Who Controls the Killswitch?
The Blockchain Socialist | 2024-10-21 | 1:04:22
I spoke to Eric Alston again! Eric is a professor at University of Colorado and recently completed a fellowship with the Summer of Protocols studying the governance of killswitches. His report is titled "Killswitch Protocols: Or On Engineering Recursive System Death" and co-authored with Seth Killian and Garrette David. During the interview we discussed the history of killswitches, the many ways they can be governed and the implications of the governance system they lie in like in blockchain...
Top Keywords
No salient keywords identified yet for this episode.
Transcript
Speaker 0
0:00 – 0:12
I became increasingly interested in protocols because I saw them as the almost the equivalent of a constitution
Speaker 1
0:13 – 0:34
in digital context. So there is, you know, things just go. Oftentimes, they go without the ability to stop unless that is, like, built into it in a kill switch. That is especially true in the blockchain world where as long as, like, you know, miners or stakers or validators are continuously producing blocks, and that keeps going. The DAO hack also emphasizes
Speaker 0
0:35 – 0:55
a risk associated with not specifying a kill switch function. Not everyone agreed with it. And so often, you want to exercise kill switches predicated on a sufficient risk. You don't want the actual harm to materialize. You instead wanna intervene
Speaker 1
0:56 – 1:08
prior to the harm materializing is the ideal case. Probably one of the more difficult designs to make of a kill switch is, like, how would we make a kill switch more democratic?
Speaker 0
1:08 – 1:19
As our lives become increasingly intertwined with these platforms, I don't want the only choice of governance model to be the hyper centralized platform.
Speaker 1
1:32 – 1:45
Hello, everyone. You're listening to the Blockchain SOS podcast. I am Josh, and I am here with I think maybe this is your second or third time, Eric? Second. Second. You're a two timer.
Speaker 0
1:46 – 1:47
Todd Waltz. He is,
Speaker 1
1:48 – 2:15
a professor at the University of Colorado and a fellow of the summer of protocols, which was a program that I believe the Ethereum Foundation, helped fund. And he did some really interesting research on kill switches, which will go into a lot of detail in a minute. But maybe before we go into that, if, Eric, you want to kind of explain a bit what actually is the summer of protocols, and how did you get into it?
Speaker 0
2:16 – 4:40
Yeah. And so I became increasingly interested in protocols because I saw them as the almost the equivalent of a constitution in digital context. Blockchain protocols in particular have several desirable features that make them a lot like constitutional orders, something I had studied for a long time prior to even knowing what blockchain was. And so given that, I I saw somebody passed across my, my transom a, an advert for the summer of protocols program. And it was basically saying, we think the increasing importance of protocols in coordinating human behavior is underappreciated. A lot of people aren't even aware that they're a thing, yet they're materially governing outcomes for those people day in, day out, whether it be algorithmic filtering of con content, you know, like automation of criminal enforcement, the use of algorithms and sentencing and bail decisions. You name it. These the increasing protocolization of our human world in both private and public sector context is kind of a big deal. And computer scientists, they're like, yes. This is why we're passionate about this stuff. No no crap. You know? And so they definitely get the point, but this is a program saying we wanna welcome people from a a much wider range of disciplines and profess professions and ultimately, you know, get them to work on protocol related topics. They had a set of core researchers who devoted themselves full time to the program and specific topics therein. My kill switch protocols piece, sites directly to several of them surrounding protocol death, or the death of digital worlds, dangerous protocols, as well as swarm protocols. Those are all different core research projects with the summer of protocols program. I came on as an affiliate and got to go to a a very nice retreat outside of Seattle on a lake
Speaker 1
4:40 – 4:41
and
Speaker 0
4:41 – 6:26
Nice. Was learned then of a particular program requirement that I probably just missed in in in the email. I'm not good at reading all of all of my emails. And they were like, you should produce an artifact. And I'm like, I okay. And so I got together with, both, Seth Killian, one of the lead designers of Fortnite, as well as Garrett David, who's kind of a a a crypto investor and, you know, expert on all things crypto from my perspective. And we were talking over glasses of wine at the retreat and kind of gelled around the importance of kill switch protocols in part due to our discussions and advising of the three projects I listed. And so there was fellows and affiliates, although they ran the program again this summer, and it had a slightly different, structure in terms of there was a very applied projects that, you know, span the entire summer and were quite lengthy. And there were kind of shorter, I think they were called protocol pills that were, you know, much smaller bite sized chunks of work. Again, from people spanning an incredible range of disciplines from cryptography to, wildfire management in the Western United States. Just to give you an idea of, like, there's very physical world protocols as well as very digital protocols. And this program is dedicated to a better appreciation of and understanding of the importance of this particular tool. I view them as a particularly rigid subset of human institutions more generally, which is what I study sort of at a fundamental level that animates all of my research output.
Speaker 1
6:27 – 6:41
Right. So when you say that you're, you're saying for like, digital protocols are specifically, like, very rigid, human, like, instances of human Yep. Or was it? Yeah. Yeah. Human institutions.
Speaker 0
6:42 – 8:09
And so any it it it to me, I define governance as rule based ordering of people and natural resources. And those rules are fundamentally I place in two buckets. The protocols are formally protocols are formally specified. They're, you know, they're definitely written down or increasingly encoded in a way that is legible to third parties. And so protocols have a very institutional flavor of them. And, ultimately, I might quibble with some characterizations of a particular set of rules that are nondigital. What a lot of people call those laws, regulations, policies, contracts. And but they also do call them protocols sometimes, including with diplomatic protocols and other rule based articulation in human systems. Again, we're probably getting down a rabbit hole in terms of if you call it a protocol and I call it an institution and it's the same darn thing and it's important, probably doesn't matter that we're disagreeing over verbiage in and I certainly am not disagreeing with the extent to which protocol is the term of choice in digitally governed contexts.
Speaker 1
8:10 – 8:31
Mhmm. Mhmm. I guess when I when I think of protocols, like, in, like, human context, I definitely imagine something, like, quite rigid. Like like, in diplomatic things, there's sort of, like, you know, I don't know. You, like, have an article of, like, oh, you know, the president, like, lifted his pinky in this, like, out of the protocol of what he wasn't supposed to do. You know?
Speaker 0
8:32 – 9:17
Diplomatic protocols are very, very rigid in part because of the kind of the representative authority that the engaging parties are vested with. Like, they are trained, and it is instilled in them that they are not themselves in that moment. They are actually the representative of an entire sovereign nation of people. Yep. However odd and reductive that, like, that that notion is in in in terms of the true diversity of any constituency, nonetheless, they are, you know, they're representing much more than themselves, and therefore, the rules are very much this happens, then this happens, this is received, and then this, you know, great this show of gratitude occurs, etcetera, etcetera.
Speaker 1
9:18 – 10:37
Yeah. And I guess yeah. There's definitely a lot a lot where you're saying that, like, brings up to me, like, the, you know, code is lost stuff, and why I think, you know, in part, a lot of the blockchain the questions that blockchains have brought forward are not necessarily new ones, but they are intensified, I guess, especially when it comes to protocols and, like, code is law. Like, you know, there there are protocols for, like, you know, HTTP or, like, you know, when you are on a platform and how that works, and that is sort of, like, in a digital context, very automated. So there is you know, things just go. Oftentimes, they go without necessarily without the ability to stop, unless that is, like, built into it in a kill switch perhaps. But in that is especially true in the blockchain world where as long as, like, you know, miners or stakers or validators are continuously producing blocks, and that keeps going. So I think it's, you know, interesting that it took I mean, it took the Ethereum Foundation, I guess, or, like, from this perspective of of crypto to get to the point to where we're kind of taking protocols digital protocols and their effects, like, more seriously, I guess, and and more more yeah. Give given it the the attention it probably deserves.
Speaker 0
10:38 – 15:28
No. No. And it I mean, there's a lot to unpack in terms of kill switches and blockchains in particular. And, you know, a a kind of a a blockchain native response depending on their preferred network is it doesn't and should never have a kill switch. Yeah. That's, yeah. I don't know if you've read yeah. Not to get into it. Like, the Nick Land stuff that he's written on, like, unlike Bitcoin. But, yeah. And and, I mean, it good luck shutting that network down absent some sort of, like, a god in, like, outside of the machine in terms of an electromagnetic pulse, like, taking down the Internet for a period or something. But Right. It's it's designed not to be able to be shut down. And, I mean, there is no after the fact intervention when things go wrong. And I lost $80 of Bitcoin in a hard drive crash in 2013, and that's final. So thank you. To my deep chagrin today. But, you know, like, it it definitely there is no one who can sort of say, alright. We're dialing things back. We're, you know, getting you your private key again. It's like that is all gone. There is no ability to intervene in any type of centralized way in that network in particular. And so to me, that being said, that may or may not be a good thing for all networks. And the example I use is that of the validator intervention following the original DAO hack on the Ethereum network. Right. And that poses to me two important points. One, the ubiquitous emergence in sufficiently complex human engineered systems, the ubiquitous emergence in those systems of unforeseen, undesirable downstream outcomes. And that is the sort of the animating reason for the existence of kill switches in human engineered systems is exactly that. But the DAO hack also emphasizes a risk associated with not specifying a kill switch function. Mhmm. That was sufficiently delegitimizing to many people the more code is law. Let it execute. Let this be a costly lesson to not deploy buggy code with a recursive callback problem in it. You know, basically, let this be a costly lesson and a reminder of the finality of code. But, you know, it's letting a hacker get away with a lot of money, a massive percentage of network resources at the time, and the downstream consequences for, you know, adoption. I mean, you see people citing FTX as a failure of block chain technology to deter people from adopting it, an actual network failure of that scale due to a buggy contract in that particular DAO, it would have probably been quite bad for adoption. And so the need to punish bad actors in a public way, we have this power and we can utilize it, was very in the moment. And so had procedures been debated, contemplated, and dare I say, kind of formalized for how to respond in the case of such a circumstance, it probably wouldn't have had as delegitimizing of an effect. I'm not arguing that's what they per se should have done. I think hindsight is very much twenty twenty. And, again, there's a way in which contemplating and then actually embedding the ability to roll back the blockchain is a level of centralization of authority that one is at odds with a lot of the animating principles of these networks, and two, might be something regulators have a lot to say about when it comes to where actual governance authority is constituted for a given network. And so it's more I I try to be more agnostic in understanding institutions. And unless I'm in kind of, you know, an active voting or, you know, otherwise constituent member of a community, I try not to have a normative perspective on what was the right decision. And that it I I wanna understand what happened, the relevant trade offs underlying, you know, the institutional design that was in place and what might have been in place to ameliorate downstream outcomes. And so I think that one in particular is quite interesting when it comes to the case of kill switches even as there may have been nothing it they could have done other than respond the way they did in real time.
Speaker 1
15:28 – 15:54
Right. Right. Right. So maybe let's if we take a a slight step back, how would you kind of define what a kill switch is? It is simply just something that is this only, like, in the in a in, like, an automated system, I guess, or in a system that is, like, ongoing and then simply finding a way to stop that is whatever that is, a kill switch?
Speaker 0
15:55 – 19:43
So that's one of the most familiar forms of kill switches. And we actually perform in our in our summer of protocols research piece a bit of a kind of, like, etymological analysis, which was a fun kind of side fling for me, but trying to trace the emergence of the words kill switch, fail safe, override, and circuit breaker in the English language. Because these all have effectively a, you know, a similar function that we, frankly, for the purposes of kind of marketing and sexiness, you know, label all of these are kill switches. If we're being historically accurate, it's a circuit breaker that emerges first. And with the advent of electricity came the possibility that enough of a sort of change in the amount of electricity surging through a set of wires, there was enough dust around a particular area, you name it, it it it could cause fires. And so this miraculous sort of invention of modernity, the ability to harness energy in a specific form that can then be transformed to power all types of appliances and other even more complex systems was it directly created a need for a kind of a fallback, something that you can say, we don't know when the system will surge. We don't know when there will be a faulty wire. We don't know when, you know, in a particularly dusty area that in like, an area surrounding a wire will become, you know, filled with enough junk that that might actually combust if enough heat is applied to it in a dry place. And so all of these are we can't predict that, but we know that will happen. We don't know when it will happen, but something bad will happen if we don't try to solve this problem. And so by embedding a weak circuit that once enough current passes through it, it melts and no longer is electricity transmitted through the rest of the system, that is the circuit breaker. And so what comes after that is the emergence of human engineered complex systems that we can't foresee all downstream outcomes associated with their continuous operation. And so given that, we effectively embed a variety of fail safes, and they're called different things in different circumstances, but they're serving the same function that we think is more ubiquitous than people give it credit for. And so a great example is speedboats near the coast. If a large enough wave either knocks the driver out of the boat or incapacitates them, you don't want that boat to continue running at full speed. It's filled with, you know, in many instances, like racing gasoline and heading directly for a populous beach. And so the driver has something attached to their life vest that is plugged into the, to the engine console. So if they get knocked out, it comes out. If they get knocked out of the way, it comes out and shuts off the engine automatically. And so it's kind of a it's a fallback that is is saying, whatever the case may be, we don't want it to continue running under certain circumstances, and how can we effectively intervene in a set of circumstances to prevent that outcome?
Speaker 1
19:44 – 19:53
Yeah. That's why I was actually thinking that even, like, a lot of treadmills have, like, a little, you know, like, car to, like, pop out and you're supposed to hold on to it and maybe fall off.
Speaker 0
19:54 – 20:47
Yeah. Once you start, like, looking for kill switches, it's like, oh, wow. They're kinda there's a lot of those things, And and I'm glad they're there. I'm glad they're there. Final point at kind of an a definitional level is this analysis helped crystallize for me that human organizations being coordinated by a set of rules also have their own equivalents of kill switches. And so unions general strikes, capital markets in terms of prices oscillating enough in one direction or another or the whole market dropping enough in one or going in one direction or another. And similarly, constitutions, both in terms of their emergency provisions as well as their amendment provisions, I view those as a kind of institutional override.
Speaker 1
20:47 – 21:59
Mhmm. Mhmm. Yeah. I thought it was interesting in the in the paper that you wrote that you you mentioned labor strikes as a kind of kill switch, like a a human kill switch that that can be turned on once there's enough, like, collective power to kind of it's like rather than a kind of, like, a button that you press, it is it's a button that is that has maybe, like, pushback. And in order to press that button, you need, like, enough people on board to, like, push down on the way to or I don't even have whatever analogy you want to use, to get that to actually, happen. And that, you know, I think it just shows that, it's actually been pretty probably natural in human history to have kill switches. And maybe part of, you know, this is maybe me going off a little bit, but, like, kind of the, you know, accelerationist kind of ideas circulating around. And, like, I think libertarianism maybe more broadly could maybe be seen as, like, this desire to remove kill switches on the market. That markets should not have kill switches, that they should that capital should be able to keep going no matter what. You know?
Speaker 0
22:00 – 25:07
Well and, I mean, the analog exists both in in kind of an anarcho capitalist stance like you're articulating, but also it it generally under more communist and at least ideologically socialist motivated countries, there is no limit to government authority. And so to me, it's it's the it effectively both sort of ideological endpoints contain an element where they're like, this is supreme. This should not be the expression of the collective will in communist societies as reified by the communist party itself is seen as fundamentally, like, it it's supreme just as anarcho capitalists are like property rights and any exchange thereof should be ultimately supreme within their preferred system. And so that to me though is is just as individual voters, including expressing their economic interests, check the absolute power of the sovereign in market societies, so too does that sovereign on many, many margins check the ultimate power of capital within those systems. Maybe not to your preferred level or in the right ways. That's not a narrative of saying, like, we're in an optimal equilibrium by any means. But I do see both, like, you know, the this is this is a kind of stylized interpretation of a theory called the theory of the double balance put forth by North Wallace and Weingast in violence and social orders, one of my favorite books. And so they basically are like what what leads to certain levels of both economic development and government capacity, and they're like, the two integrally depend on one another. And so for them, they're like, it's absent reliable, credible, impartial third party enforcement by a capable government, an economy can only grow so large. That's Hernando de So to's, you know, kind of mantra for a very long time. And they're like, that's true. But absent a certain level of economic development, a government can only derive so many revenues and so much capacity. And so they view the two as ideally in a symbiotic relationship with one another even though there are many examples where that relationship isn't functioning well. So, again, it's not saying everything is always good everywhere all of the time in market societies. They're just saying some societies seem to have much more capable governments and much stronger economies, and they're like, that is not a coincidence. That's actually that's both are a necessary component to achieving a more beneficial equilibrium, however imperfect it might be. And so it's not it's not a narrative of these systems are utopian. They're saying in a relative sense, they seem to be doing better both politically and economically. And they're like, it's probably the case that those are not separable, margins of performance.
Speaker 1
25:09 – 25:25
Yeah. Sure. Sure. I think it's like, yeah, perhaps kind of ongoing struggle of where do we put the kill switches and how many of them and who gets to control them and, you know, what activates, you know, the kill switch and where against who.
Speaker 0
25:26 – 25:59
And I think I view the union general strike as part of a solution for ultimately different digital governance dilemmas, especially surrounding data stewardship and data intermediation in particular. And so to me, libertarians don't have to be opposed to labor unions because it's a question of which liberty you find more important, liberty of association and liberty of contract.
Speaker 1
25:59 – 26:01
And so They're like, the American
Speaker 0
26:02 – 29:45
or European definition. We wanna contract away your ability to have a union. And there are certain things that we're not allowed to contract away under most market societies. Again, an an anarcho capitalist would be like, you can contract anything away including your own life. Generally, that's not, like, that's not the widely held position of even more market oriented types. And so to me, at least in private sector context, I think there are strong economic arguments about the incentive alignment that unions can potentially create. Today's debates about the current dock workers strike where, you know, if you look at the income distribution of those dock workers, it's it's it's not clear to me that they're necessarily, bargaining for fairer returns versus the fact that all goods come through these, basically, one perception on that outcome is everyone will pay more for their goods, and so it's a redistributionary move as opposed to aligning the incentives. And but this is part of the problem is they're kinda negotiating with semi public authorities in the case of ports. And so I think in private sector context, unions in particular serve an important incentive alignment function, which is you don't want the general strike to be exercised. And knowing that, it induces this sort of powerful counterparty to bargain in good faith with, make no mistake, the very centralized union representative, and boy, do they wield a lot of power. And so those two parties, it's thought to better align their incentives and can be defended under the freedom of association. But I think in digital context, there's an interesting analogy. You don't like what Facebook's doing with your data? You can rage quit today. And Facebook's like, sorry to see you go. You're one of billions. You know? And so, effectively, they they have all of the bargaining power in a relationship when it comes to uses of people's data. And so I think the analogy of a kill switch is useful because it's a design element of a data trust that I help to constitute, and the superset trust, as it's called, to constitute. And the superset trust, as it's called, basically monitors the uses, users, revenue, security, and privacy of data practices that third party data users are doing with data contributors' data. And they can batch revoke all data contributors' consent from third parties if they decide it's being put to uses that are inappropriate. This economizes on attention costs. It effectively concentrates and enables specialization in the monitoring function, but, critically, it's an independent organization. So it's not like Facebook's internal oversight board. It's not dependent fundamentally within the organization, and similarly, unions are independent organizations. They are not paid by the corporate entity with whom they are, you know, negotiating. And so the threat of a general strike, we call that a circuit breaker in our data trust context. And for obvious reasons, given what I'm talking about in terms of kill switches, fail safes, overrides, and circuit breakers, it ideally is never exercised. But its presence better aligns the incentives of potential third party users of data contributors' data.
Speaker 1
29:46 – 32:52
Hey there, listeners. Before we jump back into today's episode, and help us continue our mission of providing a voice for alternative and radical viewpoints on crypto. As a creator, there are typically three main ways to generate revenue, advertising, affiliate sponsors, and audience funding. For us, the first two options don't align with our values or the radical nature of our content. That's why we rely on audience funding to pay for the costs associated with producing the show. By becoming a patron on Patreon, you're not just providing financial support, you're actively participating in the growth of a community dedicated to creating high quality content on the crypto and blockchain space from a political point of view. Your contributions to Patreon enable us to create more in-depth content, bring on amazing guests, and exploit issues that matter to you without the constraints of traditional sponsorship. When you join us on Patreon, you'll receive access to exclusive content, blockchain socialist swag, and a copy of my critically acclaimed book, Blockchain Radicals in digital format. More importantly, you'll play a vital role in sustaining your community of like minded people who share your passion for meaningful change in the blockchain space. If you're looking for a more decentralized option, consider joining TBS DAO, which is a crypto alternative to Patreon by paying in BREAD, a post capitalist cryptocurrency, which you can find more information on my website. However you support your contributions, make a real impact. Together, we can amplify the voices pushing the boundaries of what's possible and help spread the message that blockchain does not need to be used to further entrench capitalist exploitation if we put our efforts into it. So if that message resonates with you, I hope you'll consider helping out. I really wanted to go, you know, a little bit deeper into the role of governance of a kill switch system and how is it oftentimes governed. I think you you spoke a little bit in what you had written, the reports about how nuclear reactors, how their kill switches get engaged. That was really interesting and kinda brought to mind for me this paper by Langdon Winner, who wrote a piece called do artifacts have politics, which is really interesting in which he talks about how, you know, technology is inherently political, based on how they're designed. You know, they can be, like, more authoritarian or democratic and uses the analogy of or the example of nuclear reactors as being an inherently authoritarian technology because of how centralized they are, how much centralized governance they require in one way one interpretation of it. Whereas, you know, things like solar power are more democratic because they don't, they don't require such intense authoritarian governance, and anybody can kind of, like, just own a solar panel, and it's not that big of a deal versus owning your own personal nuclear reactor. Yeah. I was curious what you thought about, you know, the the role of governance and how these things are governed, especially in, like, very intense situations like a nuclear reactor.
Speaker 0
32:53 – 44:13
And so I I broadly agree with the contention that most technology is political on certain margins. And in particular, it it for the governance of kill switches, they can range from the automated to the highly distributed. What do I mean by that? We've already discussed an automated kill switch that of if enough power courses through this wire, it will melt immediately, reliably and predictably. And so above a certain threshold, power is shut off to this home. And that's, you know, both beneficial because it removes all human discretion and detrimental because it removes all human discretion. Right. And so, ultimately, it's it's anyone who's had a circuit breaker flip on them knows that they don't always go in cases that felt truly dangerous. Big question is, like, could you even see what was happening in terms of the power load? But I push my, you know, basement, vinyl setup a little too hard, and I flipped that kill switch in the circuit breaker box with surprising regularity. And so the problem is is there are many contexts where we don't want the automated exercise of a kill switch simply because it's either a sufficiently nuanced question of whether its exercise is desirable, and it's something that you can't predict ex ante. And so we can predict power being above this level as driving a much higher likelihood of electrical fires and destruction of sensitive, you know, electronic equipment. And so we know enough in a relative sense, that's a simple context compared to, say, a nuclear power plant. And so the set of forces that can lead to negative outcomes, a tsunami in Japan, to take but one example, are not fully subject to the foresight, let alone control of those that are actually governing the system. And so given that predictable likelihood of something might go wrong, we don't fully we can't fully see all downstream outcomes. Therefore, we probably wanna exercise this kill switch. To me, like all human governance dilemmas, both the design of the governance itself as well as the exercise of that governance authority pose deep trade offs. Mhmm. One is a highly specialized and well trained engineer in front of a red button, how many seconds, probably less than two, does it take them to hit the button? Maybe five seconds if they're like, this is a big deal. Wanna make sure that I'm, like, legitimately exercising it. If you're Homer Simpson, maybe longer. But Yeah. No doubt. And we actually in our draft, we had an AI generated, Homer Simpson and then realized, like, I would not want to welcome the wrath of the copyright holders of that particular valuable enterprise They will kill switching around. Letting that, let alone bringing it down on the Ethereum Foundation at the same time. They'd be like, we used to like Eric, and then and then we had a legal nightmare created by his injection of a Homer Simpson looking enough AI art image. But you're right. Absolutely. Like, that also poses the question of, is the person exercising the kill switch specialized and competent enough? And so for very technical, you know, and time constrained environments, you may well want a very centralized exercise of that kill switch, but it's also you know, it it it does rely in a really on the capacity and the uncorruptibility of that particular individual. That being said, the trade off for more distributed systems is, you know, how many imagine it was subject to a vote. Well, for a distributed system like a blockchain network that's all over the world, what percentage of the necessary voters are even awake and are even paying attention. So that gives rise to the attention cost problem, but it what? You can't exercise the kill switch if enough people don't vote because another major trade off with distributing authority for it is not corruptibility, but adversarial exercise of the kill switch due to capture. And so if you don't have a quorum on your voting on a democratic exercise of a kill switch, then some people will be like, let's perhaps the network's competitors, perhaps just people who want to mess around and find out as they say, basically, you're like, yeah. Let's shut this system down because we can muster, you know, enough to exercise the kill switch. But the problem is is if you have a healthy quorum, how long does it take you to even hit the quorum to say, yes. Let's exercise the kill switch. And chances are the bad things have already happened. And this is exactly why you see things like emergency powers contemplated in constitutions. Because they're like, sometimes the executive, especially in war, can't wait for a vote of congress to authorize every decision they make every single day. They need to actually act in real time. Again, that's not to say that the use of emergency powers is always and everywhere good. Their ubiquitous contemplation in constitutional documents is a testament to their necessity, But their very existence sort of betrays the danger associated with a lot of centralized exercise of authority, which is you tend to see states of emergency extended on very thin pretexts in a lot of countries. Because the executive is like, this is wonderful. I don't have to wait for the parliament or the legislature to act. I just I do whatever I want whenever I want, and it's a state of emergency. This is great. And so it it it it's definitely not a defense of many of the uses of the emergency power, but the emergency power, I think, can properly be understood as a kind of constitutional override, which is in times when we need to act urgently enough, this other more burdensome democratic apparatus is suspended for a period. And in some cases, your rights are suspended because you making a claim against the government for violating your rights, if it's severe enough, typically a court that you make that claim to will say, hey, government agency. Cease your actions until we can try whether or not this is a rights violation. Granted, there's an interesting kind of kill switch filter at the beginning of court proceedings, which is if the case is obviously, you know, on baseless grounds or the way the facts are pled is like, this is not this is not a colorable tort in this particular jurisdiction. The court can dismiss the case immediately. Motion for summary judgment is what it's called in in civil procedure. And so, ultimately, they're like, once you begin looking for kind of overrides that enable discretionary intervention tailored to make a complex system work more in line with the intent of original designers and those subject to it, once you start looking for those things, it's like they're kind of everywhere. But finally, back to the is technology political, I'd say yes. And I have a piece in the MIT computational law report entitled governance as conflict. What did the DAO hack provoke within the Ethereum community? The need to intervene, and boy was that decision to intervene controversial. Not everyone agreed with it. And so often you want to exercise kill switches predicated on a sufficient risk. You don't want the actual harm to materialize. You instead wanna intervene prior to the harm materializing is the ideal case. But that means it's a game of expectations. And so naturally, people, especially if their interests are implicated within a system differently, will disagree about what is the right level of observed expected harm, What is the right level of observed risk, so to speak, that is sufficient for the exercise of a kill switch? Because make no mistake, it's costly. The system stops running. Whatever it was supposed to run-in furtherance of is no longer being produced or coordinated over in that period. And however long it takes to kind of resolve and restart the system is very costly. And and, the more complex and kind of far reaching the system I mean, imagine if, like, the SWIFT network went down or global financial institutions couldn't coordinate. Even for two days, I think that would have, like, incredible knock on effects in terms of, like, economic and financial activity that would take, like, at least a month, if not months, to unwind. And so shutting these systems down is itself very, very costly even as we recognize the need to do so in many instances. And because of that, those conversations are a function of people's beliefs, interests, and preferences surrounding why they're part of the system, why they want the system to be, like, running, etcetera. And so, therefore, the exercise of a kill switch both is it centralized, dude with a red button, or is it much more distributed these five different, you know, department heads all have to ascent to one thing, and then the kill switch is exercised? Getting five people to even be awake at the same time is hard, and getting them all to agree on something is hard. And so, naturally, the more decentralized the kill switch, the more democratic it's exercised, that both raises efficiency questions. How quickly can you act? Probably gonna be a more representative decision. Make no mistake. But how quickly can you act, and, ultimately, is the distributed exercise sufficiently specialized to understand the expected risk that is predicating a need for, the exercise of the kill switch. And there's the question of, does a more democratic system enable capture adversarial intent? And we talk about this in terms of activist shareholder takeovers in corporate governance context. Anyone can buy the shares, and if they buy enough of them, they can actually oust, you know, management.
Speaker 1
44:14 – 47:42
Yep. Yep. Kind of like the half thought that's going on in my head is that there seems to be, I mean, we seem to know more about kind of what I can only yeah. I guess, like, collective kill switches within, human processes or largely or purely human processes and institutions. With digital ones, it's a lot more complex to the point to where I think it feels probably very difficult to have kind of collective forms of kill switches. That's why we see this kind of, like, kinda like the circuit breaker, like, protocolized versions of it or, maybe more a particular guy is able to turn it on or off. And which is interesting, like, the so, like, with in relation to, like, digital systems generally, like, on platforms, that's definitely the case. Like, I think it's probably very difficult to, like, one, there's no culture of collectivity or democratic management on platforms effectively in in mainstream kind of design of platforms. But then with the blockchain space, I think that that question, like, opens up a little bit perhaps because you have more of a maybe defined public in some way or, like, others have the power besides the the guy who started it kind of thing. So it it seems like, yeah, there there perhaps this question is becoming more and more interesting because the question of kill switches are now, like, there there has been a little bit of an expansion of, like, what is possible perhaps in the case of blockchains. And so we see, like, in two two examples that are that I mean, one, you've kind of, like, talked about before, which is, like, people who run nodes, whether it's a miner or validator, turning off or, like, forking something or, not wanting to run a particular code in the client and the protocol. And then on the other side, there are also, like, you can think of, like, multisigs that control entire protocols, like bridges, like I mean, so many different things, and they're oftentimes held by multisigs. And that's and, like, the on one side, there's, like, course, lots of debate about the security of these things, but there's, like, the larger the multisig, the more secure generally thought of as or, you know, higher percentage of the multisig and a larger multisig kind of, interaction. Or you have, like, like, potentially, like, token voting as part of this as well. You had the example of, I don't know if you know of, like, Juno Network, this project, in the Cosmos hub where they effectively did the same thing as a DAO hack in a sense where they took back a bunch of money that, you know, even though the protocol was allowed, like, the social rules were meant to be so that this person was not to get so much, like, in an airdrop. And so they took it. They basically took seized it from him. They did some, you know, forcible collective redistribution. In the process, it's not, like, super interesting. It's, like, another form of of of kill switch, I guess. So, yeah, I guess the the there's plenty of research space now in this, with this analogy of kill switches and and now more collective social institutions.
Speaker 0
47:43 – 54:17
Yeah. And I would first say part of my interest in distributed network governance is not based in the effective coordination of the exchange of abstract network native units of account and derivative instruments built upon them. And so, granted, I think blockchains are very good at coordinating something that is entirely native to an internal ledger. Mhmm. And so, naturally, what is like, we were very like, our money was already digital. It's already just numerical balances on ledgers maintained by tightly regulated financial institutions in The United States, not as tightly regulated in other parts of the world. But that is something that is very tractable to complete definition internal to a particular networked environment. The state of the ledger is what the Bitcoin network says because it is engaged in the process of issuing and then faithfully tracking those fully network native units of account. And so I see that as the very natural first step in figuring out what more distributed networks can productively coordinate and govern in furtherance of. And my interest, therefore, is much broader because as our lives become increasingly digital, entwined with the digital, coordinated by network protocols as we began this conversation, protocols are becoming more important. Because of that, that means I don't think the only model of governance that I want is akin to a hopefully benevolent dictator. And I think in many instances, these platforms' incentives are pretty well aligned, not at all, mind you. But in many instances, they don't want to betray their users because they'll lose their users, they'll lose the data, and they'll lose the entire thing that they make money off of. And so that's not again, I'm not saying everything's okay under the hood of the platforms, but I think for some purposes, centralized governance works fine. But as our lives become increasingly intertwined with these platforms, I don't want the only choice of governance model to be the hyper centralized platform. And I use the example of the Canadian truckers protesting their government. And I'm agnostic about the validity of their protest. I'm not Canadian. I wasn't subject directly to those policies, and I definitely don't want on this podcast to, like, wade into the appropriate COVID response or not because, boy, that's not in my area of expertise. But what I do see what is in my area of expertise is how you protect political and civil liberties within a constitutional system and not allowing warrantless seizure of property without appropriate or without an eminent domain proceeding. So there's three ways the government can take your property broadly construed. One, they're like, there's a sufficiently important public purpose for it, and we're condemning it using imminent domain. The second is you were engaged in criminal activity, and this property was also the direct fruit of or part of your engaging in that criminal activity. So they initiate a criminal proceeding against you and attach that property to you. The third, and it's a pretty disturbing area of law, the more you wade into it, they can actually seize your property and say, you have to prove its innocence before the court, but we think this property is the fruit of criminal activity. And that's civil asset forfeiture law. Canadian truckers are making the, you know, Canadian government's life harder when it comes to the implementation of their COVID policies. They're directly saying they're unjustified, ineffective, or in violation of their rights. They're causing economic harms. And whether or not that was true, I do think a really important civil liberty is the ability to protest government activity. And so then these protests turn out to be more popular with a much broader set of people than the Canadian government may have predicted. And so they raise a bunch of money on a crowdfunding platform, millions of dollars. The Canadian government, not through eminent domain, not through criminal or civil proceedings, calls the crowdfunding platform and says, could you go ahead and freeze that money? Make it so that the Canadian truckers that were receiving this money to continue protesting, they still needed to eat, they still needed a place to, like, you know, rest, they effectively shut down the financial arm, the backing of that protest. And so for me, that has much broader implications than whether or not that was a well, like, founded protest. Mhmm. So I see silly things being protested all the time. And for the people protesting them, they're not silly. They're their political or religious beliefs. And so for me, in a world where our lives are increasingly intertwining with the digital, where they can freeze your economic and financial livelihood with the press of a button, I'm like, I would like different governance models out there. And so the development of different governance models and this is to me like an interesting case of, like, a speculative frenzy resulting in high frequency innovation in how we have different distributed network governance models. I don't think most of the current cryptocurrency networks that are out there will persist. We certainly don't need 4,000 of them. But given that, I still think there will be benefits because it's like literally just clicking into slightly different models for governing networks in a more distributed fashion. And I suspect the benefits of that will not be limited to the issuance and faithful exchange of network native units of account.
Speaker 1
54:18 – 54:58
No. Yeah. I can definitely agree with a lot of what you said. Yeah. I spoke about the the Canadian truckers in my book as well in case people wanna check it out. But, yeah, maybe to kinda start to to to wind it down, I'm curious to hear from you. Based on all this research, are there any, like, lessons to be drawn on the design of cool switches you believe? Like, if we assume perhaps especially if we took take in the direction of, like, the probably one of the more difficult designs to make of a kill switch is, like, how would we make a kill switch more democratic, based on your research?
Speaker 0
54:59 – 61:06
And so to me, it's the continuum of governance choice ranging from fully automatic to and there's benefits to having no discretion in certain contexts. Two, very distributed. But that poses a number of different trade offs that any system designer should consider before designing the specific intervention that a kill switch will take, but who gets to make that decision. That's the governance of the kill switch itself is, you know, what is your system coordinating in furtherance of? What is it producing? What is it doing when it's producing? Because the people that are interacting with your system, the thing it's producing, if you're producing nuclear power, you need a nuclear reactor, and that creates very specific risks, very specific capabilities that are needed to assess those risks, as well as a very urgent need for intervention swiftly if things seem like they're going sideways. And so that particular purpose that that system is producing or in in organizational context is coordinating in furtherance of tells you a lot about the risks that you will have to be monitoring in order to prevent the negative outcome from occurring that you can sufficiently foresee or have time to intervene in terms of, you know, the DAO hack. They just rolled back the blockchain in terms of all of the money that went into the DAO originally, effectively. They didn't to my understanding, they didn't technically roll it back, but, I'll leave that that question for somebody much more versed in the protocol layer of the Ethereum network itself. But that is to me the things that the system is coordinating in furtherance of will inform, including the participants that it's attracting in that ecosystem, especially if it's coordinating humans, will determine the risks that are being faced. That is likely to tell you how urgently do you need to intervene, how specialized of knowledge does that intervention require, because those are two of the context that you tend to see more centralization of kill switch authority relative to very decentralized exercise of kill switch authority. But make no mistake, you know, there are recall elections for public servants. And so there are definitely contexts where democratic exercise of that democratic input to the exercise of a kill switch is desirable. But those are often periodic. You can have extraordinary ones under certain circumstances in some political systems, but how long do you need in advance to tell people that there's going to be a recall election? How long should your voting window be open in order for that democratic decision to be wrought? It probably shouldn't be a three minute window at 3AM on a Tuesday. And so the more you actually say you wanna distributed exercise of some type of, you know, override of the system, the more it's likely to take time to truly yield a representative decision that is not subject to capture. Because I alluded to the need for a quorum earlier to effectively prevent against a very, very tiny minority of a group forcing something through because no one was paying attention. But a quorum then runs up against some other very thorny issues, which are some of these systems people just aren't paying attention, including in political systems. The participation rates in noncompulsory voting systems around the world, those participation rates are, you know, like, shocking to people who don't study them. You know, depending on the election, sub 40, you know, is is is fairly common. And so if your quorum's at 40 to exercise a kill switch and people just don't show up because they aren't paying attention, then that's not a very effective kill switch function. And so there's this deep tension between, you know, hyper centralized and the ultimate kind of centralization is systems designers automate away the ability for discretionary intervention in real time. In some systems that are sufficiently simple and we can predict enough of the relevant risks, that's pretty cool. But the more complex and the more human involved the system is that the people are being coordinated by, the less likely it is that you can fully automate Axante a, you know, the right decision. This is the unpopularity of traffic cameras and other automated means of criminal enforcement is, you know, sometimes someone's speeding because they're intoxicated or they're reckless. And sometimes somebody's speeding because they're in a really deep human emergency, and do we wanna punish them for rushing their, you know, like, very prematurely birthing wife to the hospital? Those are distinguishable circumstances, but not to the camera that's just taking the photo. And so there are many circumstances, especially those involving humans, that it's you know, every rule is over and under inclusive is the way that legal legal scholars refer to this problem. Some people will obey the letter of the law even though they're doing something that's at odds with everyone's intent in enacting the law, and other people will violate the law. And everyone's like, that shouldn't be punished. That's definitely a violation, but, like, let's let this one go. And that that very need for human discretion in interpreting things is real time and often after the fact. But effectively, that means we can't fully define the set of triggers for the execution of a kill switch protocol in many, many complex human engineered systems.
Speaker 1
61:07 – 61:40
Right. I think, to me, it seems like the if you wanna be a designer, be aware of the pros and cons. There's no perfect system. We can't, like, engineer something perfect, that human, intervention is sometimes important, that, you know, maybe you have less legibility. We have the ability to, have certain types of oversight, and digital systems don't really have nuance. They're highly legible, but lacking in in a lot of nuance that only a human can really provide if they have that information.
Speaker 0
61:40 – 63:08
Yep. And I recently published a piece entitled norms, institutions, and digital veils of uncertainty, exploring, this particular question, which is protocols are incomplete just as all human institutions are incomplete. And someone saw it on Twitter, and they were like, ah, that's why your Twitter handle is incomplete rules. And so to me, the thing that kill switches are driving at, that fail safe circuit breakers and overrides are driving at, is something fundamental to human systems, which is our foresight is imperfect, and that poses a really, really deep dilemma for institutional designers, including protocol designers, which is they can't the messiness of human intent as mapped to the action space of the system they've created, the messiness of human intent always creates the circumstances that they couldn't predict. The edge cases of, like, do we want this rule to execute? Do we want this hacker who is playing by the poorly specified rules to make off with all of this money. Because make no mistake, that was consistent with the rules, but that was not a desirable outcome by any stretch. And from the perspective of enough validators, enough constituents of that ecosystem that they were like, let's actually change the rules in real time to prevent that person from making away with the money.
Speaker 1
63:09 – 63:23
Yeah. Yeah. Thanks for spending the time and teaching us about kill switches. Maybe you want to, share with listeners where they can read the full reports of your work and where they keep up with you.
Speaker 0
63:24 – 63:48
Yeah. It's at summerofprotocols.com, and it's found under module five, supplementary materials. But I'd encourage folks, if they're interested in protocol design, if they're interested in, like, the increasing extent to which protocols are governing our lives, they should definitely dig into the many other materials from the folks I was lucky enough to work around and learned a lot from.
Speaker 1
63:49 – 64:01
Yeah. Sure. Yeah. Thanks so much for again, I am now going to engage the kill switch, which is centrally governed by me to turn off the recording. Thank you.