Crazy little thing called Privacy (1)
Privacy is such a crazy little thing. We love it, we ache for it at times, yet we throw it away like garbage every day on the internet.
To most people it has become clear that the internet isn't a sunny day at the beach without worries. In the past year we've all read the stories about identity theft, complete identities and credit cards to go with it for sale for a few bucks in Russia and what have you got.
Most of these stories we quickly forget and the ones that cling to us are the tales about children getting framed and abused through chatrooms. Mostly the discussion afterwards centers on how we need to teach our kids to be carefull on the internet, which is fine, but not good enough.
I posed the following thought on LinkedIn a few months back to ponder this idea:
"The failure of maintaining a shred of privacy is not the carelessness of the internet-generation. Primarily it is the ignorance of pre-internet generations failing to guide teenagers growing up with the net and secondly a flaw in the design of the internet"
It led to a number of interesting reactions
Interesting concept. The internet, like any consumable product, should come with a warning label "caveat emptor", but it doesn't. The pre-internet generation (the bulk of my end user community) don't generally comprehend the basics of internet use much less the imminent security concerns with using this public domain. They can't teach their children what they don't know but I do have to believe that any generation would chose to protect their offspring to the best of their ability. Going forward from here, the watchful eye of a parent certainly should be on minors using the internet and there are enough support and information tools out there to guide the less internet saavy.
Secondly, to comment on a flawed design of the internet - I have to revert back to the original intent of the internet being to provide a highly secure network for Government and use only. In designing that infrastructure it would be unreasonable to have thought that the internet would become so readily available. Clearly, the internet was never planned to grow as it has (as noted with the consumption of IP addresses leading to the IPv6 addressing plans). Perhaps flawed may not be the right word - outgrown may be better.
Liz Dowie Manager - Information Management Systems
In summary, the majority of organisations have been aware of the privacy issue for years but has taken the hard-nosed decision that it is not a priority. Even in states where there is a formal system of laws and regulations requiring adequate security, such regulations are routinely ignored and data security is compromised. I fear there is no likely change in this reality in the foreseeable future.
David Marshal Legal Consultant
The reduction in privacy in today's world (and not just on the internet) is happening because...
- most people have no realistic idea of the degree to which it is happening and only the faintest grasp (if any!) of the technologies that make this possible.
- in the past privacy of information was often the "default" state simply because it was too hard to do otherwise (compare and contrast the problem of opening, reading, re-sealing and forwarding millions of letters with the ease of storing and data mining hundreds of millions of e-mails)
- too many people believe in the fallacious "if you have nothing to hide, you have nothing to fear" argument
It's not a design flaw in the internet. Technologies exist to protect much about you when surfing (Tor Project, cookie management softwarecetc.) and strong encryption for e-mail has been around for ever - just that hardly anyone bothers to use it.
Teaching children to act prudently on the internet is simply an extension of decent parenting into the modern world. And, as another has observed, the "risks" they face because of the internet are often as nothing compared with other risks they face and, I believe, often grossly exaggerated.
David Dingley IT Consultant
If communication passes from one place to another, and some part of that communication is neither protected (e.g. via encryption) nor destroyed (e.g. stored in a log), the privacy of the communicators is dependent only on the ethical integrity of both ends. When one end is a company, privacy depends on the integrity of every current and former employee at that company who has/had access to the data.
Since the Internet was not designed to hide the source or recipient of a network packet (i.e. via TCP/IP), this information is very difficult to obscure without a long series of trusted network proxies.
Sadly, most products - Internet or otherwise - that involve some level of communication are not designed with the privacy of the communicators in mind. This is true of everything from messages sent between national leaders in the ancient world to the original telegraph to the modern Internet. After all, communication is pointless if you don't know who you're communicating with.
As for teenagers on the web, most modern "social" websites encourage listing of personal information. After all, I can't "friend" you on MySpace or Facebook unless I know your real name, or at least your email address. Teenagers are usually aware that there will be some loss of privacy upon signing up for these services, but either accept the risk or do not recognize it exists. To their credit, these services do a decent job protecting those who do not want to be found. Hiding somebody who wants to be found, while still allowing them to be found by those who legitimately should find them is a difficult problem.
The use of aliases, which ensures some level of privacy via Instant Messenger, represents a severe hindrance to any real social networking. This would be analogous to you and all of your adult friends going to a bar, wearing black hooded robes and voice manipulators, and then referring to yourself only by ever-changing code names.
Devin Rosenbauer Software Engineer
There is privacy on the Internet depending on the choices you make. In most cases an online transaction be that purchasing something online, joining a social network or sending emails has privacy as an element of that transaction. In order to buy those goods you surrender your privacy surrounding your personal details to recieve those goods, you also probably use a credit card which means that you transactions are noted by your credit card issuer and finally sites may keep track of your activity to suggest recommended goods on your next visit.
This is no different from the physical world where you purchase items by credit card and perhaps use a loyalty card in the store. Joining a social network, e.g. Linkedin, also has its privacy transaction costs. You want the benefits of a social network then you need to surrender your personal details to become part of that network. In real life you join social clubs, meet friends in public places where you also trade part of your privacy to take part in the group.
Some will argue that governments monitoring of Internet usage etc. is a breach of privacy, e.g. EU Data Retention Directive and that your ISP knows all your activity from their system logs, e.g. the recent Phorm controvery in the UK.
This is true but you can still take measure to protect your privacy online using various techniques such as anonymous proxies, never using your real name online, never purchasing items online and not joining any social networks or forums. You can control your privacy on the web, the question needs to be asked, at what cost?
Brian Honan CERT Team head
(All respondends agreed to be named in this article)
As I realize this piece is getting longer than anyone wants to read on the internet I'll go into these responses in follow up posts. I also would like to dig into the phenomenon of lifebloggers like iJustine who have a near 24/7 internet presence and what impact that has on privacy.
Meanwhile, I'd like to invite you to comment and add your thoughts on Privacy on the internet.