Technically Exposed

The advent of computers, communication and networking has made it easier for tech savvy criminals to leverage the computing infrastructure for criminal purposes. Some of the methods and the risks of cyber crime was the topic of this column, last week. Computer crime has been so far limited to stealing money, corrupting information, infecting computers with viruses, disrupting web traffic and defacing web sites for attaining bragging rights. We are slowly coming to a realization such shenanigans are only the tip of the iceberg. Only recently are we coming to grips with the “vulnerabilities” that exist in our cyber infrastructure. The future will be a very interesting time.

The risk of technology is not limited to criminal activity. A large community of concerned people are getting even more worried about issues of privacy. The issue is, what information about a person should be private, and how should private information be kept private. Should my bank balance be posted on the web? Why not? In fact the banks would love to sell lists of their best and worst customers and there are tons of retailers standing in line to purchase this information. Someday, it is going to happen.

The acceptance of technology, especially the advent of the cashless society, has brought the privacy issue to the front burner. In addition to electronic payment systems, people use cell phones, GPS (global position systems) enabled handhelds, web browsers, email, online shopping and a whole gamut of things that make collection of private information very simple.

In the “good old days”, if Alice wanted to spend a evening on the town, she would drive around, visit some shops, buy some things (and pay with cash), go to a restaurant or bar, maybe even take a drive to a neighboring town and be back home, and no one would know what she was up to. In fact most of the events of Alice’s life would be private to her and those she confided in. Except for the old lady down the street, who knows everything.

Today, it is a different story—the old lady has been replaced by computers, with enormous storage and the ability to spread information far and wide. If Alice purchased something and used a credit card, the shop as well as the credit card issuer, would exactly when she was at the shop and what she purchased. Similarly she would leave footprints at the restaurants she visited and leave a trail of records of the food and drinks she ordered. The cell phone in her pocket stays in constant contact with cellular towers and the phone company has information about her position all evening long. If she filled up her gas tank in the other town, and used a card to pay for it, her visit there would be logged.

So what? Is anyone really watching? Does anyone compile this data? Does it really matter? Maybe yes, maybe no. As time is marching on, the collection and processing of individual data is becoming easier and hence more prevalent. Once the data is collected, sophisticated programs are let loose on the huge pile of raw data. The programs that cook them are called “data miners”. Data mining yields wonderful profiles of people, their habits, their strengths and weaknesses and insights on how to exploit them. Data mining also can be used to track down an individual and to really get to know him or her better, for better or for worse.

One of the origins of tracking people’s behavior was the establishment of credit-data repositories. Several companies, notably Equifax, Trans Union and Fair Isaac started computerized consumer databases in the late 60’s, which became popular with the financial industry starting in the early 70’s. These databases contain information about people—their spending habits, income, loans, loan repayment history, addresses and so on. The credit data proved to be valuable to the financial industry. Getting loans, credit cards, phone connections, rental apartments and so on have become dependant on one’s “credit rating”. In the 80’s the credit data collectors came under significant fire, for intruding on people’s private lives. By now, the criticisms have subsided.

For one thing, the “big brother” credit database has actually influenced the common person’s behavior for the better. People pay their bills on time, worry about not being late on loan payments, do not cheat retailers, do not write bad cheques and so on, as they know that they will be tracked and held responsible. It is like a report card on your daily life. Be careful, or you will get into trouble. On the downside, people’s lives have been ruined by wrong information getting into their credit files. On the whole, society seems to have accepted that credit reporting does more good than harm. So, we feel sorry for the few people who have been slapped hard, for no fault of their own, and continue on our path to peace and prosperity.

If credit reporting is invasive, what is coming down the pike these days is horrendous. Currently, there is technology in place, to track everything a person does, almost down to frightening detail. As of now, computer databases contain information about everything we purchase, every place we go, every time we use the phone, and even every time we visit a web site. The Internet merchants have put in place sophisticated tracking systems to discover who goes where. Email is almost always tracked, and those that contain sensitive words are read by humans. Huge machinery is in place to track, to record and to keep information about people. The bottom line is that people are being monitored behind their backs, without then knowing what they are not supposed to do, and then being blacklisted, again without their knowledge. This is considered to be a severe breach of privacy. Of course, none of it is illegal.

The US government is currently considering mandating that all cell phones must contain a GPS chip in it, and then every person who carries a cell phone can be pinpointed at all times, even when he or she is not on the phone. In a past debacle, the US government tried hard (thankfully unsuccessfully) to legislate that all encryption equipment use the “Clipper Chip”. The Clipper Chip is a particular encryption gadget that ensures there is a trapdoor implanted in the communications and the US Government can decrypt the communication without the need for keys. It all sounds a little scary.

Many people have the opinion, “if you do nothing wrong, why would you worry?” Actually, regardless of whether someone does something wrong or not, surveillance is intrusion on privacy and is dangerous. What you consider “not wrong” may be considered heinous by someone else. Nazi Germany spied on their citizenry and tortured people who they thought were “not of the right kind”. The Soviet Empire did similar things, and punished people who may have said things that are not officially good things to say. Since you have often no way to refute the data (or even know of its existence) you are charged guilty without due process.

All the data, that is being collected about us, and will continue to be collected—are they going to be put to any detrimental use? There is a chance. Right now, the data is quite fragmented. A phone company may know you have been calling a loan shark, but the bank does not have access to this information. The credit card company may know you buy a lot of alcohol, but your employer does not have access to this information. Such barriers are coming tumbling down. Sharing of private information between companies is on the rise. Medical information, shopping information, financial information—put them together and most anyone can be in trouble. Would an employer hire someone if they come to know he or she has certain bad personal habits? Would a health insurer give insurance to someone who’s genetic tests reveal a propensity for cancer?

A worrisome side effect of collecting large amounts of private data and using them for profiling is the possibility of errors. What if a person’s tracking data gets mixed up with another persons? This happens all too often (well, even at an error rate of 0.01%, thousands of people get affected). The innocent get blamed for nasty things. People lose jobs, get into problems with the police, the tax department comes after them and so on. If all the information about us, get interleaved and a small fraction of errors creep in, the results can be disastrous for a few. This problem is compounded criminals who steal the data and use it for “identity theft”. Once a person gets to steal another person’s electronic identity (ID number, credit card number, etc) he can pose as this person and cause the victim irreparable harm.

What is the solution? There is no good answer. Biometrics is being touted as the possible panacea for identity problems, it is not. Privacy using public key encryption has some promise, but it is difficult to use. Better solutions will appear once the end-users demand protection against privacy violators. Right now, most people do not seem to care.

Partha Dasgupta is on the faculty of the Computer Science and Engineering Department at Arizona State University in Tempe. His specializations are in the areas of Operating Systems, Cryptography and Networking. His homepage is at http://cactus.eas.asu.edu/partha.