Microsoft hosted today a Valley Speakers Series, on "Why privacy matters: Challenges and Opportunities". It was moderated by Moira Gunn, host of NPR’s "Tech Nation" (now podcasted on ITConversations), and featured Scott Shipman, privacy counsel at eBay Inc.; Barbara Lawler, chief privacy officer at HP; Peter Cullen, chief privacy strategist at Microsoft; and Fran Maier, executive director and president of TRUSTe.
I thought that, with such a set of panelists, we would be able to get quite a bit of perspective on what is being developed around both privacy, identity protection and federated identity. Unfortunately, and it might been a case of over-expectations, a lot of time was spent on current issues and current, limited, solutions. Interesting, but I had a sense of a missed opportunity.
I noted the following points:
G8 countries have decided to enforce data retention by ISPs in order to make sure that hacker intrusions, path, data changes,… could be traced through the multiple hops they follow. In effect, only a limited amount of data needs to be collected, but it has to cover all ISP users. This has raised privacy issues, and led privacy advocates to attack the directive. The reply from law enforcement is that such tracking is required in order to maintain the security of Internet users. This is an example of the common dilemna: Anonymity vs. Accountability, ie. how much privacy needs to be protected, vs. how much traceability needs to be put in place to prevent/track abuse.
Schools have to give the home phone number of parents/kids to military recruiters to avoid losing their federal funding. It is possible to opt out from this list but only within 3 weeks of the beginning of the school year. Opt-in was tried in California but led to a low % of acceptance, and was reverted to opt-out.
The decision as to whether opt-in or opt-out is to be used depends on the context, users’ expectation and the scope of disclosure. Customers want choice and control as to what information is collected, and how it is used. The current approach seems to be a pre-checked opt-in, but there is no clear definition of what is acceptable and what is not. Ebay has studied that using opt-in or opt-out leads to the same % of action from users: 1%.
Identity theft requires a lot of education of the public in order to 1) be aware of the issue and how it may happen, and 2) the grave consequences ID theft may have. In fact, Citibank – which has partially built its consumer value proposition on covering its customers in case they are victim of ID theft. And recently, TV series like Law&Order have included ID theft in their stories. All these elements lead to the required awareness of everybody, because everybody is at risk.
Ebay is doing a lot to educate its customers as to how you can prevent/detect identity theft. Risk is for someone to get phished, and have their account used to sell bogus items, leveraging their reputation score. Ebay detects unusual patterns: selling different types of items, and from unusual IP addresses – in this case blocking potential transactions.
Unfortunately, education is a challenge, because of the level of sophistication phishers now used to lead their targets to enter critical data. It takes some time to decipher that an email that looks genuine actually contains one or two bogus URLs. Not mentioning malware that might install a keylogger on one’s machine through a "drive-by download". Event experts or sophisticated users can be fooled, sometimes because they are not paying enough attention to what they are receiving, downloading or watching.
There is still a paradox: people are aware that their identity needs to be protected, companies spend serious dollars implementing dongles, secure ids, thumb scanners,… and at the same time, a lot of us drop our business card in a bowl to win a free meal…
Some level of regulation is required, but it is not clear how much can be achieved (example of the Can Spam regulation that led to… more spam). A baseline discussion has to take place at the national level about privacy and identity, treating both online and offline. Current state of laws is creating complexity and confusion.
There are a lot of point solutions, which are working reasonably well, like the Ebay toolbar that detects phishing sites. The industry has yet to come up with a set of standards that are broadly adopted, and swiftly implemented. But we are not there yet. In the meantime, this is a useful resource to consult regarding phishing.
So to summarize: the problem is complex, crooks are agile and come up with new ways of trying to steal things from us (phishing and malware are recent evolutions of previous deceptive techniques), and whilst the industry is trying to play catch up, "Users Beware" is in order.