How Much Do You Value Privacy?

People in my company travel a lot, and they like to have their itineraries easily accessible.  My wife wants to know when and where I will be, and that’s not at all unreasonable.  So, how best to process and share that information?  There are now several services that attempt to help you manage it.  One of those services, TripIt.Com, will take an email message as input, organize your itinerary, generate appropriate calendar events, and share that information with those you authorize.

The service is based in the U.S., and might actually share information with those you do not authorize, to market something to you, or worse.  If the information is stolen, as was the case with travel information from a hotel we discussed recently, it can be resold to burglars who know when you’re away.  That can be particularly nasty if in fact only you are away, and the rest of your family is not.

But before we panic and refuse to let any of this information out, one should ask just how secure that information is.  As it happens, travel itineraries are some of the least secure pieces of information you can possibly have.  All a thief really needs is an old ticket stub that has one’s frequent flyer number, and we’re off to the races.  In one case, it was shown that with this information a thief could even book a ticket for someone else.

So how, then, do we evaluate the risk of using a service like TripIt? First of all, TripIt does not use any form of encryption or certificate trust chain to verify their identity.  That means that all of your itinerary details go over the network in the clear.  But as it turns out, you’ve probably already transmitted all of your details in the clear to them by sending the itinerary in email.  A quick look at their mail servers shows that they do not in fact verify their server identities through the use of STARTTLS, not that you as a user can easily determine this in advance.

Some people might have stopped now, but others have more tolerance for risk.

Perhaps a bigger problem with TripIt is that neither its password change page nor its login page makes use of SSL.  That means that when you enter your password, the text of that password goes over the network in the clear, for all to see.  It also means that you cannot be sure that the server on the other end is actually that of TripIt.  To me this is a remarkable oversight.
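The two checks above (does the mail server advertise STARTTLS, and does a login form submit the password over plain HTTP) are things a user can do for themselves before handing an itinerary over.  The following is an added example written for this post, not code from TripIt or Dopplr; the EHLO replies, the host name www.example.com and the login page HTML are constructed sample data, and the live SMTP helper uses only the standard library’s smtplib.

```python
import smtplib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def ehlo_offers_starttls(ehlo_reply):
    """Parse a raw multi-line EHLO reply and report whether STARTTLS is advertised.

    Extension lines look like '250-STARTTLS' or '250 HELP': a three-digit code,
    a '-' (more lines follow) or a space (last line), then the extension keyword.
    """
    for line in ehlo_reply.splitlines():
        line = line.strip()
        if len(line) < 4 or not line[:3].isdigit():
            continue
        tokens = line[4:].split()
        if tokens and tokens[0].upper() == "STARTTLS":
            return True
    return False


def ehlo_offers_starttls_live(host, port=25, timeout=10):
    """The same question put to a live server; not exercised here (no network)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


class _PasswordForms(HTMLParser):
    """Collect every <form> on a page and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def plaintext_password_forms(page_url, html):
    """Return the resolved submit URLs of password forms that would post over plain HTTP."""
    parser = _PasswordForms()
    parser.feed(html)
    parser.close()
    leaks = []
    for form in parser.forms:
        if not form["password"]:
            continue
        # An empty action means "post back to the page itself", which urljoin handles.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            leaks.append(target)
    return leaks


# Constructed sample data (assumptions for this example, not captured from any real site).
EHLO_WITH_TLS = "250-mail.example.com\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP"
EHLO_WITHOUT_TLS = "250-mail.example.com\r\n250-SIZE 10240000\r\n250 HELP"

LOGIN_PAGE_URL = "http://www.example.com/login"
LOGIN_PAGE_HTML = """
<html><body>
<form action="/signin" method="post">
  <input type="text" name="email"><input type="password" name="pw">
</form>
<form action="https://secure.example.com/account/password" method="post">
  <input type="password" name="old"><input type="password" name="new">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    print("STARTTLS advertised:", ehlo_offers_starttls(EHLO_WITH_TLS),
          ehlo_offers_starttls(EHLO_WITHOUT_TLS))
    print("Password forms posting in the clear:",
          plaintext_password_forms(LOGIN_PAGE_URL, LOGIN_PAGE_HTML))
```

Two caveats worth keeping in mind.  An advertised STARTTLS only means the server offers encryption; the sending side still has to use it and verify the certificate, so the check tells you the ceiling, not what actually happened.  And a password form that posts to HTTPS from a page served over plain HTTP is only half protected, since the page (including the form’s action) can be altered in transit, which is exactly the “you cannot be sure who is on the other end” problem above.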

For all of these concerns, you still get the ability to generate an iCal calendar subscription as well as the ability to share all of this information with friends and family.  Is it worth it?  One answer is that it depends on whether you actually want to enter the information yourself, whether you care about security concerns, and whether you like using calendaring clients.  It also depends on what other services are available.

Another service that is available is Dopplr.  It also attempts to be a social networking site, not unlike LinkedIn.  Dopplr allows you to share your itineraries with other people, tells you about their upcoming trips (if they’re sharing with you), and it lets you create an iCal subscription.

Dopplr also has some security problems, in that they do not use SSL to protect your password.  They also do not use SSL for their main pages.  They do, however, support OpenID, an attempt to do away with site passwords entirely.  I’ll say more about OpenID in the future, but for now I’ll state simply that just because something is new does not make it better.  It may be better or worse.

And so there you have it.  Two services, both with very similar offerings, and both with almost the same privacy risks.  One of them, by the way, could distinguish itself by improving its privacy offering.  That would certainly win more of my business.

Beware Best Western

The customers of Best Western are the latest to have their identities stolen.  As the article goes on to say, the crime gangs are going to have a field day with such live and valuable information, which included credit card numbers and home addresses.  There’s a clear lesson here in authorization: nobody needs to have access to the aggregate data that Best Western had.  It might be necessary to modify one or two reservations at once.  Perhaps it might even be necessary to know how much of a block is sold.  But the whole kit and caboodle?  Nobody needs that information.  Here are some protections Best Western could have taken:

  • Apply specific encryption of the credit card information and compartmentalize the use of any decryption key.  Hotels need to retain credit card information in order to guarantee bookings.  Encrypting credit card data is nowhere near a perfect solution, because a card number contains relatively little unpredictable information and some of it can be guessed, like the first four digits.
  • Encrypt all backups and protect the decryption keys so that multilevel authorization is required to access them.  Many backups are stolen.  If they are stolen no encryption is perfect and so notification is necessary, but with encryption those whose information is stolen can take action, like having a house sitter or changing credit card numbers.
  • Employ intrusion detection within the database.  When a specific user acts outside a profile, flag it and see what is going on.
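The third point, flagging a database account that acts outside its profile, is the one that would have caught a bulk pull of the whole reservation table by an account that normally touches one or two rows.  Here is an added example of that idea, written for this post and not taken from Best Western or any product: it learns, per account, which tables are touched and how many rows a statement normally returns, then flags statements that go well beyond that.  The audit-log line format and every account, table and timestamp in it are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed audit-log format (an assumption for this example, not any real database's output):
# <timestamp> user=<db account> op=<statement type> table=<table> rows=<rows touched>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_line(line):
    """Return a dict for one audit line, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    return rec


def build_profiles(lines):
    """Learn, per account, the tables it normally touches and the rows per statement."""
    profiles = defaultdict(lambda: {"tables": set(), "rows": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prof = profiles[rec["user"]]
        prof["tables"].add(rec["table"])
        prof["rows"].append(rec["rows"])
    return profiles


def find_anomalies(profiles, lines, factor=10):
    """Flag statements outside an account's learned profile.

    Three rules: an account with no baseline at all, a table the account has
    never touched, and a row count more than `factor` times the account's
    median.  Each finding is (account, reason).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prof = profiles.get(rec["user"])  # .get() does not create a default entry
        if prof is None:
            findings.append((rec["user"], "no baseline profile for this account"))
            continue
        if rec["table"] not in prof["tables"]:
            findings.append((rec["user"], f"touched {rec['table']}, outside its profile"))
        limit = factor * max(median(prof["rows"]), 1)
        if rec["rows"] > limit:
            findings.append(
                (rec["user"], f"{rec['rows']} rows from {rec['table']} exceeds limit {limit:g}")
            )
    return findings


# Constructed baseline: a front-desk account working single reservations and a
# nightly reporting job that reads an occupancy summary.
BASELINE = [
    "2008-08-25T09:01:10 user=frontdesk_12 op=SELECT table=reservations rows=2",
    "2008-08-25T09:04:31 user=frontdesk_12 op=UPDATE table=reservations rows=1",
    "2008-08-25T10:15:02 user=frontdesk_12 op=SELECT table=reservations rows=3",
    "2008-08-25T11:40:45 user=frontdesk_12 op=SELECT table=reservations rows=2",
    "2008-08-25T23:00:00 user=reports_01 op=SELECT table=occupancy rows=400",
    "2008-08-26T23:00:00 user=reports_01 op=SELECT table=occupancy rows=412",
]

# Constructed day under review: one normal lookup, then a bulk pull of the whole
# reservation table, a read of the card table, and an account nobody has seen before.
TODAY = [
    "2008-08-27T09:02:15 user=frontdesk_12 op=SELECT table=reservations rows=2",
    "2008-08-27T03:12:44 user=frontdesk_12 op=SELECT table=reservations rows=48000",
    "2008-08-27T03:13:09 user=frontdesk_12 op=SELECT table=payment_cards rows=48000",
    "2008-08-27T03:20:00 user=tmp_admin op=SELECT table=payment_cards rows=48000",
]

if __name__ == "__main__":
    for account, reason in find_anomalies(build_profiles(BASELINE), TODAY):
        print(f"{account}: {reason}")
```

The median-times-a-factor rule is deliberately crude; what matters is that the baseline is per account, so a reporting job that legitimately reads hundreds of rows does not raise the limit for the front desk.  Flagging is only the first step: the point of the list above is that the account pulling 48,000 rows should not have had the privilege in the first place.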

In perhaps a more perfect world a separate identity provider could retain identifying characteristics of an individual such as address and credit card number.  Commerce likes some of this information because they can market to you, and absent legislation they have very little motivation to protect the information.

The Do Nothing Presidency

Yesterday, the Bush Administration released a long-awaited report by the Environmental Protection Agency that says that carbon dioxide can and should be regulated.  One would think this a remarkable departure for an administration that has done everything within its power to destroy the environment, through drilling in fragile environmental areas, unmitigated logging, and the failure to protect endangered species.  There’s a catch: the Supreme Court ordered the EPA to develop the report, and in releasing it, in the same breath, the administration argued that regulation by the EPA to protect our children will hurt business and industrial growth.

Let’s review our tally for this administration:

  • Housing —  Failure to properly regulate the housing market has led to a massive series of bank failures.
  • The Energy Market — we are suffering from inflation due to a massive increase in oil prices, which itself is in part due to an inability of Americans to conserve.   The administration has done absolutely nothing to reduce consumption, or for that matter offer fuel alternatives.  Instead, they’ve argued that drilling in wilderness refuges will offer some form of relief, a claim that is disputed by every expert in the field, because it will offer no short term relief, while medium and long term relief are by no means at all assured.
  • Security — having gone to war twice and wasted billions of dollars on meaningless programs, the administration has managed to alienate America from the rest of the world, reducing people’s desire to visit, impacting tourism, and reducing our national credibility.  At the same time the Taliban has rebuilt itself, and we’ve lost our allies in Pakistan and now, seemingly, Iraq (not that Prime Minister Maliki was ever clearly an ally).
  • Education— No Child Left Behind has meant that our children haven’t gone forward as a group.  Our public education system remains in a shambles due to lack of incentives for good teachers, buildings that are falling apart, and a general willingness by this administration to divert funds to religious programs.
  • Public Transportation— our skies are more dangerous than they have been since the creation of the FAA.  More runway incursions, more close calls in the air, disgruntled workforces, and disgruntled passengers have left our air transportation system in a mess, while we’ve invested nearly nothing in ground public transport.
  • Public Welfare— with a remarkably lame response to Hurricane Katrina, the administration demonstrated that they could not be trusted with emergency crisis management.

In short, they did nothing except collect paychecks.  Perhaps Americans will pay more attention to our civic responsibilities the next time we hand someone the keys.

No Evidence That Data Breach Privacy Laws Work

Have you ever received a notice that your data privacy has been breached?  What the heck does that mean anyway?  Most of the time what it means is that some piece of information that you wouldn’t normally disclose to others, like a credit card or your social security number, has been released unintentionally, and perhaps maliciously (e.g., stolen).  About five years ago states began passing data breach privacy laws that required authorized possessors of such information to report to victims when a breach occurred.  There were basically two goals for such laws:

  • Provide individuals warning that they may have suffered identity theft, so that they can take some steps to prevent it, like blocking a credit card or monitoring their credit reports; and
  • Provide a more general deterrent by embarrassing companies into behaving better. “Sunlight as a disinfectant,” as Justice Brandeis wrote.[1]

A study conducted by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti at CMU found that as of yet no correlation can be found between these laws and identity theft rates.  There could be many reasons why the correlation isn’t there.  First, actual usage of the stolen information seems to be only a small percentage.  Second, it may be that just because a light has been shined doesn’t mean that there is anything the consumer will be capable of or willing to do.  For instance, suppose you buy something at your-local-favorite-website.com.  They use a credit card or billing aggregation service that has its data stolen, and so that service reports to you that your data has been stolen.  You might not even understand what that service has to do with you.  Even if you do, what are the chances that you would be willing to not use your-local-favorite-website.com again?  And if you hear about such a break-in from someone else, would it matter to you?  Economists call that last one rational ignorance.  In other words, hear no evil, see no evil.

Add to all of this that some people have said that there are huge loopholes in some of the laws.  At WEIS and elsewhere several not-so-innovative approaches were discussed about how some firms are getting around the need to disclose.

This paper is not the final word on the subject, but clearly work needs to be done to improve these laws so that they have more impact.  As longitudinal studies go, this one isn’t very long.  It’s possible we’ll see benefits further down the road.

[1]  The Brandeis quote could be found in the paper I cited (which is why I used it).

Off To New Hampshire

Many of us are geeks.  We like to think that just because we have a good idea other people will like it as well.  We’re particularly bad at user interface design and understanding the underlying economic drivers for technology.  As a case in point, why is it that IPv6 hasn’t taken IPv4’s place, even though it has been in existence for nearly fifteen years and solves a real problem of address space shortage?  The answer can be found, I believe, in economics, which is to say that the motivations have not been there to spend the money to get people to move from one system to the other.

On Tuesday I am off to New Hampshire via Boston to attend the Workshop on Economics of Information Security (WEIS).  In past conferences, WEIS has covered such topics as when to disclose vulnerabilities, the economics of the insurance industry and cyberthreat insurance, digital media protection mechanisms, and the risks of new technology introduction.  One past paper that I particularly enjoyed discussed the risks of homo- versus heterogeneity in an enterprise.  It has long been an axiom that if you wanted to protect yourself from systemic failure you used redundant systems that are built using different methods.  In airplanes the rule is meant to keep passengers alive (although Airbus has flouted this idea, according to the Telegraph).

Cyberthreat insurance people take this to the extreme by not particularly liking even the idea of interoperability.  Their logic goes that any interoperating system can propagate a cascading failure, and that is potentially true.  Of course, while an insurance salesman might want you to not have an accident, his management needs some accidents to prove that insurance is necessary.  The extreme case of a cascading failure, however, has insurance people shaking in their boots.  They get away with insuring households and businesses against losses by (a) applying a reserve and (b) knowing that a fire or other natural accident can only cause so much damage in a local area.  In the case of a computer virus, they have no reason to believe that there is any locality, and so the policies tend to be very restrictive.

I have a few economic questions of my own to ask.  What will it take to motivate the adoption by a service provider of a new authentication mechanism that would provide benefit to OTHER service providers?  In other words, how will service providers serve the common good?  In general, by the way, they do.  They recognize rightly that if they don’t cooperate on their own they will be made to do so under far less favorable terms.  But here is something new, and not old.  Introduction of new technology and new ways to cooperate is not exactly what they’re all looking for.  I am.  If we can find improved methods of authentication for end users we can surely reduce the value a PC represents to a criminal.

Of course this means we have to create a new authentication mechanism that actually does improve matters, but as my favorite theoreticians say, let’s assume that’s true, never mind reality.  What then has to happen for the mechanism to be adopted by consumers and providers alike?

Going back to that earlier question of what will it take for IPv6 to get deployed, in this year’s WEIS Jean Camp, Hillary Elmore, and Brandon Stephens have produced a paper that puts the question into a formal economics context.  While the work is neither the beginning nor the end of the discussion, it is a very good continuation.

You can soon expect a post that discusses the outcome of this year’s conference.