Tag Archives: privacy

Watching my PII

For a while I’ve been thinking about how personal identity data (often called Personally Identifiable Information, or PII) is managed – both as a consumer, and from the perspective of service providers. I’ve been following along with the work being done by (amongst others) Microsoft, Google and the Kantara Initiative UMA WG, and it seems inevitable that over the next year or so the landscape will have the scope to evolve dramatically; I say ‘have the scope’ because I wonder what this will actually mean from a consumer’s point of view.

The internet landscape of the ‘average Bob’ consumer user has changed significantly over the past year or two, resulting in not only an explosion of logins and of PII scattered everywhere, but of services that allow (or require) this data to be shared from site to site. Bob might well have logins to various sites for online account management (banks, utilities, etc), each of which will hold local copies of his PII (address, DOB, etc), but he also now has a Facebook profile, a Flickr account, and perhaps shares his travel through Dopplr and his location through Google Latitude, and allows his friends to see his data in some or all of these services.

What I want

Because I’m conscious of my PII spreading out over the internet, and of the hassles of managing it all in a secure manner, I’d like a service along the lines of that described by Mark Dixon here to manage it all; though as I commented on his post, I’d like something a bit more outward-facing. My ideal identity service would contain:

  1. Credential Vault: Consolidate credentials into one identity (‘me’), which lets me authenticate to services as appropriate. This should be a standard federated identity (an OpenID, InfoCard or whatever) where it can be, but it should also act as a LastPass-style credential vault where the service provider doesn’t support new-fangled federation. This credential store should be cloud-based, but locally cached, and optionally integrated with my OS (for strong auth via smart card, biometric, etc). The credential actually exposed to the end service will vary (I might want to be totally anonymous, or at least pseudonymous – not traceable from one service to the next), so they don’t necessarily need my strongly authenticated, full-on identity, and this is separate from my level of authentication to the broker (which is by necessity always equal, or stronger).
  2. Attribute Store / Persona Editor, with Assurance: Collect all my PII, and provide an easy way for me to group this into personae (my personalities, if you will) and present this to SPs. Services should be able to specify that they need a level of assurance, and that the various attributes I provide are true – and my identity store should be able to keep this and present it when needed. As an example, I might just present a name (it might not be real) to a web forum, but my real address, verified by an independent body, when applying for a new credit card.
  3. Auditing and Updating Service: Beyond providing PII to sites, I want to be able to look back and find out who I gave it to. Today, I have no idea how many sites have my addresses (email or physical) – probably thousands over time. I’d like to see a log of this; moreover I’d like to be able to revoke that data from the providers, or force them to update their cache of it from my store when it changes. Furthermore, I want to know where else my data has gone – a list of which of my Facebook friends has synced my contact details to their mobile, perhaps. Ideally I should be able to set terms on registration of what each service can do with my data – this is more of a contractual, rather than technical, assertion.
  4. Sharing and translation: For site-to-site sharing of my data (Dopplr updating my Facebook, for example), OAuth describes how permission can be granted at a service-to-service level, but my Identity Store should be a broker in the middle so I can make decisions in one place. By sitting in the middle, this broker could offer additional services, translating data into a shareable format where a point-to-point service doesn’t already work.
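To make the persona, assurance and audit ideas in the list above concrete, here is a small model of such an identity store, written as an added example (it is not code from the post or from any of the projects named): attributes carry an assurance level, a persona exposes a subset of them, every disclosure is logged so the store can answer “who has my address?”, and an update returns the services whose cached copy is now stale. All names, personae and sample values are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

SELF_ASSERTED, VERIFIED = 0, 1  # assurance levels, ordered: an SP may demand at least a given level

@dataclass
class Attribute:
    value: str
    assurance: int          # SELF_ASSERTED or VERIFIED
    verifier: str = ""      # independent body that vouched for it, if VERIFIED

@dataclass
class IdentityStore:
    attributes: dict = field(default_factory=dict)  # attribute name -> Attribute
    personae: dict = field(default_factory=dict)    # persona name -> set of attribute names
    audit: list = field(default_factory=list)       # (service, persona, attrs released, when)

    def disclose(self, sp, persona, requested, min_assurance=SELF_ASSERTED):
        """Release only attributes in the persona that meet the SP's assurance bar, and log it."""
        allowed = self.personae[persona]
        released = {}
        for name in requested:
            if name not in allowed:
                raise PermissionError(f"{name!r} is not part of persona {persona!r}")
            attr = self.attributes[name]
            if attr.assurance < min_assurance:
                raise ValueError(f"{name!r} needs assurance {min_assurance}, has {attr.assurance}")
            released[name] = attr.value
        self.audit.append((sp, persona, tuple(released), datetime.now(timezone.utc)))
        return released

    def holders_of(self, attr_name):
        """Auditing: which services were ever given this attribute?"""
        return sorted({sp for sp, _, attrs, _ in self.audit if attr_name in attrs})

    def update(self, attr_name, value, assurance, verifier=""):
        """Change an attribute and return the services whose cached copy must be refreshed."""
        self.attributes[attr_name] = Attribute(value, assurance, verifier)
        return self.holders_of(attr_name)

    def revoke(self, sp):
        """Forget disclosures to a service (the contractual deletion request goes alongside)."""
        self.audit = [row for row in self.audit if row[0] != sp]

def build_store():
    """Constructed sample data: a pseudonymous forum persona and a verified 'real' persona."""
    s = IdentityStore()
    s.attributes["nickname"] = Attribute("bob_the_builder", SELF_ASSERTED)
    s.attributes["email"] = Attribute("bob@example.com", SELF_ASSERTED)
    s.attributes["address"] = Attribute("1 Old Street, London", VERIFIED, verifier="credit-agency")
    s.personae["forum"] = {"nickname", "email"}
    s.personae["real"] = {"email", "address"}
    return s
```

A forum gets only the nickname, a bank demanding VERIFIED gets the address but is refused the self-asserted email, and after a house move `update` lists exactly the services holding the old address.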

I’d probably be prepared to pay for this, or see it as a value-add service from someone I already have a relationship with, as long as I trusted them with all this data.

What Bob wants

Bob, our ‘average internet user’, doesn’t really understand security. He’s the guy whose PC you have to fix when you go to visit, who has 15 browser toolbars from assorted malware running, and who loves to throw sheep at you on Facebook. He isn’t curious about why all those quizzes exist, and on a quiet Friday night wonders if that Viagra email might actually be a good deal.

He’s got online banking, GMail, Facebook and MSN Messenger. They all use his name (or a variant of) for the login name, and every password is the same, but it’s 8 characters and has a number in it – because his work IT policy says so, and that password is the same too.

Bob doesn’t think about where his PII is going, nor about who has it – at least until he moves house and has to tell dozens of companies – and gets a bailiff’s letter because he missed one off the list and bills get sent to his old house. He’d likely be pretty confused by the concept of the identity service I’ve described.

What the services want

Service Providers (like my bank, Facebook, or even government) want me and Bob to use their services. They want to capture enough PII from me to provide that service without scaring me off (because the service is insecure, or they’re taking too much PII) or scaring Bob off (because signup is hard and confusing), in the cheapest way possible. They want users to be ‘sticky’ to their services, locking me in as much as they can so I don’t leave for a competitor. And if they’re less than scrupulous, they can sell all my juicy PII to ad companies.

The attributes actually needed by the service provider, and how sure they need to be that the attribute is trusted, varies according to the service. Twitter doesn’t care that I’m me – unless I’m a celebrity – but the government wants to be pretty sure I’m who I say I am when issuing me a passport.

There aren’t too many standalone Identity Providers, and no ‘Identity Store’ brokers in the way I describe that I’m aware of. The best we have today are things like OpenID and OAuth. These allow me to use the credentials from one service provider to access others, or to set up point-to-point data sharing, but these are far from perfect… Google is of course keen for me to use my Google login to access services like Plaxo or Facebook – but they wouldn’t let me use a credential from these sites to get into all my Google services. This is done to assert the Google brand, and to keep me using their services.

Will we meet in the middle?

The various great technical minds in the identity world will no doubt come up with excellent solutions to a lot of this, but I don’t think the technology is the real challenge; instead, it’s the fact that the bulk of internet users are like Bob.

Service providers are generally not independent enough to build a complete service like this, and for it to be truly trusted, and there isn’t a business case for a standalone identity provider because most people are like Bob, and wouldn’t pay for an identity service.

It’s not all doom and gloom, however. The fact I can use my Facebook, Twitter, Google or Windows Live login to log into multiple sites is a step forward; indeed I even think the ‘NASCAR problem’ is a good thing, because it’s forcing people to think of elegant ways to move forward. This will over time

I’m not sure there’ll ever be a business case for completely standalone identity providers, but would imagine decent consumer-grade services will evolve out of services like Verisign’s Personal Identity Portal, or equivalents from people who already store lots of your PII (credit agencies, governments, banks etc) when they spot the consumer value in doing so. These will inevitably be multi-tiered services, offering Bob something nice and simple, yet offering me a (perhaps paid-for) more complex service.

As someone working in the identity field, I figure the best way to drive these things forward is to encourage all the Bobs I know to be more aware of their PII and where it goes – if enough of them start to ask questions, the services to support them will fall into place.

Facebook Security

Despite my better judgment, I’m still using Facebook. All of my friends and acquaintances use it, increasingly as an IM application, and not just for posting inane status updates. Indeed Adium, my IM client of choice, now supports Facebook chat, so I’m spending more time rather than less.

That being said, the thing I really don’t like about Facebook is the crappy applications and quizzes that people seem to expect you to join in with. I don’t care that you’ve thrown a sheep at me, or the Spice Girl you’re most like is ‘Baby Spice’… But more worrying is that these apps are quite often vectors for spam and people are entirely oblivious.

The security lab at Cambridge wrote a good article highlighting how bad this is, clearly spending a lot more time than my totally unscientific analysis of asking a few people I know, and experience of using the site. They noted that it’s relatively easy for an app to get published on the Facebook platform that can steal the user’s Facebook session, then use this to query Facebook’s servers impersonating the user and mine all of their personal data and that of their friends.

Facebook don’t allow you to do this under their terms of use, but obviously there are so many apps being published that some slip through the net. More than this, they’re not inclined to check particularly actively as long as users don’t shout too much – these apps have nicely targeted ads which make them and Facebook money. But of course the ads are targeted – the app stole all your data, so you can be pretty sure they can pick an accurate ad. None of this is new news, there have been a variety of reports in the technology and mainstream press highlighting how identity theft and other privacy concerns abound on Facebook.

The thing that never ceases to amaze me, however, is the fact that users continue to complete these inane quizzes, download free apps that allow them to throw sheep at their friends and don’t stop to wonder why anyone would go to the trouble of building these apps for free. It’s all well and good that Facebook asked me my date of birth when logging in from an ‘unusual location’ (I was travelling for work), but this is of little security benefit when it’s trivial to steal this information during my use of the site from the safety of my own house.

I’m unlikely to stop using Facebook given the amount of friends and work colleagues who use it, but please don’t be offended if I ignore your request for a pillow fight, zombie chase, gang war, or the chance to find out which South Park character you are.

Privacy and the government

Unfortunately I’m having a busy time of it at the moment, with lots going on both in and out of work. I really wanted to write a decent post around this, but haven’t had the time.

For now, I’ll just link to two articles from the Guardian:

Revealed: police databank on thousands of protesters

This first article shows how police are routinely storing photos and videos of political campaigners or protesters. These people aren’t breaking the law, but their movements and behaviour are being compiled into a large intelligence databank, to be kept for seven years, alongside evidence of those convicted of public order (or worse) offences. It’s a massive violation of privacy, as far as I’m concerned.

The second article stretches this loss of privacy even further, with the former Whitehall security co-ordinator stating “Finding out other people’s secrets is going to involve breaking everyday moral rules.”

This to me is a staggering admission that the government and civil service are happy to breach the rights of privacy for innocent citizens by routinely capturing and mining it to spot ‘suspicious’ patterns. The data to be collected are “personal information about individuals that resides in databases such as advanced passenger information, airline bookings, and other travel data, passport and biometric data, immigration, identity and border records, criminal records and other governmental and private sector data, including financial and telephone and other communications records.”

Even more worrying (though perhaps unsurprising these days), there’s a good chance the data management will be outsourced to the private sector and not held by the government. This means that private organisations, quite likely outside the UK will be responsible for the security of your financial information, communications records (in other words your phone bills, and likely your emails), and travel records.

It seems there’s little general awareness of the scale of these plans. If you happen to stumble across this post, I recommend you try to learn more about this, and if you feel strongly, write to your MP.

Homeland 'Security'

We got a notice at work this morning about the US Visa Waiver programme, informing potential travellers to the US that the system is changing. As of 12th January 2009, it’s mandatory to register in a US government online system at least 72 hours before you travel, unless you’re a US citizen or have a Visa.

Into this system, you must provide:

  • Applicant information (Birth date, full name, email, gender and phone number)
  • Passport information (issued date, expiration date, number and country of issue)
  • Travel information (flight and city)
  • Address whilst in the US
  • Health information (diseases, mental illness)

So, in itself, it’s amazing that you’re expected to give up all this personal data to the US government before you even leave your own country. Beyond that, there’s the risk that this system gets hacked, and someone steals all this data about you.

But I’m absolutely staggered by the popup disclaimer you have to accept on entering the site (I’ve added the bold emphasis):

You are about to access a Department of Homeland Security computer system. This computer system and data therein are property of the U.S. Government and provided for official U.S. Government information and use. There is no expectation of privacy when you use this computer system. The use of a password or any other security measure does not establish an expectation of privacy. By using this system, you consent to the terms set forth in this notice. You may not process classified national security information on this computer system. Access to this system is restricted to authorized users only. Unauthorized access, use, or modification of this system or of data contained herein, or in transit to/from this system, may constitute a violation of section 1030 of title 18 of the U.S. Code and other criminal laws. Anyone who accesses a Federal computer system without authorization or exceeds access authority, or obtains, alters, damages, destroys, or discloses information, or prevents authorized use of information on the computer system, may be subject to penalties, fines or imprisonment. This computer system and any related equipment is subject to monitoring for administrative oversight, law enforcement, criminal investigative purposes, inquiries into alleged wrongdoing or misuse, and to ensure proper performance of applicable security features and procedures. DHS may conduct monitoring activities without further notice.

So I have to give up significant amounts of personal data, and have no ‘expectation of privacy’. Makes me think twice about whether going to the US is even worth it.

Surveillance, Privacy and Liberty

Britain has been known for some time to be decidedly interested in surveillance, in the name of security. It’s an oft-quoted comment that Britain is a ‘surveillance society’. That said, in part because of technology, and the ‘war on terrorism’, there seems to have been a noticeable shift in the amount of surveillance, and how it is being used – both by the government and private organisations.

Clearly there is some good to come of the 4.2 million CCTV cameras in Britain – I was astounded at the speed with which the London bombers of July 2005 were traced. It wasn’t long after the event that the bombers had been traced back across London, to the place they had boarded a train, no doubt speeding the investigation.

Some people clearly have concerns about how the technology is used, however.

More than just the increasing use of cameras for passive monitoring, there are much more active techniques for observing people and taking action. Under a new police initiative, cameras will use automatic numberplate recognition to check for ‘vehicles of interest’, following which motorists will have their fingerprints checked against the Police National Computer. The stated aim is to ensure identities can easily be verified at the roadside, to avoid people giving false details. Fingerprints are stored in this computer system when people are charged with a crime – though clearly it would be much easier if everyone’s details were stored, rather than only those of existing criminals. The police also suggest the technology could be extended for real-time searching of the “Facial Images National Database”.

One presumes these fingerprints might come from the biometrics gathered for identity cards, our nice, ‘secure’ e-passports or the IRIS airport scanning system.

It seems to be a significant shift that’s occurred recently where it’s freely admitted by many of the involved organisations that this sort of data will be gathered on everyone, rather than those guilty of a crime. When automatic facial or numberplate recognition, or even behaviour patterns, are used to monitor potential criminals rather than those guilty of something, even those who suggest ‘if you’re not guilty you’ve nothing to hide’ might start to worry.

As evidence that there is increasing acceptance of surveillance, I noticed barely a raised eyebrow when mentioning the Pay-as-you-Drive car insurance promotion by Norwich Union to people, wherein you are given a GPS tracking device and billed according to your driving pattern and risk profile. Given they know where you’re going and how fast you’re moving – might they report to anyone (or just adjust your premiums) if you’re speeding?