Database Nation 162
Database Nation: The Death of Privacy at the End of the 21st Ce | |
author | Simson Garfinkel |
pages | 312 |
publisher | O'Reilly & Associates |
rating | 7/10; 9/ |
reviewer | Matthias Wenger, Kurt Gray |
ISBN | 1-56592-653-6 |
summary | Thoughtful look at threats to privacy, and appropriate responses |
Review 1: Matthias Wenger
Personally, privacy has been a big issue lately -- hearing about DoubleClick and Real Networks customer tracking made the issue a bit of a sore point for me. Then a friend of mine bought a shredder after her credit card fell victim to a Dumpster diver, and I started getting paranoid. Reading Database Nation hasn't helped, but it brings up some possible solutions and provides a good deal to think about as we march blindly on towards Big Brother, Inc.
Database Nation starts out strong, with a hypothetical day in the life of someone with no privacy -- cold-call telemarketing at 6:30 in the morning, surveillence cameras all around, veiled blackmail for a hospital in desperate need of cash and plenty of medical histories, still more cameras at work, etc. This story ends up being a rough outline for the book, which also covers electronic footprints (ATM and credit card records and the like), private databasing a la DoubleClick, identity vs. body, and surprisingly enough, AI and intelligence agents. Each of the major topics covered has at least a full chapter devoted to it -- explaining the specific issues at hand, what sort of data is at risk, who would be interested in such data, and how data can be protected.
The biggest flaw in the book is that it is too ambitious -- how can you cover the sanctity of medical records in 30 pages? It would be difficult to do a better job with such space limitations, certainly, but it does make for a more general view of privacy rather than dealing with specifics. The result is "Privacy in a Nutshell," to steal a turn of phrase from O'Reilly. Given the subject matter, the Nutshell approach might even be preferable, since the theory can be applied in any situation once the awareness is there. Still, each topic felt like it could be expanded much further.
The over-eager breadth of the subject matter is also wonderful. Enough particular concerns are illustrated in each topic that there is an outline of the larger picture of information management even though a good deal remains to be filled in. Covering so many topics makes it easier to see just how much information can be collected about an individual while they remain unawares, and just how much that information can be abused or misused. To illustrate this very point, Garfinkel relates the story of an Internet-based scavenger hunt where the end result was to find out as much as possible about a particular "target," working only with a name. The information collected in 1993 included his place of employment, parents' names, home address, degrees earned, doctoral dissertation, the operating system he used, what his fiance's name was, and more. I found out five minutes ago, with the help of google, that he's now married and that he and his wife hyphenated their last names together. That was just the first hit. And that was a very casual search -- if someone was really interested in finding information, what are the limits?
Database Nation is, in a way, the ultimate discussion of information security. Garfinkel covers an amazing range of topics in exploring privacy and personal information today and into the 21st century. This is both a blessing and a curse -- there are so many things to be aware of, so many topics and points of view to consider, yet each one is worthy of more attention. At the opening of the book, Garfinkel expresses hope that Database Nation will do for privacy what Silent Spring did for environmentalism -- if something doesn't do it soon, there wont be any privacy left to save.
Review 2: Kurt Gray
If Simson Garfinkel's name doesn't ring a bell, check the computer section of your local bookstore or library: Garfinkel co-authored the O'Reilly Practical UNIX Security book, the O'Reilly Stopping Spam book, and some six other books. Before I was a Slashdot addict I enjoyed reading Garfinkel's columns in Packet and the Boston Globe , where his talents for technology journalism and futurist projections make informative reading for geeks and lay persons alike.
Just as Upton Sinclair's The Jungle led to sweeping reforms in the meat-packing industry (and probably turned a lot of people to vegetarianism) Garfinkel's latest book, Database Nation, should draw some much-needed attention to the manner in which everyone's personal information is being captured, cataloged and sold as commodity, and how each aspect of this process detracts from our civil liberties. If you're an American, you certainly know what the IRS is, but have you ever heard of TRW? Equifax? Experian? Or the DMA? Or the MIB, the Medical Insurance Bureau? Each of these corporate entities keeps records on you that determine your eligibility for bank loans, lines of credit, and medical insurance. Are you allowed to see your own record? Well, it's their data, so it doesn't belong to you -- but maybe if you ask them nicely and have due cause, they'll make an exception. Suppose you discover an error in the records they keep on you; are you allowed to demand corrections? Now you're asking subversive questions so we're putting an CM31 flag on your file ... George Orwell warned that the march of technology could allow a monolithic, tyrannical Big Brother to emerge. Database Nation points out that it's the thousands of unsupervised "kid brothers" that have a far greater potential to disrupt your life, and in ways you never expected.
I find the best way to summarize this book is chapter-by-chapter, so here are my own brief reviews of each chapter:
Chapter 1: Privacy Under Attack: Garfinkel opens with his own futurist vision: a day in the life of a typical working American. This hapless near-future dweller is continuously surrounded by targeted advertising, monitored at home and even in his car, and works in an office where constant politeness is enforced by the company surveillance cameras that are programmed to recognize facial expressions and sound an alarm whenever an employee appears disgruntled. Garfinkel explains that this book is not about Big Brother, but rather how the widespread capture and exchange of our personal information has been eroding our civil liberties already and goes largely unnoticed. Garfinkel makes the positive point that no threat to our privacy that exists today is beyond our control, and that we can develop robust, built-in systems of privacy protection rather than allow them to be only loosely guaranteed by the legal equivalent of patchwork.
Chapter 2: Database Nation: Chapter 2 starts with a historical perspective, answering the question "How did we get here?" In short, via the national census, the Social Security Board (leading to the creation of the National Data Center) and the widespread adoption of the Social Security Number and its inherent flaws (limited data capacity and lack of a checksum digit to avoid clerical errors). Page 26 launches into the disturbing episode of Steve and Nancy Ross, whose lives were shattered when the IRS botched their tax returns in 1983 and put a lien on the Ross' house for $10,000. That lien was noted in their credit records at TRW and Equifax, which in turn sold this data to 187 other independent credit bureaus. Here Garfinkel makes an interesting observation: the Ross' bad credit data spread "like a computer virus that kept reinfecting TRW's computer with incorrect information," and it took over seven years for the bulk of their credit problems to subside. Chapter 2 then explains how simple identity theft can be, whether Dumpster diving for credit statements (hint: buy yourself a cross-cutting shredder), or using Equifax's quickie credit report service to find chumps with good lines of credit, then applying for new credit cards in the victims' names. Equifax provides such thieves with everything they need: mother's maiden name, previous addresses, SSN -- it's all there. The victim's credit rating is ruined for years while bill collectors harass them day and night, and the credit card company writes off the charges and flags the victim's file. Frequently, the credit thief gets a slap on the wrist if anything at all. Page 33 lists at least 30 government agencies that are hardwired to track you only by your SSN. Chapter 2 definitely had me sitting up and paying attention.
Chapter 3: Absolute Identification: Chapter 3 is about biometrics and unambiguous identification of every member in a society, a seductive idea that has tantalized policymakers for centuries. Garfinkel argues, however, that this idea is fundamentally flawed. Garfinkel again provides historical perspective, pointing out that using biometrics is an old idea that only appears new as the technology matures. Garfinkel reminds us that even DNA testing is flawled. When a person's name is linked to a given DNA profile, for example, how hard would it be to modify that database record and change the name attached to that profile? (And did you know that 99% of DNA from any two people is identical, so DNA tests actually compare only regions of the genome that are nonessential to cell life? Hmmm ...) Garfinkel then lists various other biometric technologies such as face, voice and iris recognition; even your signature can be used as a biometric identifier. Some of these systems are already in use: Have you signed for a UPS delivery lately, or signed for credit-card purchases on an electronic touch pad? Biometrics. So here's a near-future scenerio: suppose all children need to have a DNA test shortly after being born "for the baby's health." Then the FBI warehouses the DNA fingerprints of every citizen in the U.S., and sells the data to the insurance industry, which can then compare it to the human genome map to weed out the "at risk" people, then target healthy prospects for profitable health plan solicitations... big ol' cluestick being waved around here.
Chapter 4: What Did You Do Today?: Maybe you went shopping, got some cash from the ATM, racked up some more frequent flier miles? Even the most mundane events in your daily life are recorded and archived somewhere -- from how often you withdraw cash from an ATM, to your entire purchasing history at the neighborhood grocery store, even the movies you rent at the video store. Dramatic developments in data-storage technology make it easier for businesses to keep what Garfinkel calls "hot files" on every customer transaction from day one, and then describes how we are creating the Earth's "datasphere." Nearly every durable product you buy has a serial number. Often that serial number becomes attached to your name and personal information (ever filled out a warranty card?) which can then be sold on the open data market, Garfinkel argues that even seemingly mundane information needs to be treated with respect for privacy.
Chapter 5: The View From Above: Chapter 5 is about surveillence technology and the growing private market for satellite photos and Webcams. Does it bother me that right now someone can buy a grainy aerial photo of my neighborhood taken sometime in 1987? No, sorry, that doesn't bother me. City police departments are installing surveillance cameras in public places. I still don't care. Garfinkel then explains how he set up a QuickCam to time-lapse record his Realtor while allowing prospective buyers to browse through his home without supervision. At this point I can't tell if the chapter is supposed to a condemnation or an endorsement. I suppose Garfinkel is pointing out that it's technically possible that are being watched and recorded in places when you assume you're alone. At the very least, it should change your ideas about expectations of privacy.
Chapter 6: cite> To Know Your Future: So who is the MIB? Men in Black right? No, the MIB referred to here is the Medical Information Bureau, which happens to be the secretive data warehouse of the American medical insurance industry's "customer profiles." Think you have a God-given right to medical coverage? Well, if you like Kafka novels then you'll definitely enjoy the hijinks that erupt around page 139, where Garfinkel tells us of more than a few people who've been refused medical insurance because of clerical errors in their MIB records -- records which they never knew exisited. But wait, isn't it illegal in many cases to deny medical coverage to someone with preexisting conditions? Yeah, sure it is, so what's your point? Garfinkel points out that only 23 of the 50 states actually have laws that require citizens be allowed to view their own medical histories. My only complaint with this chapter is that it pursues flaws in existing policies rather than staying with the theme of technology marching faster than prudent policy.
Chapter 7: Buy Now!: The DMA is the Direct Marketing Association. They lobby lawmakers at the state and federal level to further what they consider a God-given right to own and sell any piece of information they can attach to you. One of the nation's largest direct marketing list resellers is Metromail, now owned by the credit bureau giant Experian. Ever apply for a shopping card or magazine subscription, or fill in a product bingo card? Ever fill out a change of address form at the post office? Direct marketers get an automatic notification of your new address from the U.S. Postal Service, which causes your name/address to be copied into a hot prospect list called "New Movers," one of many direct-mailing lists sold by Metromail at the rate of $60 per thousand names. Garfinkel lists some 50 products Experian sells to businesses, like AutoCredit for quickie loan approvals, Bankruptcy candidates, Business Owner Profiles, and Property Link which provides a details of a subject's property holdings. He then argues against the opt-out clause the DMA offers to whiners (arguing instead for a more consumer-oriented opt-in approach), and lists preventative steps you can take to keep your name on as few lists as possible. This chapter left me with a question: if you complain to a direct marketing firm about what they've been doing with your personal information and then they flag you as hostile, and that direct marketer happens to be owned by a major credit bureau, what would that to your credit rating? Food for thought.
Chapter 8: Who Owns Your Information?: Take the case of Ram Avarahmi, who tried to sue a magazine publisher for selling his name, which was in their list of subscribers, to other magazine publishers. Mr. Avarahmi argued that Virginia law states that his name and his image are his property which can not be used in advertising or trade without his consent, and guess what the courts told him? "Sorry Charlie, or Ram, whatever your name is." Information is basically owned by those who gather the information and personal information is a commodity. Medical information is also a commodity owned by medical insurance providers. But can all this medical information be abused? Or let me ask it like this: are we evolved enough to not attach genetic defects to say, a person's ethnicity? Garfinkel excerpts an ad he found in the New York Times: "Ashkenazi Jewish Families Are Needed to Help Scientists Understand the Biological Basis for Schizophrenia and Bipolar Disorder" -- a 1998 John Hopkins University study, right here in America in 1998. Certainly, some medical disorders are confined to certain populations; the question is, what if someone wants to abuse such links? So do you own the books you read or the software you use? No, thanks to copyright laws. Garfinkel makes the point that you can't use the concept of ownership to protect your privacy, because you don't own data about you, however I'm not convinced. Maybe I can't force you to take my name out of your address book, because you own your address book, but I think I do have the right to demand that you not send me mail or sell my address to other businesses without my consent.
Chapter 9: Kooks and Terrorists: This chapter argues that individual terrorists deploying low-tech explosive and biological contaminants have spooked us into accepting ever more surveillance of our everyday activities. True to his style, Garfinkel dismisses some well-known urban terrorist acts as amateur-night material, then describes two fairly effective methods of introducing anthrax into an unsuspecting office building. Further pages show how terrorists might gain access to nuclear and biochemical devices. Garfinkel's point here is that constant surveillance cannot save us from a determined kook. The chapter then moves into the Big Brother question: what constitutes thoughtcrime? Didn't our benevolent goverment inter over 100,000 Japanese-Americans at the start of World War II? Didn't J. Edgar Hoover's FBI spend much of 1950's investigating "Communists" and "homosexuals"? So could our government be trusted with "brain wiretapping" technology? Sounds far-fetched? We're already using polygraphs and experiments involving fast sucessive MRI scans. Garfinkel makes the point that if we are truly concerned about public safety, we should track dangerous materials rather than try to identify potentially dangerous people.
Chapter 10: Excuse Me, But Are You Human? Imagine you're on an electronic mailing list, and you strike up an e-mail dialog with another member of the list. He tells you some things bout himself and you share something about yourself in return. Turns out "he" was actually an AI conversationalist programmed by a marketing agency to gather personal information to be sold in the form of marketing lists. Garfinkel then describes various intelligent agents that can parse natural language. But how is this useful for marketing? It is technically feasible for a marketer to scan the entire datasphere for everything that can be found about you in order to create a predictive model of your behavior: When will you buying a new car? When you will be on vacation? Valuable stuff for direct marketers to know. Might it be possible in 50 years to create a complete AI behavorial copy of you, and test various marketing schemes against it? Garfinkel actually argues that avatars should be afforded the same privacy rights as humans.
Chapter 11: Privacy Now!: Is technology neutral in the war on privacy? Garfinkel's answer is no, technology permits the greater cataloging and measuring of the world around us, and therefore technology is inherently intrusive. He argues that for the cost of around $5 million added to the annual budget, a Federal oversight agency could be created to monitor and regulate the flow of personal information throughgovernment and business data channels. Further, he proposes a list of reasonable amendments to the Fair Credit Reporting Act of 1970, such as giving consumers the ability to sue for damages resulting from the addition of erroneous information to their credit reports. Garfinkel argues that better laws and policies will be more effective than cryptography in protecting one's privacy, and warns that when some have their privacy violated, you can expect retaliation such as deliberate pollution -- and disruption to -- the datasphere. Overall, Garfinkel concludes that we need laws and policies that repect our personal information, not just a technological picket fence.
Before reading Database Nation, I had the typical "nothing-to-hide" attitude regarding my own privacy. I didn't care if some government agency or large corporation was able to read my academic records, my medical records, my magazine subscriptions, my credit-card purchases, my phone bill. "Let them read it all for all I care," I thought, "I'm sure it would bore them to tears." After reading this book, I realize it's not so much about Big Brother, it's about how the spread of your personal information can bite you in the ass someday.
My assessment: Garfinkel jam-packed this book with information every American ought to be aware of -- enough to think about to make your head spin. Thankfully his tone is not hopeless gloom-and-doom; he does remind you that 30 years ago the Cuyahoga River was an environmental disaster, but today it's safe to eat fish caught there. Overall, it's a great book. Yet another reason for me to give a favorable review to anything Simson Garfinkel writes.
Purchase this book at ThinkGeek.
Re:ethics and programming... (Score:1)
And it always involves the balancing of how much comfort you're willing to sacrifice against how much you believe in what you're doing (or not doing as the case may be)
With the "in the current job market" thing, I don't know where you live, but here in the UK for someone with less than 18 months commercial experience after Uni, it's pretty tough getting a job. If I were to walk out of my job due to issues now, I would have some trouble getting another for two reasons. The first of which is my lack of a significant chuck of commercial experience with a single employer, which is very important, no matter how technically proficient you are. The second is that when asked why you left your previous position, and you answer that you disagreed with the direction the software you were being asked to write was taken in, you have to thing that maybe your prospective employer is probably going to look for someone who's less likely to 'be a nuisance'.
Depending on who you are, what you job is, and how much experience you have, some decisions now could have serious repurcussions on your entire career which I for one like to think about.
As for the 'how far do your standards go' issue, again you have to look at what you're being asked to do.
I'm currently writing some very 'corporate' software for my employer. We have implemented some rather 'nasty' (IMO) things in the product we're writing, such as requiring an e-mail based registration for the product, and then sending back a unique registration-unlock key that we embed in any files saved by our product that allows us to track who created what.
The company also sends spam to email lists that it has purchased.
I disagree a reasonable amount with both of these things, and have registered by dissatisfaction with these practices to my employers. I might point out that I have not been asked to actively participate in either of these ventures. The coded-unlocking-registration was given to someone else (before I knew of its existence) and the spam was sent by our marketing dept.
So, what do I do? Do I quit (or threaten to) in protest? Do I just register my dissatisfaction? Do I sit quiet and say nothing? Something in between?
Personally, in those case, I decided to make my dissatisfaction known to my employers but took no direct action. That is what I felt was the best I could do in my current position in my life, given how strongly I feel about the issues.
But there was a time when I was not sure about what to do. I was not sure how strong my convictions were. Or about how ready I was to start looking for another job so soon into this one.
Sometimes it's good to ask people what they think of your predicament to get a new angle on each side of the issues.
But there are no immovable rules when it comes to this sort of decision. It's all a matter of balance.
German constitution protects privacy (Score:1)
Re:another long slashdot review (Score:1)
1) Really long;
What would you prefer? "This book good. Thag like. You buy?" The book reviews on /. are certainly no longer than those in most decent newspapers. Besides which, your next point,
2) Usually just [really long] chapter-by-chapter summaries of the book, rather than analytical reviews that tell you why you should read the book;
...suggests that what really bugs you is that the reviews don't do much with the space, something I'd agree with. It would be nice to see more analysis of the book, rather than information anyone flipping through a copy in a bookstore can glean. For example, how well does the technique of mixing fictional scenarios with factual information work? Does it enhance this book, or do the what-if scenarios undermine the credibility of the factual information? Do the premises seem sound?
Re:An instructive example in the style of 1984 (Score:1)
-lee
Technically possible but... (Score:1)
pointing out that it's technically possible that (you) are being watched
and recorded in places when you assume you're alone
I bet they catch a lot of people picking their nose
Re:Complete lack of privacy already! (Score:1)
Re:Nobody checks (Score:1)
Re:David Brin on Privacy (Score:1)
A big company will insist on preserving secrets not only to keep ahead of the competition, but also because if they do something shameful they're going to want to cover that up. As long as people who want to keep all of their own options open (while eliminating all of yours) can exert the kind of power that they do today, we're rather screwed.
This is not to say that i disagree with his idea that you can't put the privacy genie back in the bottle.
However, different methods - preferably a whole set of many different methods incorporating ideas from all comers - will end up being needed to come to a generally satisfactory conclusion.
Re:Here's to you, Mrs. Robinson (Score:1)
Except that PHB's will think this is a GOOD thing (Score:1)
BTW if you think this is not really a big deal. A fellow in the US recently lost a slip+fall case against a grocery chain because of the past record of his having purchased alchohol that was logged on his discount card.
I'm sure IG Farben chemists said the same thing (Score:1)
Yes you do have the option of not working on something that is unethical, immoral, illegal or destructive. You do not have the right to cop out or to ignore the ramifications of what you do, no matter how glittery the prize. No one is asking you to take a moral stand for the rest of us, but it is incumbent upon all of us to understand that being a cog in a machine does is not an excuse.
Ok I'll stop now.
Re:Buy this book at Amazon... (Score:1)
Seems awfully ironic while selling a book about all that...
Re:David Brin on Privacy (Score:1)
The $64,000 question for Brin, though, is whether it is only going to be the government and major corporations that have access to all sorts of personal data about you, or whether that information is going to be available to the general public as well.
His thesis (which is a good one, IMHO) is that losing privacy is inevitable (due to the march of technology), but that if it is a symmetric loss of privacy, if large corporations and governments can't get away with doing anything because they have no privacy either.... then a loss of privacy may not be a bad thing.
This ties in to some other posts made in this thread about passing laws enabling the public to know where telemarketers get your information, to be informed everytime your personal data is used, and to be aware of what databases exist on you, where, and for what purpose.
A world without privacy, but also without corruption, where you are aware of who is gathering or using information about you, even if you can't stop it -- it's not nirvana, but IMHO, it doesn't sound that bad. (Note that I, and Brin, are not saying we should trade privacy for security or anything like that - which would be stupid, IMHO. But if privacy is going to be technically impossible to achieve, let's try to make the best of it...)
Re:What's most important (Score:1)
France passed similar legislation as the one you describe in 1978 (Loi n 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, available from this government site [legifrance.gouv.fr]).
At the time the law was mainly seen as a precaution against big brother behavior by the state. With hindsight, it seems that today the most serious intruders on privacy are rather businesses that establish databases on clients and pass them to each other.
A few features:Article 2 says that no justice decision implying an appreciation on human behavior can be based on automated data processing giving a personality profile of the person.
Article 25 and 26 say that people on which information is gathered can
Furthermore, the law prohibits gathering information on political, philosophical or religious opinions, as well as on race (with obvious exceptions for churches or political parties and the like, who, by definition, must collect respectively religious and political information).
Re:What's most important (Score:1)
Agitate! != Fraud (Score:1)
My father almost always pays cash. If he's asked to fill out registration info, his name is that on the highest denomination... Andrew Jackson for example.
You've got to be reasonable. radio Shack, for example, uses phone numbers as database keys for customer tracking. You could try asking them to use a made up one, but you'll need to remember yet another PIN that way.
Simson is also an editor of... (Score:1)
I mean, Simson Garfinkel is a notorious UNIX hater.
Check out:
http://www.catalog.com/hopki ns/unix-haters/preface.html [catalog.com]
Although I consider myself a Linux/Unix enthusiast, I'll admit some of the things on this page made me laugh.
Sorry for the marginally offtopic post.
Who said Slashdot was biased?
Re:Unfortunately, Scott McNealy was right... (Score:1)
Re:What's most important (Score:1)
Non-citizens (businesses, institutions) may not provide to a third party information specific to a private citizen without the express written consent of the private citizen.
Enforced by the Justice and/or Commerce departments, which would investigate following tips provided by whistleblowers.
Re:Oh dear (Score:1)
If it is, he thought of it as a teenager, and convinced M.I.T. to use it on his official records... Simson was a classmate of mine, and a fine writer for The Tech [mit.edu] as far back as the early 80's.
Bravery, Kindness, Clarity, Honesty, Compassion, Generosity
Re:Social Firewalls and knowing the enemy (Score:1)
But I learned this time. Next time, it'll be under some nym.
Re:Social Firewalls and knowing the enemy (Score:1)
The bouncy-ball with LEDs inside is a VERY cool toy -- I know, I got one. However, the example is not a very good one. What makes you think that the name on my swiped tag was a real one (hint: the last name on the tag was "Foozle")? And yes, of course I am the CEO of a corporation that employs more than 10,000 people, and yes, I personally expect to buy more than a 1000 computers in the near future.
P.S. When the awards were given out at the Slashdot party, I kicked myself hard for not coming up with the "Anonymous Coward" name for my tag...
Kaa
Re:Unfortunately, Scott McNealy was right... (Score:1)
I see. You must be well acquainted with it, dearie.
Balderdash - debit cards can be tracked as easily as credit cards. Added to which, asking to be lent money is one thing - tracking where I spend it is another. I don't know why you feel inclined to have your creditors be given have this ability to track you.
You are confusing a credit report which companies like Experian will give to anybody for a small amount of money, and a credit card (or a debit card) transaction history, which is possible for the third party to get, but it's much much harder than getting a credit report. A credit report does not contain information on your spending: it records what you were lent money for, when, how much, and how you are paying it back. A credit card statement, on the other hand, does contain all your purchases. But I don't see why the simple idea of using cash has such a hard time of getting into your head.
You're missing the entire notion of why privacy is important
I guess we'll have to disagree about this. You don't seem to understand what I am telling you.
Your MAC address is hardwired. Even if the products you discuss cover this up, they can't cover up the bit trail you leave on email servers and routers in your wake.
Sigh. Why don't you get a clue as to what IP-based networks (such as Internet) are and what are differences between layers in a networking stack?
First, on many NIC cards the MAC address is changeable. Second, I tend to communicate with routers and mail servers using IP protocol. My IP address which the routers, etc. see provides no information about my MAC address and is easily spoofable anyway. I am even ignoring the fact that on a dial-up connection there in no such thing as a MAC address...
Kaa
Re:Unfortunately, Scott McNealy was right... (Score:1)
I am sure Experian would just *love* to have all my purchasing history in a database. Unfortunately for them, I don't see this happening any time soon. Cash is anonymous and changing that fact is very hard. It can be (and is) done for large transactions and for certain specific purchases (e.g. airline tickets), but in general changing the anonymity of cash is not feasible.
unforgeable headers IPv6 will certainly implement to render all of your aforementioned defenses obsolete
Another sigh. You don't really know what you are talking about. No good privacy tools rely on IP spoofing. Why don't you start by going off and reading about, say, anonymous remailers. Properly used they provide a huge degree of email privacy and IPv6 is not going to affect them at all.
Kaa
Re:Unfortunately, Scott McNealy was right... (Score:1)
What's a pamprin, dearie?
Now go back and read the post again and tell me what "tools" you have for realistically obscuring your credit record
Don't get your panties in a bunch, dearie. Re-read the post again, specifically the part about the trade-off between privacy and convenience. If you don't want information about you appear in the credit report, don't buy things on credit. Yes, I know that this will make your life difficult, but that's exactly the nature of the trade-off.
And remember that the credit report has a reason: you are asking people to lend you money. Don't like the consequences -- don't ask.
The value of privacy is independent of whether you have anything to hide or not
Of course. But the danger to your privacy from the release of a certain piece of info does depend on what's in that piece of info. The value of privacy stands by itself, but *threats* to it can be different. The fact that a driver's licence includes hair color is not very privacy-threatening, the fact that it includes the SSN is.
Your IP address and MAC information can be obtained without you knowing it
Yes, that's exactly why you have to understand what's happening and what your computer may be doing behind your back. But to repeat myself there are tools (e.g. ZeroKnowledge's Freedom.net) which will prevent this if used properly.
Kaa
another long slashdot review (Score:1)
Why are all the "reviews" on Slashdot:
1) Really long;
2) Usually just [really long] chapter-by-chapter summaries of the book, rather than analytical reviews that tell you why you should read the book;
3) Biased...no one on Slashdot reviews a book he or she didn't like in the first place.
To add insult to injury, when two people review the same piece, the editors print both, rather than making an attempt to decide between them (or concatenate them).
Feh!
Re:Are you sure it was a dumpster diver? (Score:1)
(I'm using lightweight mode, sorted by score, posts expanded).
Re:ethics and programming... (Score:1)
But now, we've got a new project coming down the pike, one that is intended to log every URL visited, and every keyword typed, and to use that information for targeting. Here I had to draw the line...no matter how wonderful the perks are (and they are wonderful, I work from home 90% of my time), I have to live with myself at the end of the day, and no paycheck is nice enough to make up for how icky I feel being associated with such invasive behavior.
Think about it this way, if I make an extra $500 a year at a job I feel icky about, and so I end up drinking an extra $750 a year to drown my concious, did I really make out all that well?
Anyone who thinks that stress doesn't cost them isn't paying attention to their own medical bills....
Re:Ahh, privacy. (Score:1)
itachi
Re:Are you sure it was a dumpster diver? (Score:1)
itachi, who sees dumpster diving as a privacy issue too
Here's to you, Mrs. Robinson (Score:1)
Are you going to Scarborough Fair?
Oh dear (Score:1)
What the fuck is up with his name? Does anyone else see a striking similarity to "Simon & Garfunkle" -- is it a pen name?? Because if it is, someone should tell him that they broke up.
-----------
"You can't shake the Devil's hand and say you're only kidding."
Re:ethics and programming... (Score:1)
i guess that either i have ethics and do something about them, or I just say I have them and use excuses... hmmm...
maybe there needs to be a "computer ethics" standardization... kindof like the medical ethics that defines what is ethical/unethcical and when programmers cross outside of the line, they get uncertified...
oh well...
Everyone *is* entitled to monitor their data (Score:1)
Re: Everyone is entitled to monitor any record about themselves.
The Data Protection Act [hmso.gov.uk] means that any firm must tell you what data they hold about you (I think a small fee may be charged). Isn't it the same in the US? You can also make them change the data if it's inaccurate and sue them if they're holding inappropriate data about you.
Unfortunately this only applies to computer records, so some companies circumvent the law. For example, to get into university you must apply through UCAS [ucas.ac.uk] and your school gives them a reference about you. But apparently you can't get that info, because they print it out and don't store it on computer. Bastards.
I like the idea about companies being forced to reveal the source of their data though.
Re:Programmer's Code of Ethics (Score:1)
I think that in this day and age, "I just work here" has ceased to be an adequate excuse.
The ACM [acm.org] has a code of ethics and professional conduct. You can take a look here [acm.org]
Programmer's Code of Ethics (Score:1)
I think that in this day and age, "I just work here" has ceased to be an adequate excuse.
Walt
No Transfer (Score:1)
The good thing about this one is that it simply removes the profit motive (or at least drives it into the criminal underground). The two problems I see: First, identity theives are not restricted in what they can do. However, I think this is mostly solved by the fact that there are no institutions that have access to the info theives need. So with regard to individual theives, the situation is not a whole lot better.
Second problem: it drives the collection of personal data underground. I can forsee the time when, "If personal data is outlawed, only outlaws will have personal data." Underground TRW? Maybe, although I admit that it would be a lot harder for them to get data.
Overall a good idea. In fact, maybe if we could get this passed in California, we could start forcing all businesses in CA to abide by it. Until then, keep polluting those databases. "Why yes, I'm a PhD Inuit with 8 children and an annual income of US$200,000."
Walt
Book's URL (Score:1)
Here's the URL http://www.databasenation.com/ [databasenation.com]
It has a complete version of Chapter 6 online as well.
Re:Ahh, privacy. (Score:1)
I'll start microwaveing my shapoo bottles right now !
Privacy is a joke here at school... (Score:1)
*pulls the curtains shut, plays scary music and burns his documents* err...
my $0.02....
Re:Simson is also an editor of... (Score:1)
The book is fantastic.
Social Security Numbers, ISPs, and Wireless Phones (Score:1)
Re:Here's to you, Mrs. Robinson (Score:1)
Re:Complete lack of privacy already! (Score:1)
Actually, there is a reason for any MD to ask you those questions: epidemiology. A big thing these days is "evidence-based medicine" --- the idea that maybe doctors should base clinical judgements on good statistics rather than their own faulty memories and biases. (What? Medicine should be based on rational scientific technique? What a new idea!)
Married people have different habits than single. If some weird oral condition shows up, it'll be useful to see what variables are associated with it. This kind of weird clustering is how we discovered that fluoride prevents tooth decay --- dentists were seeing kids with mottled teeth in some towns, and also seeing way fewer cavities in those kids. Do some studies, find fluoride as the key factor, and suddenly most of the population still has a full set of teeth.
Is it intrusive? Yes. Should insurance companies (or doctors) be allowed to do whatever the hell they want with that? Fuck no. However, it can be useful. (I do agree that there should be a disclosure with each question saying why it's being asked. Perhaps hypertext will make this a reality once people grow some brains.)
Alik
Re:What's most important (Score:1)
Person at door: This is Jim from the CIA, we've got a search warrant to come and find all that illegal stuff you've been doing over the last few years.
You: Please disclose the source of your information.
Jim: You see that house across the street over there? We've got someone watching you from there. See that light shade, it's got a bug in it. See that harmless looking telephone interchange there, it's got wiretaps in it. You know that...
Dude, if DoubleClick changes their privacy policy without giving anyone notification as they promised, what more chance is there they are going to disclose this information to you?
"This banner advert collected your IP address and links your browsing habits to profile #293-2995488-22312"
Re:Programmer's Code of Ethics (Score:1)
That depends on where you work; sadly, my current employees will accept a "Klaus Barbie defense" (i.e. "I was just following orders!") for just about anything. I haven't seen anything real heinous justified with that yet, but I can see it happening. (Fortunately I'm bailing in a few months to finish my degree and get me a real job...)
As far as the programming ethics goes, maybe now is a good time to promote such an idea. In the past, marketroids and other such "savants" would decide when code was "good enough" to ship, despite protests from the coders. Nowadays, it seems like the market is favoring the coders enough that one could dig their feet in and make it stick. (Actually I did this the other day when I told my new PHB that my latest kludge wasn't going to be ready until after I get back from vacation, 'cause I refused to slam-dunk a solution that would just cause problems further on down the road. It was a terrific feeling when he backed down.) The trick is going to be picking your battles; I think of coding as a kind of art (with 4GL's being the equivalent of paint-by-numbers) and, as an art student friend of mine once quoted (source unknown), "Art is never finished, only abandoned".
Why, Slashdotter's I'm suprised at YOU! (Score:1)
Re:Database security? (Score:2)
Had you read some of Gerfinkel's other books, you'd know that security is about a lot more than some trivial piece of tech like encryption. E.g., the most irreversible cipher algorithm in the world is only as good as the security of the keys, and we all know how well passwords are protected on certain widely-used Platforms Unmentionable on Slashdot. Even supposing top-notch password management by the system (enforced expirys, never in clear text except in protected memory, etc.) a lot of people write passwords down. How good are the backups - in terms of protection from prying eyes, their frequency (hence their currency), and reliability? How susceptible are the identifiers to error - he mentioned that the SSN has no checksum digit. Even the silly ol' ISBN has one of those!
Getting some of the picture now?
Nobody checks (Score:2)
I can write with either hand (not well, but I can) as an expiriment I signed all my credit cards with my right hand, and then all the sales slips with my left hand. Onle ONE clerk has noticed that my signature didn't match the one on the card and demanded further identification. (Once noting my drivers license had the same name, and signature and my picture on it he accepted the sale)
Somehow the above tidbit fits into this topic, and it forms some arguement in here. I don't know what though.
Re:ethics and programming... (Score:2)
As an intern I did some work for SAIC on rocket exhaust. Some of the work went to the shuttle effort (good) others went to the MX missile (probably bad). One good thing about that experience is when people make a comment like "well, it isn't rocket science" I can say "yeah, I know, I've done that."
I answered an ad for some async comm and database work in '91, turned out to be a BBS for the Navy. All logistics, no targeting, and a lot of it was just getting messages back and forth between sailors and their families. I thought that was OK. Having completely avoided real military service myself I felt I could make a contribution w/o blowing anyone up. That project was later taken over by a company that really just defrauded the Navy to the tune of millions.
When I was consulting at MITRE one of the guys was talking about smart minefields; I wasn't too comfortable with that. I wouldn't do any real missile work, especially targeting. (After all, rockets have peaceful uses too.)
If you really feel that your work is going to be used for evil purposes the ethical thing is to get out as soon as possible. Let's face it, your not going to quit if you can't pay rent, but there are no shortage of normal business gigs out there these days. One cool thing about being a programmer is we can do cool stuff without a big-bucks backer, as the development of Linux surely illustrates.
David Brin on Privacy (Score:2)
C.
It's not Big Brother that should worry you (Score:2)
The book's sub-title, "The death of privacy in the 21st century" sums is up pretty well. Being able to tell if a woman's pregnant from a retinal scan, the local council using a satellite photo to check your planning regulations.
He asks us to consider what might happen if you were to be able to link computer-held information about yourself. Scared?
Everything from your electoral information, your tax records, your credit card bill, your mobile telephone calls, your university's course records, your web browser's history file, your supermarket loyalty card, your car's satnav.
Now factor in face recognition from CCTV, cookies left behind from web sites, the boxes you tick when you sign an application form
Now draw it together. Now automate it so that a computer, not a person, makes decision on your life based on these related clues.
Scared now? I was.
Boy does he cover some ground - from medical records, web logs, satelite imagery, encryption products, mail redirection - we get the full gamut. His central tenet is clear - just what does personal information mean? What rights to you have over information about yourself? Your name, your date of birth, your income, your shoe size, your magazine subscriptions, your web life. All disparate facts, but when combined, a powerful profile and useful to many people. From an insurer worrying about you as a policy, to a prospective employer who's interested in seeing what you've said on the net, to the local council who noticed you've built a new outhouse on your land
The body is yours, but what's right do you have to your identity? You can fight back - pay in cash, wear dark glasses, don't get ill, don't travel outside your country's borders, browser through an anonymiser, opt out of DoubleClick - but the tide needs to be stemmed and only, apparently, the governments can do it
A truly scary read and a wake-up call that information is, now more than ever, power. And if you've either it got it or you ain't, just how to you decide who gets information about you?
Re:Complete lack of privacy already! (Score:2)
Ironically--and that's a point many people don't seem to get--having a national ID system SUPPORTS strong privacy rather than undermines it. If you have a single, simple system of identification, no further information is required. On the other hand, if you don't, you must piece together all kinds of info to make you unique. It's like databases: you either have a unique key that can identify a record unambiguously, or you have composite keys consisting of several keys that together create a unique key. The latter case by its very definition leads to less privacy.
Uwe Wolfgang Radu
Re:Ahh, privacy. (Score:2)
Wow. This would really put Being John Malkovitch in a whole new light....
It's already happening in Brazil. (Score:2)
part of this scenario becoming a reality here in Brazil.
It hasn't been accepted here at slashdot, but it's live and
well at www.kuro5hin.org [kuro5hin.org], under the title Brazil, a new "Database Nation"? [kuro5hin.org]. It has a description of a system developed in Brazil that cross-check data from 3000+ data sources, returning both your entire credit and consumer report (including address, telephone and monthly income) and a credit ranking which will tell how and how much credit you'll be able to take. All of this just with your name. The article has some links (in portuguese) that you may want to translate using your favorite translation tool.
P.
Simson's been around (Score:2)
And no, I never saw him sing Scarborough Fair.
Bravery, Kindness, Clarity, Honesty, Compassion, Generosity
You were watching me weren't you? (Score:2)
Re:Social Firewalls and knowing the enemy (Score:2)
The fact of the matter is, gov't agencies, if they ask for your SSN, have to give you a Privacy Act Disclosure Notice [cpsr.org]. Private companies can ask for it. You can refuse but, as you found out, possibly at the cost of not receiving the service you were requesting.
Great links are:
http://www.cpsr.org/cpsr/privacy/ssn/SSN-Privat
and
http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.ht
as well as http://www.ssa.gov/pubs/10002.html
Re:Unfortunately, Scott McNealy was right... (Score:2)
What Scott McNealy meant was: "I have no privacy and have to deal with it, so I don't see any reason why any of you should have any privacy either".
Your entire credit history can be inspected by strangers.
Yes, and so? You yourself are observed by strangers every day as you walk/drive on the streets. This is dangerous only if the credit history reveals much about you: see next.
Credit car purchases can be easily tracked, measured, and mined to form a frighteningly fitting profile of you.
Yes. There is a trade-off (as with most things in life): you trade privacy for convenience. You want more privacy? Fine. Don't use your credit card unless absolutely necessary (e.g. car rental). Pay for everything with cash. Yes, it's less convenient, but you leave no paper trail. The choice is for you to make.
Your emails can be read by your employer.
Duh! So, I am to understand, the idea of having non-work email account never crossed your mind? This is like complaining that you had a fight with your girlfriend on the front steps of your house and all the neighbors were watching.
Your phone may already be "observed" by outside agencies.
WTF do you mean? Wiretapping? That's very old news, plus the number of wiretaps in the US is very reasonable.
Most of your network transactions can be traced, given time and effort.
It all depends. If you give your real name/address/email to all who ask, never look into your cookie file, etc. don't be surprised that some companies (DoubleClick comes to mind) know exactly which porn you like to jerk off to. However, again, if you are willing to trade away some convenience to get privacy, there are tools available. Freedom.net, for example, comes to mind.
To summarize: don't whine. If you *care* about your privacy, there are tools out there to help you. If you don't want to spend any effort, thought -- don't be surprised at the results.
Kaa
Re:What's most important (Score:2)
The problem with written consent is that it may not be voluntary in any practical sense. This is a big problem with medical insurance and medical treatment in general. For most people, declining employer subsidized health insurance is not an option. It isn't realistic to expect people with serious illnesses to shop around or argue about the hospital's privacy policies. When you are really sick, you will sign any paper they give you if it results in access to a doctor and medical care.
Extrans & Plain Old Text options reversed... (Score:2)
I've sent mail to Rob about this a week or two ago - hopefully they'll fix it soon.
You don't need a shredder to stop dumpster divers (Score:2)
It also helps if you have something noxious (like leftover Ramen) to distribute over some of the paper - I think you'll get most dumpster divers to steer clear if it's harder to get to your stuff than some other bag with whole statements or numbers!
Re:you asked for it (Score:2)
There is a reason the phrase is "Anonymous Coward", because the anonymous have no credibility. When you can't tell a leader from a crank or the honest from the criminal, what good does it do you? All criminals want anonymity, while only a portion of the honest desire it. Therefore it is safer to distrust all anonymous people.
Would you give your credit card number to anonymous individual to buy something? Anonymity and security have opposite agendas. Authentication and non-repudiation, hear those words before? Ever used PGP, SSL, certificates or digitally signed something? It is all about trusting the party you are talking to, and holding those people to their word. You can't do that anonymously. Sure, you can have a proxy identifier, like my "0xdeadbeef" handle, but it is still an identity on slashdot, and there more I use it, the more tracable it is to my "RL" identity.
Anonymity is not privacy. Privacy is about protecting your sensitive information when information can be collected, bought and sold more easily than air. The anonymous have no need for privacy, because they have no information. They might generate it, but it is not linked to them. The anonymous have no "state" in the world, so they can't do anything that requires trust.
Re:Ahh, privacy. (Score:2)
itachi, who would like to point out to hemos that it is mwegner at cs.oberlin.edu
Simsom's weekly Boston Globe Column (Score:2)
I didn't see this mentioned anywhere, so I'll throw it out there. Simson Garfinkle writes weekly column for the Boston Globe called Plugged In [boston.com]. If you like his writings, you should probably check it out.
Cthulhu for President! [cthulhu.org]
Re:you asked for it (Score:2)
-----
On an unrelated matter: I met the author briefly at a Barnes & Noble. Very interesting person to talk to. He mentioned a couple things like potential names for the book which he rejected ("The Fishbowl", "Data Rape"), and chapters that were taken out (such as one about GPS).
Re:Programmer's Code of Ethics (Score:2)
Nonsense.
You're talking about abdicating your responsibility to your own morality/ethics. It is not anyone else's responsibility to come up with a morality for you, nor is it anyone else's job to enforce a morality on you.
The "code of ethics" you describe is not a code of ethics but a body of law. Law is - and should only be - the province of making interactions between peoples fair. Law should never concern itself with "good" and "bad".
You are solely responsible for adopting/inventing your own morality. You are solely responsible for enforcing it upon yourself.
Law which protects people from themselves is despicable.
----------------------------------------------
Re:Companies like Experian and SSN#s are scary (Score:2)
"Getting you closer Experian is an information solutions company. We help organisations to use information to reach new customers and to develop successful and long lasting customer relationships.
We have built our business on the simple premise that commercial success is about getting close to customers. The more an organisation understands them, the more able it is to respond to their very individual needs and circumstances.
This is the approach that we adopt in our own client relationships. It is also the underlying motivation behind everything we do as a company."
Strike me pink if THAT's not a warm and snuggly statement of porpoise!!
And their clients are happy as clams, too. Over a million Frenchpeople are serviced via the tracking on TF1, which I gather is Tee Vee France One.
Also English Banks, and variousBanks, like that they fight fraud!! See, they fight fraud by having a file on everybody, isn't that great?!
Unauthorized use is way, way down! And don't worry your little heads about AUTHORIZED use. It's AUTHORIZED!
DWW --/Disclaimer/-- Read twice for the saracsm-impaired.Swedish/Europeean conditions (Score:2)
In Sweden this law means that no one, save artists, journalists and govermental agencies, may use personal information without the persons written consent. This has resulted in some problems - but the intention is quite right: it is MY information.
When first passed, this law was the topic of a quite heated debate "you can not even name a third party in a mail", but the law has not been used to this effect.
Since a long time you have had a legal right to read all stored information about yourself free of charge (of course the goverment has some exceptions to this). Most information is public though.
This doesn't mean that this is unproblematic - it is very problematic in some ways. Anyone can walk in from the street and request information from my taxation records, my school grades (this is ok), my adress, what cars I own etc... While this has advantages the end result is that it is easy to get information about just about any Swede; this doesn't to my knowledge apply to the rest of the EU.
IANAL :-)
Re:Ahh, privacy. (Score:2)
The main problem I can see in this is that other people have the right to produce and collate data about you as an individual.Why not declare your life to be a work of art. then Copyright it. O.K. so you'll have Academics using the Fair use clause and Wannabe's can live up to 10% of your life. but any more and you can sue.
Why I'm a Hypocrite, and What We Can Learn From It (Score:2)
anyway, having been in this position for a while, i've becme acutely aware of not only how much information is available on your average Joe Consumer, but also how many varied hands this info passes through before magically being transmogrified into a piece of junk mail. a couple of months ago i got tired of the constant reminder in my own mailbox of how shady this all is, and i drew up letters to the dma, equifax, experian, and others to terminate their rights to traffic in my data.
fine. ok, so i'm a hypocrite, but worse than that, i mentioned to a peer, in confidence, that i was 'opting out'. next thing i know, i'm called into a superior's office, and without putting my personally paranoid spin on things, i'll simply describe the proceedings as an inquisition into my loyalty.
now, don't get me wrong -- i guess i shouldn't have mentioned it, and i should probably go into a line of work less troublesome for me, ethically. but the thing that wierds me out is the reaction that i should have no problem sacrificing my privacy, and that if i'm offended, i'm going to wind up getting in bad with management.
not the worst, though: the more of my non-tech friends i tell about how dirty my involvement in this process occasionally makes me feel, the more i hear that they don't mind, or don't think it's as bad as i say. they call me paranoid, and refuse or fail to draw the link between, in this case, junk mail and an invasion of their privacy.
now, don't post calling me a self-loathing scumbag -- i've got to make a living, and doing math tricks in washington square park doesn't pay as well as you might think. the point of my story is to provide a look at exactly how negatively any attitude other than complete surrender of one's information privacy can make one look, *has* made me look.
on the liner of radiohead's most recent single, they've written that the innocent have nothing to fear from the rapidly-expanding data industry. what follows from this attitude is that an individual who chooses to avoid this process of information buying, selling, and processing, is already in a position of issuing a tacit, unspoken admission of some sort of guilt.
Awareness is the Key (Score:2)
If the general public is more aware of the issues in privacy, better (more informed) decisions can hopefully be made. Privacy is getting to the point now where it affects enough people to get attention from advocacy groups, the media, and even (to a small extent) politicians.
I'm hoping this awareness will stop privacy invasions before they get to the "horror-story" levels we keep hearing about.
Can we use the copyleft? (Score:2)
If the data is attractive enough, people may use it. The idea is that the license will apply certain terms to other data that they hold. Does anyone think it could work?
That might be a mis-statement. (Score:2)
Not without reason - and currently there's not a reason.
The people maintaining/with access to these databases are paid minimum/barely above minimum wage... Turnover is rampant. The question isn't is the *database* secure, but who's "allowed" access to it.
The 2 biggest problems are going to be the a result of the institutional stupidity of big Corps, first, the utter reliance on "the system" - without the checks/balances and authority to fix problems, and the the enforced ignorance of their low level workers.
This is well illustrated with the error quoted with the error in credit rating - and then the continual re-error as databases were synced up.
And the utter disdain of anyone for any responsiblity in these matters is what makes them so bad - not that they happen - but that the corps just don't care to build the system right, and with the ability to fix these problems.
Addison
Re:Ahh, privacy. (Score:2)
watch your own ass. *shrugs*
Tell me why it is inaccurate? Theoretically a police state could be created and enforced with various forms of mind control. However it takes people really good at those things and we don't really have such individuals in the US today.
Re:What's most important (Score:2)
Won't do I'm afraid. To begin with it would make the phone book illegal. The same for e-mail lookup services. It would simply be to hard to get personal data for valid reasons.
OTOH it would be quite easy to go around such a law. So we can't sell our info to marketing companies? Well, then we will sell the marketing service itself. So we cant buy that information? Lets buy the company that has the information. (or if they are too big to be bought, let them split out a database branch, that can be sold).
I have no big problem with *correct* info about me used in the *intended* way. What I want is for it to be very dangerous for a company to use or sell incorrect data, or to use it against the terms I once agreed to. Thereby restricting database marketing to really profitable areas, not the "throw out a million hooks and something will catch" schemes.
A different matter (Score:2)
Databases as a threat to privacy is one thing, "ID spoofing" is another.
It does not matter if someone ruins my life by calling someone, saying "Hi I'm guran, shut down my account please" or "Hi I'm 123-456-789-0, shut down my account please"
Since when are usernames, or SS# alone an acceptable form of identification?
Wouldn't this be a "Ask Slashdot"? (Score:2)
There seems to be a double standard here on /.
Everyone is 100% for their own privacy. At the same time it is claimed "If the information is accessible, it is OK to use it", "Information wants to be free" etc
The net (or the electronic society to use a Katz-ism) is making more and more information accessible and searchable. That includes info about YOU as well as about software specs.
The information is out there. And if we can lobby for laws to restrict it's use (in the name of privacy) so can the corporations (in the name of protection of property)
You might argue that personal info is different from other info and deserves special protection. I agree. However, as shown in the DeCSS case and others: If protection can be circumvented, it will.
If you are anonymous, you have no rights (since rights are given to people, not computer sessions) If you are logged in you will leave a trail.
On a more direct reply:
What the heck does a bouncing ball has to do with privacy? If someone knows that I went to an exibition, that tells them... That I went to the exibition. Nothing more. Is your idea of privacy the same as absolute non-interaction? Cause that is the alternative.
Re:Social Firewalls and knowing the enemy (Score:2)
Ever try to argue this with the local cable company? I did. They said it is legal. And that there was a state law here in Florida that allowed them to use SSN's in their database anyway.
I said Federal Law supersedes state law and that the SSN number is issued and controlled by a federal agency. I got into a major pissing contest with the final result a denial of cable service. I have been without cable TV for 2 years now. Any clarification on this issue would be appreciated.
Should be required reading for PHB's (Score:2)
Re:Unfortunately, Scott McNealy was right... (Score:2)
I'm not confusing the two. Cash-equivalent transactions will surely be added to the same reports people like Experian manage, once they see the obvious marketing opportunity available in giving away not just your credit history but your purchase history. Don't assume your banks will continue to horde the valuable commodity known as your audit trail.
Sigh. Why don't you get a clue as to what IP-based networks (such as Internet) are and what are differences between layers in a networking stack?
If you're so well informed regarding IP than you surely know about the unforgeable headers IPv6 will certainly implement to render all of your aforementioned defenses obsolete. Enjoy.
Re:Unfortunately, Scott McNealy was right... (Score:2)
A pill for PMS'ing women.
And remember that the credit report has a reason: you are asking people to lend you money. Don't like the consequences -- don't ask.And remember that the credit report has a reason: you are asking people to lend you money. Don't like the consequences -- don't ask.
Balderdash - debit cards can be tracked as easily as credit cards.
Added to which, asking to be lent money is one thing - tracking where I spend it is another. I don't know why you feel inclined to have your creditors be given have this ability to track you.
the danger to your privacy from the release of a certain piece of info does depend on what's in that piece of info.the danger to your privacy from the release of a certain piece of info does depend on what's in that piece of info.
You're missing the entire notion of why privacy is important, at the base level. Once again, privacy isn't just for people who have "something to hide". If you can't get that and admit to it, don't reply.
But to repeat myself there are tools (e.g. ZeroKnowledge's Freedom.net) which will prevent this if used properly.
Your MAC address is hardwired. Even if the products you discuss cover this up, they can't cover up the bit trail you leave on email servers and routers in your wake.
Nice thought, but it will never happen (Score:2)
Buy this book at Amazon... (Score:2)
Fatbrain.com (Score:2)
So, what do we do about it? (Score:3)
Whether professional or amateur (a proud term, originally meaning someone who does something for the love of it), we're the people who are making this possible.
So, what are we going to do about it?
Are you sure it was a dumpster diver? (Score:3)
<p>
How does she know it wasn't a clerk at a store she used the card, or a relative or coworker snooping in her purse, or an employee of the credit card company, or someone stealing her mail, etc..
<p>
It bugs me when people come up with grand conspiracy theories or elaborite scenarios for how simple thefts take place. All it does is serve the interests of the people selling security solutions, or the credit card companies who know full well how insecure credit cards are.
<p>
People hype about how "insecure" online transactions are, when they are many times as secure as physical transactions, because there are less people involved.* It's the same with blaming a dumpster diver for stealing a number. Yes, you should probably shred things with your number on it. But no, it's not the most likely scenario. The poor security of credit cards is a fundamental flaw in using an identifer as a secret key. Don't go blaming our eroding privacy for credit card theft.
<p>
* One cavet about that. Foolish companies that store credit card numbers on their web server are asking for trouble. In that case, it probably is easier to steal numbers from online merchants.
*
Re:Agitate! Agitate! Agitate! (Score:3)
I whole heartedly agree with this strategy. It is extremely difficult to get laws for protection of privacy passed when most politicians are in the pockets of corporate interests. The best way to fight corporations is in the area that is most sacred to their cold little hearts: profits.
There are many opportunities to contribute to database pollution. When a website insists you fill out a form before allowing you to download their "free" offering, use made up data. I read recently that it is estimated that about 50% of such data currently collected is false. Some companies, such a Realplayer are particularly odious, demanding all sorts of personal info before letting you install the software. In their database, my name is "Off, F*ck" (without the *).
In the physical world, avoid stores that require customer cards for sale prices when possible. If that is not practical then make up a phony identity on your application. I shopped at Safeway for years and took advantage of their weekly specials. Then one day I walked in and they told me I had to divulge all my personal info before they would let me buy anything at a sale price. I eventually got a card, but they think my name is J. Mxyptlk. (It's amusing to watch the cashier try to read my name off the receipt so she can "thank" me.)
A friend who used to work in the credit card centre for a large bank once advised that you should apply frequently for credit cards. Use your real name but all the other data such as income, marital status, occupation, etc. should be different on each one. After a while, there will be so much contradictory information in your file, data miners won't know what to believe about you.
ethics and programming... (Score:3)
Problem is, its a fun, challenging exciting project, but the ethical questions are still plaguing me.
The problem comes down to economics... if i want to eat, i have to code... but certain projects may go against personal standards...
anyone else figured out where to draw the line?
Re:Unfortunately, Scott McNealy was right... (Score:3)
Take a pamprin honey. Now go back and read the post again and tell me what "tools" you have for realistically obscuring your credit record - news flash, there's more than credit card purchases on that puppy. Any long-term debt is recorded.
This is dangerous only if the credit history reveals much about you: see next.
The value of privacy is independent of whether you have anything to hide or not. If you can't wrap your head around this concept, you're pretty much a write-off.
It all depends. If you give your real name/address/email to all who ask, never look into your cookie file
Your IP address and MAC information can be obtained without you knowing it, and for most of us the IP part is hardwired, even at home.
Unfortunately, Scott McNealy was right... (Score:3)
Consider:
Folks - the only thing that separates you and Jennicam is the cam.
As Pogo said, "We have met the enemy..." (Score:3)
I think a big part of the problem is the ease of using our technology, and the tiny amount of attention we pay to it, ourselves! Here's an example:
About a year ago, I couldn't find my credit card when I tried to pay for a meal; after digging around in my wallet, I found it "filed" in the wrong slot. Because I was searching for a specific card (I have a few of 'em), I actually looked at the damned thing for the first time in weeks. It was someone else's card.
To make a long story short, I used the information on the card itself to turn it off (after I turned mine off, first!), then identify and find its owner. As it turned out, we'd used each other's cards for a week, since they were switched in another restaurant; each ran up several hundred dollars in purchases, without anyone checking the name or signature, and without once looking at the card ourselves.
It's so easy to use this technology, we simply don't think about it. The only ones who really pay attention to our behavior are the data collectors.
My point isn't to tell a somewhat-funny, somewhat-scary story; it's to encourage people to take back control of the technology. That necessarily includes the use of the technology for purposes other than their own. And so an important part of the story is this epilogue:
Both I and the other guy tried to fix the mixed-up expenditures by working with the two credit card companies. This proved almost impossible: we'd have had to cancel payment on all the cross-use purchases, then go back and repair the newly-inflicted damage ourselves. And there was no guarantee that doing this wouldn't cause bad posts to our credit ratings -- the companies were emphatic about this! So in the end, we did the simple thing: we tracked down all the purchases, and simply wrote each other checks to cover the balance.
We were both lucky that we were honest, but that's not the real point. The point is that the machine exists for the ultimate use of someone other than ourselves: we're just the grist the mill grinds. And if we don't watch out for ourselves, there's no one who will.
---
An instructive example in the style of 1984 (Score:4)
Firstly, your mistake was in using your credit card to buy an add-on for a product you do not own. Microsoft took to tracking those things once UCITA let them, and their self-help systems were typically Microsoftian in their vengeance against software piracy. They shut themselves down until you can satisfy MS that you're no pirate. (There is no due process as this is not government, but business). Once you call the nice antipiracy people and explain, they will undo the shutting-down of your systems. The reason for their doing so was suspected fraud. This reason was openly listed as the latest user-vendor transaction in your account with MS' payment processing people, who share information with many other businesses.
Said other businesses, such as your vendors, enjoy a much more rapid defense against deadbeat clients than they used to. They have an automatic response to the suspicion of fraud or bankruptcy. They are comparatively enlightened, as they are only killing 10 net 30 terms on the warning, and will still sell to you for cash up front. Your cashflow is considered _your_ problem. After only 3 more transactions you can get 10 net 30 financing back again, but for now every vendor you have is reading the same 'suspected fraud' report and being prudent.
Meanwhile, the credit card company has a process going itself. If more than 50% of the businesses you maintain ongoing relationships with downgrade your account level over a period of 48 hours, the credit card company will freeze your card until you call them from your work phone and reassure them that there's a good reason for this downgrading. This is for their protection in the event of a customer running amok and committing massive fraud and disappearing.
Assuming you remember all this from the fine print where it was hidden, your task is clear: leave the car where it's stranded, and walk across town to your store, where you must break in to use the phone to get your credit card turned back on to start dealing with these other issues.
On the bright side, your security system has shut itself off on suspicion you're a software pirate, so when you get to your store, the windows are already broken! Here's hoping the looters didn't take the phone. ;P ;)
Companies like Experian and SSN#s are scary (Score:4)
Experian had records on at least 95% of American households. It's amazing how much imformation they have on people, and where they get the information from. Experian also has amazing power over people's lives. When I came to America, it was companies like Experian that made my life miserable. I couldn't get credit cards (even though I had had them for four years back home), I even had a hard time getting an apartment. They're an international company with 22% of their business in the UK - they wouldn't even pull my credit file from the UK to help me out (even when I worked for them). Just wait until they start integrating their databases from all over the world: they will have the ability to track people better than amny governments.
One of our client's marketing data warehouses (non-US bank) had one table that stored all of their customers transactions for the last 48 months (we tried to avoid that table due to its size!). Plus hundreds of other columns of demographic information. The goal of these huge data warehouses and all their information: to increase the yields on marketing campaigns (ie the response rate to junk mail). eg Let's target all of the people 21-25 who like Pizza Hut within a five mile radius of zip code 80231 who use certain ATM machines who like.... and it goes on.
Everybody in America has a social security number. The way it get's into every aspect of life, it's almost equivalent to every child being tatooed with a bar code and serial number at birth (but of course, that would probably be deemed a violation of basic rights and freedoms - anybody remember that Sepultura song/video, Slave New World??)
Social Firewalls and knowing the enemy (Score:4)
First, be cognizant of what information is available how. In Texas, anyone with your driver's license number and city can find out if you have warrants out for your arrest, your full legal name including middle initial or name, and your true birthdate. True story--call up the local muni court and go through the phone system.
Anyone with a bit of money can get the full scoop on you via credit reports. Many academic institutions have access to LExis-Nexis, which has a huge wealth of data on tax and property records, all digitized and searchable.
Oh, but it gets more fun. Ever ordered pizza? Hell, what was the first thing you did when you moved into your new apartment? Did they ask you for your phone number? Guess what, that's recorded not only in their database, but a nationwide database used for direct mail marketing and keeping a updated record on where you live (better than your local white pages, I might point out)
So, what do you do?
As much as you can, fight against these. Don't give out information like your SSN (by law, no one can force you to use your SSN as an identifier!!), DL number, birthdate, phone number, etc.
Online, set up social firewalls between the real you and the rest of the world. Use pseudonyms. Use fully developed alternate personae to packet-drop spam (what else is hotmail good for??) Explore sites as one of your throwaway personae, check their privacy policies, check (not that it means anything anymore) on their Truste stamp if they have one. Check with the BBB online. After you're OK with them, then go in and use a real persona.
At RSA, there was a great speech by Stewart Baker, a lawyer at Steptoe & Johnson. He asked the crowd if they valued their privacy, of course, we repsonded, yes!. He asked how
Be aware--that's your best bet. Know what pieces of data are important and key to finding out more, and be miserly with them.
Re:ethics and programming... (Score:4)
Quit. And tell them why.
Sorry to be so blunt, but in the current job market, it's hard to be sympathetic to the plea "but I gotta code to eat".
Your morality is your responsibility. Live up to your standards. If you feel what you are being asked to do is wrong, don't do it.
Morality isn't about being comfy and avoiding sacrifice and strife. Morality is a heuristic for figuring out what short- to medium- term suckinesses must be endured for longer-term happiness. Morality is what tells you when to sacrifice some of your comfort.
If you feel it is wrong to track students throughout their primary educational careers, then you are responsible for not contributing to that project. It is not anyone else's responsibility to make sure your morality isn't transgressed against.
----------------------------------------------
Complete lack of privacy already! (Score:5)
This is one of my pet peeves, but Americans have no clue about personal privacy. They keep ranting against a national ID card or a national healthcare card because it would violate their privacy. Yet they think nothing of divulging their most private data to someone as inconsequential as their dentist, not to speak of using credit cards and personal checks in a system which openly laughs into their face regarding any sense of financial privacy.
Americans may rant against Europeans in any which way they like--some certainly deservedly--but regarding personal privacy they have nothing on them. While Europe is far from perfect even in the privacy issue (especially the UK), at least they try to maintain a semblance of personal privacy through the laws they pass and the way they approach the issue in general. In Germany for example, which I'm most familiar with, I can sue my dentist for breach of privacy if I feel that he is keeping data about me which he isn't entitled to. With the new digital healthcare cards I understand that I can limit the extent to which I divulge medical information even to my doctor.
Compare that to the Tennessee Department of Transportation which has included an onscure little checkbox on the driver's license renewal form, which instructs the department NOT to sell your personal information--INCLUDING YOUR MUGSHOT--to third parties. In other words, if you miss that little checkbox, which most people do, you are "authorizing" the TDOT to sell your info. If that doesn't raise your holy indignation, nothing will.
My point in all this is that we don't have to be pragmatic about privacy. There ARE things we can do to maintain and improve personal privacy, even--or rather especially--in a digital world. We have technologies that can accomplish the most amazing things: route a packet through a maze of computers from one end of the globe to another; transmit information reliably and accurately through light hours of space; write our names on the head of a pin with individual atoms; encrypt data in such a way that it would take eons to decrypt it. Yet we profess that there's nothing that can be done about the loss of privacy. It's a matter of will, not technology. We have to take the fate of our privacy out of the hands of corporations that profit from a lack of privacy, and put it into more reliable ones. Most importantly, we have to stop pretending that there's nothing we can do about it--there is, we just have to do it.
Uwe Wolfgang Radu
Agitate! Agitate! Agitate! (Score:5)
Frederic Douglass used "Agitate! Agitate! Agitate!" as the call to eventual freedom of the Black American.
Active resistance would have met with active retribution - and now would result in credit sanctions, bad histories, and denied loans.
Passive resistance would have led to further exploitation, and will do so in this case. Passively waiting for corporations and the government to spontaneously grow a conscience isn't going to work, as long as data-mining is profitable. Remember, in the end, the accountants make the policies.
Agitation, the non-violent and justifiable causing of frustration in the system that oppresses is the solution to the problem.
What needs to be done is, as Garfinkel (or maybe the reviewer) suggests, intentional pollution of the gathered data. Once the gathering of unreliable data becomes more costly than profitable, it will stop. If it costs more to filter and refilter dirty data than to simply ask for voluntary opt-in, then the data farmers will do the 'economical' thing.
Yes, it's going to be hard at first. Prices will rise (as they surely must anyway) and part of that increase will be due to the increased cost of fishing for good data, in a pool with an increasingly poor signal to noise ratio. We'll all get a lot more junk mail. Some of us will get very well paying jobs designing smart systems to side-step the subversion.
But eventually, through misinformation of the machine, they will just stop bothering us. It might even happen in this lifetime.
Whenever I fill out a 'registration' form (rare, and only for warranty reasons), I always jot down a household income that is hugely greater than the actual. I've gotten pre-approved credit cards for really large amounts. On some registration cards, I'm single, on others I'm married. There's about a three week delay between my infusing tracer data into 'their' system, and some peice of junk mail targeted as a response. When I last changed back to single status, a few weeks later I got mail for a local divorcee/widower support group. Hmmm.
A friend of mine, in high-school, used to order free smaples of stuff, using false names. He's gotten all sorts of interesting mailings to these names, slanted to reflect the information he provided. One alias, Santo Runningbear, got him a pre-approved Native American Scholarship. He's Irish.
The point is, a company won't change it's tactics as long as they are profitable. It's in our best interest to make farming of our identities and habits expensive.
you asked for it (Score:5)
Of late i've posted less and less to slashdot because I've become disenchanted with the quality of person I meet here. People who, as a result of their mild annoyance at F1R$7 P0$7ers and other trolls, endorse eliminating Anonymous Cowards. People who make ponderous distinctions between "privacy" and "anonymity", stating that while they cherish the first the second should be put down like a rabid dog.
Folks, privacy without anonymity cannot exist without a strongly legal barrier and vigilant law enforcement. But, as any sensible citizen shoudl have puzzled out by now, the people who influence or even fabricate those laws and the people who want to abuse your private profiles are generally about two shakes of a fleas leg apart from one another. Anonymity is crucial, because only you yourself can truly be trusted to protect your private information to a degree commensurate with its worth to you. Without anonymity, and only with legally enforced "privacy", the laxity of others in guarding their personal information can also affect the security of my own information. That is clearly a losing scenario for those who care whether their every quirk is ground down mathematically in a relational grid.
Of course sentiments like that aren't confined to slashdot, in fact I once had thought
So don't come bitching about losses of privacy. When you turned your backs on anonymity, you asked for it.
-konstant
Yes! We are all individuals! I'm not!
What's most important (Score:5)
Everyone is entitled to monitor any record about themselves
Then continue with principles like:
Every person or company who uses database records to contact you or in any other way influence your life is required to disclose (at their expence) the source of their information.
And
Every company or person that is providing data about a third paty on a comersial basis is responsible for the accuracy of that data