Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Classic Facebook stalking horse

Yesterday Instagram made its first move towards delivering the real value in its acquisition by Facebook. They revised their Privacy Policy and Terms of Use to allow greater sharing of photos with Facebook and other businesses, especially advertisers. Instagram posted a new set of Terms on Monday, the shit hit the fan, and today they back-pedalled.

The mea culpa is a classic, straight out of the Zuckerberg copybook. They say they were misunderstood. They say they don't want to sell photos to ad men. They say members will always own their photos. But ownership is a red herring and the whole exercise is likely a stalking horse, designed to distract people from more significant issues around metadata and Facebook's ever deepening ability to infer PII.

Firstly, let's be clear that greater sharing follows the acquisition as night follows day. I noted at the time that the only way to understand Facebook's billion dollar spend on Instagram is around the value to be mined from the mother lode of photo data. In particular, image analysis and facial recognition grant Instagram and Facebook x-ray vision into their members' daily lives. They can work out what people are doing, with whom they're doing it, when and where. With these tools, they're moving quickly from collecting Personally Identifiable Information when it is volunteered by users, to PII that is observed and inferred. The quality and quantity of the PII flux is driven up dramatically. No longer is the lifeblood of Facebook -- the insights they have on 15% of the world's population -- filtered by what users elect to post and Like and tag, but now that information is raw, unexpurgated and automated.

Now ask where the money in photo data is to be made. It's not in selling candid snapshots of folks enjoying branded products. It's in the intelligence that image data yield about how people lead their lives. This intelligence is Facebook's one and only asset.

So it is metadata that we need to worry about. In its initial update to the Terms, Instagram said this: "[You] agree that a business or other entity may pay us to display your username, likeness, photos (along with any associated metadata), and/or actions you take, in connection with paid or sponsored content or promotions, without any compensation to you." In over 6,000 words "metadata" is mentioned just twice, parenthetically, and without any definition. Metadata is figuring more and more in the privacy discourse, and that's great, but we need to look beyond the usual stuff like geolocation and camera type embedded in the JPEGs. Much more important now is the latent identifiable personal content in images. Image analysis and image search provide endless new possibilities for infomopolies to extract value from photos.
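To make the "usual stuff" concrete, here is an added example (my own illustration for this edit, not code from Instagram, Facebook or the original post) in Go that walks a JPEG's marker segments, decodes the camera model and the GPS latitude and longitude from the Exif TIFF directories, and strips the Exif segment before a photo is shared. The JPEG it parses is constructed inline: the model string "ACME-Cam" and the Sydney coordinates are made-up test data, and the byte layout follows the JPEG and Exif/TIFF specifications.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Photo is the identifying metadata this example extracts: camera model and GPS fix.
type Photo struct {
	Model    string
	HasGPS   bool
	Lat, Lon float64 // decimal degrees; negative for south / west
}

// Exif tag numbers and TIFF field types used below (Exif 2.x specification).
const (
	tagModel, tagGPSIFD                  = 0x0110, 0x8825
	tagLatRef, tagLat, tagLonRef, tagLon = 0x0001, 0x0002, 0x0003, 0x0004
	typeASCII, typeLong, typeRational    = 2, 4, 5
)

var typeSize = map[uint16]int{1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}

// segment is one JPEG marker segment: 0xFF, marker, 2-byte length, payload.
type segment struct {
	marker byte
	raw    []byte
}

func (s segment) isExif() bool {
	return s.marker == 0xE1 && bytes.HasPrefix(s.raw[4:], []byte("Exif\x00\x00"))
}

// headerSegments walks the marker segments that precede the scan data (SOS) or EOI.
// Every length field is bounds-checked: a photo is untrusted input.
func headerSegments(jpg []byte) ([]segment, int, error) {
	if len(jpg) < 2 || jpg[0] != 0xFF || jpg[1] != 0xD8 {
		return nil, 0, errors.New("jpeg: missing SOI marker")
	}
	var segs []segment
	off := 2
	for off+4 <= len(jpg) {
		if jpg[off] != 0xFF {
			return nil, 0, fmt.Errorf("jpeg: expected marker at offset %d", off)
		}
		if m := jpg[off+1]; m == 0xDA || m == 0xD9 {
			break
		}
		n := int(binary.BigEndian.Uint16(jpg[off+2:])) // length counts its own two bytes
		if n < 2 || off+2+n > len(jpg) {
			return nil, 0, fmt.Errorf("jpeg: truncated segment at offset %d", off)
		}
		segs = append(segs, segment{marker: jpg[off+1], raw: jpg[off : off+2+n]})
		off += 2 + n
	}
	return segs, off, nil
}

type field struct {
	typ   uint16
	count uint32
	value []byte
}

type tiff struct {
	data []byte
	bo   binary.ByteOrder
}

// readIFD parses one image file directory into tag -> field. Values longer than four
// bytes are stored out of line; their offsets are checked against the block before use.
func (t *tiff) readIFD(off int) (map[uint16]field, error) {
	if off < 0 || off+2 > len(t.data) {
		return nil, errors.New("exif: IFD offset out of range")
	}
	n := int(t.bo.Uint16(t.data[off:]))
	ifd := make(map[uint16]field, n)
	for i := 0; i < n; i++ {
		p := off + 2 + 12*i
		if p+12 > len(t.data) {
			return nil, errors.New("exif: IFD runs past end of block")
		}
		e := t.data[p : p+12]
		typ, count := t.bo.Uint16(e[2:]), t.bo.Uint32(e[4:])
		size, known := typeSize[typ]
		if !known || count > 1<<16 {
			continue // unknown type or absurd count: skip rather than guess
		}
		total := int(count) * size
		var val []byte
		if total <= 4 {
			val = e[8 : 8+total] // short values live inline, left-justified
		} else if vo := int(t.bo.Uint32(e[8:])); vo < 0 || vo+total > len(t.data) {
			return nil, errors.New("exif: value offset out of range")
		} else {
			val = t.data[vo : vo+total]
		}
		ifd[t.bo.Uint16(e)] = field{typ, count, val}
	}
	return ifd, nil
}

// dms converts a degrees/minutes/seconds RATIONAL triple and its N/S or E/W reference
// into signed decimal degrees.
func (t *tiff) dms(ifd map[uint16]field, valTag, refTag uint16, neg byte) (float64, bool) {
	v, ok := ifd[valTag]
	if !ok || v.typ != typeRational || v.count != 3 {
		return 0, false
	}
	deg := 0.0
	for i, scale := range []float64{1, 60, 3600} {
		num, den := t.bo.Uint32(v.value[8*i:]), t.bo.Uint32(v.value[8*i+4:])
		if den == 0 {
			return 0, false
		}
		deg += float64(num) / float64(den) / scale
	}
	if r, ok := ifd[refTag]; ok && len(r.value) > 0 && r.value[0] == neg {
		deg = -deg
	}
	return deg, true
}

// ReadExif returns the camera model and GPS position from the first Exif segment found.
func ReadExif(jpg []byte) (Photo, error) {
	var p Photo
	segs, _, err := headerSegments(jpg)
	if err != nil {
		return p, err
	}
	for _, s := range segs {
		if !s.isExif() {
			continue
		}
		blk := s.raw[10:] // past marker, length and "Exif\0\0" lies the TIFF header
		if len(blk) < 8 || (string(blk[:2]) != "II" && string(blk[:2]) != "MM") {
			return p, errors.New("exif: bad TIFF header")
		}
		t := &tiff{data: blk, bo: binary.BigEndian}
		if blk[0] == 'I' {
			t.bo = binary.LittleEndian
		}
		ifd0, err := t.readIFD(int(t.bo.Uint32(blk[4:])))
		if err != nil {
			return p, err
		}
		if m, ok := ifd0[tagModel]; ok && m.typ == typeASCII {
			p.Model = string(bytes.TrimRight(m.value, "\x00"))
		}
		if g, ok := ifd0[tagGPSIFD]; ok && g.typ == typeLong {
			gps, err := t.readIFD(int(t.bo.Uint32(g.value)))
			if err != nil {
				return p, err
			}
			lat, okLat := t.dms(gps, tagLat, tagLatRef, 'S')
			lon, okLon := t.dms(gps, tagLon, tagLonRef, 'W')
			p.HasGPS, p.Lat, p.Lon = okLat && okLon, lat, lon
		}
		break
	}
	return p, nil
}

// StripExif returns a copy of the JPEG with every Exif APP1 segment dropped and the
// image data untouched: the minimum before a photo is published.
func StripExif(jpg []byte) ([]byte, error) {
	segs, scanOff, err := headerSegments(jpg)
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, jpg[:2]...)
	for _, s := range segs {
		if !s.isExif() {
			out = append(out, s.raw...)
		}
	}
	return append(out, jpg[scanOff:]...), nil
}

// sampleJPEG is constructed test data, not a real photograph: SOI, one Exif APP1 segment
// (big-endian TIFF: Model "ACME-Cam", GPS sub-IFD 33°52'04"S 151°12'26"E), then EOI.
func sampleJPEG() []byte {
	b, err := hex.DecodeString("FFD8FFE1009E457869660000" + // SOI, APP1, length 158, "Exif\0\0"
		"4D4D002A00000008" + "0002" + // TIFF header, IFD0 at offset 8 with two entries
		"011000020000000900000026" + "882500040000000100000030" + "00000000" + // Model@38, GPS IFD@48
		"41434D452D43616D0000" + "0004" + // "ACME-Cam\0", pad byte, GPS IFD with four entries
		"000100020000000253000000" + "000200050000000300000066" + // LatRef "S", Lat@102
		"000300020000000245000000" + "00040005000000030000007E" + "00000000" + // LonRef "E", Lon@126
		"000000210000000100000034000000010000000400000001" + // 33/1 52/1 4/1
		"00000097000000010000000C000000010000001A00000001" + "FFD9") // 151/1 12/1 26/1, EOI
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	jpg := sampleJPEG()
	p, err := ReadExif(jpg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("model=%q gps=%v lat=%.5f lon=%.5f\n", p.Model, p.HasGPS, p.Lat, p.Lon)
	clean, _ := StripExif(jpg)
	p, _ = ReadExif(clean)
	fmt.Printf("after strip: model=%q gps=%v, %d -> %d bytes\n", p.Model, p.HasGPS, len(jpg), len(clean))
}
```

Two caveats a practitioner would add. Stripping the Exif segment does not touch XMP or IPTC segments, the thumbnail some cameras embed, or anything a site derives from the pixels themselves, which is exactly the point of the post: once the platform has run face recognition over the image, the embedded metadata is the least of it. And because a JPEG is attacker-controlled input, every offset the parser follows is checked against the block it came from before it is dereferenced.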

A great deal of this week's outcry has focused on things like the lack of compensation, and all of Instagram's apology today is around the ownership of photos. But ownership is moot if they reserve their right to use and disclose metadata in any way they like. What actually matters is the individual's ability to understand and control what is done with any PII about them, including metadata. When the German privacy regulator acted against Facebook's facial recognition practices earlier this year, the principle they applied from OECD-style legislation is that there are limits to what can be collected about individuals without their consent. The regulator ruled it unlawful for Facebook to extract biometric information from images when their users innocently think they're only tagging people in photos.

So when I read Instagram's excuse, I don't see any truly meaningful self-restraint in the way they can exploit image data. Their switch is not even a tactical retreat, for as yet, they're not giving anything up.

Posted in Social Networking, Privacy, Big Data

Don't mix business and pleasure

At the recent Gartner Identity & Access Summit, analyst Earl Perkins spoke of the potential for Facebook to be used as an enterprise IdP. I'd like to see these sorts of speculations dampened a little by filtering them through the understanding that identity is a proxy for relationship.

Here's the practical difficulty that shows why we must reframe what we're talking about. If Facebook were to be an Identity Issuer, they would have to be clear about what enterprises really need to know about their staff, customers, partners and so on. There is no standardised answer to that; every business gets to know its people in their own peculiar ways. Does Facebook with its x-ray vision into our personal lives have anything to offer enterprises? If we work out which assertions might be vouched for by Facebook, how would they be underwritten exactly?

And I really mean exactly because liability is what kills off most identity federations. The idea of re-using identity across contexts is easier said than done. Banks have tried and tried again to federate identities amongst themselves. The Australian experience (of Trust Centre and MAMBO) was that banks find it too complex to re-use each others' issued IDs because of the legal complexity, even when they're all operating under the same laws and regulations! So how on earth will business make the jump to using Facebook as an IdP when they have yet to figure out banks as IdP?

I'd surely like to hear from Facebook themselves about how they see their IdP business developing. They're being very coy about even the early forays like Facedeals, which is using biometric data from Facebook to check people into stores by facial recognition. It's a pretty serious app, with very serious privacy ramifications, amplified by the fact that German regulators have thrown the book at Facebook for being underhanded with photo tagging. Under the circumstances, I would have expected Facedeals to have a Privacy Policy, and Facebook to make some public announcements about how they support the third party consumption of their biometric templates. But no, neither has happened.

The old saw "don't mix business and pleasure" turns out to predict the cyber world challenges of bringing social identities and business identities together. I have concluded that identity is metaphorical. Each identity is really a proxy for a relationship, and most of our intuitions about identity need to be reframed in terms of relationships. We're not talking simply about names! The types of relationship we entertain socially (and are free to curate for ourselves) may be fundamentally irreconcilable with the identities provided to us by businesses as a way to manage their risks, as is their prerogative.

Posted in Social Networking, Identity, Federated Identity

Any ideas to curtail CNP fraud?

The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12-month period. Lockstep monitors these figures and plots the trend data. The latest stats were released this week, for FY 2012.

Here's the latest picture of Australian payment card fraud growth over the past seven financial years FY2006-12.

[Figure: Australian card fraud trends, FY2006 to FY2012]

Compared with FY2011:

  • Total card fraud is up 25%
  • CNP fraud is up 27%
  • CNP fraud as a proportion of all card fraud remains at just under three quarters (72%).

As with the CY2011 stats we discussed last July, card fraud has again grown in all categories at once, not just Card Not Present, and this is unusual. The explanation may be a burst of skimming and counterfeiting in late 2011 which would be reflected in both the FY2012 and CY2011 numbers.

APCA's press release this week notes that card fraud has dropped in the past six months, contrasting financial 2012 ($189M) with calendar 2011 ($198M). This may not be a statistically valid comparison. We should expect seasonal buying habits will cause asymmetries within 12 months, making FY against CY a case of apples and oranges. Indeed, this looks like the first time APCA themselves have plotted CY and FY stats together. It certainly makes the latest figures look better.

Time will tell whether the trend is changing. The long term trend is that CNP fraud has grown at 38% p.a. on average, from $27M in FY2006 to $189M in FY2012. A 5% drop in the past six months may not mean much. The $189M loss most recently reported is probably close to the true trend.

APCA says "Broadly, the value of CNP fraud reflects growing retail activity in the online space, with many more businesses ... moving online". That's true but the question is: What will we do about it? Bank robbers rob banks because that's where the money is. Think about high road tolls: they reflect the popularity of driving, but we don't put up with them!

In any case, a cardholder's exposure to CNP fraud has nothing to do with whether they themselves shop online! Stolen card data are replayed online by criminals because they can. The online boom provides more places to use stolen cards but it's not where the criminals get most of their cards. Instead, it appears that account numbers are mostly obtained from massive database breaches at processors and large bricks-and-mortar retailers, like Heartland Payments, Global Payments, and Hannaford. So it's not fair to play down CNP fraud as relating to the cost of going digital, because it hurts people who haven't gone digital.

I'm afraid payments regulators seem light on ideas for actually rectifying CNP fraud.

Until recently, APCA actively promoted 3D Secure (Verified by Visa or Mastercard SecureCode) as a response to CNP fraud. In June 2011, APCA went so far as to say "retailers should be looking at a 3D Secure solution for their online checkout". But their most recent press release makes no mention of 3D Secure at all.

It looks to me that 3D Secure, after many years of disappointing performance and terrible take-up, is now too contentious to rate a mention from Australia’s regulators.

In my view, the industry needs to treat CNP fraud as seriously as it did skimming and carding. The industry should not resign itself to increasing rates of fraud just because online shopping is on the rise.

CNP fraud is not a technologically tough problem. It's just the digital equivalent of analogue skimming and carding, and it could be stopped just as effectively by using chips to protect cardholder data online.

Posted in Security, Payments, Fraud

If Facebook were honest

The first and foremost privacy principle in any data protection regime is Collection Limitation. A classic instance is Australia's National Privacy Principle NPP 1, which requires that an organisation refrain from collecting Personal Information unless (a) there is a clear need to collect that information; (b) the collection is done by fair means, and (c) the individual concerned is made aware of the collection and the reasons for it.

In accordance with the Collection Principle (and others besides), a conventional privacy notice or privacy policy should give a full account of what Personal Information an organisation collects (including that which it creates internally) and why it collects it.

And herein lies a fundamental challenge for most online social networks: if they were honest about the Collection Principle, they would have to say "We collect information about you to make money".

The core business model of many Online Social Networks is to exploit Personal Information, in many and varied ways. There's a bargain for Personal Information inherent in commercial social media. Some say the bargain is obvious to today's savvy netizens; it's said that everybody knows there is no such thing as a free lunch. But I am not so sure. I doubt that the average Facebook user really grasps what's going on. The bargain for their information is opaque and unfair.

From the outset, Facebook founder Mark Zuckerberg was tellingly enthusiastic for information built up in his system to be used by others. In 2004, he told a colleague "if you ever need info about anyone at Harvard, just ask".

Facebook has experienced a more or less continuous string of privacy controversies, including the "Beacon" sharing feature in 2007, which automatically imported members' activities on external websites and re-posted the information on Facebook for others to see. Facebook's privacy missteps almost always relate to the company using the data it collects in unforeseen and barely disclosed ways. Yet this is surely what Facebook's investors expect the company to be doing: innovating in the commercial exploitation of personal information. An inherent clash with privacy arises from the fact that Facebook is a pure play information company: its only significant asset is the information it holds about its members. The market expects this asset to be monetised and maximised. Logically, anything that checks the network's flux in Personal Information -- such as the restraints inherent in privacy protection, whether adopted from within or imposed from without -- must affect the company's futures.

Facebook's business model is enhanced by promiscuity amongst its members, so there is an apparent conflict of interest in the firm's privacy posture. The more information its members are willing to divulge, the greater is Facebook's value. Zuckerberg is far from a passive bystander in this; he has long tried to train his members to abandon privacy norms, in order to generate ever more information flux upon which the site depends. He is brazenly quick to judge what he sees as broader societal shifts. Interviewed at the 2010 TechCrunch conference, he said:

[In] the last five or six years, blogging has taken off in a huge way and all these different services that have people sharing all this information. People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time. We view it as our role in the system to constantly be innovating and be updating what our system is to reflect what the current social norms are.

It is rather too early to draw this sort of sweeping generalisation from the behaviours of a specially self-selected cohort of socially hyperactive users. Without underestimating the empirical importance of Facebook to hundreds of millions of people, surely one of the over-riding characteristics of OSN as a pastime is simply that it is fun. There is a sort of suspension of disbelief at work when people act in this digital world, divorced from normal social cues which may lead them to lower their guard. Facebook users are not fully briefed on the consequences of their actions, and so their behaviour to some extent is being directed by the site designers; it has not evolved naturally as Zuckerberg would have us believe.

Yet promiscuity is not in fact the source of the most valuable social data. Facebook has a particularly sorry history of hiding its most effective collection methods from view. Facial recognition is perhaps the best example. While it has offered photo tagging for years, it was only in early 2012 that Facebook started to talk plainly about how it constructs biometric templates from tags, and how it runs those templates over stored photo data to come up with tag suggestions. Meanwhile, the application of facial recognition is quietly expanding beyond what they reveal, with the likes of Facedeals for example starting to leverage Facebook's templates, in ways that are not disclosed in any Privacy Policies anywhere.

Privacy is largely about transparency. Businesses owe it to their members and customers to honestly disclose what data is collected and why. While social networks continue to obfuscate the true exchange of Personal Information for commercial value, we cannot take seriously their claims to respect our privacy.

Posted in Social Networking, Privacy

Security-convenience trade-off: What trade-off?

As mentioned last month, the security-convenience trade-off in computer security is radically different from traditional locks and keys. Regular users are so habituated to door keys that they don't even think of the trade-offs! Keys are so easy to use that nobody bothers to make them "easier" with the equivalent of Single Sign On (just imagine asking your boss to re-key the office door and all the file cabinets just so you could use the same key for work as well as your home and car - it would be preposterous).

The cyber security-convenience trade-off could be radically re-jigged if we adopted serious physical keys for our computing devices. The usability dilemma online is really all about human factors engineering.

It's instructive to look at the evolution of door locks. For centuries we've used the same basic form factor: as the Oxford dictionary puts it, "a small piece of shaped metal with incisions cut to fit the wards of a particular lock, which is inserted into a lock and turned to open or close it".

The UX is universal, while under the covers, security R&D has spawned long and steady improvement.

[Images: an old key; a classic Yale pin tumbler key; a high security key; a Mercedes smart key; an Audi emergency key]


And the most recent smart car keys still have a mechanical emergency key for when the electronics fails!

Posted in Security

Taking logon seriously

To a great extent, many of the challenges in information security boil down to human factors engineering. We have got the security-convenience trade-off in infosec badly wrong. The computer password is a relic of the 1960s, devised by technicians, for technicians. If we look at traditional security, we see that people are universally habituated to good practices with keys and locks.

The terrible experience of Wired writer Mat Honan being hacked created one of those classic overnight infosec sensations. He's become the poster boy for the movement to 'kill the password'. His follow up post of that name was tweeted over two thousand times in two days.

Why are we so late to this realisation? Why haven't we had proper belts-and-braces access security for our computers ever since the dawn of e-commerce? We all saw this coming -- the digital economy would become the economy; the information superhighway would become more important than the asphalt one; our computing devices would become absolutely central to all we do.

It's conspicuous to me that we have always secured our serious real world assets with proper keys. Our cars, houses, offices and sheds all have keys. Many of us would have been issued with special high security keys in the workplace. Cars these days have very serious keys indeed, with mechanical and electronic anti-copying design features. It's all bog standard.

[Images: a Mul-T-Lock high security key; car keys]


But for well over a decade now, cyber security advocates speak earnestly about Two Factor Authentication as if it's something new and profound.

For a few extra bucks we could build proper physical keyed security into all our computers and networked devices. The ubiquity of contactless interfaces by wifi or NFC opens the way for a variety of radio frequency keys in different form factors for log on.

There's something weird about the computing UX that has long created different standards for looking at the cyber world and the real world. A personal story illustrates the point. About nine years ago, I met with a big e-commerce platform provider that was experiencing a boom in fraud against the online merchants it was hosting. They wanted to offer their merchant tenants better security against hijackers. I suggested including a USB key for mutual authentication and strong digital signatures, but the notion of any physical token was rejected out of hand. They could not stomach the idea that the merchant might be inconvenienced in the event they misplaced their key. What an astonishing double standard! I asked them to imagine being a small business owner, who one day drives to the office to find they've left their door key behind. What do you want to do? Have some magic protocol that opens the door for you, or do you put up with the reality of having to turn around and get your keys?
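Here is what "a key for logon" looks like on the wire, as an added example (my own sketch for this edit, not code from the platform provider in the story or from any product): a Go model of mutual challenge-response authentication with Ed25519 signatures. The Token type stands in for a USB or NFC key that signs but never exports its private key; the server and user names, the protocol label and the message layout are all invented for the illustration. Unlike a password, nothing reusable crosses the network, a captured response cannot be replayed because each challenge is single-use, and a signature obtained by a phishing site is useless at the real one because the server's identity is part of the signed transcript.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

const protoTag = "lockstep-key-login/v1" // assumed domain-separation label for this sketch

// Token models a physical key: the private key is generated inside and never leaves.
type Token struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewToken() *Token {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: priv, Pub: pub}
}

// Sign is the only operation the token exposes: sign a transcript and return the signature.
func (t *Token) Sign(msg []byte) []byte { return ed25519.Sign(t.priv, msg) }

// Server holds enrolled user keys and the challenges it has issued but not yet consumed.
type Server struct {
	ID    string
	key   *Token
	users map[string]ed25519.PublicKey
	open  map[[32]byte]bool
}

func NewServer(id string) *Server {
	return &Server{ID: id, key: NewToken(), users: map[string]ed25519.PublicKey{}, open: map[[32]byte]bool{}}
}

func (s *Server) Enrol(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge starts a logon: a fresh random nonce the client's key must sign.
func (s *Server) Challenge() [32]byte {
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	s.open[n] = true
	return n
}

// LoginMsg is the client's reply: who it claims to be, its own nonce, and the signature.
type LoginMsg struct {
	User        string
	ClientNonce [32]byte
	Sig         []byte
}

// transcript binds both nonces and the server's identity under a role label, so a
// signature produced for "evil.example" cannot be relayed to "bank.example".
func transcript(role, serverID string, serverNonce, clientNonce [32]byte) []byte {
	var b bytes.Buffer
	b.WriteString(protoTag + "/" + role + "/" + serverID + "\x00")
	b.Write(serverNonce[:])
	b.Write(clientNonce[:])
	return b.Bytes()
}

// ClientRespond is the client's first leg: pick a nonce and have the token sign the transcript.
func ClientRespond(tok *Token, user, serverID string, serverNonce [32]byte) LoginMsg {
	var cn [32]byte
	if _, err := rand.Read(cn[:]); err != nil {
		panic(err)
	}
	return LoginMsg{User: user, ClientNonce: cn, Sig: tok.Sign(transcript("client", serverID, serverNonce, cn))}
}

// Verify consumes the challenge, checks the client's signature against the enrolled key,
// and signs the same nonces with the server key so the client can authenticate the server.
func (s *Server) Verify(serverNonce [32]byte, m LoginMsg) ([]byte, error) {
	if !s.open[serverNonce] {
		return nil, errors.New("unknown or already-used challenge (replay?)")
	}
	delete(s.open, serverNonce) // single use, whether or not the signature checks out
	pub, ok := s.users[m.User]
	if !ok || !ed25519.Verify(pub, transcript("client", s.ID, serverNonce, m.ClientNonce), m.Sig) {
		return nil, errors.New("client signature invalid")
	}
	return s.key.Sign(transcript("server", s.ID, serverNonce, m.ClientNonce)), nil
}

// ClientCheckServer completes mutual authentication against the server key pinned at enrolment.
func ClientCheckServer(serverPub ed25519.PublicKey, serverID string, serverNonce, clientNonce [32]byte, sig []byte) bool {
	return ed25519.Verify(serverPub, transcript("server", serverID, serverNonce, clientNonce), sig)
}

// Login drives one complete exchange; a nil error means both sides authenticated.
func Login(tok *Token, user string, s *Server) error {
	n := s.Challenge()
	m := ClientRespond(tok, user, s.ID, n)
	sig, err := s.Verify(n, m)
	if err != nil {
		return err
	}
	if !ClientCheckServer(s.key.Pub, s.ID, n, m.ClientNonce, sig) {
		return errors.New("server signature invalid")
	}
	return nil
}

func main() {
	bank := NewServer("bank.example")
	tok := NewToken()
	bank.Enrol("alice", tok.Pub)
	fmt.Println("login:", Login(tok, "alice", bank))

	n := bank.Challenge() // replay: present a captured valid response a second time
	m := ClientRespond(tok, "alice", bank.ID, n)
	bank.Verify(n, m)
	_, err := bank.Verify(n, m)
	fmt.Println("replay:", err)

	n2 := bank.Challenge() // relay: a signature made for another server ID is useless here
	_, err = bank.Verify(n2, ClientRespond(tok, "alice", "evil.example", n2))
	fmt.Println("relay:", err)
}
```

The lost-key case the platform provider worried about is handled the same way a locksmith handles it: enrol a second key up front, or re-enrol at a counter with whatever identification the business already requires. What the design does not offer is a "magic protocol" that opens the door without the key, and that is the point.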

We are universally habituated to physical keys and key rings. They offer a brilliant combination of usability and security. If we had comparably easy to use physical keys for accessing virtual assets, we could easily manage a suite of 10 or 15 or more distinct digital identities, just as we manage that many real world keys. Serious access security for our computers would be simple, if we just had the will to engineer our hardware properly.

Posted in Security, Cloud

Speaking plainly about Identity

I was recently editing my long "ecological identity" paper from last year and I was reminded how we tend to complicate identity when we speak about it. Here's a passage from that paper, which argues that the language we use is important. I contend we don't need to introduce new technical definitions around identity. Furthermore, I think if we returned to plain language, we might actually see federated identity differently.

Why for instance do orthodox identity engineers insist that authentication and authorization are fundamentally different things? The idea that roles are secondary to identity dates back to 1960s-era Logical Access Control. It's an arbitrary distinction not usually seen in the real world. Authorization is what really matters in most business, not identity. For instance, no pharmacist identifies a doctor before relying on a prescription; the prescription itself, written on an official watermarked form, confers the necessary authority. Context is vital; in fact it's often the case that "the medium is the authentication" (with apologies to Marshall McLuhan).

What follows is extracted from Identities Evolve: Why federated identity is easier said than done, AusCERT Security Conference, 2011.

The word "identity" means different things to different people. I believe it is futile quoting dictionary definitions in an attempt to disambiguate something like identity (in fact, when a perfectly ordinary word attracts technical definition, it's a sure sign that misunderstanding is around the corner). Instead of forcing precision on the term, we should actually respect its ambiguity! Consider that in life we are completely at ease with the complexity and nuance of identity. We understand the different flavours of personal identity, national identity and corporate identity. We talk intuitively about identifying with friends, family, communities, companies, sports teams, suburbs, cities, countries, flags, causes, fashions and styles. In multiculturalism, whether or not we agree on the politics of this challenging topic, we understand what is meant by the mingling or the co-existence or the adoption of cultural identities. The idea of "multiple personality syndrome" makes perfect sense to lay people (regardless of its clinical controversies). Identity is not absolute, but instead dilates in time and space. Most of us know how it feels at a high school re-union to no longer identify with the young person we once were, and to have to edit ourselves in real time to better fit how we and others remember us. And it seems clear that we switch identities unconsciously, when for example we change from work garb to casual clothes, or when we wear our team's colours to a football match.

Yet when it comes to digital identity -- that is, knowing and showing who we are online -- we have made an embarrassing mess of it. Information technologists have taken it upon themselves to redefine the meaning of the word, while philosophically they don't even agree if we should possess one identity or more.

We don't need to make identity any more complicated than this: Identity is how someone is known. In life, people move in different circles and they often adopt different guises or identities in each of them. We have circles of colleagues, customers, fellow users, members, professionals, friends and so on -- and we often have distinct identities in each of them. The old saw "don't mix business and pleasure" plainly shows we instinctively keep some of our circles apart. The more formal circles -- which happen to be the ones of greatest interest in e-business -- have procedures that govern how people join them. To be known in a circle of a bank's customers or a company's employees or a profession means that you've met some prescribed criteria, thus establishing a relationship with the circle.

[To build on my idea of impressed vs expressed identities, let's acknowledge that the way you know yourself is one thing, but the way others know you is something quite different.]

Kim Cameron's seminal Laws of Identity define a Digital Identity as "a set of claims made by one digital subject about itself or another digital subject". This is a relativistic definition; it stresses that context helps to grant meaning to any given identity. Cameron also recognised that this angle "does not jive with some widely held beliefs", especially the common presumption that all identities must be unique in any one setting. He stressed instead that uniqueness in a context might have featured in many early systems but it was not necessarily so in all contexts.

So a Digital Identity is essentially a proxy for how one is known in a given circle; it represents someone in that context. Digital Identity is a powerful abstraction that hides a host of formalities, like the identification protocol, and the terms & conditions for operating in a particular circle, fine-tuned to the business environment. All modern identity thinking stresses that identity is context dependent; what this means in practical terms is that an identifier is usually meaningless outside its circle. For example, if we know that someone's "account number" is 56236741, it's probably meaningless without giving the bank/branch number as well (and that's assuming the number is a bank account and not something from a different context altogether).

I contend that plain everyday language illuminates some of the problems that have hampered progress in federated identity. One of these is "interoperability", a term that has self-evidently good connotations but which passes without a lot of examination. What can it mean for identities to "interoperate" across contexts? People obviously belong to many circles at once, but the simple fact of membership of any one circle (say the set of chartered accountants in Australia) doesn't necessarily say anything about membership of another. That is to say, relationships don't "interoperate", and neither in general do identities.

Posted in Language, Identity, Federated Identity

Let's forget about identity

Here's a radical thought: why don't we Internet engineers forget about identity?

Businesses and individuals identify each other in various ways and to different ends, but always basically in order to manage the risk of dealing with the wrong entity. By and large, we actually do identification pretty well. There are many mature analytical methods and standards by which identification can be analysed and designed, as just one element of risk management.

One of the difficulties in Federated Identity is that it too often pressures participants to change the way they do identification. Now there's nothing wrong with change, and I'm not saying that identity management practices are perfect by any means. But they're changing already. They always have and they always will. What I am saying is that global identification is never going to happen, and neither will global identification benchmarks, like Levels of Assurance. We can think globally all we like but risk management requires fundamentally that businesses will always act locally.

Identification practices undergo continuous improvement under circumstances peculiar to different businesses, industries and jurisdictions. Most industries at some level constantly monitor the adequacy of identification in the face of fraud trends, and make steady adjustments. Some identification protocols are legislated, as in the 100 point check of the Australian Financial Transaction Reports Act and anti-money laundering laws. Some protocols are set by industry overseers; for instance, doctor credentialing is regulated by local and state health agencies with a degree of national coordination. Ad hoc standards (more like habits really) emerge all the time, such as the way so many hotels have taken to photocopying driver licenses at check in. For the most part, identification rules are made up by industry bodies and by businesses themselves to suit their local risk profiles. In general there are no laws that prescribe how employers identify their staff, nor universities their students, nor professional bodies their members -- just as there is no national identity card here.

In going online, several widespread problems in identification have arisen. We all know what the problems are: the inconvenience and cost of repeated registrations; the overhead of managing multiple accounts and often inconsistent authentication mechanisms (multiple passwords, and separately, the "token necklace"); the privacy risks that go with redundant registration information flows and records; identity fraud and "identity theft". These problems are mostly separable and are amenable to improvement without imposing global identity management practices, let alone re-engineering identity itself.

The process of identification boils down to presenting certain pieces of claimed information about the person or entity, and validating those claims. In improving identification in the digital environment, we must focus with more precision on the real problems needing to be solved. And we must avoid wherever possible imposing changes from outside on the way that businesses choose to know their customers, members, staff, partners and users.

Around the world, governments and public-private partnerships continue to strive for big over-arching "Identity Frameworks". I think we need to heed the lesson that Federated Identity is easier said than done. Really worthwhile efforts have repeatedly failed, none more significantly than Microsoft's flagship identity solution CardSpace. I'm positive the underlying problem is simply that identity is not what it seems. Digital Identity is metaphorical; it's not a real thing at all but instead is a proxy for a relationship. And we know that relationships are difficult to carry over across different contexts.

So what's to be done? In my view, a subtle but significant course correction is due. Why don't we drop down a level, forget about "identities", and put our energies into making reliable information about claims more widely available? Fortunately, all the orthodox identity frameworks include Attribute Provision, and let's remember that the Laws of Identity themselves teach that Digital Identities are "sets of claims made by one digital subject about itself or another digital subject". I've discussed elsewhere that the interoperability of IdPs and RPs is more complicated than simply matching Assurance Levels, because it's the details of the elemental claims that really matter. So why don't we stop trying to centrally govern how identities are defined by Subjects and by Relying Parties, and focus instead on improving the mechanisms for conveying the more atomic claims that power those identities?

The diagram shows how a marketplace of verification services could grow around a set of commonplace claims.

[Figure: Claims Ecosystem Strawman]

NB: "DVS" stands for Document Verification Service, currently operated by the Australian Attorney-General's Department, which allows state and federal government agencies here to inquire as to the validity and currency of a range of identity documents.

The approach includes many of the standard privacy and security features of higher order Federated Identity systems, such as information hiding APIs delivering only 'yes'/'no' answers to claims queries. But the approach stops short of describing any "identities" per se or characterising "assurance levels" and the like, leaving Relying Parties to continue to set their own identification rules, and to realise those rules by shopping around for claims verifiers that suit their purposes.

The suggested system has the following qualities:

  • It does not impose any identification protocols on businesses, who remain free to select which claims and combinations of claims they want Subjects to exhibit.

  • It does not change the context in which businesses deal with their customers/members/staff/partners/users.

  • It is contestable. While there will be natural authorities (or 'sources of truth') for many claims like driver license numbers or date of birth, the proposal allows for other organisations to offer claims validation. Secondary data sets can be just as reliable (or even more so) for claims such as street address, alternate names etc. Information brokers can be expected to value-add certain claims, attest to baskets of claims, and/or bundle claims validation with other business services.

  • It is much easier to ascribe liability around the validation of precise claims than the validation of "identity"; this approach should be more palatable to banks, government agencies and so on than other Federated Identity concepts where IdPs are asked to underwrite 'who someone is'.

  • It is pragmatic; it avoids semantic technicalities like the difference between "authentication" and "authorization"; the proposal simply provides uniform market-based mechanisms for parties to assert and test elemental claims as a precursor to doing business.
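To make the mechanics concrete, here is a small added example (not code from the post, and not any real DVS or broker API) of the claims marketplace sketched above: each verifier answers only yes/no about an asserted claim and never discloses what it holds, a registry lets a Relying Party shop for verifiers by claim type, and the Relying Party's own identification rule is just a conjunction of atomic claims, each of which may be confirmed by the authoritative source or by any secondary source it is prepared to accept. The verifier names, subject references and sample claims are constructed for illustration; a subject reference standing in for a document number is a simplification.

```python
"""Toy claims-verification marketplace (added example; not code from the post
or from any real DVS). Names such as 'DVS', 'AddressBroker' and 'UtilityCo' and
the subject references are constructed for illustration."""
from dataclasses import dataclass, field
import hmac


def _normalise(claim_type: str, value: str) -> str:
    # Light canonicalisation so a street address held by two different
    # secondary data sets compares equal. Constructed rules, not a standard.
    v = " ".join(value.strip().split())
    return v.casefold() if claim_type in ("street_address", "name") else v


@dataclass
class ClaimsVerifier:
    """Information-hiding verifier: answers 'is this claim true for this
    subject reference?' with yes/no and never returns what it holds."""
    name: str
    claim_types: frozenset
    _records: dict = field(default_factory=dict, repr=False)

    def load(self, subject_ref: str, claim_type: str, value: str) -> None:
        self._records[(subject_ref, claim_type)] = _normalise(claim_type, value)

    def verify(self, subject_ref: str, claim_type: str, asserted: str) -> bool:
        if claim_type not in self.claim_types:
            raise ValueError(f"{self.name} does not verify {claim_type}")
        stored = self._records.get((subject_ref, claim_type))
        if stored is None:
            return False  # unknown subject or claim: 'no', and nothing more
        # Constant-time compare so timing does not leak the stored value.
        return hmac.compare_digest(stored.encode(),
                                   _normalise(claim_type, asserted).encode())


class Marketplace:
    """Registry of verifiers; relying parties shop here by claim type."""
    def __init__(self) -> None:
        self._verifiers: dict = {}

    def register(self, verifier: ClaimsVerifier) -> None:
        self._verifiers[verifier.name] = verifier

    def verifiers_for(self, claim_type: str, accepted=None) -> list:
        return [v for v in self._verifiers.values()
                if claim_type in v.claim_types
                and (accepted is None or v.name in accepted)]


def evaluate(rule: dict, market: Marketplace, subject_ref: str,
             asserted: dict) -> dict:
    """Apply a relying party's own identification rule: every required claim
    must be confirmed by at least one verifier the rule accepts (None = any).
    Returns whether the rule passed and which verifier confirmed each claim."""
    evidence = {}
    for claim_type, accepted in rule.items():
        value = asserted.get(claim_type)
        confirmed_by = None
        if value is not None:
            for v in market.verifiers_for(claim_type, accepted):
                if v.verify(subject_ref, claim_type, value):
                    confirmed_by = v.name
                    break
        evidence[claim_type] = confirmed_by
    return {"ok": all(evidence.values()), "evidence": evidence}


# A bank's own rule: primary documents from the authoritative source,
# address from any secondary source on the market (contestable).
BANK_RULE = {
    "driver_licence": {"DVS"},
    "date_of_birth": {"DVS"},
    "street_address": None,
}
# Constructed sample claims presented by a subject.
ALICE_CLAIMS = {"driver_licence": "12345678", "date_of_birth": "1980-02-29",
                "street_address": "1  Example St, Sydney"}


def build_demo_market() -> Marketplace:
    """Constructed marketplace: one authoritative and two secondary sources."""
    dvs = ClaimsVerifier("DVS", frozenset({"driver_licence", "date_of_birth"}))
    dvs.load("alice", "driver_licence", "12345678")
    dvs.load("alice", "date_of_birth", "1980-02-29")
    broker = ClaimsVerifier("AddressBroker", frozenset({"street_address"}))
    broker.load("carol", "street_address", "9 Other Rd, Perth")
    utility = ClaimsVerifier("UtilityCo", frozenset({"street_address"}))
    utility.load("alice", "street_address", "1 example st, sydney")
    market = Marketplace()
    for v in (dvs, broker, utility):
        market.register(v)
    return market


if __name__ == "__main__":
    print(evaluate(BANK_RULE, build_demo_market(), "alice", ALICE_CLAIMS))
```

Two design points worth noticing: the verifier's only outputs are a boolean and a refusal for claim types it does not serve, so a Relying Party learns nothing about a subject it did not already assert; and because the bank's rule names the authoritative source for the primary claims but accepts any registered source for the address, the address claim is confirmed by UtilityCo when AddressBroker has no record, which is the contestability the post describes.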

In closing, I'd like to quote Dazza Greenwood on identity:

"Former Speaker of the House Tip O'Neill used to say that all politics is local. Similarly, it can be said that all identity is local as well. Not necessarily geographically local. A parent can have children across the country and a bank for example can have account holders all over the globe. But they are "logically local" in the sense that they are all "home grown" and make sense largely only in their internal context. The account number by which each banking user is primarily known and the attributes surrounding that number are not similar to the naming and identity scheme required by medical clinical systems, for example. One size does not fit all because the subtle contours and content of identity is not monolithic." Ref: Authentication and Identity Management: Information Age Policy Considerations, Greenwood, 2003.

Indeed: identity is not monolithic. We might make much better progress on the digital identity challenges if we dropped down a level and tried dealing with identity's common parts instead.

Posted in Identity, Federated Identity

It's not too late for privacy

Have you heard the news? "Privacy is dead!"

It's an urgent, impatient sort of line in the sand, drawn by the new masters of the universe digital, as a challenge to everyone else. C'mon, get with the program! Innovate! Don't be so precious - so very 20th century! Don't you dig that Information Wants To Be Free? Clearly, old fashioned privacy is holding us back!

The stark choice posited between privacy and digital liberation is rarely examined with much diligence; often it's actually a fatalistic response to the latest breach or the latest eye popping digital development. In fact, those who earnestly assert that privacy is dead are almost always trying to sell us something, be it a political ideology, or a social networking prospectus, or sneakers targeted at an ultra-connected, geolocated, behaviorally qualified nano market segment.

Is it really too late for privacy? Is the genie out of the bottle? Even if we accepted the ridiculous premise that privacy is at odds with progress, no it's not too late, firstly because the pessimism (or commercial opportunism) generally confuses secrecy for privacy, and secondly because frankly, we aint seen nothin yet!

Conflating privacy and secrecy

Technology certainly has laid us bare. Behavioural modeling, facial recognition, Big Data mining, natural language processing and so on have given corporations x-ray vision into our digital lives. While exhibitionism has been cultivated and normalised by the infomopolists, even the most guarded social network users may be defiled by Big Data wizards who without consent upload their contact lists, pore over their photo albums, and mine their shopping histories, as is their wanton business model.

So yes, a great deal about us has leaked out into what some see as an extended public domain. And yet we can be public and retain our privacy at the same time.

Some people seem defeated by privacy's definitional difficulties, yet information privacy is simply framed, and corresponding data protection laws readily understood. Information privacy is basically a state where those who know us are restrained in what they can do with the knowledge they have about us. Privacy is about respect, and protecting individuals against exploitation. It is not about secrecy or even anonymity. There are few cases where ordinary people really want to be anonymous. We actually want businesses to know -- within limits -- who we are, where we are, what we've done, what we like, but we want them to respect what they know, to not share it with others, and to not take advantage of it in unexpected ways. Privacy means that organisations behave as though it's a privilege to know us.

Many have come to see privacy as literally a battleground. The grassroots Cryptoparty movement has come together around a belief that privacy means hiding from the establishment. Cryptoparties teach participants how to use Tor and PGP, and spread a message of resistance. They take inspiration from the Arab Spring where encryption has of course been vital for the security of protestors and organisers. The one Cryptoparty I've attended so far in Sydney opened with tributes from Anonymous, and a number of recorded talks by activists who ranged across a spectrum of social and technosocial issues like censorship, copyright, national security and Occupy. I appreciate where they're coming from, for the establishment has always overplayed its security hand. Even traditionally moderate Western countries have governments charging like china shop bulls into web filtering and ISP data retention, all in the name of a poorly characterised terrorist threat. When governments show little sympathy for netizenship, and absolutely no understanding of how the web works, it's unsurprising that sections of society take up digital arms in response.

Yet going underground with encryption is a limited privacy stratagem, for DIY crypto is incompatible with the majority of our digital dealings. In fact the most nefarious, uncontrolled and ultimately the most dangerous privacy harms come from mainstream Internet businesses and not government. Assuming one still wants to shop online, use a credit card, tweet, and hang out on Facebook, we still need privacy protections. We need limitations on how our Personally Identifiable Information (PII) is used by all the services we deal with; we need department stores to refrain from extracting sensitive health information from our shopping habits, merchants to not use our credit card numbers as customer reference numbers, and online social networks to not x-ray our photo albums by biometric face recognition. I note that some Cryptoparty bookings are managed by the US event organiser Eventbrite, which has a detailed Privacy Policy setting out how it promises to handle personal information provided by attendees. It does seem reasonable to me, but like all private sector data protection arrangements, there's a lot going on there.

So ironically, when registering for a cryptoparty, you could not use encryption! For privacy, you have to either trust Eventbrite to have a reasonable policy and to stick to it, or you might rely on government regulations, if applicable. When registering, you give a little Personal Information to the organisers, and we expect that they will be restrained in what they do with it.

Going out in public never was a license for others to invade our privacy. We ought not to respond to online privacy invasions as if cyberspace is a new Wild West. We have always relied on regulatory systems of consumer protection to curb the excesses of business and government, and we should insist on the same in the digital age. We should not have to hide away if privacy is agreed to mean respecting the PII of customers, users and citizens, and restraining what data custodians do with that precious resource.

We aint seen nothin yet!

I ask anyone who thinks it's too late to reassert our privacy to think for a minute about where we're heading. We're still in the early days of the social web, and the information "innovators" have really only just begun. Look at what they've done so far:

  • Facial recognition converts vast stores of anonymous photos into PII, without consent, and without limit. Facebook's deployment of biometric technology was especially clever. For years they crowd-sourced the creation of templates and the calibration of their algorithms, without ever mentioning facial recognition in their privacy policy or help pages. Even now Facebook's Data Use Policy is entirely silent on biometric templates and what they allow themselves to do with them. Meanwhile, third party services like Facedeals are starting to use Facebook's photo resources for commercial facial recognition in public.
  • It's difficult to overstate the value of facial recognition to businesses like Facebook which have just one asset: the knowledge they have about their members. Combined with image analysis and content addressable image banks, facial recognition lets Facebook work out what we're doing, when, where and with whom, pirating billions of everyday images given over by members to a business that doesn't even mention these priceless resources in its privacy policy.

  • Big Data. The most notorious recent example of the power of data mining comes from Target's covert research into identifying customers who are pregnant based on their buying habits. Big Data practitioners are so enamoured with their ability to extract secrets from "public" data they seem blithely unaware that by generating fresh PII from their raw materials they are in fact collecting it as far as Information Privacy Law is concerned. As such, they’re legally liable for the privacy compliance of their cleverly synthesised data, just as if they had expressly gathered it all by questionnaire.

  • Natural Language Processing (NLP) is the secret sauce in Apple's Siri, allowing her to take commands -- and dictation. Every time you dictate an email or a text message to Siri, Apple gets hold of the content of telecommunications that are normally out of bounds to the phone companies. Siri is like a free PA that reports your daily activities back to the secretarial agency. There is no mention at all of Siri in Apple's Privacy Policy despite the limitless collection of intimate personal information.

As an aside, I'm not one of those who fret that technology has outstripped privacy law. Principles-based Information Privacy law copes well with most of this technology. OECD privacy principles (enacted in over seventy countries) and the US FIPPs require that companies be transparent about what PII they collect and why, and that they limit the ways in which PII is used for unrelated purposes, and how it may be disclosed. These principles are decades old and yet they have recently been re-affirmed by German regulators over Facebook's surreptitious use of facial recognition. I expect that Siri will attract like scrutiny as it rolls out in continental Europe.

So what's next?

  • Google Glass may, in the privacy stakes, surpass both Siri and facial recognition of static photos. If actions speak louder than words, imagine the value to Google of digitising and knowing exactly what we do in real time.

  • Facial recognition as a Service and the sale of biometric templates may be tempting for the photo sharing sites. If and when biometric authentication spreads into retail payments and mobile device security, these systems will face the challenge of enrollment. It might be attractive to share face templates previously collected by Facebook and voice prints by Apple.

So, is it really too late for privacy? The infomopolists and national security zealots may hope so, but surely even cynics will see there is great deal at stake, and that it might be just a little too soon to rush to judge something as important as this.

Posted in Social Networking, Social Media, Privacy, Culture, Big Data

I never trusted trust

From the archives.

  • "It is often put simply that in e-business, authentication means that you know who you're dealing with. Authentication is inevitably cited as one of the four or five 'pillars of security' (the others being integrity, non-repudiation, confidentiality and, sometimes, availability).
  • "To be a little more precise, let's examine the functional definition of authentication adopted by the Asia Pacific Economic Co-operation (APEC) E-Security Task Group, namely the means by which the recipient of a transaction or message can make an assessment as to whether to accept or reject that transaction.
  • "Note that this definition does not have identity as an essential element, let alone the complex notion of 'trust'. Identity and trust all too frequently complicate discussions around authentication. Of course, personal identity is important in many cases, but it should not be enshrined in the definition of authentication. Rather, the fundamental issue is one’s capacity to act in the transaction at hand. Depending on the application, this may have more to do with credentials, qualifications, memberships and account status, than identity per se, especially in business transactions."

Making Sense of your Authentication Options in e-Business
Journal of the PricewaterhouseCoopers Cryptographic Centre of Excellence, No. 5, 2001.

See also http://lockstep.com.au/library/quotes.

Posted in Identity, Trust