The last issue of Red Herring I read was all about real-time computing, which is all about how computers will be networked together to provide information immediately rather than running them separately and independently of each other. Many people think a natural facilitator in this process will have to be tools that enable a secure transaction and also a proactive one that will take measures to avoid being intercepted by the wrong hands. It is Internet security. It's making sure one person gets something from another, and that both people are who they say they are, and that no one else saw what happened.
There were articles about expectations of security software from companies like CheckPoint and Symantec and McAfee and whatnot, and how well they would sell to the companies who would be expected to have maximum privacy and security. A hefty premium should be paid for all of it.
So you have the customers, who basically are afraid of everything on the Internet because they've been warned by the media, companies that sell them things, and by their collective paranoia. Buying anything online might have a mysterious hacker who cracked into the connection and is monitoring the data stream, lifting out the credit card number and immediately adding it to a long database. Or they might encrypt their e-mail or hide it away because they think a hacker might break into their system and read it. Hackers, customers think, have nothing better to do than probe individuals for that small window when they might send anything more useful than an HTTP request for porn.
And ironically, what ends up happening after all that is people open their e-mail client and see an Anna Kournikova e-mail and immediately try to open up what they think is a hot snapshot of her, and instead they find that the snapshot is actually a script that infects their system.
A long time ago, two years ago, Scott McNealy, the CEO of Sun Microsystems, said at a product announcement that "you have no privacy anyway" so "get over it". I read all of the slashdot comments written in response. As usual, the slashdotters took little time in meandering down some unimportant trivial path.
But the reaction seemed almost unanimous, even from privacy advocates, that McNealy was out of line and was sending the wrong message. That it was a defeatist comment and ran counter to the efforts McNealy should be making towards making foolproof privacy more of a reality.
Now I realize McNealy's context may have been more limited to his own product than privacy in general, but I think that what McNealy said did not mean we should all give up on security but instead change the way we look at security and how we approach it.
Security companies and privacy advocates use rhetoric that kind of implies that you still have your privacy right now and it's your job and theirs to maintain it. That's why they were trashing McNealy's comments. They don't question whether privacy can be usefully maintained. For security companies, it is in their best interest to make people feel secure that their data is safe and to make sure they are needed by companies to protect THEIR data. Privacy advocates are there to point out when companies aren't trying hard enough.
The problem with all that is that we have no privacy already. Companies know what groceries we buy and what assets we own and what services we subscribe to. Credit card companies could easily crunch their data and develop consumer habit profiles and whatnot. Since they have customer protection service against identity theft, it no doubt exists already.
WE HAVE NO PRIVACY. About all that is private is what we have locked in our own heads. The Internet was supposed to usher in a new era of privacy, but as it turns out, we saw from people who broke the law that their identities could be culled from ISPs and from guaranteed anonymous bulletin boards. Given sufficient cause, companies or the government can come after us no matter how safe we are. And if those people can get that sort of information, then so can anyone with the advent of the unabated, increasingly popular, and incredibly outmatching population of hackers.
This is the stuff that you find all throughout cyberpunk. WE HAVE NO PRIVACY. Anyone can find out your location through one insignificant connection to the Internet. Your records seem to flow like rivers out of companies. Hell, if it isn't happening already, companies that guarantee your data isn't being resold will resell it once the financials turn red or fear sets in. Or greed.
Security companies will fail just like their stocks. My nose sniffs out bad companies, and anyone that claims they can secure your system against attack with a simple fix is just bullshitting out their ass. You can take rudimentary measures, of course, and you should, but there's really nothing that secure about everything you do online.
And that leads us to another point. So your life isn't secure. But NO ONE CARES. No one's sitting and watching you, waiting for you to buy something from The Gap, or to check your balance at your bank's web site, or archiving all e-mail you pull down off your server. They MIGHT care, if given reason to. But most likely, they don't.
The only sense of privacy you have comes through the lack of interest anyone else has in your data. But if someone becomes aware of you, they can get anything they want about you easily.
It's entirely a matter of looking at security from the right perspective. Consumers live in this utopian fantasyland where completely independent nodes, dormant and lifeless on the outside, suddenly and quickly send bursts of information to other nodes, which know when to open up and accept it, and the walls go back up again and no one saw anything. Consumers think advertising is a four letter word. Consumers go crazy when they catch a whiff of a company trying to profile its customers, or compile data. Consumers complain at the length of commercials, the omnipresence of advertising, the commercialism involved in anything they want to take part in.
The reality is that consumers can't have it as easy AND secure as they want it. Networks need to be open and need to communicate on many levels. They can't work with limited, intermittent data. Consumers want to watch free stations but they don't wonder what pays for the shows they watch. Consumers want the latest products, but they want to show up at a store and run across it without any intervention. Consumers complain about advertising not being interesting to them, but gag when companies want to compile their habits and suggest to them things they might like based on history.
Okay everyone, repeat after me, WE HAVE NO PRIVACY. In case you didn't notice, you receive phone calls ALL DAY from businesses offering you shit. They dial phone numbers you didn't know anyone had. You get mass marketing mail from companies who bought data from a company you thought you trusted. You go out and see people wearing brand t-shirts and see stickers and billboards and commercials on TV and products strategically placed in your shows and in movies. You go to amazon.com and it suggests shit to you. You go to buy a car and they tell you you had some late payments on your credit report. If you end up in the news, all of a sudden, people you ever fucked or swore at show up in interviews along with your history in high school, times you cheated on your taxes, and what devious shit you used to do in your own home. WHO ARE YOU KIDDING? YOUR PRIVACY IS ALREADY GONE.
So look, what I suggest is that we either develop a completely open society, as David Brin wrote in his book Transparent Society, or we come to accept that companies really really excruciatingly want to exploit us as consumers, and come to terms with the fact that hackers are an element nothing can be done about in this day and age. Although we should try to ensure security, no guarantee of it should be made, and when we live in a society where we deny what is happening around us (skriptkiddiots knocking entire web sites off the net because they lost at CounterStrike, or advertising being pervasive in our lives anyway) we are deluding ourselves into putting our forces in the wrong locations for enemies who will never arrive there.
Inherent in any form of communication is the risk of interception. That is where most of the energy in security goes. Encryption, cryptography, etc. All nothing more than a nuisance at this point. Or a dead-end. The most important problem, and one which everyone is ignoring, is leakage, another component inherent in communication. Encrypted data must be unencrypted at some point for a human to digest, and somewhere along the line, the human either leaves his end unprotected, or misplaces the decrypted data. This is where firewalls and filtering and software debugging teams come in. There is still the careless human element, though, which people like the infamous hacker Kevin Mitnick would take advantage of. I feel less energy is going into this part of the security equation. Not that I feel it is very profitable for companies to put money into, as I mentioned earlier.
The only conclusion is that security is an increasingly complex problem to work with. It was different when we connected to BBSs. Now you have whole banks of information being required to have access to the Internet to talk to other databanks, and transactions must take place constantly and with some slack given towards execution time. The world requires a more fully communicative network of computers and with this come infinitely more numerous and difficult bugs and exploits to get rid of. The closed-minded philosophy of networking that helps proliferate this kind of exploitation could be opened up, and marvelous things like watchdog groups and network admins ganging up on offenders could begin to happen. If people began to talk to each other more, brighten the shadows online, offenders and companies would be inhibited more and even ganged up on when they step out of line. A neighborhood watch if you will. Instead of everyone only worrying about their own necks.
So, "get over it". I buy shit online. I post my thoughts and opinions on my web site. My personal data's scattered everywhere. I leave my address on different bulletin boards and whatnot. I invite commercialization. Hell, it's inevitable anyway. But perhaps with less meddling, the advertising will be more interesting to me, and more palatably integrated into my services instead of hackjobs like those terrible banner ads and 5 minute ads.
It is all about how you perceive it. If you approach it as an arms race, you will lose. If you think of it as priority assessment and damage control, it's more adaptable and more realistic towards your needs. Our lives are already open; come to accept it, and instead worry about finding ways to hold people accountable for their actions.