The Weakest Link is Motherboard's third annual theme week dedicated to the future of hacking and cybersecurity.
Justin Kosslyn leads product management at Jigsaw, a unit within Alphabet that builds technology to address global security challenges.
The internet’s lack of friction made it great, but now our devotion to minimizing friction is perhaps the internet’s weakest link for security. Friction—delays and hurdles to speed and growth—can be a win-win-win for users, companies, and security. It is time to abandon our groupthink bias against friction as a design principle.
Highways have speed limits and drugs require prescriptions—rules that limit how fast you can drive a vehicle or access a controlled substance—yet digital information moves limitlessly. The same design philosophy that accelerated the flow of correspondence, news, and commerce also accelerates the flow of phishing, ransomware, and disinformation.
In the old days, it took time and work to steal secrets, blackmail people, and meddle across borders. Then came the internet. From the beginning, it was designed as a frictionless communication platform across countries, companies, and computers. Reducing friction is generally considered a good thing: it saves time and effort, and in many genuine ways makes our world smaller. There are also often financial incentives: more engagement, more ads, more dollars.
But the internet’s lack of friction has been a boon to the dark side, too. Now, in a matter of hours, a “bad actor” can steal corporate secrets or use ransomware to blackmail thousands of people. Governments can influence foreign populations remotely and at relatively low cost. Malware, phishing, and disinformation all exploit high-velocity networks of computers and people.
It’s time to bring friction back. Friction buys time, and time reduces systemic risk. A disease cannot become an epidemic if patients are cured more quickly than the illness spreads.
Friction looks different across contexts. In the physical world, highways have speed limits to prevent catastrophic accidents, mortgages require inspections to prevent fraud, and certain jobs require background checks. In the digital world, there are a few ways of potentially adding friction to improve designs.
First, only urgent content should be fast. Most content is not urgent; not only does it not need a push notification, it could often be delayed and bundled with other similar content. Content that might contain phishing or malware could be delayed further so that algorithms can look for patterns in suspicious links or attachments.
Second, automated systems should not be able to scale without human approval. For example, a piece of software should not be able to penetrate more than 10 percent of a corporate intranet without its growth being paused and an IT admin explicitly approving any additional installations. This approach might have limited the impact of the NotPetya virus.
Third, favor local content. When news, social media, and even apps are recommended more based on a person’s geographic location than their abstract interests, it fundamentally changes the structure of information ecologies. One positive effect is to slow the spread of disinformation campaigns by requiring them to engage at many local levels, rather than as national or global phenomena.
In each case, friction will be rejected by users if it impedes their goals. However, it is possible for friction to be a win for everybody.
The internet is facing real challenges on many fronts. If we truly want to solve them, engineers, designers, and product architects could all benefit from the thoughtful application of friction. The philosophy of the internet has assumed that friction is always part of the problem, but often friction can be central to the solution.