Our Blog

Our Blog

Expectations of Privacy

Computer Security Baltimore

In the future, there will be no privacy. Truth is, there’s really not so much of it now, but in the future, we’ll all know it, and not be shocked or surprised when we discover that it’s been breached. Now isn’t that a cheery thought?

I don’t know if it will actually become Law, or just the understood de-facto situation, but it will happen. It will be due, in part, to “Big Government,” in all technologically-adept countries, but it will also be due in part to carelessness: on our parts (i.e. Consumers), and on the part of the companies we need to work with.

Our Part

As consumers, most of us are usually looking for the easiest path to just about anything. Whether it’s something that’s good for us, or not. We want it “easy.” That’s why we don’t fix our default FaceBook settings, unless someone posts something about how we should. It’s why we use the same username and password for every website on the Internet; why most of use passwords like, “Password” or “123456”, and why we keep even those on a piece of paper we carry around with us, or have it on a Post-It Note stuck to our monitor, or to the bottom of our keyboards (if we really want to be sneaky!), or maybe we even have it in an unencrypted text document called Passwords.txt, on our computer’s desktop.

We say we care. We even think we care. But we don’t – not really. Because “Security” is, by its nature, inversely-related to “Easy.”

The Companies We Work With

If we don’t care about our own privacy and security, why should others care? And so we have breaches at Sony, which compromised hundreds of thousands of user’s data, including usernames, passwords (which we’ve already established, we use for everything), real names, email addresses, and other bits of information. And what did people really care about? Well, the PlayStation network was down for a few weeks! They couldn’t play MegaGoryDeath VII! I don’t recall there being much out there about masses of people changing their passwords for everything.

This morning, I read Casey Halverson’s excellent piece about the Nissan Leaf’s new CarWings system. Now CarWings is intended to make things really easy for the driver, and frankly, it does a bunch of really cool things. Among those things, is an RSS reader, which enables the user to setup feeds from various websites, that it will then read to you. So you can listen to the latest CNN or FoxNews articles, while you drive. But it’s the GET request that Casey found so interesting. (An HTTP GET request is the message your computer sends to a web server, in order to request information from that site.) Usually, GET requests are formulated to provide certain information to the web server, so that the server can better provide the data to you. For example, it will usually contain the name of your browser, so that it can be used to better format the page for you. In this case, as Casey demonstrates, CarWings also includes your current latitude, longitude and speed, as well as your destination latitude and longitude, if you’ve put that into the GPS module. This information is sent in clear text across the GSM cellular data connection, to any site you point it at. At the moment, sites are probably not configured to actually use that information for anything, but in the future, it could be used to, say, enable local businesses to promote themselves to you, as you drive. Imagine driving down the highway and having the car tell you that you need to charge up the car, and that there are 3 charging stations within 5 miles of you right now, and that the Shell station at on Exit 35 has the best price today, but that the Exxon station at Exit 36 is offering a free car wash. Hey – that’s pretty cool. But now imagine getting a bill from the local police dept. because you were driving over the speed limit. Imagine a stalker knowing not only where you are, but where you’re going. Now it gets a bit more scary. And what if the rapist in the car behind you has a GSM scanner, and can discover where you’re heading. Now he can follow you at a leisurely distance, or perhaps even beat you there (think Little Red Riding Hood), instead of trying to find an opportune moment to do it.

But we like the “features” aspect of it all, so we don’t complain about these types of things – at least not loudly. And so there’s really no disincentive for manufacturers to pull this sort of thing. We just don’t care.

What can we do?

We can vote with our feet, and our keyboards. We can tell Nissan, and others, that we don’t trust them with that much personal data. That we aren’t going to buy the Leaf, even though we like the car otherwise, because we believe it’s an invasion of our privacy. We could rail, not whimper, when Sony or Best Buy or others get hacked and expose our personal data, which could have been much more protected had they taken the simple expedient of encrypting the data! Then companies wouldn’t even think of doing things like this. But as long as we just shrug our shoulders, and go on with our days, they won’t bother.

Is this what we want? Is it what we need? I guess that’s a political argument. I’m just reporting on the technology.


About dspigelman