Picked a bad day to depress myself by reading about privacy and security issues off of Bruce Schneier’s blog and then on to his latest Crypto-Gram. Thought I started the day on positive note, getting a lot of good work done and then at the realization that I hadn’t kept up with security reading, I decided to get that done. No regrets, but no joy in Mudville either.
So for all the noise you hear from people saying how they want to keep their information private and secure, what’s not often realized is that it’s actually all quite beyond our control despite our most valiant efforts. Why do I say this? Well, let’s see, I’ll start with the milder privacy issue and work my way up a heartier security issue (breach).
On the privacy side of things, how many people think that their business card is private? This has to be an interesting question because you can think of how many times you might have decided not to give someone your business card for whatever reason. Perhaps you didn’t like the person, or perhaps you just didn’t want them knowing who you were. Well imagine if every time you gave out your business card, you essentially were doing the equivalent of posting it to a big database for any one to have access to, at will, and without need for your permission. This is especially scary in an age where we’re now getting more comfortable adding our mobile phone numbers to our cards. Does this worry you? Well, there’s a company called Jigsaw, founded by some smart people that does just that, and because I know they mean no harm it forced me to think through what the implied privacy social contracts that go with handing someone your business card. Heck, Jigsaw even rewards its users for providing their contacts into their system by allowing them to get access to contacts they want.
So what’s the implied contract in a business card exchange? Well, I’m generally looking or have just met the person to whom I’m handing my contact information. Frequently, I give my card because I desire further contact with that person, and because chances are they have given me their card too then I know that we both have equal stakes in not violating the integrity of our meeting. This is also why it can be awkward to hand someone a business card and get none in return. You feel exposed almost, like you have nothing from the other person in this exchange.
With Jigsaw, this social contract goes out of the window, though the reality is that there was never a formal social contract to begin with. No matter how careful I am about whom I give my card to it no longer matters since they can then easily put it into Jigsaw and now any one can have it. The reality is that this could have happened any way for the asking. In other words, someone I met and gave a card to might have passed my card on to another colleague, but there’s still this link between us. With Jigsaw there doesn’t need to be any link. It’s one of those cases where the privacy one got in the business card exchange process was that there was no easy way to quickly disseminate this information widely and indiscriminately. Technology really helped play a role here. Kind of like the story of the waiter stealing your credit card, as it’s not practical for him to steal millions of them and easily sell them or monetize them, but online you hit one database and voila…millions of credit cards with which the savvy hacker can issue transactions right away and even simultaneously. Technology playing the role of disseminator. I guess this makes a good segue into the ‘security beyond our control’ issue.
Checkout this story about how 40 million credit cards were vulnerable to a hack. Imagine that, you sit around not doing business with any site or business you don’t trust, simply using your credit card for transactions with only reputable banks and merchants and just like that one of the companies in the transaction food chain get compromised. CardSystems Solutions suffered just such a breach.
Stories like this one really put it all in perspective for me. At the same time, at least in this country, I also realize that there’s no real desire by the credit card companies to really enforce security measures. In Europe, because of their expensive telecommunications fees, a simple security mechanism was put into place that forces a PIN to be entered for any credit card transaction. This PIN does not appear as 3 digits on the back of a card, it’s like the PIN one uses for ATM machines. The effect of this is that at least counterfeited signature fraud is thwarted, but it could also address the issue of transactions on the Net by doing an authentication on the spot before ever transmitting any information over the Net, and cards in a merchant’s database would be useless without the PIN authenticating step. I’m not trying to solve this problem here, but suffice it to say, there are solutions that are just not being attempted for reasons that have little to do with security.
So are we in control of our privacy and security? Certainly the lobbyists for the direct marketing industry would fight against this and explain it in economic terms and the harm it would do to their industry if people could own their own information. Even the Europeans, who have been stalwarts of privacy are now beginning to bow to U.S. pressure in the name of (dare I say it) “The War on Terror”.
OK, enough bantering and ranting for now, just know that in the areas of privacy and security, the citizens’ best interests are not those being fought for.
UPDATE: In an ironic twist, I was going to put a link to the CardSystems press release that I found off the Crypto-Gram reference list, and when I clicked on it (http://www.cardsystems.com/news.html) I got the following error message (note: I’ve been using the new Flock browser which may have something to do with this, but nonetheless give me a break on the severity of security notification here. WIsh they’d thought of that when the 40 million cards were getting hacked into.):
Web Server Security Alert
This website uses a
special security software that monitors suspicious network traffic and
behavior. If you feel that you have caused this security error
unintentionally, please contact the website administrator at the address
below and be sure to include the reference ID in your message.
Email contact: Cardsystems