This isn’t the first time we’ve met this combination of hidden links and highly connected hubs. These are the same network quirks that made the pre-2008 financial system vulnerable, allowing seemingly local events to have an international impact. In online networks, however, these effects can be even more extreme. And this can lead to some rather unusual outbreaks.
Not long after the millennium bug came the ‘love bug’. In early May 2000, people around the world received e-mails with a subject line that read ‘ILOVEYOU’. The message carried a computer worm, which was disguised as a text file containing a love letter. When opened, the worm corrupted files on that person’s computer and e-mailed itself to everyone in their address book. It spread widely, crashing the e-mail system of several organisations, including the UK parliament. Eventually IT departments rolled out countermeasures, which protected computers against the worm. But then something odd happened. Rather than disappear, the worm persisted. Even a year later, it was still one of the most active bits of malware on the internet.[30]
Computer scientist Steve White had noticed the same thing happening with other computer worms and viruses. In 1998, he’d pointed out that such bugs would often linger online. ‘Now here’s the mystery,’ White wrote.[31] ‘Our evidence on virus incidents indicates that, at any given time, few of the world’s systems are infected.’ Although viruses persisted for a long time in the face of control measures, suggesting they were highly contagious, they generally infected relatively few computers, which implied they weren’t that good at spreading.
What was causing this apparent paradox? A couple of months after the love bug attack, Alessandro Vespignani and fellow physicist Romualdo Pastor-Satorras came across White’s paper. Computer viruses didn’t seem to behave like biological epidemics, so the pair wondered if the structure of the network might have something to do with it. The previous year, a study had shown that there was a lot of variation in popularity on the world wide web: most websites had very few links, while some had a vast number.[32]
We’ve already seen that for STIs, the reproduction number of an infection will be larger when there is a lot of variation in how many sexual partners people have. An infection that would fade away if everyone behaved identically can persist if some people have a lot more partners than others. Vespignani and Pastor-Satorras realised that something even more extreme can happen with computer networks.[33] Because there is huge variability in the number of links, even seemingly weak infections can survive. The reason is that in this kind of network, a computer is never more than a few steps from a highly connected hub, which can spread the infection widely in a superspreading event. It’s an exaggerated form of the problem that banks faced in 2008, with a few major hubs able to drive the entire outbreak.
When outbreaks are driven by superspreading events, it makes the transmission process extremely fragile. Unless an infection hits a major hub, it probably won’t go very far. Yet superspreading can also make an outbreak more unpredictable. Although most outbreaks won’t take off, those that do can stutter along for a surprisingly long time. This explains why a handful of computer viruses and worms have continued to spread, despite not being that transmissible at an individual level. The same is true of many trends on social media. If you’ve ever seen a strange meme spreading and wondered how it could have persisted for so long, it probably has more to do with the network itself rather than the quality of the content.[34] Thanks to their structure, online networks are giving infections an advantage that they don’t have in other areas of life.
On 22 March 2017, web developers around the world noticed that their apps weren’t working properly. From Facebook to Spotify, companies using the JavaScript programming language found themselves unable to work parts of their software. User interfaces were broken, visuals wouldn’t load, updates wouldn’t install.
The problem? Eleven lines of computer code – which many people didn’t even know existed – had gone missing. The code in question had been written by Azer Koçulu, a developer based in Oakland, California. Those eleven lines formed a JavaScript program called ‘left-pad’. The program itself wasn’t particularly complicated; it just added some extra characters at the start of a segment of text. It was the sort of thing most coders could have created from scratch in a few minutes.[35]
Yet most coders don’t create everything from scratch. To save time, they use tools that others have developed and shared. Many of them do this by searching an online resource called ‘npm’, which collects together handy bits of code like left-pad. In some cases, people incorporate these existing tools into new programs, which they subsequently share. Some of these programs then feed into other new programs, creating a chain of dependency with each one supporting the next. Whenever someone installs or updates a program, they will also need to load everything in the dependency chain, otherwise they’ll get an error message. Left-pad lay deep within one of these chains. In the month before it disappeared, the code had been downloaded over two million times.
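As an added illustration (not part of the original text), the dependency chain described above can be modelled as a small graph, showing which installs fail when one package deep in the chain is unpublished. The registry contents are constructed: only left-pad is named on the page, and every other package name is hypothetical.

```javascript
// Constructed registry: package name -> direct dependencies.
// Only 'left-pad' is named on the page; the other packages are hypothetical.
const registry = {
  'left-pad': [],
  'text-align': ['left-pad'],
  'table-print': ['text-align'],
  'cli-report': ['table-print', 'colour-log'],
  'colour-log': [],
  'web-app': ['cli-report'],
  'tiny-server': ['colour-log'],
};

// Walk the whole dependency chain of `root`. The install fails if any
// package anywhere in the chain is absent from the registry.
function resolveInstall(reg, root) {
  const seen = new Set();
  const missing = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue; // also guards against dependency cycles
    seen.add(name);
    if (!Object.prototype.hasOwnProperty.call(reg, name)) {
      missing.add(name);
      continue;
    }
    stack.push(...reg[name]);
  }
  return { ok: missing.size === 0, missing: [...missing].sort(), total: seen.size };
}

// Return a copy of the registry with one package unpublished.
function unpublish(reg, name) {
  const copy = { ...reg };
  delete copy[name];
  return copy;
}

// Every remaining package whose install breaks once `name` is removed,
// whether it depends on `name` directly or several links down the chain.
function blastRadius(reg, name) {
  const after = unpublish(reg, name);
  return Object.keys(after).filter((pkg) => !resolveInstall(after, pkg).ok).sort();
}

console.log(blastRadius(registry, 'left-pad'));
console.log(resolveInstall(unpublish(registry, 'left-pad'), 'web-app'));
```

Running the same `blastRadius` check over a project's real lockfile graph is a quick way to find which single packages the whole build depends on.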
On that day in March, Koçulu had pulled his code from npm after a disagreement over a trademark. Npm had asked him to rename one of his software packages after another company complained; Koçulu protested and eventually responded by removing all of his code. That included left-pad, which meant that any chains of programs that relied on Koçulu’s tool were suddenly broken. And because some of the chains were so