[Infowarrior] - OpEd: Schneier on Generational Online Privacy

[Richard Forno]

http://search.japantimes.co.jp/cgi-bin/nc20090819a1.html

Wednesday, Aug. 19, 2009

TECHNOLOGY
Offhand but on record
More and more people are using computers to chat with each other, but  
there's no such thing as a passing conversation on the Web
By BRUCE SCHNEIER
Special to The Japan Times
Facebook recently made changes to its service agreement in order to  
make members' data more accessible to other computer users. Amuse,  
Inc. announced last week that hackers stole credit-card information  
from about 150,000 clients. Hackers broke into the social network  
Twitter's system and stole documents.

Your online data is not private. It may seem private, but it's not.  
Take e-mail, for example. You might be the only person who knows your  
e-mail password, but you're not the only person who can read your e- 
mail. Your e-mail provider can read it too — along with anyone he  
gives access to. That can include any backbone provider who happened  
to route that mail from the sender to you. In addition, if you read  
your e-mail from work, various people at your company have access to  
it, too. And, if they have taps at the correct points, so can the  
police, the U.S. National Security Agency, and any other well-funded  
national intelligence organization — along with any hackers or  
criminals sufficiently skilled to break into one of these sites.
Think about your Mixi or Facebook site. You're the only one with your  
password, but lots of other people can read your updates and look at  
your pictures. Your friends can see a lot of information about you —  
that's the whole point of these sites — and you don't really know who  
they share their information with. A lot of your stuff is public by  
default, and you probably keep it that way. You might respond to  
quizzes, and who knows where that data goes or who can see it. Workers  
at Mixi and Facebook can see everything, of course. They also grant  
access to portions of your data to third parties who want to sell  
their products to you.

You could set every privacy setting on your Mixi or Facebook site to  
maximum, but few of us do that — most of us don't even know how. You  
could encrypt your e-mail, but almost no one does that — and, anyway,  
that doesn't work with Webmail very easily. Maintaining your privacy  
is hard, even if you're an expert.

Cloud computing exacerbates this problem. If your company uses  
software- as-a-service providers such as Salesforce.com, contact  
management or MessageLabs e-mail filtering, those companies have  
access to your data. If you use Google Docs, Google has access to your  
data. But even if you leave your data in your computer at home, you  
have to worry about your family or roommates, burglars, police with  
warrants and Internet hackers and other criminals as well.

It's not just your online data that is at risk. It's your cell phone  
data — both the phone numbers you call and who call you, and the SMS  
messages you send and receive. It's your buying history, sitting in  
some credit card company's database. It's your medical records. It's  
the itemized list of everything you buy when you use a card that  
identifies you.

These risks are new. Twenty years ago, if someone wanted to look  
through your correspondence, they had to break into your house. Now,  
they can just break into your ISP. Ten years ago, your voicemail was  
on an answering machine in your office; now it's on a computer owned  
by a telephone company. Your financial accounts are on remote Web  
sites protected only by passwords; your credit history is collected,  
stored and sold by companies whose names you probably don't even know.  
Your digital data is no longer under your control.

And more data is being generated. Lists of everything you buy, and  
everything you look at but choose not to buy, are stored by online  
merchants both in Japan and abroad. A record of everything you browse  
can be stored by your ISP if they choose to. What were cash  
transactions are now credit card transactions. What used to be a face- 
to- face chat is now an e-mail, instant message, or SMS conversation —  
or maybe a conversation within Mixi or Facebook.

Think of the number of people and companies that can know your  
location. Your cell phone knows where you are. Your air-travel history  
is stored in various airline databases, and unless you buy your  
tickets anonymously, your rail travel history is stored in JR's and  
other databases. Even your credit card company can reconstruct your  
whereabouts from your purchases.

All these systems are ostensibly private and secure, but many people  
have legitimate access and even more — such as hackers and criminals —  
can get illegitimate access. Japan's Personal Information Protection  
Act provides only some protections and may not apply if the computers  
that store your information are located in some other country.

Anonymity doesn't help much. Mixi might not know your real name and  
address, but there are many ways to link your identity to your  
account. Maybe your e-mail address identifies you or your ISP knows  
who you are. Your cell phone identifies you and your computer might,  
too. Use a credit card from your account and that identifies you. True  
anonymity is very difficult; we regularly identify ourselves online  
even if we think we do not.

The lesson in all of this is that little we do is ephemeral anymore.  
We leave electronic audit trails everywhere we go, with everything we  
do. This won't change: We can't turn back technology. But as  
technology makes our conversations less ephemeral, we need laws to  
step in and safeguard our privacy. We need comprehensive data privacy  
laws, protecting our data and communications regardless of where it is  
stored or how it is processed. We need laws forcing companies to keep  
it private and delete it as soon as it is no longer needed, and laws  
giving us the right to delete our data from third-party sites. And we  
need international cooperation to ensure that companies cannot flaunt  
data privacy laws simply by moving themselves offshore.

Laws can only go so far, though. Law or no law, when something is made  
public, it's too late. And many of us like having complete records of  
all our e-mail at our fingertips; it's like our offline memory.

In the end, this is a cultural issue.

The Internet is creating the greatest generation gap since rock 'n'  
roll. We're now witnessing one aspect of that generation gap: The  
younger generation chats digitally, and the older generation treats  
those chats as written correspondence. Until our CEOs blog, our Diet  
members all Twitter, and our world leaders send each other LOLcats —  
until we have a national election where all the candidates have a  
complete history on social networking sites from before they were  
teenagers — we aren't fully an information age society.

When everyone leaves a public digital trail of their personal thoughts  
since birth, no one will think twice about it being there. Some of us  
might be on the younger side of the generation gap, but the rules  
we're operating under were written by the older side. It will take  
another generation before our privacy laws catch up with the death of  
the ephemeral conversation. Until then, we're just going to have to  
live with this loss of privacy.

Bruce Schneier is a leading computer security specialist and the  
author of "Secrets and Lies: Digital Security in a Networked World."  
Read about him at schneier.com