Mat Honan recently described the ‘epic’ way that his Amazon, Apple, Gmail, and Twitter accounts were all successively hacked. Once the hacker(s) had access to his Apple ID, they used the ‘Find My iPhone’ and ‘Find My Mac’ features to wipe his devices’ hard drives clean, erasing every photo of his young daughter along with untold other data. In the end, it seems the hackers mainly wanted access to his Twitter username (@mat) simply because it was only three characters long.
If you haven’t already, go read Mat’s post before continuing. After that, go set up two-step verification for your Gmail account. If you are not convinced that two-step verification is necessary, read this. I’ll wait…
OK, now that you’re back–what does all this have to do with politics? When I read about Mat’s hacking experience, one of my main takeaways was “all that for a Twitter account?” The vandals could have taken so much more, including financial information and valuable contacts.
If all they wanted was his Twitter username they did not need to go to all the work. I am relatively certain that if the hackers contacted Mat asking for his username and showing that they were capable of destroying his online life, he would have turned it over without much of a fight to avoid all of the headaches that came with the security breach. But the hackers did not want to take the easy way–they wanted to show off.
This incident provides a great counter-example to an almost universal assumption in the conflict/security studies literature: that conflict is costly, so actors would rather avoid it. Dan Reiter summarizes (pdf, ungated) the idea this way:
In modern bargaining-model scholarship… this logic gets translated into the critical assumption that war itself—the actual fighting, aside from the political issues at stake—is always costly.
One prominent example of this assumption is James Fearon’s (1995) “Rationalist Explanations for War.” (pdf, ungated) In his words,
My main argument is that on close inspection none of the principal rationalist arguments advanced in the literature holds up as an explanation because none addresses or adequately resolves the central puzzle, namely, that war is costly and risky, so rational states should have incentives to locate negotiated settlements that all would prefer to the gamble of war.
Fearon gives three reasons why states still go to war even though it is costly (summary presentation here). First, there are information problems about which side is stronger. This does not apply in the Honan hacking case; although he did lack crucial information about some security flaws, he described the feeling of “kicking himself” for not doing more to protect his passwords. Second are commitment problems. Even if the hackers had promised not to violate Honan’s personal accounts if he turned over his Twitter username, he had no reason to trust them. The third problem is issue indivisibility: you cannot give access to “half” of a Twitter account, making the contest here an all-or-nothing proposition.
Even though the hack seems to have been relatively easy for the attackers, exploiting vulnerabilities in Amazon and Apple’s customer service protocols, this still presents a hard case for the rationalist assumption that negotiated settlements are to be preferred to conflict. Mat Honan could have turned over his username and avoided losing all of his data, and the hackers could have saved themselves some trouble. The fact that they chose not to go this route indicates that they derived pleasure from the attack itself. Assuming that conflict is costly might lead us down the wrong road.