IBM Uses Call-Detail Records To Identify "Friends" 116
theodp writes "Big Blue may know what you did last summer. Or at least who you called. In a move out of the NSA's playbook, IBM Research has been scrutinizing the call-detail records of 'one of the largest mobile operators in the world' (PDF). By analyzing who calls whom, and for how long, IBM claims its patent-pending snooping software can now identify circles of 'friends' who tend to exhibit the same profit-threatening behavior. 'We believe that our analysis is a first of its kind that exploits the underlying social network in a telecom call graph,' boasted a team of IBM researchers and a UMD prof. For now, IBM seems to have focused on using the info to see if your friends are churners, so you can be dealt with pro-actively lest you follow their lead and bolt. However, IBM suggests its SNAzzy data mining technology (Social Network Analysis for Telecom Business Intelligence) has a bright future, noting it 'is also capable of analyzing any kind of social network or graph, not just telecom networks.'"
Uh-oh (Score:5, Insightful)
So if several of my friends have poor credit ratings or are frequently arrested for petty crimes, I may not get a job?
Not good, not good at all.
Threats to Profit! (Score:2, Insightful)
NSA: we snoop to find terrorist threatS (and whatever else we run into)
IBM: We snoop to find profit threats (and whatever else we run into)
phone-churn terrorism? (Score:5, Insightful)
This sort of data-mining of quasi-private data to spot anomalous behavior is sometimes referred to as "terrorism informatics" [amazon.com], since lots of the funding for it and interest in it comes from the case where anomalous=terrorist. Not sure it's going to be good for society to be applying the same sorts of intrusive analysis to legal things that are merely bad for business.
Of course, it's a tricky regulatory issue. On the one hand you might say that a business should be able to analyze its internal data however it wants. But on the other hand, most people view the phone companies as infrastructure, and people don't expect them to be analyzing their calls--- just providing them with service at the stated rates. And since they form a oligopoly of sorts with very high barriers to entry, it's not clear that "just don't do business with the shady ones" is a feasible solution.
Profiles (Score:2, Insightful)
Did people learn nothing from the last time IBM helped "profile" people.... in 1939-45?
so much for traditional telco privacy of metadata (Score:1, Insightful)
See Matt Blaze's post The Metadata is the Message [crypto.com] which gives a phone company placard saying among other things: Secrecy of communicatins is a basic requirement and important company policy. It includes divulging neither the conversation nor the fact that a call was made between two telephones.
The current dotcom culture towards privacy seems to be that anything not nailed down is theres. Screw 'em. We need completely anonymized peer to peer communication.
Owning personal Information (Score:5, Insightful)
Years ago, when I (and others) pushed the idea that personal information generated as one goes about one's life should be considered private property, this is the sort of thing I expected. We should have always owned the copyright on all information generated by living our lives - "I am the author of my own history", and derivative works like IBM's should be a copyright violation.
Now it's too late - the corporations own your personal life log, and they can do whatever they want with it so long as they don't tell anyone else "personally identifying information". They can even, in some cases, deny you the right to see what they know about you, and they certainly have no requirement to actively inform you about what they're tracking about you.
The relationship should have always been the other way around - "I'm letting you use THIS specific information you gather about me for THESE purposes - anything else you want to collect or do with data I've allowed you to collect, you have to ask, same as with any other private property." Someday, some corporation will overstep somehow, and people will get angry enough to force some change.
Re:Academic ethics at work? (Score:4, Insightful)
If this was an academic study, then the raw data was (or should have been) typified (anonymized). Therefore it would not be useful for identifying real world "friends" responsible for "profit-threatening behavior". Rather, it would be a group analysis tool.
Except that there has been at least one Slashdot story in the past year or so explaining how supposedly "anonymized" data can be associated with real people, or at least different accounts on websites associated with each other.
And if anonymized accounts can be associated with each other, it's quite possible- if not probable- that they could be associated with one or more non-anonymized accounts- even if that particular account was used for some innocuous purpose- destroying the anonymity of them *all*.
Of course, you couldn't do this by hand; but that's what computers are for- data processing is a great way to spot patterns and guess which accounts might be the same person. The more advanced data mining software gets, the easier it becomes to have it automatically associate different accounts via patterns and trends.
(Of course, in some cases, it's not even that hard- searching for names- ego-surfing or looking up friends and family- is a big clue if not complete giveaway to anyone looking at (e.g.) a Google search history, if that info hasn't been anonymized as well).
Even if the websites were unwilling to share account info with each other, I suspect that one could write a screen-scraper for information and posts on the most popular sites, and group all the public info associated with a particular account anyway- which is probably enough.
To reiterate the point above- if you have a large number of anonymous or anonymised accounts that you reckon are associated with each other, you only need to make a connection between *one* of them and some non-anonymous source for anonymity to be blown on all of them.
And even if you were to take more care from now on, there's probably a mass of info you've left out there already, and it won't all go away in a hurry, if at all. And even if today's data mining wasn't powerful enough to tie it all together, it's quite plausible that it could improve significantly in the near future, changing its nature completely.
Things are changing all the time- this story being just one demonstration. Assuming you'll be safe because you're using anonymous or anonymised accounts gives a very dangerous sense of false security.
Re:How the mighty have fallen (Score:3, Insightful)
I fail to understand the rationale (if there is one) behind how the geographic location of a research project might make a difference, but even so, it would appear that the corresponding author in the manuscript is from 'University of Maryland, Baltimore County.' Apart from the above statement, I also do not understand the wisdom behind expecting 'customer service' from a 'Research Lab,' simply because it is located in India--apparently IBM has research labs in many other parts of the world, but there isn't an unspoken expectation of 'customer service' from research labs anywhere else in the world.
Re:How can we churn? (Score:3, Insightful)
In the USA, whenever one of the two parties in a contract wants to change the terms, the new terms must be agreed to by both parties or the contract can be cancelled. Typically, the verbiage that one can cancel the contract and get out of the terms without loosing the deposit is buried in all the other legalese. But it should be there.
Re:Owning personal Information (Score:4, Insightful)
I think we (as a society) still haven't worked out what we want to do about this as the problems become more apparent. I wouldn't call the ownership-of-information view as dead as you seem to think it is. If anything, it has considerable support among moderate conservatives or libertarians who agree that we need to do something about privacy and large aggregate databases of personal information, but are wary of more centralized, paternalist solutions based solely around regulation. If you have that combination of traits---want something done, but want it not to be paternalist---a property right in personal information is an attractive idea. It's a few years old now, but this book [amazon.com] has a good concise overview (pp. 76-79; might be able to get enough of an excerpt on Google Books if you're lucky) of a bunch of the proposals.
An interesting variant are those that revolve around the idea of default implied contracts. The way that in normal contract law, there are all sorts of implied things for what happens if the contract doesn't explicitly specify terms governing a particular situation, some of the proposals would have default terms include some sensible governance for ownership and use of private information, and require deviation from those to actually be agreed by both sides (this might require broader EULA reform, though, to make sure people really do know what they're agreeing to).
To be fair, the book also (pp. 81-92) has a decent summary of problems and criticisms of these proposals. Some are from people who'd love to aggregate huge databases of information and use it without any restraints, but there are a number from well-meaning people too. The problem is that the property rights are really the means, not the end--- it's not that we think having property rights in information is an inherent ethical good, but that we want to avoid some sort of dystopian surveillance society, and having property rights in your personal information is one possible proposal for how to avoid that. But designing markets is tricky, and subject to unintended consequences and loopholes, or just failing to really produce what we'd like them to produce.
Re:More Fascism from Big Blue (Score:3, Insightful)
Q: How many Iranian presidents are there ?
A: Two?