Undermining the Credibility of an Investigation – A Game-Theoretic Analysis

January 3, 2018 10:21 am

Let’s suppose you were the subject of a serious criminal investigation.  Further suppose you were also a prominent and influential public figure.  You know a priori whether there’s anything damning that the investigation may find.  Should you choose to use your influence to affect the credibility of the investigation?  Should you bolster the credibility or undermine it?  Let’s take a game-theoretic approach.

Like almost all game theory analyses we’ll construct a payoff matrix to guide our analysis.  I suggest one axis capture the eventual outcome of the investigation: evidence of wrongdoing found (guilty) vs. no evidence of wrongdoing found (innocent).  The other axis will capture the subject’s three possible actions regarding using their influence: bolster credibility (bolster), do nothing (null), undermine credibility (undermine).

Payoff matrix for subject using influence to affect credibility of investigation – Empty
Bolster Null Undermine
Innocent
Guilty

We now need to consider each possibility in the matrix and assign a relative payoff.  The payoff value represents the utility of the scenario to the subject, that is, how much does the subject benefit based on the scenario represented by each cell.

I don’t think it’s particularly controversial to argue that any “Innocent” outcome will be good for the subject.  Better if the credibility has been bolstered, but slightly worse if the credibility is undermined.

Payoff matrix for subject using influence to affect credibility of investigation – Partial
Bolster Null Undermine
Innocent 20 10 7
Guilty

Again, it shouldn’t be controversial to assume that a “Guilty” outcome will be bad for the subject.  Worse if the credibility is bolstered, but slightly better if the credibility is undermined.

Payoff matrix for subject using influence to affect credibility of investigation – Complete
Bolster Null Undermine
Innocent 20 10 7
Guilty -20 -10 -7

At a global view, it seems like the only reason to actively undermine the credibility of the investigation is if you believe the outcome will be “Guilty” as it will increase your utility.  That should be concerning to anyone paying attention to current U.S. politics.

I think there is one potential argument for modifying the “Undermine” payoffs.  If the undermining is an attack on the biases and motivations of the investigation, the supporters of the subject may see an “Innocent/Undermine” outcome as better than “Innocent/Null” because “even the biased investigation couldn’t find anything.”  A similar argument could be made about the “Guilty/Undermine” payoff.  The increased nuance becomes important if you think that the subject’s actions are more directly tuned to either the supporters or opposers.

Payoff matrix for subject using influence to affect credibility of investigation – Supporters/Opposers
Bolster Null Undermine
Supporters Opposers
Innocent 20 10 14 0
Guilty -20 -10 0 -14

These supporter/opposer payoffs are probably up for much debate, but I think this is probably a good ballpark.

With an “Innocent/Undermine” outcome, opposers will use the attacks on the credibility of the investigation against the subject.  But, supporters will see it as stronger evidence of innocence (“even the biased investigation couldn’t find anything”).

With a “Guilty/Undermine” outcome, supporters will see it as “proof” that the investigation was biased and not valid.  Opposers will see it as an attempt to evade justice.

What’s interesting is if the subject cares only about supporters then the only better possible outcome than undermining the investigation is to bolster an investigation that finds the subject innocent.  If the subject, knowing a priori the truth of their actions, believes that the likelihood of the investigation concluding “Innocence” is almost zero and cares most about their supporters’ response then undermining the investigation becomes overwhelmingly the best action to take.

Does the President care so little about those who oppose him that he’s willing to take another hit from them in the event that the Mueller investigation finds nothing?  Or is he expecting the investigation to find evidence of wrong-doing and he’s laying the groundwork to salvage the only group possible?  Or is my analysis completely wrong?

Stop the Escalation of Stupidity

October 23, 2017 10:22 am

New reports over the weekend discussed that the U.S. Air Force is making preparations to return the global strike force of nuclear-weapon bombers to a 24-hour alert deployment schedule (which hasn’t been done since 1991).  This follows weeks of inane bluster from the U.S. President about raining down “fire and fury like the world has never seen” upon North Korea.

Can we please stop with this escalation of stupidity already?

Even a cursory analysis of the situation between North Korea and the United States reveals that North Korea literally has nothing to gain by launching a first strike of nuclear weapons against the United States.  Not only would doing so guarantee their own annihilation, no other country in the world would feel particularly bad about it happening–and many would help carry it out.

For a country in North Korea’s position, nuclear weapons can only serve as an insurance policy to encourage other countries (namely, the U.S.) to leave them alone.  If we briefly look at all the nations that have been invaded or bombed by the U.S. in the last 50 years (a disturbingly large number), you’ll notice a pretty clear trend that we haven’t touched any nation with a nuclear arsenal.  North Korea developing a nuclear arsenal, especially one that can threaten mainland U.S. cities, is an eminently rational move.

I am not remotely concerned about a first-strike nuclear attack from North Korea.

Unfortunately, I am concerned the U.S. President will create a situation where he feels compelled to do something stupid in order to save face.  Or will create a situation where North Korea feels like they are being existentially threatened and decide to take a few million people with them as punishment.

Acting irrationally and unpredictably can be a rational strategy.  North Korea has a good reason for appearing to be irrational and unpredictable because it can keep countries like the U.S. from engaging in overly threatening actions (like say, flying a squadron of nuclear-armed B-52s toward North Korea).  Such an aggressive act could be misinterpreted as an attack and a seemingly irrational and unpredictable leader in North Korea may order a retaliation rather than waiting to see where the planes are going.

Acting irrationally and unpredictably as the leader of the a country like the United States is foolish.  You have nothing to gain.  Instead, you stand to lose credibility on the international stage.  Allies will become reluctant to support your cause if they believe your big mouth is what got you there in the first place.  No one feels particularly bad when the bully is waving his finger in someone’s face, yelling, screaming, and threatening and the victim decides to punch them in the nose first.

I have no idea whether Trump really is a petulant child with a short temper and over-inflated sense of self-importance or not.  But acting like it is not making our country or the world a better place to live in.

Who’s waging war against HTTPS?

March 30, 2017 10:52 am

In April 2016, Let’s Encrypt went live.  Let’s Encrypt is a group making it significantly easier to encrypt web traffic.  Some entity seems to have begun waging a war of public opinion against them.

Previous to their existence conveniently securing web traffic meant paying money to a company which would then provide you with a “certificate” for your website.  Servers and browsers use these certificates to create a secure communication path between them.  This secure path (denoted by URLs starting with “https://” rather than “http://”) prevents entities between your computer and the website from seeing or altering the data being sent to and from the website.

Because of the cost and inconvenience many websites used unsecured connections.  However, places like banks, shopping, and healthcare providers have pretty much always used secure connections.  It took a few years but eventually social media websites began using secure connections by default as well.

Before Let’s Encrypt, millions of websites only had their content available via unsecured communications.  For many people, like myself, running websites without any goal of making money from them the expense and hassle of certificates wasn’t worth it.  Now, my websites are all available through secured connections, for free, thanks to Let’s Encrypt.  (To be clear, many websites still haven’t taken advantage of this service yet, but they at least have the option now.)

But, if banks and such use secure connections anyway, why do we care about Let’s Encrypt, should I care if “someone” can see that I’m reading this blog post?

Maybe.

On March 28 Congress voted to repeal FCC regulations that prevented your Internet Service Provider (ISP) from spying on your web traffic and using that information to their financial benefit.  The regulations also prevented ISPs from altering your web traffic for similar purposes (e.g., injecting ads into a webpage when you view it).

Maybe you don’t care if Comcast, or AT&T, or Verizon knows you like to knit and shop at JoAnn’s Fabrics.  But maybe you’d be concerned if they started selling information to other companies about you visiting cancer treatment websites, or rape support groups, or divorce attorneys, or any number of kinds of sensitive information.

Using encrypted connections doesn’t solve this problem entirely, but it makes the information available to your ISP a lot less useful.  For example, your ISP would still be able to tell you’re looking at Amazon.com, but they wouldn’t be able to tell if you’re looking at knitting needles or books about infertility treatments.

Regardless of your stance, someone seems to be working hard to turn public opinion against Let’s Encrypt and again make it harder to encrypt web traffic.  Articles like this one: “14,766 Let’s Encrypt SSL Certificates Issued to PayPal Phishing Sites” have been showing up all over the Internet recently, all making similar claims that it is Let’s Encrypt’s fault that people are falling for fake PayPal scam websites.

I don’t think it’s actually PayPal behind these articles, because this problem is nothing new, but the concerted, direct attack on Let’s Encrypt is new.

Let’s Encrypt does not verify the identity of the person requesting a certificate (which other certificate providers will do for steep fees, $300+ per year, these “verified” certificates are significantly different than the “non-verified” certificates issued by Let’s Encrypt).  Instead Let’s Encrypt verifies that you control the website for which you’re requesting a certificate, slightly different.

The argument made by these articles is that now someone can get _a_ certificate for “paypall.com” and people will think that the green lock icon on their browser means they’re connected to “paypal.com” instead.  Which it doesn’t and never has.  The “verified” certificates show up differently in your browser.  For example, on this blog you’ll see something like this:

With a “verified” certificate you’ll instead see something like this:

This indicates that the company issuing the certificate verified that the company requesting the certificate is “PayPal, Inc.” and the certificate is for “paypal.com”.

The articles want you believe Let’s Encrypt is somehow at fault if people end up at “paypall.com” with a green lock and think it’s “paypal.com”.  Let’s Encrypt isn’t providing “verified” certificates or trying to solve that problem.  The problem they’re trying to solve is that too much web traffic is unencrypted by default because certificates were expensive and inconvenient.

Someone with a vested interest in being able to read and/or modify your web traffic has been working really hard to get these articles out and make it look like some kind of “public safety” issue.

I have no idea who that entity may be, but it’s making me really annoyed.  Let’s Encrypt is a good thing for anyone that thinks that their Internet communications should be private by default.

Update 3/31: Engadget just ran one of the attack pieces too: “When the ‘S’ in HTTPS also stands for shady“.  Which is the most mainstream source running these articles that I’ve seen thus far.

To be completely clear, when a URL starts with HTTPS it only means that your connection is encrypted between your computer and the website–it has never meant anything about who is running the website is or whether the website operator is trustworthy.

Line in the Sand

December 14, 2016 1:36 pm

In February 2016 Donald Trump emphatically told the world, “I’d bring back waterboarding and I’d bring back a hell of a lot worse than waterboarding.”

I’ve previously stated how unacceptable the use of torture is by our country.

So here’s my line in the sand:

I am a software developer supporting the mission of counter-proliferation of weapons of mass destruction.  I am a member of the Intelligence Community.  If Trump reinstates the use of torture by American personnel I will resign from my job in the Intelligence Community in protest.

If we come to such a point, I may keep working at the Lab, but I will not work on intelligence projects and have my efforts in any way used in support of such despicable behavior.

Waterboarding is torture.  Anything “a hell of a lot worse than waterboarding” is torture.  I will not spend my time and energy on projects that imply that such treatment of prisoners is acceptable.

We should be better than that.

I am better than that.

What do you stand for?  What is your line in the sand?

Worry, Concern, and Hope

December 9, 2016 10:51 am

I worry.

I worry the country will be a worse place when my girls grow up.

I worry our nation will blind itself to its faults.

I worry that anger and violence will increase.

 

I recognize that surrounding every atrocity has been a society of good people quietly saying, “That will never happen here.  We’re better than that.  Let’s just keep our heads down and get through this.”

How does one find a balance between wariness, activism, fear, and over-reaction?

I don’t know.

Are people in the U.S. currently over-reacting to President-elect Trump’s language, decisions, and actions?  I hope so.  For it to be an over-reaction means things aren’t really as bad as they might seem.

Four years ago I wrote about the dangers of nationalism.  That post is more relevant now that it was then.  Please go read it.

I am greatly concerned that President-elect Trump regularly, publicly attacks, demeans, and insults any opposition to his actions or opinions.  No one likes being the subject of public ridicule and I am concerned people will keep their mouths shut to avoid this treatment rather than oppose him.

I am concerned that dissent will be suppressed.

I am concerned that President-elect Trump seems to be gathering a body of “loyalists” to surround him in Washington rather than competent and qualified individuals (even if I disagree with their views).

I am concerned that many people no longer feel safe going about their day.

I am concerned that an elected State Representative was harassed and berated for her religion and ethnicity during a cab ride in the nation’s capital.

I am concerned that the next few years may be marked by conflict escalation between Trump supporters and opponents.

I am concerned that the next 20 years in the United States may subject us to some type of nationalistic violence within our borders.

 

I hope these concerns are unfounded.

I hope for peaceful dissent and respectful disagreement.

I hope for a nation that can recognize it has faults even if we disagree on how to fix them.

I hope the country is a better place for my girls when they grow up.

I hope.