Security and Privacy

It’s probably impossible to get too much of Bruce Schneier, although I honestly wouldn’t mind if he stopped Friday Squid Blogging.

His latest article on the false dichotomy between security and privacy is an excellent counterpoint to a recent Lawrence Wright profile in the New Yorker on Director of National Intelligence Mike McConnell. The Lawrence Wright article was surprisingly uncritical, considering the New Yorker’s usual zealous approach. Check out, for example, his description of the “Clipper” chip:

In the nineties, new encryption software that could protect telephone conversations, faxes, and e-mails from unwarranted monitoring was coming on the market, but the programs could also block entirely legal efforts to eavesdrop on criminals or potential terrorists. Under McConnell’s direction, the N.S.A. developed a sophisticated device, the Clipper Chip, with a superior ability to encrypt any electronic transmission; it also allowed law-enforcement officials, given the proper authority, to decipher and eavesdrop on the encrypted communications of others. Privacy advocates criticized the device, though, and the Clipper was abandoned by 1996. “They convinced the folks on the Hill that they couldn’t trust the government to do what it said it was going to do,” Richard Wilhelm, who was in charge of information warfare under McConnell, says.

(emphasis added). Compare, for example, EPIC’s Clipper Chip information page.

Schneier, by contrast, sees right through the core:

We’ve been told we have to trade off security and privacy so often — in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric — that most of us don’t even question the fundamental dichotomy.

But it’s a false one.

Security and privacy are not opposite ends of a seesaw; you don’t have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it’s based on identity, and there are limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and — possibly — sky marshals. Everything else — all the security measures that affect privacy — is just security theater and a waste of effort.

By the same token, many of the anti-privacy “security” measures we’re seeing — national ID cards, warrantless eavesdropping, massive data mining and so on — do little to improve, and in some cases harm, security. And government claims of their success are either wrong, or against fake threats.

The debate isn’t security versus privacy. It’s liberty versus control.

Read the whole essay. And send it to your mother, as well.


Facebook Privacy Dialogs

James provides an overview of some of the legal privacy problems with Facebook Beacon: first, in law school essay form, then, as a sitcom dialogue complete with laugh track. I recommend the latter, unless you’re in law school or a practicing lawyer.

Privacy is for Google…

ChoicePoint and Regulation

Bruce Schneier wonders why ChoicePoint seems to be so obviously asking to be regulated:

ChoicePoint actually has no idea if only 145,000 customers were affected by its recent security debacle. But it’s not doing any work to determine if more than 145,000 customers were affected — or if any customers before July 1, 2003 were affected — because there’s no law compelling it to do so.

I have no idea why ChoicePoint has decided to tape a huge “Please Regulate My Industry” sign to its back, but it’s increasingly obvious that it has.

I think the answer is quite simple: it will be much easier for ChoicePoint to implement some basic privacy safeguards if it is not put at a competitive disadvantage as a result. Regulation in this context could ensure a relatively even playing field, and the big data aggregator/data mining companies would be forbidden from stooping to new lows of data disclosure in order to facilitate easier access to personal information by their customers, the data purchasers.

Perhaps ChoicePoint executives actually have a conscience, but competitive pressures prevent them from exercising that conscience. Or, more conspiratorially, maybe ChoicePoint realizes that it already has all the systems in place to implement better security and privacy protections and its competitors do not. If they were all forced to do this, ChoicePoint might be put at a competitive advantage.

I remember hearing a similar thing from a video rental company executive once: he was asked if he resented the Video Privacy Protection Act for depriving him of the opportunity to sell customers’ rental records to direct marketers. He responded that it didn’t bother him at all, since none of his competitors could sell that information either. Even if he believed it was wrong to sell that data, if it weren’t prohibited by law, he said he would be forced to do it or his competitors would be able to drive his business into the ground with the additional revenue.

All this is to say that markets only function within regulatory structures: the right wing mantra of “less regulation is good for business” misses the point that in many cases a healthier competitive environment is established with the right set of regulations.

Spammed By The Marines

I recently received this message from “Captain DeStefano” at my Northeastern University email address. He has this to say:

My name is Captain DeStefano. I am the Marine Corps Officer Selection Officer here in Boston. The reason that I’m mailing you is because I want you to be aware of an awesome summer training program called the Platoon Leader’s Course (PLC).

Interestingly, this is an opt-out spam, and apparently I’ll continue to receive them unless I “click here”:

This email was sent to you to assess your interest in U.S. Marine Corps Aviation. If you prefer not to receive future emails, click or copy and paste this URL into your browser. Please review our privacy policy at

I wonder if the Marines actually harvested all of the email addresses on the web or from some third party source; or if Northeastern willingly turned them over, for fear of reprisal under the Solomon Amendment, which has been used to threaten educational institutions that receive federal money if they refuse to let military recruiters on campus.

In either case, it strikes me as inappropriate and vaguely desperate. The email is clearly directed toward current undergraduates—I wonder if they actually emailed all graduate students as well as law school alumni with active email addresses such as myself?

(I can just see the Slashdot headline now: U.S. Military Resorts To Spam For New Recruits).

What’s the catch?

I just opened an account at ING Direct, an online-only bank that provides 2% interest in an “orange savings account” (vs. 0.5% at my regular bank) with no fees, minimum balance, etc.

What’s really surprised me is their privacy policy:

ING DIRECT’s privacy policy exceeds the standards required by congressional legislation. One requirement of the Gramm-Leach-Bliley Financial Modernization Act of 1999, or GLB, requires financial institutions to provide customers with the ability to “opt-out” of information sharing. ING DIRECT has adopted an “opt-in” privacy policy, which means that we will not share your data unless you explicitly request that we do so.

I don’t think I’ve ever received a privacy policy from a financial institution that says much more than “we promise we’ll comply with the law!” Compare my credit union, whose privacy policy says: “We share member information with discretion. We may share some or all of the non-public, personal financial information we collect about you, but we pledge to share such information with prudence and only as permitted by law.” Great—prudence—I’ll definitely be able to enforce that one!

The mailing I got from ING Direct is even better:

Banks have assumed for too long that they can share information about you, and then ask if you mind; requiring you to tell them not to, or “Opt-Out” of their information sharing. ING DIRECT will not share your information unless you ask us to, or “Opt-In” to us sharing your information.

The only thing I find a little irritating so far is that they always answer the phone with, “ING Direct, how can I help you save more money?”

So what I want to know is: what’s the catch?

Network Monitoring

I helped author this letter urging universities to take a stand against network monitoring purely at the behest of the copyright industries.

This strip from Doonesbury was right on.