The end of anonymity
Thanks to the internet, there is no such thing as anonymity.
So says Dr Ari Juels, the chief scientist of RSA, the security vendor behind the world's biggest security conference.
If you think about all the digital crumbs we leave all over cyberspace, Dr Juels's assertion is not that hard to understand.
He claims that it takes a mere 10 digits of information to label uniquely each human being on the planet. It is not a new theory of his, but it is certainly one that is gaining more resonance as we grow more accustomed to parting with the smallest of details about our personal life.
"We are spewing information out in ways that we are not fully aware of and so those 10 digits tend to be collectable in many different circumstances and our identities will be very easy to unmask, at least on a technical level," Dr Juels told the BBC.
He said we leave these little tell-tale snippets all around the place - from websites that can pinpoint our geographical location, what kind of computer and browsers we are using to the things we carry in our handbag that act like mini-tracking devices.
Small wireless microchips - often called radio frequency identification, or RFID, tags - are in car keys, credit cards, passports, building entrance badges, and transit passes. They emit unique serial numbers and they can be traced back, of course, to us.
One of the biggest bull's-eyes we carry is our cellphone with its GPS tracking and our willingness to sign up for location-based services while on the go.
Dr Juels pointed out the very obvious fact that we are surrounded by video surveillance cameras and as today's face recognition software becomes more sophisticated, it is unlikely anyone of us will remain merely a face in the crowd.
"My proposition, from a technical perspective, is that anonymity is a losing battle. We have to give up on the idea that we can remain anonymous," said Dr Juels.
As part of an experiment to find out how useful the digital crumbs we leave lying around are, Dr Hugh Thompson, a renowned security expert who teaches computer security at Columbia University set his students an interesting task.
"The homework assignment I set students was to go out and find information that can be found publicly, like hirings and firings and put together a narrative that helps track down a real person."
He said one student concentrated on a person who sent out a tweet that said "major stuff is happening in our quality control department. The project manager is firing folks like it's hunting season."
Dr Thompson said the trail led the student from the Twitter account to a personal website and from there to a hint about working in Mubai for a major retailer to eventually tracking down the person, their workplace and a phone number for them.
Dr Thompson calls this "gateway data".
"This is data that may not appear to have any value or importance but when used in combination with other information, it reveals something very sensitive about the company or individual."
He advocates better education, but not a simple list of "do"s and "don't"s.
"Companies need to educate about the risk. Go and show these narratives. Pseudo-stalk yourself and build a narrative for yourself. People learn by example. If they can see the damage they might cause, they will change their behaviour," suggested Dr Thompson.
He also noted that "the longer history of data that we have online, the more information we can mine and the more we can find out about a person or company."
Dr Thompson said that developers, social networking sites and institutions have to help people make better decisions.
"There are some good risk-choices people make naturally. If you are walking down the street in New York and you see the street light is out and there is graffiti everywhere, you might hear a gun shot - these are signs that we have come to learn and accept that 'wow I really need to get out of this neighbourhood'. Online, we need to build that same intuitiveness for users. In the cyber-world, we don't have it yet."
Dr Juels said he believed we cannot afford to ignore the signs.
"Technology shifts 20 years from now means we are going to have a very different notion of what privacy and anonymity means. It would be nice to make informed decisions now and be conscious of the forms of erosion that are taking place."
~RS~q~RS~~RS~z~RS~20~RS~)
Comments
People are either blind to the privacy risks of technology use, or they take the view that the risks are worth it in exchange for the ability to connect with people over the net.
Here's a simple example: If you get hold of someone's email address, any email address, you'd think you can't garner much information from it. But, enter it into the search feature of Facebook, and more than half the time you'll be able to find the email address owner's full name. If they've not locked down their Facebook account, you can see their status updates, friends, and information such as their date of birth. Perhaps one of their status updates mentions a problem they've had with their bank and when they're going on holiday. Perhaps one of their friends is their mother, who mentions her maiden name. So you now have their full name, date of birth, mother's maiden name, when they're away from home and perhaps other information such as their pet's name. All useful information for those with devious intentions. And all from just having the email address of someone who didn't take the time to lock down their account on a social networking site.
And as technology progresses and we have more and more devices and places we store information, it will get worse and worse. I work in computer security and am aware of the risks and what to do about them. Among my friends, I know of no one else who has anything close to an understanding of the issues.
Complain about this comment
For one thing, it is possible to be anonymous, if one is in the know. For another please refer to 'these data'; if it were 'this data' there'd be no problem, since a datum is more than highly unlikely to be unique to one individual, unless we are speaking of the highly fantastic and unlikely number of the beast. The sooner people manage to wrap their minds about these sorts of things the sooner they are likely to prevent outsiders triangulating them.
HTH.
Complain about this comment
Wonderful, timely piece.
I think more teachers should assign a project similar to Dr Hugh Thompson"s, even better the students should be asked to trace their own personal data through cyberspace, see how much they have revealed about themselves.
Have they revealed enough to have their identity stolen?
Enough to cause them to be fired from their job?
Cyberspace crime is already BIG and getting BIGGER; sadly, we are setting ourselves up by walking down that dark street, ignoring danger at our peril, in other words; MAKING BAD CHOICES.
p.s. If you look at FaceBook, Twitter and the like, it is plainly evident that most young people are totally oblivious - babes in toyland.
Complain about this comment
>For another please refer to 'these data';
I'm reminded of a 3rd grade teacher who insisted, when referring to an american "Rodeo" (pronounced ROH-dee-oh), on pronouncing it "roh-DAY-oh", because the american word was originally derived from a Spanish word (for a similar but somewhat different festival). She was confusing the etymology of the word with the word itself. The same seems to be true of pedants who, when confronted with the word "data" (commonly used to refer to a body of collected facts), seem to insist on using plural pronouns in it's presence. Every dictionary within easy reach confirms that this is not necessary. Data can be used as a plural of the archaic "datum" (more common modern usage would be "data point"), but it is also perfectly acceptable as "singular in construct", i.e. interchangeable with "information" or "a collection of facts". In fact in common usage, outside of publications that insist on "these data" as part of their style guide, I almost never hear anyone use this awkward construction.
A living language is a moving target, and while I find etymology fascinating, a word's roots should not be confused with it's definition. Where I come from, they used to say "Ain't ain't in the dictionary", but alas it now is.
But I've probably given too much information away by now; no doubt the grammar police will be able to track me down and teach me a lesson :-)
Complain about this comment
Speaking of location based services, word has it it's all coming to FB and Tweeter very soon: http://blogs.zdnet.com/BTL/?p=31743&tag=content;col2
The thing about these social networks, though, is that they're like tabloids in that they thrive on personal information being made public as much as possible. Clearly it is not in FB's interest for people to be able to hide all information about themselves from the public. That's why FB keep changing their privacy T&Cs, which increasingly are leaving people unknowingly exposed.
Then again, people want to know other people's personal details.
Complain about this comment
It's easy to remain anonymous, or at least safe, online if you're not stupid. Making Facebook accounts private is basic common sense, as is not broadcasting your address on Twitter or telling strangers online when you're out of your house.
It seems social networking has removed people's basic concept of common sense, which is just stupid... No wonder so many people fall for phishing scams and such.
Complain about this comment
To the word guy: as long as we're getting into grammar, at least use "its" and "it's" correctly! "IT'S" is a contraction of "IT IS," and is emhatically not the possesive form of "IT". You used "it's" rather than the correct form "its" not once but twice in your correction of KZwert. I'm neutral on the usage of "data" but the its/it's thing is completely unambiguous: no dictionary will agree that "it's" means the possessive of "it"; it is and always will be (famous last words, I know) a contraction of "it is."
I'm sure I've made some other grammatical mistake here, for which I'll be taken to task. In the meantime, I'll add that the article was very good; anonymity is now a function of being as bland and normal as possible so that your data points don't flag you as someone worth anyone's time.
Complain about this comment
EMC2, I must admit you are correct on that one. And there may be a couple other grammatical problems as well (like starting a sentence with "and" :-). Ah well, I guess it's good that its not signed "the grammar guy".
Thanks!
Complain about this comment
The one thing I'd like all the website registrations to stop is making it required for people to add their birthday.
It should be optional, with ability to just say the year - again optional.
Complain about this comment
Vincent, the trick of getting around entering your DoB onto sites is to make up a false one, but making it something you can remember easily if you forget your password.
Complain about this comment
"[Juels] claims that it takes a mere 10 digits of information to label uniquely each human being on the planet."
Given that current estimates of the global population place it somewhere a little below seven billion, it takes only seven digits to label each person uniquely. What are the other three for?
Complain about this comment
As for comments correcting other commenters' spelling or grammar, it's as well to bear in mind Skitt's Law: "any post correcting an error in another post will contain at least one error itself" or "the likelihood of an error in a post is directly proportional to the embarrassment it will cause the poster."
Skitt's Law is the online version of Muphry’s Law: "any article or statement about correct grammar, punctuation, or spelling is bound to contain at least one eror".
For further information, see the Wikipedia article on "Muphry's Law".
Complain about this comment
Grey Animal, that's an excellent point about Skitt's law :-)
I'm afraid you may have miscounted your digits though. If the population is 7 Billion, that's 7,000,000,000 i.e. 10 digits. If we're lucky, it will be quite awhile before we can get back down to 7 digits.
In any case, I found the # of digits comment in the article a tad confusing. While it did clearly refer to the ability to label each person on Earth uniquely, in my mind it was conflated with actually encoding the information about that person, e.g. encoding name, birth, credit card numbers and other bits of info ("datums?" :-) into just 10 digits of information. I'm not sure why I think that, but that's just the way it came off to me. I'd like to think that my life would take at least a few kB :-)
I should quit before I'm penalized for excessive use of smileys.
Dale
Complain about this comment
the word guy wrote:
Grey Animal, that's an excellent point about Skitt's law :-)
I'm afraid you may have miscounted your digits though.
*blush* Um, yes. In mitigation, may I plead that it's been a long, complicated day?
Ten digits is about 34 bits of information. (Just in case my maths brain is still malfunctioning, I worked that out by converting 9,999,999,999 to binary.) You could encode a fair amount of useful demographic, social and economic information into those 34 bits (for example, the least significant bit could encode sex; the next two for age range (say) 00=0-24, 01=25-49, 10=50-74, 11=75+; and so on), but in general that wouldn't give unique identification.
I think I'll join you in quitting, and go and make myself a nice cup of cocoa :)
Complain about this comment
A good post to the blog raising important issues of which there should be more awareness, but why use an image of a CCTV camera? There are legitimate concerns of the use of CCTV but they are rather different from the digital footprint that we leave all over cyberspace. Almost always when the BBC have anything on privacy a similar picture is used.
At present CCTV is one of the most inaccessible forms of digital data and the Criminal Justice System is struggling to make best use of it. As such the privacy issues of CCTV have a rather different nature to those of our digital footprint. The BBC confusing the two prevents proper debate.
The recent appointment of the Interim CCTV Regulator is likely to be positive move in opening up the public debate on CCTV and how it is used. I hope the BBC reports on that debate rather than continue to confuse the issues.
Complain about this comment
View these comments in RSS