That's normal. No security measure (including billionaire-proofing the internet) is a "set and forget" affair. Any time you want something and someone else wants the opposite, you are stuck in an endless game of attack and defense. The measures that block your adversary today will only work until your adversary changes tactics to circumvent your defenses.

2/

For example, mining all the links on the internet to find non-spam sites worked brilliantly for Google, because until Pagerank, there were zero reasons for spammers to get links to point to their sites. Once Google became the dominant way of finding things on the internet, spammers invented the linkfarm. This principle can be summed up as "Show me a ten-foot wall and I'll show you an eleven-foot ladder."

3/

Security designers address this with something called "defense in depth": that's a series of overlapping defenses that are meant to correct for one another's weaknesses. Your bank might use a password, a 2FA code, and - for extremely high-stakes transactions - a series of biographical questions posed by a human customer service over a telephone line.

4/

I've written extensively about defending a new, good internet from billionaire enshittifiers. For example, in this post, I described how Bluesky could be made enshittification-resistant with the use of "Ulysses Pacts" - self-imposed, binding restrictions on enshittification:

https://pluralistic.net/2024/11/02/ulysses-pact/#tie-yourself-to-a-federated-mast

5/

A classic example of a Ulysses Pact is "throwing away the Oreos when you go on a diet." Now, it doesn't take a lot of work to devise a countermeasure your future, Oreo-craving self can take to defeat this measure: just drive to the grocery store and buy more Oreos. This even works at 2AM, provided you live within driving distance of an all-night grocer.

6/

That doesn't mean you shouldn't throw away those Oreos. Depending on how strong your Oreo craving is, even a little friction can help you resist the temptation to ruin your diet. We often do bad things because of momentary impulses that fade quickly, and simply airgapping the connection between thought and deed works surprisingly well in many instances.

7/

This is why places with fewer guns have fewer suicides of all kinds: there are plenty of ways to kill yourself, but none are quite so quick and reliable as a gun. People in the grips of a suicidal impulse who don't have guns have more chances to let the impulse pass (this is also why gun control leads to fewer all-cause homicides). So just because a measure is imperfect, that doesn't make it worthless.

8/

If you're trying to give up drinking, you throw away all your booze, but you also go to meetings, and you get a sponsor who can help you out with a 2AM phone call. You might even put a breathalyzer on your car's ignition system. None of these are impossible to defeat (you can get an Uber to the liquor store, after all), but they all create friction between the thing you want, and the thing your adversary (your addiction) is trying to get.

9/

They strengthen the hand of you as defender of the sober status quo, against the attacker who wants you to relapse.

Critically, all these defensive measures buy you time that you can use to organize and deploy more defenses. Maybe the long Uber ride to the liquor store gives you enough time to think about your actions so you call your sponsor from the parking lot. Defense is useful even when it only slows your adversary, rather than stopping your adversary in their tracks.

10/

Scaling up from personal defense to societal-scale security considerations, it's useful to think of this as a battle with four fronts: code (what is technically im/possible?), law (what is il/legal?), norms (what is socially un/acceptable?) and markets (what is un/profitable?). This framework was first raised a quarter-century ago, in Larry Lessig's *Code and Other Laws of Cyberspace*:

https://commons.wikimedia.org/wiki/File:Code_And_Other_Laws_of_Cyberspace_Version_2_0.pdf

11/

@pluralistic "normals (what is socially un/acceptable?)"

I think you meant "norms" not "normals" here.