Author: privacymaverick

Something I’ve argued for in the past is the need to not treat passwords as an all or nothing access. It’s not binary. It’s shouldn’t be grant or not grant; on or off. Passwords are just one piece of the authentication puzzle. Someone entering a password should be viewed with more confidence that they are who they say they are but not with complete confidence. When analyzing access to information, a more nuanced analysis should be done to assess the sensitivity of the information and the need for confidence in authentication. If you need X confidence, require X level of authentication. If you require Y confidence, then you need Y level of authentication.

Many websites require you to log in (again) if you’re accessing sensitive information or making a significant account change (such as changing an email address on the account). This is because the fact that someone is logged in only leads to small level of confidence that they are who they say they are. After all someone could log into a public terminal and walk away allowing someone else to sit down and the computer. Or a hacker could be using a tool such as FireSheep to impersonate someone’s web session on an public network.

Joseph Bonneau has a related post on Light Blue Touchpaper discussing that authentication is becoming a machine learning problem.

Multi-factor authentication is really a method for adding confidence in your authentication, but it still should never be viewed as 100% or 0%.  If you’ve ever forgotten your password, you know that your failure to remember it is not proof that you aren’t who you say you are. Similarly, knowing your password is not proof that you are. It just tends to suggest one way or the other. Financial websites are the most common ones adopting other signals of authentication, such as your user agent or a previously placed cookie on your machine. Facebook also looks to see that you’re in the same country you’re usually in, or that you’re using a browser you’ve used in the past. If not, they place additional hurdles before you can access your account. If you’ve ever phone your credit card company from a phone they don’t have on record, you will have noticed they require additional verification.

As you develop your applications, you should identify critical information or controls that may require additional confidence. Then look for methods of increasing that confidence: requiring additional information from the user, verifying keyboard cadence, identifying IP address, user agents, biometric requirements, FOBs or dongles, etc.

 

 

 

 

“The Internet age means that a whole generation is accustomed to the idea that their digital lives are essentially in the public domain ” say Tyler Dawson in the Ottawa Citizen. While I’m not sure I agree with Mr. Dawson’s stereotyping a generation, I get his drift in terms of what I term desensitization. That is the idea that increase scrutiny into one’s private life leads to increased expectation of that scrutiny and thus reduced moral outrage.

In risk analysis we often look towards objective consequential harms or damages that may occur as the result of some action or inaction. The prototypical example is the risk of financial theft as a result of having one’s credit card or identity stolen. And while tangible harm is certainly important it is not the only type of damage that may result. Courts are loathe to recognize intangible harms, such as emotional distress, except in rare circumstances. But very few people would deny the very intangible harms to one’s psyche if nude photos were to be circulated of oneself (unless of course one is in the business of circulating such pictures). Many privacy harms are ethereal. Very few of us would be comfortable with the notion of constant surveillance by someone without our consent, even if nothing could ever affect us in a tangible way. I remember being provided a thought experiment at one point. If a space alien could use a telescope and follow your every movement, see everything you do, inspect every thought in your head, does a privacy harm exists? If you knew about this observation does that change your answer? Many people would feel judged in their behavior and thoughts and may alter their routine to prevent adverse judgment about them. I, as would others, would argue that is sufficient to rise to the level of a privacy harm. You are having to change your thoughts and behaviors as a result of the invasion into your personal space.

I return then to the idea of desensitization. The constant surveillance and invasion of privacy changes our social mores. It alters our thoughts and feelings towards the very notion of privacy and does so without our consent. To that extent, I would suggest that invasion without consent itself is a privacy harm. There need not be anything else.

 

For the last two years I’ve been lamenting the lack of standardization around the term “privacy enhancing technologies.” In fact, as I see it, the term has been bastardized to mean whatever the speaker wants it to mean.  Shortened with the moniker PETs, the term is used in both the privacy professional’s community and in the academic realm of cryptographic research. Newer incarnations, “privacy enabling technologies” and “privacy enhancing techniques,” do not even make the cut on Google’s Ngram service, which rates occurrences of terms in books (See chart below).

In 2008, the British Information Commissioner Office recognized the definitional problem in a paper on Privacy by Design and PETs:

There is no widely accepted definition for the term Privacy Enhancing Technologies (PETs) although most encapsulate similar principles; a PET is something that:

1. reduces or eliminates the risk of contravening privacy principles and legislation.
2. minimises the amount of data held about individuals.
3. empowers individuals to retain control of information about themselves at all times.

To illustrate this, the UK Information Commissioner’s Office defines PETs as:
“… any technology that exists to protect or enhance an individual’s privacy, including facilitating individuals’ access to their rights under the Data Protection Act 1998”.

The definition given by the European Commission is similar but also includes the concept of using PETs at the design stage of new systems:
Defining Privacy Enhancing Technologies
“The use of PETs can help to design information and communication systems and services in a way that minimises the collection and use of personal data and facilitates compliance with data protection rules. The use of PETs should result in making breaches of certain data protection rules more difficult and / or helping to detect them.”

The problem with such definitions is that they are broadly written and thus broadly interpreted and can be used to claim adherence to protecting privacy when in fact, one is not. This also leads to the perverse isolation of privacy protection as synonymous with data protection, which it is not. Privacy is as much about risk of aggregation, intrusion, freedom of association and other forms of invasions in the personal space that we designate and distinguish from the social space where we exist in a larger society.

I see the Privacy by Design (PbD) camp dancing around this. Ann Cavoukian, the Ontario Information and Privacy Commissioner and chief PbD champion, has promoted PETs for years and this evangelism is evident in the PbD foundational principle of full functionality. However, even she has allowed this termed to be applied loosely to make it more palatable to her audience. PbD and PETs thus become buzzwords to attach to an effort in a marketing ploy to give the appearance of doing the right thing, but often results in minimal enhancing of privacy.

I thus suggest the follow definition, and one to which I use in my own vernacular, a privacy enhancing technology is “a technology whose sole purpose is to enhance privacy.” Firewalls, something I see too often referred to as a PETs by laypersons, can enhance privacy but it’s purpose is not necessarily to do so. It is a security technology, protecting confidentiality and also securing the integrity and availability of the systems it protects. Data loss prevention, similarly, can be actually very privacy invasive but could enhance the privacy of data on some occasions. However, the primary purpose is to protect against loss of corporate intellectual property (be it personal information of customers or not), not enhance privacy.

Technologies which would qualify can be found in mixmaster networks (whose sole purpose is to obscure the sender and receiver identity of email) or zero knowledge proofs and related secure multi-party computations (which allow for parties to calculate public functions on private data without revealing anything other than the conclusions of the public function).

Some technologies may be privacy enhancing in application but the technology wasn’t created for the purpose of enhancing privacy. My purpose here is not to split hairs on the definition, per se. My purpose is to expose the dilution of the term to where it becomes doublespeak.

 

While reading this article earlier today, I came upon the term ‘problem closure’ which has been defined by sociologist to mean “the situation when a specific definition of a problem is used to frame subsequent study of the problem’s causes and consequences in ways that preclude alternative conceptualizations of the problem.” This is something that I see time and time again in discussions on privacy.

Perhaps the most prominent example is the refrain “I have nothing to hide” in response to concerns about surveillance. The answer defines the problem, suggesting that the only issue with surveillance is for those engaged in nefarious acts who need to conceal those acts. It precludes other issues of surveillance. This has been addressed at length by Law Professor Daniel Solove and his discussion of the topic can be found here.

More to practical applications of privacy, I find that many organizations suffer from problem closure in their business models and system implementations. This makes it difficult to add in privacy controls when the starting point is a system that is antithetical to privacy or precludes it. One of the many reasons for this is that companies view their raison d’être as their particular solution not solving the problem they originally set out to solve.  This can best be illustrated by example. Ask many up and coming firms in the online advertising space and they are in the business of ‘targeted behavioral marketing.’ Really, they are in the business of effective online advertising but they’ve defined their company by the one solution they currently offer. This attitude not only is bad for privacy it is bad for the business. The ability to adapt and change to changing customer needs and market conditions is the hallmark of a strong enterprise. Those that are stuck in an unadaptable business model have already sealed their eventual fate. This is especially true in industries driven by technology.

Are you in the business of providing gas powered automobiles or are you in the business of providing transportation solutions?

Are you in the business of printing newpapers or providing news?

Are you in the telephone business or the communications business?

Waste management is a good example of a company which adapted to changing social mores about waste. Originally a trash hauling and dumping company, they have readily adapted their business model to recycling.

When trying to escape the “problem closure” problem, organizations need to look not at the solution they are currently implementing to define them but the problem they are solving for their customers. Once they do that, they can open up their eyes to potential solutions that solve the problem for their customers AND have privacy as a core feature.

This problem is most prevalent, IMHO, in smaller companies who have bet their socks on a particular solution they’ve invented. They don’t have the luxury of having an existing customer base and the ability to explore alternative solutions.

It is a problem I deal with often in trying to convince companies that privacy must be built in. You can’t build the solution and then come back and worry about privacy. It has to be part of the solution building process.

 

 

Policy is a control by which an organization attempts to mitigate risk by ensuring that organization acts in a way that reduces the likelihood or impact of an event. However, thinks can and do go awry because policies are developed with certain facts in mind that may not be prevalent during the actual application of that policy. Let my give a few examples, one that has no privacy implications and the other than does not.

I went diving at Ginnie Springs in Florida yesterday as  I have been since 1987, when my dive instructor took us there for our open water checkout dives. I dive on an NACD Intro to Cave certification which was issued in 1990. I’ve been diving on that card (at Ginnie Springs) since then, in other words 23 years. At the time, the NACD only had 3 levels of certification (Cavern diver, Intro to Cave and Full Cave). Now the NACD has 4 levels (Cavern, Intro to Cave, Apprentice to Cave, and Full Cave).  Interestingly enough, my Intro to Cave card has in fine print, which I never noticed, a one year expiration. Neither has anybody else until yesterday when the cashier checking me in said my card had expired. This is no longer the case with current Intro to Cave certifications, though Apprentice to Cave does has a one year expiration. I do have a newer Intro to Cave card that does not have an expiration but I did not have that on me. Regardless, I registered under my older Cavern certification.

After diving I went to have my air tanks filled. I’m diving two 50 cu ft tanks with a cross over bar in a double tank configuration. This is an uncommon configuration and unfortunately has given me nothing but grief. I asked the air fill attendant whether he was charging me for a single or a double air fill, after a bit of negotiation he agreed to charge only a single. I only get a single dive off of the set. It is equivalent to having a single 100 cu ft tank, which though large, is doable. However, while it was filling he proceed to debate me and say that I should be diving it and they shouldn’t be allowing it. You see Ginnie has a policy that those without full cave are not allowed to use double cylinders. In fact the training organizations do have a limitation for Intro to Cave divers that they must turn the dive after 1/6th of their air supply has been used if diving double tanks as opposed to 1/3 normally. This is to prevent Intro to Cave divers from exceeding their training by going to deep or too far into the cave environment. Ginnie, because divers can’t be trusted to not exceed this limitation, restrict double tanks to only full cave divers. Fine, this is understandable. However, the air fill attendant said that I couldn’t dive my doubles because ….well they were doubles….never mind that they were HALF the size of normal tanks, the policy said you couldn’t dive two tanks and I had two tanks therefore I shouldn’t be diving with them. Now, luckily I’ve never had a problem actually diving at Ginnie with these tanks and was done for the day but this is where I’d like to point out that blind application of policy is stupid when it can’t be amended for a given factual situation. The justification for the policy is sound, don’t want divers going beyond their training limitation, but the application of this policy in this case doesn’t serve that purpose.

I’d like to give another example. While in law school, I did not supply my SSN to the school for privacy reasons. However, after two years I decided to receive financial aid and had to supply my SSN number to the school. They required that I supply my originally SSN card or a tax return showing my SSN. Why? Well I was changing my number and they needed verification. That policy makes sense when someone initially supplies one number and then supplies a new number. If you tell them one thing before they change it, they need some validation that the new number you’re supplying is the legitimate number. This wasn’t applicable in my case because I never supplied them a number in the first place. They have 10k + students enrolling every year where they accept SSNs without validation but would accept mine because I was “changing” it, only I wasn’t.  Even escalating this to a vice president, she couldn’t differentiate between the policy, the justification for the policy, and the application in this scenario.

Blind application of policy is one thing, but just as bad is wholesale lying about following the policy. In the wake of NSA revelations, it’s become quite apparent that the intelligence establishment is hell bent on keeping Congress and the public in the dark about what they are doing. Laws (policies) are ineffective if you have no ability to ensure compliance.  The cost of failing to comply has to exceed the benefit of non-compliance. If you tell an employee the policy is not to steal people’s identity but the cost to that employee is losing an $8/hr job where the benefit is steal hundreds of thousands of dollars, you essentially have policy by begging, begging people to do the right thing. You have to make it easy to comply with policy and hard to not comply.

 

I’m giving a speech to the Temple Terrace Rotary Club this coming week and I’m sure they are expecting something fairly dry about the need to protect your privacy online and secure your passwords and such, however, I’m going to give them a little different perspective. I don’t usually write out my speeches, preferring to speak from an outline just so I make sure I touch on my major points, so what follows is an essay based on my outline.

A few years ago, when my girlfriend and I were living here in Temple Terrace we used to frequent a Pita shop over near MOSI (the museum of science and industry). Sometimes we went together and sometime we would go alone to pick up lunch or dinner. Often times, especially when she went alone, the clerk would flirt with her. No big deal, she was an attractive young woman. Well one day she receives a Facebook friend request from him. That disconcerted her…and me. How did he get her name?  We finally figured out that he must have gleaned it off her credit card and searched for her on Facebook. So….what was bothersome about this? Why did she feel violated by his contact? Why was this a bit “creepy?” The clerk had exceeded the social norms associated with customer/merchant relations. He contacted her outside of the normal bounds associated with that relationship. This isn’t to say it can’t happen. I’m sure plenty of relationships have begun because people meet in the places they work. But usually, they ask permission….the waitress leaves her phone number on the check….the customer who gives the cute store clerk his business card. But those actions all give the other person the choice, the option of denying the expansion of the relationship.

Privacy is much more than just keeping secrets. My girlfriend gave him her name. She wasn’t trying to conceal it. It was his use outside of the merchant/customer relationship that was the privacy violation. Privacy does not require things be private. Privacy requires respect for context, respect for decision making.

Consider other relationships:

You tell your friends different things than you tell your boss.
You tell your spouse different things than you tell your children.
You tell your doctor different things than your waitress.
You tell your bartender everything!

If someone start inquiring about things that aren’t normally appropriate for that relationship, we get queasy. We feel unnerved. If your doctor asks about your finances or your children start asking about your sex life. Those things aren’t part of the relationship. Some friends we may share our health issues, some we don’t but if we don’t announce our health concerns on Facebook, we probably don’t want our friends to do so either. Even though we didn’t explicitly state so, when they exceed that unwritten norm that we have in our society the relationship is damaged.

A few years ago, a high school received a mailer from Target advertising maternity clothes, baby carriages and other things a would be mom might like to have. Her angry father stormed to the local Target to complain to the manager, who was profusely apologetic. A few days later, it was the father who was apologizing.  It turns out the young woman was pregnant and Target knew before her father. They had used some predictive analysis based on her purchasing patterns to identify her probable pregnancy and predict her due date. Target knew not because she had disclosed it but because her purchases implied it.

Some people respond to that story, not in concern of Target’s behavior, but with the retort that children don’t have privacy from their parents. I respond that nothing can be further from the truth. As children grow up, privacy is essential to their growth as individuals. The ability to distinguish their thoughts and actions from those of their parents is what develops their person-hood. Children develop into adults as they become individuals, with their own thoughts, their ability to control their interactions with the world. They develop a sense of self, a sense of freedom from their parents all knowing action.  And kids do take steps to actively claim that privacy from their parents. In the past 5 years as the wave of parents joined Facebook, kids began seeking alternative avenues of expression, where they could be free and would not have to self censor. They have moved to Tumblr and Twitter and other services not yet used by their parents or others adults in their lives. There was a fascinating article by a Dad who, for a decade, monitored the online activities of his 3 daughters. He used key-loggers, screen capture software, and other technology to totally monitor them. He learn some incredible things, not bad, but introspective and I quote  “The idea that even my virtual presence on Tumblr or Twitter might prevent them from being able to express themselves or interact with their friends (some of whom they have never met) in an authentic way made me feel like I was robbing them of one of the most powerful features of the social web.”

You often hear the retort that if you aren’t doing anything wrong you have nothing to hide. The problem with the nothing to hide retort is that in presumes that the only privacy violation is a lack of secrecy. Surveillance is not about the harms of exposure, it is much broader. The problem is not Orweillian it is Kafkaesque. In Franz Kafka’s The Trial, the protagonist is arrested by a secret court, with a secret dossier doing a secret investigation. He is not allowed to see it or know how it was compiled or what it contains.

The FTC is grappling with how to deal with mortgage companies that don’t necessarily advertise their services. These companies use complex predictive algorithms to predict who won’t default on loans but unlike traditional mortgage companies they aren’t beholden to the Fair Credit Reporting Act because they don’t “reject you” they just never market to you. What if you never have the opportunity to buy a mortgage because of where you live, what products you buy, who you associate with?

Orbitz was found to pitch higher priced hotels to Mac users over PC users.

People on the no-fly list are not told why they were put there and appeals are limited to those who are mistakenly identified because they share a name with a suspected individual.

Who is in control of your life?

Let’s talk about control for a bit. Companies are increasing putting out devices that they control, not you. This is either done at the behest of government or industry. It started with copyright, with VHS devices and now DVDs having technical mechanisms to stop people from copying them. Sony, a few years ago, installed a virus on millions of their CDs which  when placed in a computer, prevented the computer from copying the CD but also exposed the computers to risk of other viruses. Copy machines are restricted from copying US currency. Years ago I was forced by my phone provider to upgrade my phone because mine didn’t have GPS. The FBI was behind the initiative called Enhanced 911 as a public safety measure so that when you called 911 they could identify your location. Yes, the FBI, the public safety organization. There is talk about preventing 3D printers from printing gun parts, but what about Mickey Mouse dolls or interchangeable anatomically correct Barbie parts. Apple doesn’t allow applications that show pornography in their App store….or ones that identify drones strikes in Pakistan. Google’s Android market won’t allow Ad blocker software which prevents other apps from blocking advertising and increasing your bandwidth bill.

In 2012, San Francisco’s BART shut down cell phone service in the subways system to block a planned protest.

I want to switch gears a bit and talk about risk. Risk is important when making decisions about privacy. Generally there are trade offs. We share information because there is a benefit. We tell our doctors about our heath issues to get the benefit of his professional advice. On a social scale, we allow search warrants to fight against criminal activity. There is always a balancing of privacy versus other interests, be they personal or societal. However, we are terrible at assessing risk. Risk is the probability of occurrence and the severity of the damage.

We have cognitive (mental) biases that make us prefer to get things now and discount the costs in the future. We behave irrationally. A few years ago, a study was done where people were given $10 gift cards in a mall and given the option of getting $12 card in exchange for some personal information about them, about 50% kept the $10 card. Other participants were given $12 gift cards and given option of switching to $10 cards if it was anonymous, only 10% switched. Essentially the same economic results but depending upon where they started, privacy was worth more to those who already had it versus those who could pay to acquire it.

On a societal level, privacy suffers from not being visceral enough; not vivid enough; not violent enough. Fear is a powerful motivator and we tend to fear things that are extremely low probability; terrorist attacks, child abductions; random shooters. But these things are so incredibly rare, that’s why they are so amplified out of proportion. You have a higher chance of drowning than dying in a terrorist incident. Children have a higher chance of drowning than being abducted by a stranger. Yet we spend incredible resources trying to defend against such low probability events.  What else do we lose in the process? What kind of society do you want?

Prior to a few hundred years ago, the notion of privacy was very limited but so too was the notion of freedom. We lived in societies ruled by oligarchies, feudal lords, dictatorships. It is no coincidence that as we gained our privacy so too we gained freedom. As we grew into a society of individuals with power over our lives and our bodies, we no longer served the state as serfs. Privacy is not about secrecy. Privacy is freedom.

 

I remember during law school, I was helping out at the Florida First Amendment Foundation and discussing privacy and public record issues with the Director. She was fairly adamant that death obviated any expectation of privacy. The person was dead, how could a person without consciousness have an expectation. Her position was informed in part by the debate over the autopsy photos of Dale Earnhardt, Jr.

Fast forward to 2013 in which I’ve had a few friends, unfortunately, pass away recently. One friend’s death was particularly gruesome and was publicized in the local press. The other friends were more mundane and to this day I don’t know what they died of. One of those was elderly and I suspect due to health issues, though I’m unsure. The other friend was my age. In Florida, a death certificate is public record an easily obtained by paying the appropriate fee. However, only certain related person or those with an interest in the estate of the deceased may receive a death certificate which list the cause of death. I believe that this is fairly common practice through the US.  I have witness that it is generally verboten to ask or tell if known, what one’s cause of death is unless it is widely known (obvious illness, accident, murder, etc). It appears that we have adopted a cultural norm against generalized disclosure of cause of death and that norm has been codified in law as they related to death certificates. This isn’t airtight (as certain causes mentioned above become widely known) and it doesn’t appear to be based on any preference of the deceased, though one could imagine the deceased leaving instructions to publicize their cause of death.

 

I’m not sure how or when this cultural norm developed but I do find in interesting and would like to learn of others perspectives in differing cultures.

I’ve been thinking a lot about Mesh Networking and the possibility to foil NSA style tapping by bypassing centralized networks for localized networks. For those who don’t know mesh networks are ad-hoc peer to peer networks, primarily wireless. The decentralized nature of the communications provides some level of privacy. Additional privacy comes with making the system anonymous. However, it seems that anonymity comes with a price to bandwidth. Here are some of my findings:

The standard model is circuit switched. In other words, each node maintains a topological map of the entire network, so that it knows who is connected to whom. This allows it to create a circuit through the network to the destination. That means that each transmission takes t bandwidth where t represents the size of the data. If s represents the shortest number of hops from source to destination then the total network bandwidth used B= s*t. In this model, no storage is required because each node forwards the data without need to retain it. There is some data storage requirements for the network map. This map grows with n^2.

Circuit: (Bandwidth = s*t, Storage: n*(m*n)^2)     m= the amount of data necessary to indicate a link or not (maybe a bit, maybe a byte if you store strength).

The upside is that each new node increases the bandwidth of the network. The downside of this is that an attacker could possibly follow the data as it gets transferred from node to node and identify sender and receiver, providing linkability and thus defeating anonymity.

Consider, alternatively a broadcast model. In this model, no topological map must be stored but every node gets a copy of the data.

Broadcast: (Bandwidth = n*t, Storage: n*t)

In this model, nobody can identify the destination of a message which is very privacy preserving. However, the bandwidth cost are enormous. Now, each new node added to the network actually adds an external cost to the other node, similar to a car being added to a highway. The storage cost also increase at rate n*t because every node must keep a copy of the message (or at least a digest) for a period of time to prevent it re-accepting the data from one if it’s neighbors.

A third option is the random walk model, also called the hot potato. A node passes the data packet to another who passes it again, etc. In this model no node keeps a copy of the data once it has passed so the storage costs are 0. The bandwidth is a minimum s*t, because that’s the shortest circuit. BUT, the packet could be passed along for ever, so the bandwidth could be potentially infinite. Needless to say this is not good.

Random walk:  ( S*t < Bandwidth < ∞, Storage = 0)

What about a biased or intelligent random walk, a lukewarm potato. The network has the following rules. Each node ask its immediate neighbors, “is this yours?” Appropriate response are “yes, give it to me” “no, but I’ll take it” or “no, i’ve seen it”.  If the neighbor said yes, the node gives them the data. If the neighbor say “no, i’ve seen it” it ignores that node. The node then randomly selects one of the nodes that hasn’t seen the data and sends it to them to continue the process. If the node can’t find anybody to hand it over to, it tells the node that it got it from that it can’t pass it along, that node starts over again. [Alternatively, it could force one of the nodes that have seen it to take it again]. This method allows the data to snake it’s way through the network but not repeat any nodes. Here is the bandwidth and storage boundaries.

Intelligent random walk: ( s*t < Bandwidth < n*t, s*n < Storage < n* t)

So this doesn’t have as low of bandwidth and storage as the circuit but it’s not as bad as broadcast for storage and not as bad as random walk for bandwidth. However, anonymity is not perfect. An attacker who had access to the entire network could identify the recipient as the packet traces it ways through the network.

 

It appears then than anonymity costs either in bandwidth or storage cost. The question is what is more valuable to the network. There maybe additional techniques to mitigate this, and I continue to investigate this area.