The Musk and Twitter affair should teach us the importance of looking at our digital lives from a dynamic point of view rather than a static one: the choices we make do not pertain only to the moment in which we make them, and we should consider how they might evolve over time.
Twitter was a publicly traded company with a good board of directors and a strong reputation as a well-administered system that cared about protecting users.
Musk’s acquisition concentrated ownership in one person; the moderation team was decimated, as were the regulatory compliance people.
Today Twitter is deliberately taking actions that will put it at odds with (at least) 3 European laws: the GDPR for data protection, the DSA for lack of moderation, and the Media Freedom Act for political interference.
But what should raise our eyebrows the most is that, since he took office, Musk has passed to journalists a selection of internal emails from some employees and associates, a selection that tends to support a political conspiracy thesis of his own.
Something unthinkable, until it happened.
Who can assure us that the same will not happen in the near future with a selection of “direct messages” exchanged between users?
It seems unthinkable, but direct messages are directly accessible to Twitter (they are not encrypted), and all user-uploaded content is licensed to Twitter for permanent and irrevocable use.
The point is that SAAS (Software As A Service) is always someone else’s computer, and we should not forget that.
I say SAAS application and not “cloud” generically, because a virtual server is also a cloud service (IAAS, Infrastructure As A Service), but in that case the person administering it has full control of the system, the applications running on it and the data they contain. Using a virtual server to run our applications is definitely preferable to using a third-party online application, if we have the skills (more on this later).
Unfortunately, today it is increasingly difficult to understand what guarantees users have that the data they enter into a SAAS will not be used in the future in a way different from what they would expect today.
It seems wise to always maintain a precautionary approach: we cannot rule out that, twenty years from now (it seems like a long time but it’s the blink of an eye), one of our kids, who may by then hold an administrative, political, or managerial position, could be blackmailed over some digital content that was thought to remain confidential.
For example, who knows that Adobe’s Lightroom online photo editor uses users’ photos to train machine learning models? Or that if we activate Microsoft 365 intelligent services features, for example to take advantage of the translator, the images we insert into documents are automatically shared with Microsoft, which analyzes them to determine their content? Or again, that, by default, the Edge browser sends every keystroke to Microsoft? (Yes, potentially even the passwords you type in.)
No one has any doubt that these SAAS applications are managed in the best way, by competent people with adequate means, so that the data will not be leaked and misused.
But tomorrow never knows.
So is IAAS always better than SAAS?
No. Managing a server is more complex than using a service; it is not within everyone’s reach (although less and less so every day), especially managing security at a decent level.
So while managing one’s own server is beyond the reach of the vast majority of users, its cost is surely within the reach of any small company.
If we invest in an alarm and an armored door, then we should consider managing our applications on our own servers.
Then, as a matter of public policy, teaching a high school class on installing and administering servers would certainly be a good idea.