Friday, April 23, 2010
The cyber war is not about countries attacking the infrastructure of other countries.
The cyber war is not about mass panic and destruction.
The cyber war is not a fiction of Richard Clarke.
The cyber war is in your phone
Recently we have discovered that your cell phone company is more than happy to provide the information about your location to anyone who has the technological acumen to request it. The researchers in the above article were “able to track a German journalist talking to a confidential informant in Serbia and follow his travels back to Germany, as well as obtain the informant's phone number.” I suspect that several governments would like to have that ability, and probably do now that the story is a few days old. Want to be a whistleblower for some egregious corporate action? Make sure you leave your cell at home. Anybody staying in a safe house for whatever reason should probably consider disposing of their cell.
KDDI, a Japanese phone company, has developed technology that can tell what you are doing from the motion of your cell phone, allowing your boss to know exactly where you are and what you are doing.
The cyber war is on your home network
Next comes word that the Google street view car also collects WiFi network and MAC address information. So now Google can provide your computer's physical location by performing a simple lookup of the MAC address that is present in all network packets.
Facebook has once again changed privacy settings under the guise of providing users more control.
The cyber war is not about nothing to hide
As noted on PrivacyAuthority.org:
Think you have nothing to hide? Ask yourself if you would answer these questions if posed by some stranger in a parking lot:
1. Where do you sleep?
2. Where do your kids sleep?
3. When are you home?
4. When are your kids home without you?
5. When is nobody home?
6. Where do you work?
7. When are you at work?
8. Where do you bank?
9. When do you go to the bank?
10. Where do you go on Saturday night?
11. Where were you on X date last year?
12. What schools do your kids go to?
13. How do they get home from school?
Do these make you uncomfortable? If so, you may in fact have 'something to hide'.
The cyber war is about you
The cyber war is the war waged on you by those that would use your data for their own gain; by those who would rather not spend money on security; by those that believe you have nothing to fear if you have nothing to hide. You are the collateral damage in the cyber war.
In short, the cyber war is between you and those that wish to know everything about you. There are only two responses:
- Become a neo-luddite and shun most technological advances. But with the advent of RFID chips in numerous credit cards and passports, this response is only practical if you can function in a cash/barter only economy and don't care to travel very far.
- Demand changes to laws and enforcement of existing legal prohibitions.
  - In the States, we should lobby for a change in ownership of data. You should own the data about you and you should be seen as having granted access to your data to companies that currently hold that data.
  - An international definition and recognition of a right to privacy would go a long way toward curbing abuses of the system.
  - Penalties should be imposed on companies that leak data. If it is too expensive to implement the security then perhaps the price of the service is too low. This is the market at work. If you cannot provide a good or service at a price that customers will pay then you don't need assistance from government to drop your cost, you need a new product or business model.
Fitzpatrick, Michael, “Mobile that allows bosses to snoop on staff developed”, http://news.bbc.co.uk/2/hi/8559683.stm
Gruteser, Marco and Dirk Grunwald, “A Methodological Assessment of Location Privacy Risks in Wireless Hotspot Networks”, www.winlab.rutgers.edu/~gruteser/papers/wlanAssessment.pdf
Mills, Elinor, “Legal spying via the cell phone system”, http://news.cnet.com/8301-27080_3-20002986-245.html
Orlowski, Andrew, “Google Street View logs WiFi networks, Mac addresses”, http://www.theregister.co.uk/2010/04/22/google_streetview_logs_wlans/
Singel, Ryan, “Richard Clarke’s Cyberwar: File Under Fiction”, http://www.wired.com/threatlevel/2010/04/cyberwar-richard-clarke/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired27b+%28Blog+-+27B+Stroke+6+%28Threat+Level%29%29
Sutter, John, “What you should know about Facebook's changes”, http://www.cnn.com/2010/TECH/04/21/facebook.changes.users/?hpt=Sbin
Warren, Jonathan, “RFID Chips in New Forms of ID Facilitate Massive Scams, Security Breaches”, http://jonathan-warren.blogspot.com/2009/07/chips-in-official-ids-raise-privacy.html
Monday, February 15, 2010
Last time I wrote about government not being the one to protect your privacy. Now it is time to look at business as the guardian of your privacy.
The critical element, the one piece you should take away from this article, is that businesses are not here to help or protect you, they are here to make money any way they can. Businesses do not have a moral compass, they have a financial one. If they can make money at it, and the ramifications of getting caught are less than the financial benefit of the action, a business will probably take the action. It's a cost-benefit analysis, and that is all it is. Any business that claims they don't do something because it is not the right thing to do, because then they would not be a good corporate citizen, has done the analysis and determined that the financial impact of the action is too great.
But business climates change, with the net result being that the business you trusted can suddenly turn on you. Witness Google, the company with which the mantra “First, do not wrong” is associated. Now, when the money is in linking people together, the new catch phrase is “If you don't want anyone to know, don't do it.” So if you've trusted Google with your address book, your bookmarks, your documents and your email, you have to start asking, what can they mine from that? What can they deduce that you haven't told your mother yet?
Consider the companies that you do not directly interact with, like Omniture, DoubleClick, and AdBrite, which track your movement across the internet. How much information do they have about you: what sites you visit, who you buy from, what advertisements you click on? How much misinformation do they have about you? What can they deduce from your online actions that is just plain wrong?
What restrictions are placed on any of the data that these giant companies collect? The only restrictions are the restrictions placed by government, and then the only restrictions that are effective are the restrictions where the price for getting caught is higher than the benefit derived from the action. Remember it is a cost-benefit analysis.
So as the lowly consumer, as a natural person, what can you do to protect yourself from the behemoths of industry? There are two courses. The first is to work with your government to limit what may be done with collected personal data. This puts me in the strange position of relying on the entities that I reproached in my last article. However, the reality is that only the legal system has the ability to direct the actions of legal persons with no moral compass, and the legal system is created and constrained by the government.
The second, and most effective, means to protect your data is to educate yourself. Learn how to enable all the privacy settings on all the systems that you use, keeping in mind that many of those systems benefit financially when you share more information, so they have an incentive to make it difficult to keep your data private.
I suppose there is a third option: Don't do anything you would not want your mother to know about.
Tuesday, February 9, 2010
I find it amazing that a country with over 200 years of “liberty and justice for all”, can't seem to figure out that liberty and privacy and security are all tightly bound into a single knot. The RAND corporation figured it out and the European Convention on Human Rights spelled it out in 1953. But here in the states we seem to be muddling along under the impression that if everyone knows everything about everyone then no one will be at risk.
The number and breadth of the changes to US policy, laws and rules around personal privacy are staggering. While there is no explicit mention of privacy in the US Constitution or its Amendments, the Supreme Court has held on several occasions that privacy is one of the values served and protected by various amendments. Our government seems to be destroying those protections, asserting that if we give up a little more privacy at the airport, if we suffer the indignity of undressing for the inspectors, if we just allow the government access to our banking data, if we just require that all driver's licenses function as identity cards, if we only allow... If we, the people, do not assert that the Constitution does apply to privacy and that we have the right to be private individuals then the cherished Constitution and its Amendments will not be worth the parchment they are written on.
And so we find ourselves in interesting times. It may take our European brethren, survivors of more terrorist attacks than the US, to point out the folly of our ways. Perhaps by not allowing the US government access to the SWIFT banking records they will send us the message that a reduction in privacy does not translate to an increase in security. To paraphrase Ben Franklin: If we restrict privacy to attain security we will lose them both.
Perhaps it is time for the US to start considering who owns the private data of its citizens. Here we find a fundamental difference from our European counterparts. There a person owns their private data; they specify who can have it and for what purpose. In the States whoever holds the data owns it and can do with it as they wish – subject to certain legal restrictions aimed at curbing identity theft and preserving specific legally recognized confidential situations (e.g. lawyer/client, and physician/patient). How different it would be if each of us were in control of our data. Perhaps it would be safer too.