Supernova 2008
Privacy and Security vs. Control and Monetization

by timbishop

June 17, 2008 at 11:49 pm · Filed under Law and Policy, Session Content, Supernova08, supernova2008

Privacy and Security in the Network Age
Notes from a very lively and informative panel, featuring Moderator Andrea Matwyshyn (Wharton), Bruce Schneier (BT Counterpane), Fran Maier (TRUSTe), and Gerard Lewis (Comcast).

Bruce Schneier
Natural tendencies of information age. Everything we do creates a transaction record. Everything creates data. All that data has some value, and when the cost of data processing and storage approaches free, we start saving everything. This enables a new form of surveillance, wholesale surveillance. We can now follow every car. TIA is about following everybody. The police are in favor of universal surveillance. Corporations favor, now track cellphones in stores to see what people are doing. Moore’s law is an aid.

And this fades into the background over time. As RFID becomes pervasive, we will expect to be known as we arrive places.

Technology is moving faster than our records.

  • We have laws that say video rentals can’t be published by a video store, but Netflix rentals are not protected.
  • Fastest typist generates only 200 megabytes per year.
  • Terahertz radar allows us to see through walls.
  • Lawn companies are using satellite photos to figure out who to sell to.

Death of the Ephemeral conversation. Example of Oliver North email, Foley IM messages. The whole world could become Airport security area.

Debate will be framed as security vs privacy. That is bullshit. Burglar alarm, tall fence, door lock give us security without reducing privacy. Liberty vs. control is the debate.

Fran Maier
Debate and framework for privacy has changed forever.
Fair information practices based on 1973 law.
– Notice and awareness
  – for personal data, also for anonymous data
– choice or consent
  – what about data that others put on social network about you?
– Access
  – how can you go back and find the data about you that is inaccurate and have it removed
– integrity and ….?
– enforcement
  – there isn’t an effective framework for enforcement

Need to change distinctions between online and offline data.
Privacy paradigm was built on who you are. But we also need to look at what you do.
What about stuff that intrudes upon you, or impedes your control of your computer, like spyware and spam?

Gerard Lewis (Comcast)
Fair information practices are 35 years old, potential for change is there.
Important to look at what’s technically possible, and what are we trying to solve from a business perspective.
Example: Where do we do security for ISP networks?
ISPs do some limited network filtering, but expect customers to do anti-virus, anti-phishing …
Could expect ISPs to do more or all of security. Why not? Why should customers have to deal with all that stuff? But then what happens to customer choice?
How do you do enforcement? How do you do accountability?

Moderator Q: What is one biggest issue?
FM: Hot is how we are tracked across the internet. Important is gov’t use of data.
BS: Consolidation and cross-correlation of data, by Choicepoint and gov’t. We have data that is illegal for gov’t to collect that they buy from industry, and vice versa.
GL: Something bad happens which drives bad laws about stuff that isn’t technologically sound.

Moderator Q: Businesses investing more in data security? Is this true? If so, what are drivers?
BS: Increased spending on security, driven by regulation. Sarbanes Oxley is being used as a stick by IT. But this doesn’t mean that your data is being protected, it means that their data is being protected.
It is an externality. When Choicepoint loses your data, they don’t care. You can’t fire them for doing poorly. Corporate security doesn’t translate into personal data security.
FM: We need to have some accountability. Breach laws help. We are all talking about security, but a lot of this is about human behaviour.
BS: There is no patch for stupidity.
FM: Reputation harm is going down from data loss, as people become accustomed.
BS: Law worked by shame. But now happens so often, that doesn’t have effect. Happens so much.
GL: Data breach laws have had some effect. But has gone down. Data losses not news anymore.

BS: Did research on blog today. If you want 10 credit cards, can’t. Come in units of 1 million. Identity theft is not really that much of risk (see http://www.schneier.com/blog/archives/2008/06/lifelock_and_id.html)

Moderator Q: Choicepoint advocating national privacy law.
FM: The reason there was a CAN-SPAM law is that there is a law in California. Will a national law have an effect? Probably not.
Should we do the European approach and regulate all data? No.
GL: Would depend on what law says. Might give an illusion of protection when it would give none. What about online vs. offline? I doubt that a national privacy law has a chance in US.
BS: I don’t think we will get a national law with teeth anytime soon. Leveling the playing field is the kind of thing that will get thrown up. It will be like CAN-SPAM. We will eventually have a national data privacy law with teeth, can’t operate a national information economy without one, but it may take 20 years to get one.

Moderator Q: Facebook beacon? Social networking affecting data privacy.
FM: Beacon was a tilting point, if people get creeped out, things change.
BS: Our definitions of privacy have changed. Recommends http://papers.ssrn.com/sol3/papers.cfm?abstract_id=667622. As Clay Shirky said, The internet is the greatest generation gap since rock ‘n’ roll.

Moderator Q: What should top privacy security issue be for next administration.

BS: There are a lot. A serious approach to ID cards. Fairness, redress, use commensurate with benefits. Pass laws about how, when and why to use ID cards.
FM: Change the fact that there is no due process for exchange of gov’t records — all policies done in the dark.
GL: Transparency of govt.

Q&A from audience

What about data of non-US citizens in US? Will there be laws?
BS: Works the other way. What about data of US citizens overseas? This is how our gov’t operates. Data that is illegal for US gov’t to collect they have Brits collect for them. And vice versa.

Moderator: Huge cultural differences — Europeans have constitutional right to privacy.

Brad Templeton Question
Installing an application is really giving your data to a 3rd party (company). Like an embedded website. Downstairs they are having discussion of open flow, making it easy to send your data = “Bulk export of your personal and sensitive information”

FM: What happens when all this information is on your phone.

Brad Templeton — Supreme court has said that data held by 3rd parties doesn’t have 4th amendment rights.

BS: True, 4th amendment was designed for stuff on person. Data is the pollution of the information society. All processes produce it, how we deal with it is key. We are still figuring out pollution. Handing the gov’t the record of who called who, who knows who, the social graph of the country, is really scary.

Q: Can government break any encryption? No, but they don’t have to.
BS: Encryption is a technical tool that doesn’t solve any of these problems.

Q: How do we segment our audience so we can get higher CPM?
FM: Give consumers choices. Know that some information is so sensitive. Don’t be creepy.

Q: Do you see any positive trends?
BS: Short-term pessimistic, long term pessimistic. Just like industrial age didn’t kill us, this won’t either. Laws moving slowly. Land grab from 9/11 will take years to undo.
(audience - unless of course another building falls…)
FM: Found out that son had a party when I was out of town via Facebook. Post re 120 beers in an hour.
GL: A lot of this is generational. People will start to appreciate what it means to have data in the cloud.
Moderator: Wharton undergrads know better than law students.
BS: Everybody that age has been dumped online.

Q: What will get people to care about privacy? What is the story that will convince the public?
BS: Hard question. People will say I have nothing to hide. I ask them about their salary.
This isn’t an issue that has easy visuals.

Q: More about behavioural targeting. There are now companies reading your blogs and using them to target you.
BS: Fran’s creepiness test works.
FM: Give customers choice, and don’t give them the unexpected.
BS: Has to work. 50% of people won’t change defaults.

Brad Templeton — choice is a false paradigm. Removes ability to negotiate. No ability to negotiate, it is either opt-in to all, or can’t play.

GL: Behavioural targeting is an inside out solution. It isn’t actually clear that there is a business value. Data mining hasn’t generated a lot of value.

Q: How long before there is product liability for software?
BS: Liability is one of the major ways to solve externalities.
Moderator: Strict liability won’t fly. Proving damages and proving causation is hard.

Arial Waldmen: What about cyberstalking? Isn’t that a good story for privacy?
BS: Yes that is a sympathetic story. There is a group of people vs. realID. Transgender people who have docs with different genders. Media not sympathetic.

FM: Law enforcement needs better trained law enforcement people with more resources.

Moderator: What do we do about social security numbers? Trying to get a new one is very hard, but 1/6 are compromised.

BS: We have all these authentication mechanisms based on things like social security, mother’s maiden name, all of which can be legally bought over the internet. We should just publish everybody’s data like that on the internet, so people stop relying on it for authentication.

What about data poisoning?
BS: I often transpose numbers on passport forms and such, but it doesn’t help. The fuzzy data analysis works.

OpenID or FederatedID?
BS: Federated systems much more dangerous, because much more attractive targets. ID thief

Brad Templeton: [In security,] Ease of Use is a bug.


Creative Commons License
All content hosted on this site is licensed under a Creative Commons Attribution 3.0 License.