Why the Internet is Terrible

Saturday, the sixteenth of November, A.D. 2024

I just got done deleting ~30 bogus user accounts from my personal Gitea insteance. They all had reasonable-ish-sounding names, one empty repository, and profiles that looked like this. Note the exceedingly spammy link to a real site (still up as of writing) and the ad-copy bio.

Obviously this is just SEO spam. My Gitea instance got found by some automated system that noticed it had open registration,

1 The more fool I.
so it registered a bunch of bogus user accounts, added links to whatever sites it was trying to pump, added related text in the bio, and then sat back and waited for search engines to pick up on these new backlinks and improve the reputation of said sites, at least until the search engines catch on and downgrade the reputation of my Gitea instance.

This particular problem was easy enough to deal with: Just remove the offending users, and all their works, and all their empty promises. But it got me thinking about the general online dynamic that everybody online is out to get you.

The Internet is terrible, and everyone knows it

This isn’t a news, of course. People go around saying things like:

Here are the secret rules of the internet: five minutes after you open a web browser for the first time, a kid in Russia has your social security number. Did you sign up for something? A computer at the NSA now automatically tracks your physical location for the rest of your life. Sent an email? Your email address just went up on a billboard in Nigeria.

and everyone just smiles and nods, because that’s what they’ve experienced. I’ve encountered people who are highly reluctant to pay for anything online via credit card—they would much rather use the phone and give their credit card number to a real person who is presumably capable of stealing it, should they so desire—because the general terribleness of the internet has become so ingrained into their psyche that this feels like the better option, and you know what? I can’t even blame them.

Anyone who works on web applications for a living (or a hobby) is especially aware of this, because odds are that they’ve been burned by it already or at least are familiar with any number of existing examples. The very existence of sites like Have I Been Pwned is predicated on the inescapable terribleness the permeates every nook and cranny of the Internet.

Of course, people trying to take advantage of the careless and clueless isn’t a new phenomenon. The term “snake oil salesman” dates back to the 18th century and refers people who would go around selling literal snake oil

2 Probably not harvested from actual snakes, but they sure told people it was.
as a miracle cure, hair restorative, and whatever else. I’m fairly confident that as long as money has existed, there have been unscrupulous people making a living off of tricking it out of other people.

But something about the Internet makes it much more present, more in your face, than old-timey snake-oil salesmen. I’ve seen no hard numbers on this, and I don’t know how you would even begin to estimate it, but but I would guess that the incidence rate of this sort of thing is vastly higher online than it’s ever been in meatspace.

So what is it about the Internet that makes deception so much more prevalent? Ultimately, I think it boils down to three things: availability, automation, and anonymity. The Three A’s of Awfulness, if you will.

You’re in the bad part of town

Have you ever wondered why physical locks are so easy to pick? It takes some know-how, but from what I can tell, most commonly-sold locks can be bypassed within a minute. I’m just going to say it right here, and I don’t think this is a controversial take: For a web application that would be an unacceptably low level of security. If it took an attacker less than a minute to, say, gain administrative access to a web application, I’d consider it just this side of “completely unsecured”.

But! Meatspace is not the internet. The constraints are different. Over the lifetime of a given lock, the number of people who will ever be in a position to attempt to pick it is usually quite low, compared to the number of people who exist in the world. Of course, the circumstances matter a lot too: A lock in a big city is within striking distance of many more potential lock-pickers than the lock on a farm out in corn country somewhere, which is part of why people in cities are frequently much more concerned about keeping their doors locked than people in rural areas. And within a single city, people who live in the bad parts of town tend to worry more than people who don’t, etc.

But on the Internet, everyone is in the bad part of town all the time! That’s right, there’s nothing separating your podunk website from every aspiring journeyman member of Evil Inc. except a few keystrokes and a click or two. It doesn’t take Sir Scams-A-Lot any longer to send an email to you than to your less-fortunate neighbors in the housing projects, and so on.

3 This is also my beef with this xkcd comic. The real danger isn’t that people will do things to the physical environment to mess with self-driving cars (like repainting lines on the road), but that they’ll do something remotely from the other side of the world, and no one will know until their car drives off a bridge or whatever. And sure, most people aren’t murderers. But even if there are only a few people in the world who are sufficiently unhinged as to set up fatal traffic accidents between total strangers, if your self-driving car is Internet-connected then those people might have the opportunity.

In other words, the size of the “target pool” for someone who has a) an Internet connection and b) no conscience is literally everyone else with an internet connection. At last count, that number was in the billions and rising. This alone would make “online scurrilousness” a far more attractive career choice than “cat thief”, but don’t worry, it gets even worse!

Their strength is as the strength of ten

You might be tempted to think something like “Sure, being online gives the seamier sort of people immediate access to basically everyone in the world. But that shouldn’t really change the overall incidence of these sorts of things, because after all, there are only so many hours in the day. A hard-working evildoer can still only affect a certain number of people per unit time, right? right?” But alas, even this limitation pales before the awesome might of modern communications infrastructure.

In meatspace, you can only be in one place at a time. If you’re over on Maple Street burglarizing Mr. and Mrs. Holyoke’s home, you can’t also be selling fake stock certificates on Jefferson Ave, or running a crooked blackjack game in the abandoned warehouse off Stilton. But we aren’t in meatspace any more, Toto. We’re online, where everything is done with computers. You know what computers really love doing? Endlessly repeating the same boring repetitive task forever. The Internet is a medium uniquely suited to automated consumption. In fact, approximately 30% of all internet traffic comes from automated systems, according to Clouflare, and they should know.

So what does a clever-but-unscrupulous technologist do? That’s right, he goes looking for vulnerabilities in widely-used platforms like Wordpress, finds one, then sets up an automated system to identify and exploit vulnerable Wordpress installs. Or he uses an open-source large language model like Llama to send phishing emails to every email address he can get his hands on, and maybe even correspond with susceptible people across multiple messages,

4 This is something I’m sure we’ll see more and more of as time goes on. I’m sure it’s already happening, and it’s only going to get worse.
or just tricks people into clicking on a link to a fake Log In With Google page where he snarfs up their usernames and passwords, or whatever. There are a million and one ways an unethical person can take advantage of others without ever having to personally interact with them. This acts as a force-multiplier for evil people, and I think it’s a major contributor to the overwhelming frequency with which you encounter this sort of thing online.
5 Astute readers may realize that while you can’t automate meatspace in exactly the same way as you can automate computers, you can still do the next-best thing: get other people to do it for you. This is the fundamental insight of the Mafia don, and organized crime more generally. Thing is, though, all of these subsidiary evildoers have to be just as willing to break the law as the kingpin string-puller, so it doesn’t quite act as a force-multiplier for evil in the same way.

Interestingly, the automate-ability of anything that happens over the Internet seems to have leaked back into the phone system as well. I don’t think anybody would disagree that scam phone calls are far more common than they used to be.

6 Unless “Dealer Services” has developed a truly pathological level of concern for the vehicle warranty I didn’t even know I had.
I suspect, although I don’t have any hard evidence to back it up, that this is largely due to the ease with which you can automate phone calls these days via internet-to-phone bridge services like Twilio. The hit rate for this sort of thing has to be incredibly low—especially as people start to catch on and stop answering calls from numbers they don’t know—so it only makes sense for the scammer if it costs them virtually nothing to attempt.

One might ask why this wasn’t the case before the Internet, since auto-dialing phone systems certainly predate the widespread use of the Internet,

7 The Telephone Consumer Protection Act attempted to regulate them as far back as 1991!
so why didn’t this happen then? I suspect that again, this comes down to ease of automation. In the 90s, you needed expensive dedicated equipment to set up a robocalling operation, but today you can just do it from your laptop.

The scammer with no name

There’s a third contrast with meatspace that makes life easier for people whose moral compass has been replaced by, say, an avocado: Nobody knows who you are online. In real life, being physically present at the scene of a crime exposes you to some degree of risk. There might be witnesses or security cameras, your coat might snag on a door and leave some fibers behind for the forensic team to examine, you might drop some sweat somewhere and leave DNA lying around, and of course there are always good ol’ fingerprints.

8 Once again, the Mafia model demonstrates how you might insulate yourself from some of these risks, but again, it’s not quite as complete because somebody has to be there, and that somebody might talk. And yes, the Mafia took steps to remedy that problem as well, but that’s why Witness Protection was invented.

All of this is much less of an issue online. In fact, one of the loudest and most attention-seeking hacking groups literally just called themselves Anonymous. Of course, then a bunch of them got arrested, so maybe they weren’t quite as anonymous as they seemed to think they were. Still, I think it’s safe to say that it’s a lot easier to stay anonymous when you’re committing crimes online vs. in person. Or from another angle, it takes (on average) significantly more law-enforcement effort to de-anonymize a criminal online than in person.

9 I can’t seem to find it any more, but I’m pretty sure I remember reading an article a while back that talked about how the NSA/FBI/etc. managed to identify people like Silk Road higher-ups. From what I recall, it was pretty resource-intensive and not really realistic except for high-priority targets.

I’m pointing out the downsides here, of course, but it’s worth noting that online anonymity is a coin with two faces. It’s fundamental to the question of privacy, especially from governments who would love nothing better than to know every sordid detail of their citizens’ lives forever.

10 Don’t believe me? Just look at how hard any number of major governments have been trying to effectively outlaw things like end-to-end encrypted chat apps. Here’s the UK, US, Australia, etc. They don’t give a crap about “safety” or “exploitative content”. This is about surveillance.
In general, anything that improves privacy (such as end-to-end encryption, VPNs, proxies, etc.) also makes anonymity easier for people whose motives are less laudable than “I don’t think the government should know everything bout me.”

The economics of evil

In the end, you can think of this all as a question of economics.

11 Seems like you can think of anything as a question of economics, if you try hard enough. Even theology.
The Internet is rife with scams, thievery, and general scum and villainy because it brings down the cost of doing such things to the point that it becomes worth it. There’s no need to spend time or money moving from place to place, because you can do it all from the comfort of your own home. Instead of spending time on each individual operation you can put in the effort to automate it up-front and then sit back and reap the benefits (or keep finding more things to automate). The risk of doing all of this (which is a form of cost) is significantly lower than it would be to do something equivalent in real life. And all of this you get for the low, low price of your immortal soul! What’s not to like?

Will it ever change?

The Internet has often reminded me, alternately, of a) the Industrial Revolution and b) the Wild West. It reminds me of the Industrial Revolution because there are great examples of unscrupulous people taking advantage of a new set of economic realities to make tons of money at the expense of poor everyday folk who are just trying to live their lives. And not just straight-up criminals like we’ve been discussing, but also exploitative businesses and corporations (adtech, anybody?) that hearken back to the days of e.g. factory owners profiting from the slow destruction of their workers’ lives. But the Internet also calls to mind the Wild West of the mid-to-late 1800s. Like the Wild West, it’s a huge new swathe of unexplored territory rich with opportunity, if a little uncivilized.

But eventually, both the Industrial Revolution and the Wild West settled down and got a little more civilized. Eventually people developed things like labor unions and OSHA regulations,

12 Which I never thought I’d be holding up as a good thing, because in my personal experience they’ve mostly been a source of frustration. But something tells me that if I were a worker in a 19th-century textile factory, I would have been very glad for some basic safety requirements.
and the world of heavy industry got a little more equitable. And eventually, the Wild West became civilized enough that you couldn’t just walk into a saloon and shoot someone just because you felt like it.
13 Please note, I have no idea if this was ever really possible, I’m basing it mostly on spaghetti Westerns and the like.

Will the same thing happen to the Internet? I don’t know. It might! Already you can start to see a sort of social “immune system” developing with regard to things like phishing emails and calls. For instance, I know plenty of people who have a policy of never answering their phone at all if the call is from a number they don’t recognize.

14 Consumer Reports claims that this is actually 70% of US adults, which is a staggering number. Heaven help us if the scammers figure out how to reliably spoof numbers from people you know.
Unfortunateloy it’s harder to make this work for something like poorly-secured web services, because it isn’t easy to tell before you sign up for a service whether it’s likely to get breached and leak your personal info in six months.

Ultimately the only workable solutions will have to a) increase the cost of carrying out these attacks, or b) reduce (on average) the reward. In the end it probably won’t be solved completely, much like crime isn’t solved today. But I’m hopeful that, much like today’s Texans don’t have to worry much about their stagecoach being waylaid by bandits, we’ll see less and less of it as time goes on.