CrowdStrike, Antitrust, and the Digital Monoculture

1 month 3 weeks ago

Last month’s unprecedented global IT failure should be a wakeup call. Decades of antitrust inaction have made many industries dangerously reliant on the same tools, making such crises inevitable. We must demand regulators break up the digital monocultures that are creating a less competitive, less safe, and less free digital world.

The Federal Trade Commission (FTC) solicited public comments last year on the state of the cloud computing market. EFF made it clear that the consolidation of service providers has created new dangers for everyone and urged the commission to encourage interoperability so customers could more easily switch and mix cloud services. Microsoft cautioned against intervention, touting the benefits of centralized cloud services for IT security.

A year later, a key cloud-based cybersecurity firm released a bug unique to Microsoft systems. Vital IT systems were disrupted for millions worldwide. 

This fragility goes beyond issues at a specific firm; it results from power being overly concentrated in a few major companies.

What Happened

The widespread and disruptive tech outage last month happened thanks to an overreliance on one particular tool, CrowdStrike's Falcon sensor software. While not a monopoly, this tool is the most popular in end-point protection platforms.

This niche service often used by companies is best understood as an antivirus tool for devices, controlled by a cloud platform. “End-point” computers run the agent with very deep system permissions to scan for security issues, and the company CrowdStrike regularly pushes remote software updates to this tool. This setup means many devices rely on a single source for their security, leveraging shared insights learned across devices. It also means that many devices share a single point of failure.

An early sign of this problem came last April, when a CrowdStrike update disrupted devices running Debian and Rocky Linux operating systems. Linux “end-point” devices are uncommon, let alone those running these specific distributions with CrowdStrike software. What should have been a red flag in April was instead barely a blip.

Last month CrowdStrike disrupted two other operating systems with a bad update: Windows 10 and 11. This time it spurred a Y2K-like collapse of crucial computer systems around the globe. Airlines, hospitals, financial institutions, schools, broadcasters, and more were brought to a standstill as an erroneous update on CrowdStrike’s platform caused system crashes. Instead of an inconvenience for a few companies, it more closely resembled a government shutdown or a natural disaster.

Both cases had similar impacts on devices, but the later case was an absolute disaster for infrastructure because of a digital landscape dominated by a few key players. Having so many sectors rely on a handful of services for the same operating systems makes them all susceptible to the same bugs; even systems running absurdly old versions of Windows gained an advantage simply by providing some diversity.

Whatever went wrong at CrowdStrike was just a spark. Last month it ignited the powder keg of digital monocultures.

Digital Monoculture

All computers are broken. Every piece of software and hardware is just waiting to fail in unexpected ways, and while your friendly neighborhood hackers and researchers can often hold off some of the worst problems by finding and reporting them, we need to mitigate inevitable failures. A resilient and secure digital future can’t be built on hope alone.

Yet, that’s exactly what we’re doing. The US has not just tolerated but encouraged a monopolistic tech industry with too little competition in key markets. Decades of antitrust policy have been based on the wrongheaded idea that sheer size will make tech companies efficient and better able to serve customers. Instead, we have airports, hospitals, schools, financial systems, and more all reliant on the same software, vulnerable to the same bugs and hacks. We created a tech industry that is too big to fail.

We live in the age of the digital monoculture, where single vulnerabilities can tear through systems globally: sabotaging hospitals and city governments with ransomware, electrical systems with state-sponsored attacks, and breaching staggering amounts of private data. Name a class of device or software, and more often than not the majority of the market is controlled by a few companies, often the same ones: Android and iPhone; Windows and Mac; Gmail and Outlook; Chrome and Safari. When it comes to endpoint security products, three companies control half of the market, the largest being Microsoft and CrowdStrike.

Much like monocultures in agriculture, the lack of diversity makes the whole ecosystem more fragile. A new pest or disease can cause a widespread collapse without a backup plan. The solution, conversely, is to increase diversity in the tech market through tougher antitrust enforcement, and for organizations to make IT system diversity a priority.

Allowing an over-reliance on a shrinking number of companies like Microsoft will only ensure more frequent and more devastating harms in the future.

How We Got Here: Broken Antitrust

As EFF has pointed out, and argued to the FTC, antitrust has failed to address the realities of a 21st-century internet.

Since the 1980s, US antitrust has been dominated by “consumer welfare” theory, which suggests corporate monopolies are fine, and maybe even preferable, so long as they are not raising prices. Subtler economic harms of monopoly, along with harms to democracy, labor rights, and the environment are largely ignored.

For the past several years, the FTC has pressed for a return to the original intent of antitrust law: viewing consumers as more than walking wallets, but as individuals who deserve to live unburdened by monopoly interests.

But we have a long way to go. We are still saddled with fewer and less adequate choices built on a tech industry which subsidizes consumer prices by compromising privacy and diminishing ownership through subscriptions and restrictive DRM. Today’s empires of industry exert more and more influence on our day to day life, building a greater lock-in to their monoculture. When they fail, the scale and impact rival those of a government shutdown.

We deserve a more stable and secure digital future, where an error code cannot put lives at risk. Vital infrastructure cannot be built on a digital monoculture.

To do this, antitrust enforcers, including the FTC, the Department of Justice (DOJ), and state attorneys general must increase scrutiny in every corner of the tech industry to prevent dangerous levels of centralization. An important first step would be to go after lock-in practices by IT vendors.

Procurement and Vendor Lock-In

Most organizations depend on their IT teams, even if that team is just the one friend who is “good with computers”. It’s quite common for these teams to be significantly under-resourced, forced to meet increasingly complex needs from the organization with a stagnant or shrinking budget.

This squeeze creates a need for off-the-shelf solutions that centralize that expertise among vendors and consultants. Renting these IT solutions from major companies like Microsoft or Google may be cost-effective, but it entrusts a good deal of control to those companies.

All too often however, software vendors take advantage of this dynamic. They will bundle many services for a low initial price, making an organization wholly reliant on them, and then hinder the ability of the organization to adopt alternative tools while later raising prices. This is a longstanding manipulative playbook of vendor lock-in.

Once locked in, a company will discover switching to alternatives is costly both in terms of money and effort. Say you want to switch email providers. Rather than an easy way to port over data and settings, your company will need to resort to manual efforts or expensive consultant groups. This is also often paired with selective interoperability, like having an email client work smoothly with a bundled calendar system, while a competitor’s service faces unstable or deliberately broken support.

Lock-in doubles down on a monopoly’s power and entrenches it across different markets. That is why EFF calls for interoperability to end vendor lock-in, and let IT teams choose the tools that reflect the values and priorities of their organization.

Buying or building more highly-tailored systems makes sense in a competitive market. It’s unlikely a single cloud provider will be the best at every service, and with interoperability, in-house alternatives become more viable to develop and host. Fostering more of that internal expertise can only bolster the resilience of bigger institutions.

Fallout from The Cloud

Allowing the economy and the well-being of countless people to rely on a few cloud services is reprehensible. The CrowdStrike Falcon incident is just the latest and largest in a growing list of hacks, breaches, and collapses coming to define the era. But each time everyday people endure real harms.

Each time, we see the poorest and most marginalized people face costly or even deadly consequences. A grounded flight might mean having to spend money on a hotel, and it might mean losing a job. Strained hospital capacity means fewer people receive lifesaving care. Each time these impacts further exacerbate existing inequalities, and they are happening with increasing frequency.

We must reject this as the status quo. CrowdStrike’s outage is a billion-dollar wake-up call to make antitrust an immediate priority. It's not just about preventing the next crash—it's about building a future where our digital world is as diverse and resilient as the people who depend on it.

Rory Mir

[Photo Angle] Renho's final street speech: the enthusiasm was tremendous, but... (July 6, Shinjuku Station southeast exit; photo by Ryohei Ito)

1 month 3 weeks ago
In the Tokyo gubernatorial election, voted on and counted on July 7, Governor Koike won a third term. The photo shows Renho's final street speech, held in Shinjuku on the night of July 6, the day before the vote. She made her last appeal to the overflowing crowd that filled the area in front of the station, and the mood was electric. The enthusiasm was tremendous, with many young people taking part and an atmosphere unlike before; people from the "solo street campaigns" that supporters had run across the city to urge people to vote could also be seen, and hopes for the election result rose. But it ended in defeat, with much of the independent vote going to Shinji Ishimaru. This time it was also clear that the combination of the internet and social media can amplify the effect on voting, but..
JCJ

The European Union will use artificial intelligence to control migration flows at its borders

1 month 3 weeks ago

"Those controversial exemptions fit with the EU's defence strategy. Between 2007 and 2022, Brussels allocated 341 million euros to researching AI technologies at the borders, according to a Statewatch report, from autonomous migration-control robots to swarms of video-surveillance drones. Those funds have financed the deployment of biometric systems in Spain and the development of an algorithmic system for predicting migration flows built in Catalonia. 'Europe is fortifying itself in every possible way, and the AI Act is key to going further (...), an extra layer on top of the discrimination and flagrant violation of rights that already happen at the border,' says Judith Membrives, digitalisation officer and AI expert at Lafede.cat."

Full story here, citing our report: A clear and present danger: Missing safeguards on migration and asylum in the EU’s AI Act

Statewatch

Atlanta Police Must Stop High-Tech Spying on Political Movements

1 month 3 weeks ago

The Atlanta Police Department has been snooping on social media to closely monitor the meetings, protests, canvassing–even book clubs and pizza parties–of the political movement to stop “Cop City,” a police training center that would destroy part of an urban forest. Activists already believed they were likely under surveillance by the Atlanta Police Department due to evidence in criminal cases brought against them, but the extent of the monitoring has only just been revealed. The Brennan Center for Justice has obtained and released over 2,000 pages of emails from inside the Atlanta Police Department chronicling how closely they were watching the social media of the movement.

You can read all of the emails here.

The emails reveal monitoring that went far beyond cases where the department felt that laws might have been broken. Instead, they tracked every event even tangentially related to the movement, not just protests but pizza nights, canvassing for petition signatures, and reading groups. This threatens people’s ability to exercise their First Amendment-protected right to protest and to affiliate with various groups and political movements. The police overreach in Atlanta will deter people from practicing their politics in a way that is supposed to be protected in the United States.

To understand the many lines crossed by the Atlanta Police Department’s high-tech spying, it’s helpful to look back at the efforts to end political spying in New York City. In 1985, the pivotal legal case Handschu v. Special Services Division yielded important limits, which have been strengthened in several subsequent court decisions. The case demonstrated the illegality of police spying on people because of their religious or political beliefs. Indeed, people nationwide should have similar protections of their rights to protest, organize, and speak publicly without fear of invasive surveillance and harassment. The Atlanta Police Department’s use of social media to spy on protesters today echoes NYPD’s use of film to spy on protesters going back decades. In 2019, the New York City municipal archives digitized 140 hours of NYPD surveillance footage of protests and political activity from the 1950s through the 1970s. This footage shows the type of organizing and protesting the APD is so eager to monitor now in Atlanta.

Atlanta is one of the most heavily surveilled cities in the United States. According to EFF’s Atlas of Surveillance, law enforcement in Atlanta, supported financially by the Atlanta Police Foundation, have contracts to use nearly every type of surveillance technology we track. This is a dangerous combination. Worse, Atlanta lacks laws like CCOPS or a Face Recognition Ban to rein in police tech. Thanks to the Brennan Center, we also have strong proof of widespread social media monitoring of political activity. This is exactly why the city is so ripe for legislation to impose democratic limits on whether police can use its ever-mounting pile of invasive technology, and to place privacy limits on such use.

Until that time comes, make sure you’re up to speed on EFF’s Surveillance Self Defense Guide for attending a protest. And, if you’re on the go, bring this printable pocket version with you. 

Matthew Guariglia