Six Lines

Will Teaching People to Code Improve Privacy?

Posted by Aaron Massey on 14 Dec 2013.

Jathan Sadowski wrote an opinion piece for Wired on the possible effects of the “Learn to Code” movement, exemplified by Code.org which attempts to teach computer programming skills to anyone interested in learning them. I disagree with Sadowski on most of the points he makes in that piece, and this post is written as a response to his. You may want to read his post before reading mine.

Several organizations are dedicated to the goal of teaching people how to code: Codecademy, Treehouse, Code School, and many others. These movements have certainly garnered a lot of press. This past week was Computer Science Education Week, and I’ve seen quite a lot of press for the “hour of code” movement to get five million students to spend an hour programming this week. This isn’t the first time “Learn to Code” has made headlines. Learning to code became New York City Mayor Michael Bloomberg’s 2012 New Year’s Resolution, but this week another, higher-profile politician shared his thoughts on the subject:

In short, the “Learn to Code” movement is persistent and somewhat mainstream. But is it ultimately a good thing? In his piece for Wired, Sadowski rightly points out that learning to code isn’t a panacea to our problems:

Knowing how to code — the narrative goes — will help us navigate life, snag a lucrative job, and stay competitive with other countries. And then there’s the digital version of the “teach a man to fish” adage where a software engineer decided he would teach a homeless man to code. Though it caused a vitriolic reaction amongst tech bloggers, the homeless man was reportedly on his way to finishing up his first app.

That is, until he was arrested and his belongings were seized by the NYPD. Because “fairy tales don’t scale” in the real world.

All that compiles is not gold. Coding is only a panacea in a world where merit is all it takes to succeed. In other words, a starkly different world from the one we actually live in where social structures, systemic biases, and luck may matter more.

Computers are tools, and simply knowing how to use tools alone do not solve a lot of problems. Having a hammer and knowing how to pound in a nail with it doesn’t mean that you’ve solved all the problems that could be solved by using a hammer and a nail. Eventually, you need to ask yourself where, exactly, the nail should be hammered, and at that point you realize how useless knowing how to do the hammering is to answering the question at hand. Sometimes simply identifying the cause of the problem is far more challenging than actually solving it. If that was all Sadowski said, I wouldn’t have written this blog post.

Where I start to disagree with Sadowski comes next:

The problem is elevating coding to the level of a required or necessary ability. I believe that is a recipe for further technologically induced stratification. Before jumping on the everybody-must-code bandwagon, we have to look at the larger, societal effects — or else risk running headlong into an even wider inequality gap.

Sadowski then cites English literacy as an example of an even more fundamental skill that we’re failing to impart to our citizens. This is an important consideration. Many Computer Science educators view programming skills as roughly equivalent to 21st Century literacy. I’ve been lucky enough to see Mark Guzdial talk about this several times since I started my postdoc at Georgia Tech. Here’s his TEDxGeorigaTech talk on the subject:

Unfortunately for Sadowski’s argument, no one in the learn to code movement would argue that learning to code is more important than basic literacy. Just because programming is an essential skill for the 21st century doesn’t mean that English literacy isn’t essential anymore. It’s worth noting other similarities between language literacy and computing literacy. We don’t teach English because we expect everyone to become full-time authors. Similarly, those arguing that everyone should learn to code aren’t expecting everyone to become full-time programmers. Regardless, Sadowski isn’t alone. “We have bigger fish to fry” is the generic argument against the Learn to Code movement, and I won’t spend time repeating what others have already said well.

I will, however, add this thought: Consider the Morrill Land-Grant Colleges Acts, passed in 1862. Colleges formed under it are required to maintain colleges in agriculture and engineering. Why would the federal government, at the beginning of an expensive Civil War, spend all that money to build universities that would require those subjects? Because the world was changing quickly in the mid-19th Century. It was called the Industrial Revolution, and it was changing the set of skills that were critical to success.

Right now, today, the world is at the beginning of another revolution. I don’t care if we call it the Information Age or the Digital Revolution or whatever. The point is that, once again, the skills critical to success are changing. And how has education responded? Well, we’re still trying to figure out if Computer Science should count as a Science in the Common Core standards for high school students. Even people who disagree with the Learn to Code movement’s plan to get everyone coding would probably cede that Computer Science should count as a Science.¹ But we’re not there yet. Talk about picking winners and losers.

Sadowski’s next concern is about resources. If we’re trying to teach everyone to code, and we’re already failing to teach other critical skills like literacy, then how do we do that without additional resources? Here’s his argument from the Wired article:

We have enough trouble raising English literacy rates, let alone increasing basic computer literacy: the ability to effectively use computers to, say, access programs or log onto the internet. Throwing coding literacy into the mix means further divvying up scarce resources. Teaching code is expensive. It requires more computers and trained teachers, which many cash-strapped schools don’t have the luxury of providing. As software engineer Chase Felker has argued:

“I’m not sure it’s even possible to teach everyone how to code, but I do know that to mandate programming as a general education requirement would displace something else that we’re already failing to teach, and that’s not good, either.”

Focusing on the additional, costly skillset of coding — rather than the other more essential, but still lacking, types of literacy — is the product of myopic technical privilege. There’s a reason such arguments arise primarily from the digerati: In that world, basic access is rarely a problem.

I disagree with Chase Felker and other software engineers who take the position that not everyone should learn to code, and I think they are missing the point of the movement. No matter how critical a skill is, society would lose the benefits of dividing labor if we all attempted to do one skill professionally. If everyone were a doctor, who would farm the food we eat? Of course it’s ridiculous to expect everyone to become professional-caliber programmers. That’s simply not the point of the movement. Here’s how one of the articles Sadowski cites states² it:

Although the speakers didn’t suggest that everyone become an expert in code right away, they all agreed that basic programming literacy would empower anyone who uses a smartphone or computer. It isn’t just about the job security or a hefty paycheck. Instead of blindly accepting and utilizing the technology we are given, learning basic programming would help us to interact more mindfully with the world around us.

In short, the point of the learn to code movement is that when people don’t understand technology we get things like this:

Or SOPA, or the ECPA, or the CFAA, etc… And those are just examples from politics. Sadowski is likely familiar with these and other examples, given his interest in tech policy. I’m certain there are equally harrowing misunderstandings of technology in businesses. The goal of the learn to code movement isn’t to turn everyone into professional cartographers; the goal is to teach them the world isn’t flat anymore.

When Sadowski says this:

If coding becomes a required skill to navigate a technological environment, then a large part of the population without the privilege of becoming fluent in code will be left behind. It will be the gap between the coding haves and have-nots.

…he’s got it exactly backwards. Coding is already a required skill to successfully navigate a technological environment. We already have a gap between the coding haves and the have-nots; it’s called the digital divide, and it’s been around for some time. Teaching people to code doesn’t make coding a required skill and somehow grow the digital divide; teaching people to code accepts that coding is a required skill and lessens the digital divide.

Let’s take privacy as an example. Here’s what Sadowski has to say about the impact of the learn to code movement on privacy:

What’s more, a society where people are expected to know how to code is one where powerful players like big corporations and government are more likely to ignore responsible design obligations — design decisions such as building in privacy protections and making sure technologies have a degree of transparency about how they operate. It would be like saying safety-enhancing features in vehicles aren’t necessary because everyone learned the basics in driving school… or worse, who needs to learn when autonomous cars do it for us anyway?

Again, this is almost exactly backwards.³ The more people know about coding, the more they would realize the incredible amount of effort that has gone into things like tracking individual consumers from website to website over a stateless protocol like HTTP. If you don’t know anything about technology, you might just assume that killing privacy was the cost of building the Internet. It wasn’t, and a great many of the hackers who actually built the Internet care deeply about privacy. If people started to learn how to code, they might begin to recognize that it is a profession, and that it comes with professional obligations. Here’s one from the ACM’s Code of Ethics:

1.7 Respect the privacy of others.

Computing and communication technology enables the collection and exchange of personal information on a scale unprecedented in the history of civilization. Thus there is increased potential for violating the privacy of individuals and groups. It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals. Furthermore, procedures must be established to allow individuals to review their records and correct inaccuracies.

The problem with the seat belt analogy is that currently technologists are the only people that even realize that ‘seat belts’ are important for computers. This is why computer scientists pick stronger passwords and use browser plugins like Ghostery or NoScript. The learn to code movement is similar to teaching people that seat belts save lives. People won’t protect themselves online if they aren’t aware of the danger involved. With some knowledge comes responsibility, but people can’t be discerning consumers of computer hardware and software without that knowledge either. Even big corporations and governments respond when people understand the dangers and demand safety. This is why cars no longer come with fuel tanks positioned to turn a relatively minor rear-impact collision into a giant fireball of death. To answer the title question of this post, yes, teaching people to code improves privacy.

Let’s take choosing passwords as an example. Understanding the basics of computer programming fundamentally changes the way people choose passwords. If you don’t know anything about computers, then you might rely on urban legends or questionable advice. If you understand the basics of how computers work, then you will at least be able to evaluate this advice.

For example, you may have heard that longer passwords are better, which is generally true. Under a brute force attack, where an attacker attempts to guess passwords based on all possible valid combinations of characters up to some length, longer is definitively better. However, under a dictionary attack, which guesses common, memorable words and phrases before resorting to completely random guessing, longer may not be better at all. Consider these two passwords: “rosesarered” and “6c8QUXgGew”. The first one is one character longer than the second, but it would be far more likely to be in a dictionary attack because it is a common, memorable phrase.

Other pieces of advice on choosing passwords are even more harmful to security and privacy. For example, almost everyone has been told that they should never write their passwords down. This is wrong. You should write down your passwords. Most attacks will be remote attacks, so it’s better to have a hard to remember password written down than it is to have one that’s easy to remember and easy to guess. Besides, securing a small piece of paper isn’t hard. Periodically changing your password is another piece of advice that’s mostly outlived its usefulness. There are some advantages in rather specific situations, but for the most part, picking a strong password is far more important than changing your passwords regularly. People who understand computing can evaluate advice like writing down passwords or changing them regularly. If you don’t understand computing, you essentially have to blindly choose whether you want to trust the advice or not.

Another huge advantage understanding provides over advice is that security is fundamentally adversarial. Advice eventually breaks in an adversarial system, but understanding can adapt. If some piece of advice is proffered, it affects the way passwords are cracked. Some years ago, the popular comic XKCD suggested what’s become known as the ‘correct-horse-battery-staple’ scheme for password creation. Like many schemes before it, this one was tested by academics and incorporated into password guessing algorithms. People who understand computing can find a better way to pick them or are better able to see the value in tools like 1Password or Password Safe.

Passwords are a good example of the privacy and security advantages provided by understanding computers, but it is not nearly the only example. Other examples include questions like:

1. What are the privacy advantages or disadvantages of accessing Facebook with a browser as opposed to an application on a mobile device?
2. How can I surf the Internet anonymously? What are the trade-offs of the tools?
3. How secure is my email? What are the benefits of encrypting my email?
4. What effect would clearing my cookies have on my ability to be tracked online?

Computer literate people also know what to demand from big companies and governments. Data breaches at large or high profile organizations (ChoicePoint, AOL, LinkedIn, Living Social, and many others) have caused concerned citizens to seek recourse in the courts, through the creation of new laws and regulations, and as more discerning consumers. Computer literacy is the difference between, “Well, we I guess it’s just not possible to keep all that information secure” and “Security is hard, but storing passwords in plain text is obviously irresponsible!”

Much of the modern world revolves around technology. Not understanding the fundamental rules of how technology works is a serious liability to everyone. The notion that better societal understanding of computers might, someday, lead to worse privacy and security protection is ridiculous. Currently, the fact that so few people are even aware of privacy and security problems is an actual, serious liability. And it’s one that the learn to code movement could correct.

Sadowski misunderstands the movement again with his conclusion:

But a world where coding dictates the future is not inevitable. Instead of making people adapt to technologies — in the process leaving behind large swaths of society — technologies should adapt to our needs and values. As the media theorist Marshall McLuhan said, “There is absolutely no inevitability as long as there is a willingness to contemplate what is happening.” There’s still plenty of room for our contemplation — and deeper consideration — of how to advance our future without leaving anyone behind.

I completely agree that technology must adapt to the needs and values of society. Too many tech companies don’t get it. Technology alone isn’t enough; technology must be tied to something human for it to succeed. Steve Jobs probably said it best:

However, this does not mean that people don’t have to adapt to technology as well. They do. When technology transforms the way we communicate, people have to update the laws and regulations that govern what society accepts as acceptable communications practices. When technology transforms the way we work, play, learn, and entertain ourselves, people will have to adjust. The learn to code movement supports those trying to understand the nature of the changes that have taken place. I would argue the Marshall McLuhan quote Sadowski closes with speaks more strongly in favor of the learn to code movement than it does against it. How are people to contemplate what is happening if they aren’t afforded an opportunity to learn about it? There are fundamental principles that govern computer science. How can someone ponder the inevitability of technology if they don’t understand these principles? It seems to me that this is exactly the problem the learn to code movement is trying to solve.