Refusals

On December 13, 2020, the cybersecurity firm FireEye publicly disclosed that it had been breached, and that the attack vector was a trojanized update to the SolarWinds Orion network management platform — software used by some 18,000 organizations to monitor their own internal networks. Hours later, the U.S. Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21-01 ordering every federal civilian executive branch agency to immediately disconnect SolarWinds Orion from their networks. The intruders had been operating undetected inside U.S. government and Fortune 500 systems for approximately nine months.

The list of confirmed victims included the U.S. Treasury Department, the Department of Commerce, the Department of Homeland Security, the Department of State, the Department of Justice, the Department of Energy — including the National Nuclear Security Administration — the National Institutes of Health, Microsoft, Intel, Cisco, and Deloitte. The attackers were later attributed to APT29, the cyber-operations arm of Russia's Foreign Intelligence Service. The most powerful intelligence apparatus on Earth could not detect a foreign intelligence service inside its own treasury for nine months — because the software it was using to monitor its own networks was the attack vector.

SolarWinds was not an aberration. It was a representative sample. One month before, in November 2020, Cybersecurity Ventures had published the projection that would frame the rest of the decade: cybercrime damages would reach $10.5 trillion per year by 2025, up from $3 trillion in 2015 — making cybercrime, if measured as a country, the third-largest economy on Earth, behind only the United States and China. Five months later, in May 2021, Russian-affiliated ransomware operators DarkSide shut down the Colonial Pipeline, the largest fuel pipeline on the U.S. East Coast. The pipeline operator paid $4.4 million in cryptocurrency ransom to restore operations. Gas stations ran dry from Florida to New York. Hospitals had been paying ransoms throughout the pandemic. Critical-infrastructure operators had been paying ransoms to keep water-treatment plants and oil pipelines running. The companies that built the architecture were making tens of billions of dollars per year selling defenses against the consequences of their own design.

The malware was not a defect of the internet. The malware was the predictable output of an architecture in which every endpoint is reachable, every identity is forgeable, every piece of software is an unverified payload, and every defender is asked to win a race against attackers who only have to be right once. The economy of cybercrime exists because the substrate permits it. The substrate is the answer.

On March 17, 2018, The Guardian, The Observer, and The New York Times published simultaneously the testimony of Christopher Wylie, a former Cambridge Analytica employee, who released a cache of internal documents showing that the company had obtained the personal data of 87 million Facebook users without their consent and used it to build psychographic profiles for political microtargeting in the 2016 Trump presidential campaign and the Brexit referendum. The story knocked more than $100 billion off Facebook's market capitalization in days. Mark Zuckerberg testified before the U.S. Senate Judiciary Committee on April 10, 2018. Cambridge Analytica collapsed in May 2018. In July 2019 the U.S. Federal Trade Commission imposed a $5 billion civil penalty on Facebook — the largest such fine ever issued against any company — for misrepresenting its data-sharing practices to users.

The architectural detail that mattered most was buried in the disclosures and was, in retrospect, the entire point. Cambridge Analytica did not breach Facebook. It used a feature Facebook had built. The data was collected through an app called "This Is Your Digital Life," developed by researcher Aleksandr Kogan. The app harvested data not only from the people who downloaded it, but — through Facebook's Open Graph API, designed by Facebook to let third-party developers reach into users' social networks — from every Facebook friend of every person who downloaded the app. Two hundred and seventy thousand consents produced data on more than thirty million users. Facebook did not call this a breach because, by Facebook's own architecture, it was not a breach. It was the platform working as designed. The architecture was the indictment.

By 2018 the disclosure cycle had already run its course. The Snowden documents had been five years old — PRISM, the Verizon metadata order, the bulk collection programs, all of it on the public record since June 2013. The Cambridge Analytica revelations did not break new conceptual ground. They simply made the same architectural fact undeniable in a different domain: whatever was being watched was being sold, and whoever was buying was using it to shape the future of the watched. Disclosure was not the corrective. The architecture was unchanged because the architecture was the business model. Every page loaded was a beacon. Every search was a confession. Every conversation in the proximity of a microphone was a candidate for indexing. Every location was a coordinate, every relationship was an edge in a graph, every moment of attention was an asset on someone else's balance sheet.

In 2019 the Harvard professor emerita Shoshana Zuboff published The Age of Surveillance Capitalism and gave the architecture its academic name. The category was now named, documented, and indicted in book form — on bestseller lists, in university curricula, in policy hearings. And nothing structurally changed. The same companies that had been caught participating in the surveillance economy were larger, more profitable, and more deeply embedded in the lives of more humans than ever before. The surveillance was not a bug, not a feature, not a regrettable side-effect of helpful services. The surveillance was the product. The user was the source material. The advertiser was the customer. The human at the center of the architecture was an extracted resource — exposed end-to-end, profiled in detail, and unaware of the scale of their own exposure.

On September 7, 2017, Equifax announced that hackers had operated inside its network for seventy-eight days — undetected, because an expired SSL certificate had disabled the company's own network monitoring — and had exfiltrated the Social Security numbers, names, dates of birth, addresses, and in many cases driver's-license numbers, of 147 million Americans. Roughly fifty-six percent of the U.S. adult population. The breach was eventually settled for $700 million — the largest cybersecurity settlement in U.S. history at the time — with the FTC, CFPB, and fifty state attorneys general. Affected consumers were entitled to claim up to $20,000 each. The CEO of Equifax, Richard Smith, received $19.6 million in stock bonuses after the breach — roughly one thousand times the maximum payout any individual victim could collect — plus lifetime medical coverage. The CIO of Equifax U.S. Information Solutions, Jun Ying, was separately charged with insider trading for selling Equifax stock between the discovery of the breach and the public announcement.

The breach was not an accident of the credit-reporting architecture. It was the architecture functioning as designed. The three U.S. credit bureaus — Equifax, Experian, and TransUnion — operate as a de facto cartel. They collect financial, employment, residential, and behavioral data on every American adult without consent, sell that data to lenders, employers, insurers, and landlords without compensating the humans the data is about, and profit twice when the data is breached: once selling the data, and again selling breach-recovery products to the same victims whose data they failed to protect. Free credit freezes did not become mandatory in all fifty states until after the Equifax breach — because until then, the bureaus had been charging fees to lock down data that was their fault to leak in the first place. The bureaus lobby continuously against consumer-protection legislation. They are not subject to the consent of the people they profile. The American adult is the product. The bureaus are the marketplace. The breach is just the price of doing business.

The Equifax breach was not unique. It was the loudest example. Capital One, July 2019, 100 million Americans and 6 million Canadians. T-Mobile, August 2021, 76 million Americans. UnitedHealth/Change Healthcare, February 2024, an estimated one-third of all Americans' medical records. The pattern is uniform: a corporation collects sensitive data on a population without that population's meaningful consent; the data is leaked through preventable failure; the corporation pays a fine that is a fraction of the revenue the data generated; the executives keep their bonuses; the population's data remains permanently exposed; and the next breach is on the calendar.

The human cost is not abstract. In 2023 the Identity Theft Resource Center reported that sixteen percent of identity-crime victims who contacted the organization had thought about ending their lives — up from ten percent in 2022, up from eight percent in 2020, an all-time high since the survey began. The CDC's nationally-representative survey for the same year found that 5.3 percent of U.S. adults reported suicidal thoughts in the prior twelve months. Identity-theft victims are reporting suicidal ideation at three times the rate of the general adult population. The data does not return when stolen. The recourse is letters, phone calls, hold music, denials, fees, time, and humiliation. The architecture treats the human as the failure point — as if it were the human's job to defend a perimeter that the architecture was designed to leak. Identity theft was not a crime against the system. It was the system functioning as designed, and the humans inside it were the raw material.

On March 28, 2017, the United States House of Representatives voted 215 to 205, on a strict party-line vote, to repeal the Federal Communications Commission's Broadband Consumer Privacy Rules. The Senate had passed the same resolution five days earlier on a 50-to-48 party-line vote. Six days later, on April 3, 2017, President Trump signed it into law. Congress used a procedural mechanism called the Congressional Review Act — before that year, used exactly once in its entire history — that does not merely repeal an agency rule, but permanently bars the agency from ever issuing a substantially similar rule again without new congressional authorization. The U.S. Congress did not just kill the privacy rule. It sealed the door shut behind it.

What Congress voted to allow internet service providers to sell — without customer consent, without disclosure, without breach notification — was, in the words of the repealed rule itself: web browsing history, app usage history, the contents of communications, geolocation data, financial information, health information, children's information, and Social Security numbers. The rule had also required ISPs to inform customers of data breaches. Congress voted to eliminate that obligation too. Comcast, AT&T, Verizon, and every other broadband provider in the country — companies that had unique access to every site a customer visited from their home connection — were now free to sell that record to anyone who would buy it. Disabling cookies could not stop ISP tracking. Adblockers could not stop ISP tracking. Encryption did not stop ISP tracking. The architecture of broadband itself was the surveillance vector, and Congress had just voted to monetize it.

By 2017 the open web had already become a tracking surface. Every page loaded scripts from companies the user had never heard of. Every search was indexed against the user's identity. Every video was timestamped, every scroll measured, every hover recorded. The user's phone knew where they slept and where they worked and what time they arrived at the gym and which aisle of the grocery store they lingered in. The user's car broadcast their driving patterns. The user's home thermostat reported on their comings and goings. The user's television watched them watching it. The data was extracted in volumes the human mind cannot hold. It was assembled into profiles the user had no access to. It was sold to advertisers, insurers, employers, debt collectors, divorce lawyers, political operatives, and foreign governments. The phrase "if you're not paying, you're the product" had been around since before the dotcom bust. By 2017 it had stopped being a critique and started being a description, and the U.S. Congress had just voted to expand the supply chain.

The tracking was not a defect. It was not a feature. The tracking was the entire commercial logic of the consumer internet, and the only branch of the U.S. government with the authority to constrain it had just voted, by a margin of ten Republican votes in the House and two in the Senate, to guarantee that constraint could never be imposed by regulation alone.

On June 17, 2014, the Proceedings of the National Academy of Sciences — one of the most prestigious peer-reviewed journals in the world — published a paper titled "Experimental evidence of massive-scale emotional contagion through social networks." The authors were Adam D. I. Kramer of Facebook, Jamie E. Guillory of Cornell University, and Jeffrey T. Hancock of Cornell University. The paper described a one-week experiment in January 2012 in which the researchers algorithmically manipulated the News Feeds of 689,003 Facebook users — without notifying them, without offering them the option to decline, without telling them after the fact — to determine whether reducing positive or negative content in their feeds would change the emotional content of what they themselves later posted. The researchers proved that it would. The paper was peer-reviewed and approved for publication by Susan T. Fiske of Princeton on March 25, 2014. The architecture had successfully run a controlled emotional-manipulation experiment on a population larger than the city of Boston.

The paper was internationally controversial within hours of publication. Researchers, ethicists, regulators, and ordinary Facebook users asked the obvious question: where was the informed consent? The Belmont Report, the foundational document of U.S. research ethics, requires it. Every university Institutional Review Board in the country requires it. Every peer-reviewed journal claims to require it. Facebook's response, published in the paper itself, was twenty-seven words long and is the entire indictment of the consumer internet's contractual model:

"[The work] was consistent with Facebook's Data Use Policy, to which all users agree prior to creating an account on Facebook, constituting informed consent for this research."

The 689,003 humans had not consented to be experimented on. They had clicked an "I Agree" button on a thirty-thousand-word document they had not read — in some cases, years before the experiment ran — and Facebook claimed that click as informed consent for psychological manipulation that no university IRB in the country would have approved. On July 3, 2014, PNAS itself issued an Editorial Expression of Concern publicly questioning whether the consent claim was valid. The paper remained published. The researchers kept their positions. The architecture continued.

The Facebook study was not an aberration. It was the loudest case of a universal mechanism. By 2014 every consumer-facing platform on the internet had quietly arrived at the same business model: extract maximum value from the user under cover of a Terms of Service agreement that the user had not read, could not have read, and would have rejected if they had. The agreements ran tens of thousands of words. They were updated unilaterally. They reserved the right to be updated unilaterally without notice. They claimed the right to use user content for any purpose, share it with any third party, disclaim all warranties, mandate arbitration in jurisdictions chosen by the company, and forbid class actions. They were contracts of adhesion — offered take-it-or-leave-it by parties with overwhelming bargaining power, presented to users with no functional alternative, and enforced by courts as if they had been freely negotiated. The legal scholar Margaret Jane Radin had documented the entire mechanism the year before in Boilerplate: The Fine Print, Vanishing Rights, and the Rule of Law — a book whose argument Facebook's twenty-seven-word defense made unanswerable. The "I Agree" button was not consent. It was the cost of access to the modern internet, and 689,003 people had just learned what they had agreed to.

On March 18, 2011, the Board of the Internet Corporation for Assigned Names and Numbers voted nine in favor, four against, with three abstentions to approve the .xxx sponsored top-level domain. The decision came after the same Board had rejected the same proposal three previous times — in 2006, in 2007, and again following a 2010 review — under sustained opposition from every population the new domain claimed to serve. Outside the San Francisco meeting hall, the Free Speech Coalition, the trade association of the U.S. adult industry, was protesting the vote. Inside, board member Rita Rodin Johnston prefaced her "yes" vote by saying she had "never felt this so poignantly" — "caught between a rock and a hard place." The vote passed anyway. The affected industry had explicitly refused the new domain. ICANN approved it over their stated opposition, by majority vote of a board the affected industry had no role in selecting.

The reason was visible in the financial projections circulated in the run-up to the vote. ICM Registry, the private company awarded the contract to operate .xxx, was projected to earn $200 million per year from three to five million domain registrations — a number that wildly exceeded any plausible demand from actual adult-content operators, because the model was not based on actual demand. It was based on defensive registration. The model assumed that every Fortune 500 brand, every famous person, every trademark holder, every university, every hospital, every government agency, every well-known organization in the world would feel commercially or reputationally compelled to pay ICM Registry to register or block their name in a namespace they did not want to exist, in order to prevent third-party squatters from doing so first.

ICANN then operationalized this directly. The registry's "Sunrise B" phase, running September through October 2011, was explicitly designed to let trademark owners who were not part of the adult industry pay roughly $500 per mark to ICM Registry to block their own trademarks from a top-level domain they had publicly opposed. The architecture monetized opposition to itself. The decision generated tens of millions of dollars in registration and blocking fees for ICM Registry, the registrar ecosystem, and ICANN itself — collected from the very parties who had spent years asking ICANN not to create the namespace at all. In November 2011, Manwin International (operator of YouPorn) and Digital Playground filed a federal antitrust suit against ICM in the Central District of California, alleging that "no competitive process" had been provided for awarding the .xxx registry contract.

The .xxx Lesson was not about pornography. It was the first dated, public, large-scale demonstration of the structure I had refused in 1998 functioning exactly as predicted. Thirteen years after the U.S. Department of Commerce handed namespace governance to ICANN under a Memorandum of Understanding, the privatized coordinator was imposing outcomes the affected populations had explicitly rejected, framing the imposition as the result of a fair process, and collecting rents from the imposition. A nominally neutral coordinator imposes an outcome the affected parties have refused, frames the imposition as the result of a fair process, and collects rents from the imposition. The pattern would repeat at every layer of the modern internet, in every domain it touched, for the next fifteen years. Every refusal above this entry on the wall is, at root, the same lesson learned again at greater scale.

This entry is dated to its origin and written from 2026. On November 25, 1998, the United States Department of Commerce signed a Memorandum of Understanding with the Internet Corporation for Assigned Names and Numbers — a newly created private nonprofit — formally transferring governance of the global Internet's namespace, root zone, and protocol parameters from public stewardship into private hands. The transfer was framed as multistakeholder. It was not. It was the privatization of a public infrastructure layer at the precise moment that infrastructure was about to become the substrate of every economic, civic, and personal interaction the human species would have with itself for the next century.

I was thirty years old. I had no platform from which to refuse. I had no architecture to offer in place of what was being taken. I had only the recognition that the structure being put in place was capturable, and that the people who wanted to capture it would. I refused it then in the only way available — privately, in conversations no one recorded, in arguments at industry tables where the people making the decision were already paid by the people who would benefit from the decision. The refusal had no force. The capture proceeded.

For the twenty-eight years that followed, I watched the predictable consequences accumulate. I watched the protocol layer of the internet pass quietly into the hands of corporations whose business model required them to extract everything they could from the humans who depended on it. I watched a generation grow up inside attention engines designed by people who, under oath in their own emails, knew what they were doing to the children using their products and chose the revenue. I watched ten and a half trillion dollars a year drain out of the global economy through cybercrime made trivial by an architecture sold to us as progress. I watched twenty-five percent of identity-theft victims tell researchers they had considered ending their lives. I watched the surveillance economy harvest a generation, and then I watched the same industry rebrand the next harvest as intelligence — pattern-matching machines trained on the work humans gave away free, sold back to those humans as the tools that will replace them.

Above this entry, on this same wall, sit twelve dated indictments documenting what followed from November 25, 1998. Each one names a harm. Each one points at the architecture that forecloses it on NeuraWeb. This is the entry that started the position. The position has not changed. The architecture has finally been built.

On August 31, 1955, John McCarthy, Marvin Minsky, Nathaniel Rochester, and Claude Shannon submitted a funding proposal to the Rockefeller Foundation requesting $7,500 for a two-month summer workshop at Dartmouth College. The proposal coined a new term: artificial intelligence. The Foundation funded it. The workshop ran in the summer of 1956. The term entered the academic and funding bloodstream of computer science and never left.

The term was a marketing decision. McCarthy chose it specifically to narrow the field away from the existing discipline of cybernetics, which had previously absorbed work he considered his own, and to attract funding under a new name. In a 1974 interview with Pamela McCorduck for her book Machines Who Think, McCarthy himself admitted: "I won't swear that I hadn't seen it before — a vague memory that someone else had used the word." The man credited with coining the term was not entirely sure he had coined it. He put it in a funding proposal because he needed a name and the funding required one. The name has been doing marketing work ever since.

The machines being described in 1955 were useful. The machines being described in 2026 are useful. None of them were intelligent. They did not understand. They did not judge. They did not bear responsibility for what they produced. They composed plausible outputs by finding patterns in vast quantities of data. The word intelligence had been earned by humans across two hundred thousand years of biology, language, consequence, and care — and was attached to a class of machines that had earned none of those things, in a funding proposal, by a man who could not remember whether he was the first to use the word.

Every consequence on this wall above this entry follows from that decision. Every product built under the name inherits the lie. Every contract signed with reference to artificial intelligence is a contract about a fiction. Every regulation written for AI safety is regulation aimed at the wrong target. The marketing decision of August 31, 1955 made every subsequent harm possible — not because the machines were dangerous in themselves, but because the name dressed them in moral and cognitive standing they did not have, and humans signed contracts, ceded authority, and surrendered livelihoods to a fiction.