(edit: I have been known to be crazy in the past, this may have been one of those times)
This is the 2nd part in a multipart series on Privacy. Part 1 is here.
In Part 2 of my series on Privacy, I’ll talk about an issue that’s just a tad bit scary to me. Without introducing it just yet, let’s take a look at some of the current issues with identity theft and what Mike’s solution in the last article solves and what it doesn’t.
Social Security numbers presently have an asymmetrical value: they’re nothing but tokens to be given out to any business that asks us for them, but to criminals they represent a significant source of income. They only seem to take on a high value to us once they’re stolen. That’s caused a problem with managing them: since so many people have them, one database is likely to be exposed and accidentally release the data to people we don’t want to have it. People might blame inferior technology, lacking security policies, or carelessness, and some people just outright blame Microsoft for creating Access :-), but I don’t think it’s any of those things. Letting people have the data in the first place is the reason why it’s so bad.
A prominent information security blog recently looked at the data from the top 20 privacy breaches of 2006 and their causes, attributing none of the failures to inferior Microsoft technology. That study is at Emergent Chaos and I highly recommend at least browsing through it before continuing.
Now that it’s clear that the current paradigm of letting so many people store so much personal information about you is a bad thing, let’s take a look at just how bad it really is. At the WEIS conference this year, 3 economists quantified the net negative effects identity theft has on the US economy. The results were astounding and go a long way towards establishing privacy as a social good worth protecting. This study will hopefully encourage people to start experimenting with and implementing strategies to contain identity theft like Mike’s solution in the previous article.
But what then? Social Security numbers will be much harder to get your hands on en masse, and corporate break-ins won’t result in huge privacy breaches. The answer is that people will move on to utilizing other data to make a profit. What else is out there that isn’t your Social Security number, that’s private and that might be worth $’s if organized and presented to the right people? Let me give you a hint; this was the front cover of this week’s NY Magazine:
For those without superhuman eyesight, that says “I am not interested in privacy. Online, I reveal everything - my breakups, my breakfast cereal, my body. My parents call it shameless, I call it freedom.” all covering a naked woman taking a picture of herself in bed. They’re no less pessimistic about it inside the magazine either, titling the actual article “Say Everything. Kids, the Internet, and the End of Privacy.” (emphasis mine)
They’re obviously talking about a different kind of Privacy than we just were, but it makes sense to discuss. A young generation of Internet users share similar feelings about posting personal data online. Some of the commonly held beliefs sound like this:
- Who cares that I create an account at every website I go to and let them track all my interactions with them?
- It’s a benefit readers of my current blog can easily follow links back to the one I had at age 13.
- Everyone should know who all my friends are, what my relationships with them are like, and that my favorite place to hang out is at the Barnes and Noble Starbucks.
- Given my name, anyone should be able to find a current picture of my face online.
- They post their lives online so that they can get their story out before anyone else does.
If you’d like the full story, I highly recommend you read the NY Mag piece. I think it does a great job of piecing together the mental state of people engaged in this type of activity online.
You might be thinking that this isn’t so bad, posting who your friends are online, what you ate today online, that sort of thing. No one is taking that information and using it to take out mortgages on my home, like what might happen if someone stole my Social Security number. But somewhere deep inside, if you’ve got your black hat on, you realize this data can be abused and profited from. We can’t abuse it now (yet). There’s too much of this raw, natural language out there to draw useful conclusions from. But is it really that unorganized?
By some definitions, Web 2.0 is the “harnessing of network effects through an architecture of participation” although I would use harsher words. Web 2.0 websites track and database all your interactions with them and then mine the data to be publicly displayed. Sites like Digg and Flickr are huge data stores of transactional information that have already had conclusions drawn out from them (the content, subject, and popularity of photographs, the websites you like and dislike, etc). Even better, Web 2.0 websites generally bend over backwards to let developers utilize their data through public APIs. We’re already witnessing the potential data mining abilities of this architecture through “mashups” (a website that uses data from two sources and puts them together to draw better conclusions).
Back to my original point, it’s not possible to awesomely abuse the data available publicly on the web right now, but it’s slowly inching there. “Mashups” aren’t by nature evil, but I doubt they’ll all be angelic forever. Once the crowd that has profited for so long through identity theft and spam sees a decline in that source of income, I see the abuse of publicly available data like those on Web 2.0 sites as being a logical progression. Further down the line, those uncensored blog posts will come back and bite you from behind.
I’m supposed to be a security engineer and at least point you in the right direction to make sure this doesn’t happen, right? We haven’t even defined what the problem might be with all that information on your blog, so let’s forget about that for a moment. A much simpler problem to tackle is those thousands of accounts you have at all those Web 2.0 websites. What is the next evolutionary step in managing the information you store at those websites?
Have you heard of Microsoft Passport, the Liberty Alliance, or SixApart TypeKey? I have, and before this week I didn’t realize they’re already antiquated and superseded, some by multiple version numbers. A new class of systems is arising to help you get a handle on your personal information and it’s being called Identity 2.0, the leader of which, OpenID, made the news recently for its vote of support from Microsoft. Identity 2.0 is a very exciting thing and also very hard to understand. I’m not going to go into what it’s all about right here, but I will offer you two keynote speeches by Dick Hardt to get you started:
Dick Hardt, Founder and CEO of Sxip Identity, and his keynote presentations from OSCON 2005 and ETech 2006
We’re still left with a few questions. What’s going to come after OpenID? What about all that information on your blog? We live in a society today where, if you know certain things about me, you are me. I’d have lost my entire identity, both online and mostly offline, if there were a machine that could answer informational questions (Who are your parents? What’s your favorite color? What streets do you use to commute to work?) about me exactly like I did. If people continue to post everything about themselves publicly and data mining technologies advance, this is the direction we’re heading in. Society will have to redefine the way we identify people and structure systems in such a way that the secrecy of information doesn’t map to your identity.
Moral of the story: secrecy still matters. Don’t put things online, on your blog or any other website, that you would mind being printed in the NY Times and archived forever.
Did I miss something? Do you think my conclusions are correct? I know I left out certain things like the potential for phishing OpenIDs or how the ability to mine data from websites changes after the proliferation of OpenID, but those are really two discussions by themselves and maybe ones I’ll do in the future.
Thanks for reading, I hope you enjoyed this one. In Part 3, I’m hoping to do a survey of the next legal baby steps in solving identity theft as identified by Daniel J. Solove and some recently proposed privacy bills in Congress.
EDIT: After writing this I’m starting to think that the issues I covered above have a more analogous relationship to spam. But… identity theft was on my mind. Even so, I think the connections I made are still valid.
EDIT 2: If you haven’t heard of Web 2.0 before, or have and don’t quite get it, here are two short videos from YouTube that might help you understand it:

I’ll be honest, I didn’t read the whole thing. It’s an interesting point you make about ssn’s not being valuable to us until they are stolen… but the thing that I think people should understand is that if SOMEONE has your info (ie: ssn, email, phone #, photos) then ANYONE with the right knowledge & motivation could get that info as well. Especially if it is on a computer somewhere, or anywhere. I think I agree with that magazine cover. I don’t care what people can dig up on me and if I did, then I would keep it to myself. People should just come to understand EVERYTHING about them is available to a person with malicious intent if it has been made available to anyone else. Nice writing.
This topic has been a huge one in the world of K-12 education. As you point out, students are posting everything online. Many sites seem to encourage competing with each other for online attention (friends, comments, etc) which only makes matters worse. I am very grateful that web 2.0 style sites were not around when I was younger. The 13 year olds of today will face some ugly reality checks when they start applying for that first job or even some high schools and colleges.
I have a friend who works in human resources at a large IT firm. The first thing they do is google applicants and scour their MySpace page for any signs that they may not be an ideal hire. If this is not the hiring norm yet, it’s only a matter of time.
Now what you seem to be suggesting is that it will eventually be profitable for people to gather this kind of information on certain individuals. Obvious candidates would be politicians and celebrities but I think you are right, this data could be used in some scary ways against the average internet user.
Let me take a moment to review my web 2.0 accounts….