Thursday, June 07, 2012

Headbook: Medical Marijuana Comes Out of the Gray

It seems like cannabis is always on the leading (and sometimes bleeding) edge of social evolution, which is why I find it interesting -- as a market anarchist, I often see cannabis trends as indicative of the whole "building the new society in the shell of the old" approach.

Just in the last 15 years or so, cannabis has gone from an entirely "black market" (illegal, period) product to legality in some states (for medical purposes, at least) with what appears to be a robust "gray" market -- legal but often traded through unofficial/unauthorized channels because official/authorized channels are vulnerable to red tape and foot-dragging by the politicians/bureaucrats and to attempts to exercise supervening force by the feds.

And as the plant steadily plods toward fully "legal" status (California will almost certainly get there in this decade, with other states racing it toward that finish line), those involved in the cannabis market are continuing to break new ground that benefits everyone else precisely because they have to operate both openly enough to get the job done but carefully enough to protect both consumers and providers.

Thus Headbook, a new social network for California medical marijuana patients.

It's not like Silk Road, a Tor-protected site for "black market" exchange of pharmaceuticals and such.

It's a publicly accessible site specifically for a product of changing / indeterminate / evolving legal status, which means its operators [see disclaimer about my relationship with them here] have to find ways to keep it "open" while at the same time protecting its users and their information.

The "open" part is demonstrable -- type the URL into any browser, and there you are at the site. No special software needed. No chasing down changing IP addresses. Anyone can surf over to Headbook any time.

The "protection" part is less visible, but it's there.

All connections to Headbook run through the HTTPS protocol rather than unencrypted HTTP, and are encrypted with the AES algorithm at a key length of 256 bits. How secure is that? Well, it's what WikiLeaks used for its "insurance" file a couple of years ago, and I haven't heard of that file being cracked yet.

On-site data is kept encrypted to what a company press release states is 1028 bits (algorithm not specified). It is, in fact, "military grade" -- a term I've seen a couple of people have a laugh over, but a factually correct term as those familiar with the old ITAR export restrictions on strong crypto will remember.

I am not a data security expert. I cannot personally guarantee that Headbook's data or transmissions are invulnerable to the kinds of attacks that can be mounted by, say, large government organizations. But they're obviously at least trying to secure their data and communications (a good thing) and publicly saying that that's what they're doing (an even better thing -- anyone who gives government spies the finger in public gets a +1 in my book).

Beyond all-transmission and whole-data encryption, there's a third layer of security in Headbook, in a section of the site called "The Vault."

The Vault is where medical marijuana patients and providers can get together to facilitate the movement of product into patients' hands and money into providers' wallets. This is obviously a much more sensitive area than the part of the site where users can post "it's always 4:20" or "free the weed" comments.

You don't get into The Vault without being vetted and established as an actual patient or legitimate provider. Headbook has contracted out the first layer of that vetting to a third party enterprise, has an MD on staff to examine any questionable claims, and includes an eBay-like "rating" system for additional crowd-sourced security.

Being neither a patient nor a provider, I haven't been through that vetting process or into The Vault. And to be realistic, let's stipulate that if the feds want to mess with Headbook's users, they can probably fake up convincing "patient" or "provider" credentials that would last long enough to cause trouble before the rating system took them out of play. But the vetting/rating system will probably at least make large-scale sting ops more difficult.

The only security downside that I see here -- apart from the obvious, that being that the whole enterprise is operating in the light of day, but that's the whole point, right? -- is that Headbook's servers are located in the US. My advice would be for them to move those servers offshore, into some jurisdiction that's cannabis-friendly and/or US-government-unfriendly. That would help create some additional walls between the users and frivolous subpoenas and such.

All in all, though, I have to say that Headbook is an encouraging development on both the medical cannabis front and the counter-economic front. It's not "black market." It's barely even "gray market." It's "free market, in the state's face." That's very, very cool.

Disclaimer: I was invited by Steve Kubby to have a look at Headbook and write an article about it if I felt like it. I've known Steve for years. We're close friends. We've worked together on various political projects (and I have been paid for work on some of those projects). We share some business interests as well (I own a very small stake in his cannabis pharmaceuticals development firm), and I should probably assume that Headbook's fortunes may play a part in the fortunes of those other interests. I haven't asked him what his precise role in Headbook is, but presumably some kind of founder/owner status since he seems to be its public spokesperson. I am not being paid or otherwise compensated in any direct way for writing this piece, though, nor did I run it by him before posting it. By all means, take the article above with as much salt as you like. My own position on my bias is that I don't dig Headbook because Steve Kubby's behind it; rather I love Steve Kubby because he's always doing cool stuff like Headbook.
