“On the Internet, nobody knows you’re a dog.” Right? Not if you are known at all. Those days are gone. As if to prove the point, one of my favorite web sites is on the wrong side of this issue. An actress unsuccessfully sued imdb.com for lost wages for having included her age on their site. There is a well known axiom in Hollywood that starlets have a half-life, and age is something that is best kept secret. IMDB countered that what matters is not an actress’ age but her ability to play a certain age.
My point is this: she sued and was unable to have information about her removed. Is age something that you believe should be private? I do. I especially do for people born after 1989 where a birthday and a home city can lead to someone guessing your Social Security Number.
But what about other physical attributes one might consider private? “He has a mole that you can only see if he’s naked.” How about illness? “This actor cannot lift his arm due to a stroke.” Once the information is out there, there’s no way to get rid of it. And this in the UK, which is subject to the European Data Privacy Directive. The situation is considerably bleaker for your personal information in the United States.
Related to this is The Right To Be Forgotten. In Europe they are considering new rules that say that you have a right to have information about you removed. This has some American firms in an uproar, arguing that a lack of transparency only increases risk and inefficiency. But what are the limits? What about this actress who doesn’t want her age known? How did her age provide for market efficiency?
This year’s Workshop on the Economics of Information Security (WEIS2010) enlightened us about Identity, privacy, and the insecurity of the financial payment system, just to name a few presentaitons.
Every year I attend a conference called the Workshop on Economics of Information Security (WEIS), and every year I learn quite a bit from the experience. This year was no exception. The conference represents an interdisciplinary approach to Cybersecurity that includes economists, government researchers, industry, and of course computer scientists. Run by friend and luminary Bruce Schneier, Professor Ross Anderson from Cambridge University, and this year with chairs Drs. Tyler Moore and Allan Friedman, the conference includes an eclectic mix of work on topics such as the cyber-insurance (usually including papers from field leader Professor Rainer Böhme, soon of University of Münster), privacy protection, user behavior, and understanding of the underground economy, this year’s conference had a number of interesting pieces of work. Here are a few samples:
- Guns, Privacy, and Crime, by Allesandro Acquisti (CMU) and Catherine Tucker (MIT), provides an insight into how addresses of gun permit applicants posted on a Tennessee website does not really impact their security one way or another, contrary to arguments made by politicians.
- Is the Internet for Porn? An Insight Into the Online Adult Industry – Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda and Christopher Kruegel provides a detailed explanation of the technology used to support the Internet Porn industry, in which it claims provides over $3,000 a second in revenue.
- The password thicket: technical and market failures in human authentication on the web – Joseph Bonneau and Sören Preibusch (Cambridge) talks about just how poorly many websites manage all of those passwords we reuse.
- A panel on the credit card payment system, together with a presentation that demonstrated that even credit cards with chips and pins are not secure. One of the key messages from the presentation was that open standards are critically important to security.
- On the Security Economics of Electricity Metering – Ross Anderson and Shailendra Fuloria (Cambridge) discussed the various actors in the Smart Grid, their motivations, and some recommendations on the regulatory front.
The papers are mostly available at the web site, as are the presentations. This stuff is important. It informs industry as to what behaviors are both rewarding and provide for the social good, as well as where we see gaps or need of improvement in our public policies, especially where technology is well ahead of policy makers’ thinking.
Really it’s not clear to me if this is a generational thing or what, people tell me that email addresses are no longer that important to them, what with MySpace, FaceBook, and the like. Others just use SMS, where their cell phone number is the important for people to reach them. For some, however, their email address is their identity, and their only means of being reached by friends and family. That’s true for me, at least. I’ve had the same sets of email addresses for about 12 years– one for work, one main one for play, and a bunch of others for special use. This is nothing compared to my parents, who have had (roughly) the same phone number for almost forty years.
If your email address is important, here’s a question you should ask: is it important for you to control it from a legal standpoint? Why would you want to do this? Let’s look at a few cases:
- Your Internet Service Provider (ISP) provides you your email address with your Internet service, be that DSL, Cable, or something else. What happens if you decide to change ISPs? Do you lose your email address? And do you care? Can someone else get your old email address, and what are they likely to receive?
- You have a free email account from a service like Yahoo!, MSN, or Google, and the account gets broken into. The first thing the bad guy does is change all of the security questions that are meant to cover password recovery. How, then, are you able to prove to the service provider that the account was yours in the first place? Can you even get your old account shut down, so that the attacker can’t masquerade as you?
- This is the inside-out version of (2): suppose someone claims you are masquerading as the legitimate owner of your account? Who do you go to in order to prove that you are the legitimate owner of the account?
- Your mail service provider goes out of business, and the domain they have been using for you is sold.
- There’s one special case I’ll mention, but let’s not try to solve it: you use your work email for all email, and you change jobs or are laid off. It’s a safe assumption that the primary use of your work email account should be work, and that you are taking a risk by using the account for more than work.
For all but the last case, you have a way of at least mitigating the problem by have your own domain name, like ofcourseimright.com. That is- go to a registrar that you trust and choose a domain name that will be yours as long as you pay the bill for the domain. However, is this just moving the problem? It could be if someone breaks into a registrar account that is not well secured. However, because you own the domain and the registrar does not, you are able to take at least some actions, should either your registrar not recognize you, or should your registrar itself go out of business (this has happened).
The hard part is finding someone to host your domain. This sounds like a royal pain in the butt. And it is! So why not just use your cell phone or a social network site? Cell numbers are at least portable in many countries. Social networking like Facebook is another matter, and can leave you with many of the same problems that email has, and more, as we have seen. Similarly, many financial services that play with your money, like PayPal and eBay, rely on you having a stable email address.
New research published in yesterday’s Proceedings of the National Acadamy of Sciences has dramatic implications for Americans and identity theft. Alessandro Acquisti is an Associate Professor of Information Technology and Public Policy at Heinz College of Carnegie Mellon. He has spent the better part of two years with his colleague Ralph Gross, looking at social security numbers as both identifier and authenticator, something we have all known was a bad combination. Professor Acquisti demonstrates just how bad of an idea it has been in the last twenty years. In that time there have been two significant policy changes that have made numbers extremely predictable based on two pieces of information:
The policy changes involve release of something known as the Death Master File (DMF), which was intended to prevent someone from expropriating a dead person’s identity, and the Enumeration at Birth (EAB) initiative, which has had the effect of allocating SSNs shortly after birth. These combined with the facts that SSNs have structure based on location, and that the less significant components are serialized in allocation, and it makes for a predictable SSN.
This gets worse. While it may be possible to fix this problem for future generations that use SSNs, either by randomizing all or lesser components, or by not filing applications upon birth, the millions of people who have assignments in this time period are in an extremely difficult spot, because the workaround is a change of number. This argues for a new form of identity that separates authentication and identity, but the effort to do so requires that the finance, education, and medical sectors (not to mention government) change their means of identifying individuals. This will be no easy task.
This research is a remarkable piece of work by Professor Acquisti and his colleagues.
Have you ever received a notice that your data privacy has been breached? What the heck does that mean anyway? Most of the time what it means is that some piece of information that you wouldn’t normally disclose to others, like a credit card or your social security number, has been released unintentionally, and perhaps maliciously (e.g., stolen). About five years ago states began passing data breach privacy laws that required authorized possessors of such information to report to victims when a breach occurred. There were basically two goals for such laws:
- Provide individuals warning that they may have suffered identity theft, so that they can take some steps to prevent it, like blocking a credit card or monitoring their credit reports; and
- Provide a more general deterrent by embarrassing companies into behaving better. “Sunlight as a disinfectant,” as Justice Brandeis wrote.
A study conducted by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti at CMU found that as of yet there can be no correlation found between these laws and identity theft rates. This could be for many reasons why the correlation isn’t there. First, actual usage of the stolen information seems to be only a small percentage. Second, it may be that just because a light has been shined doesn’t mean that there is anything the consumer will be capable or willing to do. For instance, suppose you buy something at your-local-favorite-website.com. They use a credit card or billing aggregation service that has its data stolen, and so that service reports to you that your data has been stolen. You might not even understand what that service has to do with you. Even if you do, what are the chances that you would be willing to not use your-local-favorite-website.com again? And if you hear about such a break-in from someone else, would it matter to you? Economists call that last one rational ignorance. In other words, hear no evil, see no evil.
Add to all of this that some people have said that there are huge loopholes in some of the laws. At WEIS and elsewhere several not-so-innovative approaches were discussed about how some firms are getting around the need to disclose.
This paper is not the final word on the subject, but clearly work needs to be done to improve these laws so that they have more impact. As longitudinal studies go, this one isn’t very long. It’s possible we’ll see benefits further down the road.
 The Brandeis quote could be found in the paper I cited (which is why I used it).