OSD 137: Centralization and decentralization, the two problems that keep solving each other
It's a cycle. The question is which direction the cycle spins.
The government of California passed a new data privacy bill into law a couple of weeks ago. Like many such laws, this one was both underdiscussed and noteworthy. The unique part about it is the reason it’s noteworthy. Turns out this data privacy law requires certain data not to be private:
[Assembly Bill 173] requires the California Department of Justice to supply information identifying firearm and ammunition purchasers to a newly created research center at the University of California Davis or any other university that requests it. The information includes details such as the buyer’s name, address, date of birth, what they purchased, when and where they bought it, and more.
“This bill would name the center for research into firearm-related violence the California Firearm Violence Research Center at UC Davis,” the bill’s text reads. “The bill would generally require that the information above be made available to the center and researchers affiliated with the center, and, at the department’s discretion, to any other nonprofit bona fide research institution accredited by the United States Department of Education or the Council for Higher Education Accreditation, as specified, for the study of the prevention of violence.”
California already records all gun and ammunition transactions performed by a licensed dealer in a state registry. This law expands that level of record-keeping by requiring the registration of “firearm precursor parts.” It then makes all registry data available to researchers.
The objection-response cycle on that goes something like this:
Objection: The stated reason that California created a gun registry was so that it could solve crimes around the illegal transfer of guns to people who are prohibited from having them. Let’s leave aside that, empirically, the registry hasn’t done that. It’s wrong for the state to release private data which people were forced by law to give to the state.
Response: This is in the same spirit. But it’s even better! This new law doesn’t try to solve any particular crime, it tries to solve all gun crime because it helps researchers study the prevention of violence in general.
Objection: (Channeling David Yamane) This conflates the study of guns with the study of gun violence, which is a questionable choice since ~99.9966% of guns aren’t used in, say, a murder. So it’s a poor way to understand something to focus all the research on the 1 in 29,000, with essentially zero study of the other 28,999. But even leaving that aside, who are these researchers? How are they going to use the data? How are they going to secure it? What if they’re up to no good?
Response: Don’t worry…
… And now the discussion rabbit-holes into the details of the trustworthiness of the researchers, data security measures that some future law could require, and so on.
There’s a fork at this point. The details are important if you grant that the law is a good idea. But if you haven’t granted that, then the details obscure a bigger question. You could discuss this in one of two modes:
1. Is this law a good idea or a bad one?
2. Should the law even be possible?
Mode #1 is the hobbits debating what to use the One Ring to accomplish. The implicit premise is that the ring itself isn’t a problem, the problem is what people might do with the ring.
Mode #2 is someone going, “Chuck this thing into Mount Doom.”
The California law introduces a question of motives, since the state’s government has an … adversarial relationship with gun rights. So this might seem like it just comes down to the intent of the database owner. But that’s functionally irrelevant. To illustrate that, let’s look at the case of the database owner who unequivocally likes guns — say, a web platform which exists entirely to help people buy and sell guns:
The personal information of more than 100,000 UK-based firearm owners appears to have been leaked online.
The data was reportedly published on the blog of an animal rights activist in the form of a reformatted CSV file. When imported into Google Earth, the file showed individual home addresses where guns were believed to be stored, along with owners’ zip codes, phone numbers, IP addresses and email addresses.
Blog readers were encouraged to “contact as many [gun owners] as you can in your area and ask them if they are involved in shooting animals.”
News of the leak follows firearm e-tailer Guntrader’s confirmation in July of a data breach impacting more than 100,000 of its customers.
tl;dr: Guntrader got hacked, and everybody who bought or sold something on the platform between 2016 and July 17, 2021 now has their PII posted online in a CSV.
This is the part of the essay where we say, “This is why large, centralized databases are inherently dangerous. Chuck them into Mount Doom and decentralize everything. Whether it’s an accident, intentional misuse by whoever has the data, or action by a hostile third party, bad things are going to happen.”
And that’s true. Bad things are going to happen. But the hard part is that centralization exists because it solves problems that decentralization introduces.
To use a non-gun example: cryptocurrency used to be fully decentralized. Then people built centralized structures and companies on top of it, because users wanted things like break-glass transaction reversals, insurance, protection from theft and fraud, etc. Then those centralized levers became handy attack vectors for actors who were hostile to the underlying decentralized infra. So then people started working on decentralized replacements for those centralized levers. Rinse and repeat.
You see the same dynamic in internet infra, with content policies that started at the fluffiest parts of the product layer now having cat-and-moused all the way down to the level of cloud hosting.
You see it with encryption, where every few years there’s a debate about whether strong encryption is going to remain legal, and the response is that governments and big companies shoot holes in it. Then decentralized actors run around up-armoring the ecosystem before the next wave of attacks on centralized choke points.
This stuff is a drunken walk, tottering back and forth between centralization and decentralization. If you get upset about those swings, you’re going to have a bad time, because the swings are inevitable. The high-order bit isn’t whether the swings happen, it’s whether they tend in any particular direction over time. The drunk totters between centralization and decentralization, but does each swing leave him a little bit closer to decentralization?
To use another metaphor: you’ll lose your shirt betting on a truly random coin. But a coin that you know comes up heads 50.1% of the time will make you rich. Over time, small trends make a big difference.
Centralization can be really useful. Not in the case of, say, a gun registry, but it’s hard to run a gun-selling platform without inevitably creating some amount of centralized data. (At least until crypto commerce gets a bit further along.) It’s not always near-term possible to disaggregate every platform. But the trick is to make sure that the decentralized infra underneath it is always getting stronger and harder to replace.
This week’s links
Huge credit to u/Greikers for this clean map of a complicated legal patchwork.
For gun-related reasons, Bank of America, Citigroup, and JPMorgan Chase have lost their business in the Texas municipal bond market
Wall Street’s three biggest municipal-bond underwriters have seen business grind to a halt in Texas after the state enacted a law that blocks governments from working with banks that have curtailed ties to the gun industry.
Since the Republican-backed law took effect on Sept. 1, neither Bank of America Corp., Citigroup Inc. or JPMorgan Chase & Co. has managed a single municipal-bond sale in the state, according to data compiled by Bloomberg. It was the first time that’s happened since at least late 2014.
FRT-15, a.k.a. Schrodinger’s machine gun.
OSD office hours
If you’re a new gun owner, thinking about becoming one, or know someone who is, come to OSD office hours. It’s a free 30-minute video call with an OSD team member to ask any and all your questions.