thing that other governments have asked for, and been given. They don’t really have a choice, so they comply. And more “Bad Guys” are arrested, and they are put on trial and then shot.


And then another government—this one is formally at war with the US, North Korea [there’s been an armistice between the two countries since 1953, but they’re officially still at war]—comes and says, “We are the legal government in North Korea, and some people have been using your service to do bad things to our peace-loving, beautiful country. We must stop these Bad People, and we need you to decrypt their information.”

Now, the tech company doesn’t want to help and, fortunately, this time they’ve got a really good excuse: “We’re sorry, but our country is at war with yours, and we’re prohibited from providing you with the keys you’ve asked for.” So that’s the end of that!

Ah, no.

For brevity, I’ve not mentioned all the other countries repeatedly asking for (demanding?) decryption keys from the tech company. Everyone knows that it’s possible to get the communications decrypted, and the keys to do so have been passed on to lots of different governments and levels of government, always for good, legitimate reasons. Now the secrets aren’t so secret. So, although North Korea can’t get the keys directly from the tech company, they can probably still get them. And they do. And the “Bad Guys” are rounded up, and are never seen again.

Nobody cheers this time.

There are around 200 countries in the world; all can claim to be a legitimate government and can legally request and/or compel companies that do business in their jurisdiction to hand over encryption keys to help them catch “the Bad Guys.” This is the thing to remember: there are more countries in the world that are not your country, and there are more people in the world who are not your citizens. And not all these countries get on with your country and, even among allies, there will be differences of opinion about who “the Bad Guys” are.

If there are decryption keys, or backdoors, there’s a near certainty that they will be used by a government in a manner that you don’t agree with. At some stage, someone you think of as a “Good Guy” will be called a “Bad Guy” by a government, and they will have the power to compel/coerce/threaten a tech company to hand over keys and/or decrypted contents of communications. It may not be by your government—at least, not this time—but there’s 200 other governments out there too.

In all this discussion, we’ve assumed that the countries are asking for specific keys for specific individuals. What is more likely is that they’ll just say, “Hand over all the keys, and any new ones you create.” And we haven’t even mentioned quasi-states like ISIS, nor criminal organisations that can afford to buy/bribe/steal encryption keys. Nor hackers breaking into the increasing number of organisations that have keys for this tech company’s customers’ information. Nor have we mentioned people who have legitimate access to the keys using them for personal purposes. Almost nobody will try to brute-force break the encryption; it’s so much easier and cheaper to buy/bribe/steal them.

The only way to prevent this is for the tech companies to not have keys they can hand over, and no way to decrypt people’s communications. This is what some companies have already implemented. It’s call end-to-end encryption and it’s used by Apple in FaceTime and iMessage, WhatsApp, Snapchat, and Line. [There are probably others too.]

But it’s not used by Gmail (although Google is looking at implementing it) nor Skype nor Facebook Messenger.

But what about the Bad Guys? They’ll literally get away with murder!

Firstly, there aren’t that many Bad Guys. But there are billions of us Good Guys.

Secondly, law enforcement has for millennia tracked down and prosecuted Bad Guys without having access to every conversation that the Bad Guys had. They can continue to do so. They won’t literally get away with murder, (at least, not at a rate greater than they already do).

I don’t think anyone would class me as a Bad Guy; I’m not a criminal and don’t have anything to hide. But I don’t want someone from The Government reading my emails or texts; I don’t want some criminal in another country accessing my bank accounts; I don’t want some creep drooling over pictures of my 2-year-old niece that my sister sends me. All of that needs to be protected by simple end-to-end encryption, without backdoors.

If you have the keys to decrypt private information, you take away the privacy. The keys will be used by people they were never intended for, and they’ll be used in ways you don’t like.

Governments requiring technology companies to provide keys to any encryption they use is a Really Bad Idea™.


I saw a recent article about carriers in Europe planning to block ads, which has prompted me to write this blog post. I’ve been thinking about advertising for quite a few years now, and I want to get this down.

The players

To start, I want to be clear about who the players are when I’m talking about them:


Advertisers are people/business with a product to sell.

They may also want to build up brand awareness, in order to induce future sales.

Ad Networks

These are the Googles of the world, but also some Mad Men-style advertising companies. There are the companies that can get and advertiser’s ad published in multiple sites by publishers.


Publishers produce the thing where the ad will be viewed. It could be a billboard, newspaper, magazine, blog, web site, game, app, TV show, cinema, etc.


I use the term “viewers” as a catch-all to mean viewers, readers, listeners, etc. It’s us, normal people, the people economists refer to as “consumers” but whom I normally refer to as “people.”

What about me?

I’m just a guy. I have no background in advertising.

I have been an advertiser; I’ve made products that I wanted to sell, and had brands I wanted people to know about. So I’ve advertised. And I can honestly say, I’m not that good at it.

I have never worked for an ad network, and I’ve never really dealt with one.

I’ve had the opportunity to be a publisher, but I chose not to be one. I’ve made apps, and one of the ways to get paid for your app is by publishing ads. However, this business model didn’t really fit with any of the apps that I’ve made, so I’ve never chosen to go this route.

And all my life, I’ve been surrounded by ads: on TV, in newspapers and magazines, on the web, in apps, along the side of roads as I drive alone, on the sides of buildings as I walk past; everywhere, always, advertisers have wanted me to look at their ads.

As part of deciding whether or not to include ads in my apps, I spent a lot of time thinking about ads and how they work. I came up with my own taxonomy of the various types of ads there are, and what they’re useful for.

Who tells who what?


The Truth

Viewers don’t want to see ads!

Note that the publishers never say to the viewers, “Come and view our ads!” and the viewers never say to the publishers, “I really want to see the ads you’re showing!”

The most common kind of extension installed in web browsers is an ad blocker.

Content ain’t king

Although all publishers say that they just want viewers to see their content, when push comes to shove, many publishers really just want them to see the ads. They will cover the content with pop-overs or full-screen ads or force viewers to sit through an unwanted ad to get to the content.

Most ads don’t work

Normally the word “most” means “more than 50%.” We need a new word that means “the overwhelming majority.”[1] Because ad click-through rates—the industry’s preferred metric for measuring whether an on-line ad has “worked”—are nowhere near 50%. They’re not near 5%, nor even 1%. In the USA, according to Rich Media Gallery, the rate is 0.081%! That’s less than 1 click for every 1,200 ads.

This article talks about so-called “native advertising”—ads that look like content—and says that “they work” because viewers see them. But that’s not what ads are for; ads are there to get people to buy things. What they mean by “they work” is that the publisher gets paid, not that more people buy the advertised product.

It’s not my job to make your business model work

Ben Thomson[2] has recently been making the argument (which is fairly common around the internet) that using ad-blockers is morally wrong, and that “the appropriate way to avoid advertisements is to not visit the sites that host them.”

I disagree. I think that, given the discussions in Who tells who what? above, viewers are quite entitled to take publishers at their word, and focus their attention only on the content.

Another common argument goes that, the only way publishers can monetise[3] their site/channel/newspaper/magazine/whatever through advertising.

My response is, it’s not my job, nor anyone else’s[4], to make your business model work.

Where this is all heading

I wish I knew!

You might have the impression from the above that I’m against advertising altogether. I’m not.

I’ve been an advertiser; I know what it’s like to have a product, and you want people to know about your product because it could really make their lives better, or solve a problem for them. I know what it’s like to want people to know who you are, and what your product is, so that, next time they’re looking to buy something similar, they’ll think of you. Advertising solves these problems.

They’re legitimate and reasonable desires for any business. And it’s legitimate and reasonable to go to professionals and have do this for you, just as businesses go to accountants and lawyers (and other outsourcers) to do their jobs, so the business can focus on its own products and competencies.

All of this, though, is solving a problem for the advertiser; it’s not solving a problem that the potential buyers of this product have. Sure, if they knew about it, they could buy it and be better off, but most of them are happy enough not knowing about the business or its products. So they’re not asking to be better informed. They don’t want to see these ads!

But I do think the industry—the ad networks and the publishers—are doing a really poor job.

Ad networks need to help businesses decide what kind of advertising they should do: if they’re looking for sales, focus on what I call “Yellow Pages”-type ads; to build brands, do more “Coca-Cola”-style ads.

What I think will happen

We’re already seeing some of this. People are moving away from ad-infested content. We see this with TV, where there was movement to TIVO and other DVRs, and now the move to internet-based TV, and the rise of non-ad-supported TV from Netflix, HBO and others. Newspapers and magazines, both printed and on-line, are losing readers.

When it comes to shopping, people in “buying mode” are moving to apps, especially comparison apps for each segment (e.g. Amazon, app, etc) where you can compare and, importantly, actually buy your choice directly and immediately. I think businesses with products to sell would be well advised to ensure that their product(s) are available for comparison and purchase in the appropriate apps for their industry. Having your own app to sell your product is probably not as important as being in the apps that people are using when they’re looking for your kind of product.

For businesses that want to “build brand recognition” (which, despite its slightly wanky connotations, is actually a useful way to increase sales), I suspect that product placement will become an important part of brand advertising. Celebrity endorsement—celebrities actually being seen to actually use the product/service in public, genuinely and repeatedly—will be another form of this.

Augmented Reality products seem like a technical solution that can provide this, and will probably be sold to advertisers as a solution, but—like all forms of this kind of advertising—people don’t actually want to see these ads, so they’ll probably look for ways to block them (or choose not to use the AR products).

An interesting alternative has been taken by Red Bull with their content creation arm, Red Bull Media House), which produces content aimed at a specific demographic, in which their product features prominently.

  1. Maybe there’s a German word we can borrow?  ↩

  2. I haven’t been able to find an appropriate link for this on Ben’s site, Stratechery, as most of the discussion has been in his subscriber-only emails, and on his podcast, Exponent, both of which I can thoroughly recommend.  ↩

  3. I hate the word “monetise!” (And, in case you’re wondering why I didn’t spell it “monetize,” it’s because I’m not American.)  ↩

  4. Except yours  ↩

I often hear the argument that only journalists from large organisations are capable of putting in the time and effort to research long stories (and this is the part where it is apparently mandatory to mention the Watergate investigation), and that bloggers don’t have the time, resources and skills to do this.

And then I look around and see what is actually produced by professional journalists and by bloggers.

While there is certainly a lot of vacuous crap produced by bloggers, it doesn’t seem to occur in any greater proportion than by professional journalists.

From this “analysis,” it appears that the basic thesis—that only journalists from large organisations are capable of putting in the time and effort to research long stories, and that bloggers don’t have the time, resources and skills to do this—gets it the wrong way around.

Instead of producing original stories, investigations and in-depth stories, the large media organisations employing professional journalists seem almost exclusively to output recycled stories from other outlets, or reprinted press releases.

Bloggers, on the other hand, were producing almost exclusively original stories, usually based on in-depth analysis which had taken multiple days to produce.

Of course, not all bloggers do this, and the large media organisations do, of course, still break stories based on their own in-depth investigation.

But the days of the large media organisations being the only source of in-depth, professional-quality and critical analysis are gone.

One thing to notice about the bloggers I follow: almost all of them do their writing as a “labour of love;” they have a “real job” to pay the bills, and their blog is something they write because it interests them, not because it is their primary source of income.