Chapter 1
Privacy Activists Are Optimists

“And all that the Lorax left here in this mess was a small pile of rocks with the one word UNLESS”
Dr. Seuss, The Lorax

The Illusion of Privacy
An interesting debate arose at the Check Point User Experience event in Dublin on May 22, 2002. The issue concerned network intrusions of home computers that are connected to cable modem or DSL lines. “I think every single user at home gets 200 attacks every day,” said Gil Shwed, Check Point’s CEO. That contrasted with commonly accepted data, which suggests that the correct average figure is ten attacks per day. Only ten attempted trespasses into our homes by unknown strangers every day!

What accounts for the difference? According to Aaron Goldberg of Ziff Davis Market Experts, “The ‘200 attacks’ remark was based on the numerous alerts users see after they install a firewall or intrusion detection system. If all these were malicious attacks, it would require a hacker community much larger than is believed to exist, running multiple port scanners. In reality, many of these alerts are sites scanning for cookies rather than attacks – a privacy issue but not one to panic over.”

So let’s think about this. Even before the spyware epidemic began in 2004, our home computers were being intruded upon typically 190 times a day, but that’s merely a privacy issue and therefore nothing to worry about. Furthermore, those intrusions are not just bored individuals poking around; they represent an organized search for information in our cookie files. In other words, they are digging for information about what we do with our lives, what we purchase, what sites we visit, even perhaps whom we correspond with. But they’re not “malicious attacks.”
Steven J. Schugart Jr., commenting about intrusive advertising in Network Computing, notes that:

More disturbing is the spyware and usage-tracking cookies used by vendors. In my role as technology editor, I do a lot of research on the Web, bouncing from site to site. Because of the illegal Trojans used by too many sites, I have had to invest in a program called Ad-aware by Lavasoft. It sweeps my system for known spyware and usage-tracking cookies. Take a look at the demo version and run it on your system. You will be appalled.

Some of these infractions are so egregious that my antivirus program picks up on them. The use of such tactics is tantamount to theft of services . . .

And consider this: As our privacy rights melt away in the heat of our patriotic fervor, companies are going to use the FBI’s continued efforts to invisibly monitor our cyberactivities as a shield. I can already hear the spin: “Our software is considerably less intrusive than the FBI’s Carnivore and Magic Lantern.”
And why would such an intruder stop with cookies? If they’re going to poke around without permission, they might as well look at our schedules, contacts, and perhaps search our word processing and mail files for the occurrence of select words and phrases.

Much has been made of the FBI’s Magic Lantern program, which captures keystrokes of people whom the FBI wants to monitor. The keystrokes of greatest interest, of course, are those that make up encryption passwords.

Magic Lantern has been compared to commercial key loggers such as Ghost, but there are two big differences between Magic Lantern and key-logging software. The first is that Magic Lantern is propagated as a virus. The FBI is in the business of planting viruses in the computers of those whom it wants to monitor, viruses that are sent via the time-honored method of infected email. The second difference is that key-logging software is a product, not a practice. It is not evil in itself – parents may legitimately need to know what’s going on in their young children’s chat sessions. But key logging can also be used by a thief to snag an online banking password. How it’s used determines the product’s legitimacy.

Before we condemn the FBI, and for that matter all in law enforcement who snoop on online communications, consider what they are up against. Global village communications facilities have made the job of the international wholesale drug trafficker or terrorist much more efficient, and encryption ensures that those communications cannot be read by others.

The fact is that the U.S.’s FBI, Secret Service, NSA, CIA, ATF, the UK’s SOCA, MI5 and GCHQ, Canada’s CSIS, France’s DGSE and numerous other agencies must be able to snoop when the situation calls for it. Consider the very unsettling possibility, or perhaps probability, that a plan for use of a suitcase nuclear weapon in a major city is being discussed in some online communication right now. Even the most strident privacy activists would not want to categorically deny the right of law enforcement to intercept that communication.

Often the abridgement of the rights of suspects is cited as a dangerous Information Age phenomenon. In fact Thomas Jefferson himself acknowledged in his pursuit of members of the Burr/Wilkinson conspiracy that the liberties of unconvicted criminal suspects must of necessity be compromised. In a court of law Aaron Burr was considered innocent until proven guilty. That didn’t stop Jefferson from intercepting Burr’s written communication and interfering with his freedom of movement in order to have him brought to trial, where he was acquitted.

The good news is that we have a means of reducing abuses of such powers, while at the same time solving a serious problem for law enforcement. That solution is based upon something that is viewed by many as the antithesis of privacy: the universal ID. We will show, however, that a combination of a properly designed universal ID system, with a PKI built upon a properly designed and governed certification authority, is actually our greatest hope for truly keeping control of the use of information about ourselves. Properly designed, a universal ID system can be a bulwark of our privacy rather than an eroder of it.

Strong authentication of identity gives us a means by which the use of police powers in monitoring online communication can itself be monitored and limited. In Chapter 8 you’ll read about the specifics of the Law Enforcement Infrastructure, one of the twelve components of the Quiet Enjoyment Infrastructure. The Law Enforcement Infrastructure accommodates both the need for privacy and the need of law enforcement to monitor communication among suspected criminals. Most importantly, it allows law enforcement to do its job while providing a means to ensure that the power it conveys is not abused. You can skip ahead to Chapter 8 if you want to, but I hope you’ll first read about the Personal Intellectual Property Infrastructure component of QEI.

Sometimes the government’s ability to monitor communication among suspected criminals can distract our attention from the activities of others who have already succeeded in knowing much of what everybody is doing and have furthermore learned how to use that information to influence the decisions of huge numbers of people.
Your Choice

Privacy activists tend to focus on policy for organizations that allow themselves to be governed by policies. While they do that, an assortment of organizations and “cookie clubs” that laugh at the notion of privacy policies dig through the files that reveal as much as any about our lives. Your cookie files are much more valuable to nosy organizations than are utterly unnecessary pieces of “index” information, such as your social security number. We will go into this in more detail later, but this situation does highlight the need for action.

In fact, you have an important choice to make. Right now. Will you control your own life? It’s a simple, binary choice – yes or no. There are no shades of sort-of or almost to mitigate the starkness of the choice. This is all or nothing. If you don’t act, then ask yourself, who will be in charge? Will it be a monolithic entity more frightening than anything ever conceived by George Orwell?

Who will control your life?

You may think that’s overly dramatic. After all, the subject is privacy. We’re only talking about information, right? The junk mailers and others who use information about you don’t control your life, do they? Surely they just add an element of annoyance to it. Besides, a growing awareness of privacy concerns will result in meaningful privacy policies and laws that govern the intrusive activities of the companies involved and the use of their databases, won’t it?

This is about more than annoyances. To begin with, it’s about access to the most intimate details of your life. On a more sinister level, it’s about the ability of those who have information about you to control and manipulate you.

As a solution to the particular problem described in this chapter, privacy policies and laws are as meaningless as would be a law prohibiting the AIDS virus. Let’s look at some of the difficulties presented by technological innovation that prevent quick and easy remedies.
What Law?

Right now gambling operators and pornographers operate websites on servers in various Caribbean islands and Third World countries. Their services are offered to any users, including American citizens, who come across their site. But everything about the service and the transactions takes place offshore, using a foreign banking system to process credit card transactions. Unlike old-economy crooks, who set up false offshore addresses for illegal activities that really take place in North America or Europe, the operator of such a website is established in the Third World host country.

If the website operator happens to make his or her services available to anyone with a computer or wireless information appliance, regardless of location, then it is the user who transgresses, not the site operator. By anyone’s standard, the operators are governed by the law where their services originate, not by the law in the venue of some remote user. And what if their host nation changes its view of such matters? Easy. If one Third World government decides to crack down on offenders, a backup server in another developing country can be ready to take over in a heartbeat.

We all know that Internet traffic and activity knows nothing about national boundaries. Why then, when it comes to policy and regulation, do our discussions assume that governments and legislation are of any relevance?
What Company?

Companies have charters, officers, boards of directors, and balance sheets to which they are held accountable. Most companies will bend over backward to avoid putting their assets and officers and branded reputations at risk. But what happens when a middle manager at one of those companies is under pressure to improve his unit’s performance? And what if he discovers an unnamed club, devoid of physical location or membership roster, where he can barter his customer information for information from unnamed other sources and thereby get the advantage he needs in order to make his numbers? When the pressure intensifies, the trade will take place.

There is a famous story about IBM approaching the owners of the Apache open source Web server software product, which IBM wanted to use as part of its WebSphere product. IBM could not find the company that owned this market-leading product because no such company existed. Apache was developed by a club, a group of people dispersed around the world, many of whom had never met one another. There was no legal entity for IBM to negotiate with. This is how open source development typically works; in this case, it is a club with clear visibility and nothing to hide – a marvelously productive gathering of some superb developers.

Expect to see a proliferation of such clubs. Know that for every such club that has clear visibility and nothing to hide, others will exist with no visibility and plenty to hide. Can we afford to keep delivering security solutions to cure specific pains until we get around to developing managed facilities that are reliably secure and that accurately identify identities? Will chaos need to come before order? Isn’t the demand for accountability great enough for us to procure such a system?

Alas, the dangers haven’t reached sufficient height to appear to necessitate such a system. So, according to human nature, we will continue along, as is, until a disaster occurs that endangers enough people to bring about a reliable solution. The problem is, of course, that when disaster strikes, it will do so quickly and will certainly take us off our guard. It may be so severe as to offer no chance of recovery.
What Databases?

Two or more big, costly, established customer databases with the finest government-regulated corporate pedigrees and privacy statements can mate, in the middle of the night, on a server on some Asian outpost, producing a “join” that is not accountable to anybody.

Most “data banks” are collections of tables of information plus some procedures for using them, collectively called relational databases. A “join” is part of an operation that finds records of interest from two tables, using specific criteria.

Joins are ephemeral – they happen and then they vanish. Their progeny is a bit of combined information that then might be part of another table. That table, after perhaps mating with another dozen or so products of such joins around the world, might start to form a very revealing picture of a person or organization or other entity.

Joins are fun to play with and can be immensely powerful. Tracking down their source can take months and years of intelligent sleuthing, during which time another few thousand generations of joins have come and gone and wreaked their havoc. Databases are meek; joins are powerful.

Law, organizational accountability, and nicely bounded and identifiable collections of information are comforting concepts when our privacy is threatened as it is today. But these concepts, as they are typically invoked by those who comment on privacy issues, can be meaningless.

We will see that

- Instead of useless legislation, we need new applications of existing intellectual property law that is reasonably enforceable across national boundaries;
- Instead of useless privacy statements and impossible enforcement challenges, we need to claim our information as our property, and treat those who steal it as thieves;
- Instead of looking for abuse of our information at rest in databases, where it appears to be well cared for, we need to track it down as it’s dragged around the seamy hangouts of the tabular sex trade.
Mass Manipulation

Invasion of privacy is an “in” topic these days. The standard concern seems to be how to prevent annoying and unsolicited mail. At the other end of the spectrum, journalists, companies, and individuals are expressing their concern about preventing disclosure of personal medical and financial information. But the consequences of loss of privacy do not stop with privacy loss itself. That’s just the first step. Industrial psychologists know that if I can know enough about you and I have some access to your perceptions, then I can control you.

How vulnerable are we humans to manipulation? Can we be made to do things we would never do of our own accord? On a mass scale, history shows that the answer is yes.

How did the Third Reich come to power and get the German people to acquiesce to its unbelievably inhuman agenda? Did a psychopath named Adolf Hitler find a capable and amoral propaganda minister who could inflame the masses? Or did a master manipulator named Josef Goebbels go in search of a convenient psychopath to implement his plan to leverage some emotional capital – Germany’s residual national psychological instability – after the First World War?

Practitioners like Goebbels used new kinds of media to move masses to act on their basest feelings of national anger. Goebbels and the media industry of the day believed that it was impossible and unnecessary to shape the perceptions of single individuals. Rather, one had to send out messages to be digested by millions of people at a time. Today in democratic, developed, happy consumer-driven cultures such as ours, mass media is used to move masses to believe in the necessity of food processors and the notion that one’s personal identity is defined by the purchases we make: a BMW, Prada shoes, an SUV, an IKEA chair, an Armani suit, a Madonna CD, an NSync action figure . . . one only has to sit down for 139 minutes of Fight Club to feel the impact of the degree to which we have truly become products of our times.
The junk mail industry shares many of these mass-media beliefs. But they have been attracted over the last few decades by the tantalizing results of what has been called database marketing.

Database marketing started out as a way to make mailings more effective. A company would send out mailings with, say, four different messages and three different offers on a few different days of the week to names on a half dozen different lists, with different “selects” from each list. With the tools of a relational database, one could quickly discern which combinations produced the most successful mailing.

As the science of database marketing progressed, and the intersections of the growing number of tables became better understood, marketers were able to come closer and closer to their ideal of being able to mathematically predict the probability that, given certain things affecting your perceptions, you would behave a certain way.

And now, the more forward-thinking direct-mail experts look to the day when behavior is tracked, predicted, and manipulated on a “list” containing only one name. Based upon a detailed knowledge of a person’s past actions, a piece of mail could be so targeted to that individual that it would strike precisely the nerve it had to for a response. This, in fact, is the goal of “one-to-one” marketing. First described by Don Peppers and Martha Rogers in their book, The One to One Future, one-to-one marketing’s goal is commendable: to provide each and every one of a company’s customers with the kind of personalized service that one would expect from a shopkeeper down the street in a village where one had lived for years and where one’s preferences were well known.

As long as we personalize the phenomenon in that way, it’s a wonderful idea: Old Mr. Peebles, who runs the village bookstore, knows I like Grisham novels. When a new one comes out, he makes sure there’s a copy reserved for me and that I know about it.

But it’s not old Mr. Peebles, it’s a software robot at Multimegamedia Ltd. The software robot does “data mining” on many tables in many databases about me. The software robot does not know me and does not want to know me. It does, however, want to get better and better at predicting what I will do, given what I’ve done in the past and what Web pages and other information guided my perceptions before I did those things.

Multimegamedia has a strong privacy policy statement, which one would assume limits it from sharing information about you. Not so fast. Multimegamedia also has tens of thousands of “partners,” and their partners have partners, who run clubs and clearinghouses, and they know precisely how likely I am to passively accept their monthly book selection rather than make the effort to select my own. (That is very valuable data to a marketer.) They also know everything my cable TV company knows about me, they know what TiVo knows about what television shows I have watched, particularly those I consider important enough to record, and for that matter they have access to the times and dates and locations of all my credit card transactions, and so much more.

Multimegamedia, technically, does not share data with “others.” The uncounted numbers of attempts to contact you by phone or mail or email or pop-up window to get you to do something will not come from outsiders with whom they have shared data. No, they will come from subsidiaries and partners. And if you will look closely at paragraph 156(Q)33, you will see that the privacy statement clearly says that sharing information about you with their partners is not really considered sharing at all. (Oh, by the way, the state turnpike authority, which must record your comings and goings in order to bill you correctly for the use of your toll-pass device, is a “partner” of Multimegamedia.)

In implementation, we see one-to-one marketing take forms where, for example, an online retailer knows with a fair amount of certainty that a given customer has never seen a particular price on a product, and that the customer has shown a propensity to pay a high price for similar products. Instantly, a “special” (high) price is created just for that customer.

Online implementations of the one-to-one methodology don’t have to take forms that invite manipulation of users. If you marry the concept of “opt-in” marketing with one-to-one, you could have the best of both worlds. Opt-in refers to the practice by which a consumer explicitly enables access to their personal information to marketers whose products have interested them. The value of this approach exists only if the marketer is restricted to information about you that is accessible to you, information that is genuinely under your control. And in fact that can be done, using methods described later in this book. The methods are not naïve – a marketer can sustain a business with them.
Traditionally, marketing databases had been built upon information about responses to mailings. These responses will not define an individual beyond a certain point. But if you augment the information with a detailed record of the websites visited by the individual, where on the Web and in the physical world they have used their credit card, and other easily retrieved data, you start to get a more detailed picture of the person. Data acquisition techniques get more comprehensive and more powerful all the time. But the real break from the limitations of mass media comes not with data acquisition but with the interpretation of the data.

In the old days it took an experienced and intelligent human being to analyze data about you and make predictions about your behavior (“If I send him information which alters his perception in such and such a way, he will do such and such a thing.”) Now software makes the process of pattern recognition considerably faster. The software can analyze the patterns of a hundred million people almost as easily as it does a single person. Where the human mass marketer might come up with a few dozen profiled categories of people that the hundred million fall into, the software robot can come up with a hundred million profiles and a hundred million sets of directions to other robots, each of them saying, “This person has been exposed to this and this information and has done such and such in the past; if you present this further information on these three dates, there is an 87% probability that the person will do what we want him to do.”

This view of the privacy problem is based on the knowledge that every human being’s behavior can be manipulated if you know enough about the person to control his or her perceptions – nobody is immune.

Professionals in the intelligence community must know that this applies to them too, because control of perceptions is one of the essential tricks of that trade. Advertising professionals know that they themselves are vulnerable to the efforts of their colleagues – Advertising Age is full of advertisements. Magicians certainly know the power of perception control.

For the most part, though, people who are not in the business of manipulating perceptions tend not to recognize their own vulnerability. We all want to believe that as rational human beings we are not susceptible to thought control. “That’s for the masses, not for me,” says every member of the masses. A simple test reveals the truth: Only those who are never fooled by a magician can make the claim that their perceptions are not subject to manipulation. Have you ever been fooled by a stage magician?

Here’s an example of modern media manipulation magic.

Let’s say I want to chop down ten thousand acres of forest. Four thousand individuals live in the area affected. Five hundred individuals appear at the intersections of some tables that define people who make decisions about the use of forests in the area. Twenty people at the intersections of these groups have credentials in the life sciences. One of the objections to cutting down the forest has been the destruction of the habitat of a certain mammal.

Now, can we find (or concoct) evidence that the mammal in question is a host for the deer tick that causes, say, Lyme disease? Can we orchestrate a series of communications to manipulate the perceptions of those twenty life scientists and frighten them into thinking that we have a deer tick epidemic on our hands?

Certainly we couldn’t do that with old communication tools; the effort would be clumsy and obvious. Certainly we can by deftly using today’s database and targeted communication tools. We simply have to make a series of pseudo-facts appear as though they are coming from legitimate sources.

But the challenge is not just to find the twenty life scientists. That’s old hat to database marketers – it’s been done for years. No, the very special challenge is to come up with the answer to the question, “Now that we have identified the twenty people we need to influence, how do we find all of the sources of information used by these people?” By discovering the sources they consult to form their opinions, thought control becomes more and more possible. Once they have been converted, they will influence their neighbors.

If the story of the epidemic were to come from anyone else, its credibility would be less than the strongest possible. Instead, the story of the epidemic will arrive at the journalists’ doorstep from the mouths of concerned local life sciences professionals, not from the PR machine of the greedy paper company that wants to tear down the forest. The result? In the eyes of the public, the forest, if left standing, will go from a source of inspiration to a tainted, troubled, infested wasteland – one of those places you need to keep your kids away from. That alone won’t make people want to cut it down, but it will be enough to limit the support for those who oppose the cutting of the forest. Mission accomplished.
Orwellian Joins

When a skilled writer like George Orwell builds a plot around an evil entity, he must give it a name. He must personify it. After all, how can a villain contribute to a plot if he cannot be vilified in a reader’s mind?

It is hard, however, to become passionate about a database – hard, that is, if you don’t have one. But some people have a piece of a database that is part of a powerful source of control over the lives of every human being in the developed world. And as we know from the familiar paraphrase of Lord Acton’s observation, “Power corrupts; absolute power corrupts absolutely.”

Real live human beings are at work building this immense source of power. It is not the Internet. It is not, in the lexicon of technologists, a database. But in the lexicon of lexicographers the term database really means something broader than its narrow use in technology jargon:

Database, n.: an organized body of related information

A library filled with shelves of books all related to a particular industry or academic discipline is a database. A collection of tables all related to a particular thing is a database. If you’re not familiar with databases, you can still easily understand what this is all about. Start with a “table,” which is just what you think it is: information arranged in rows and columns.

Technologists often use the same word “database” to refer to two different things: (1) a collection of tables of information and (2) the software that manages those tables in order to sift through information – perhaps about you – and compare and merge it with information from other databases. To be accurate, though, the latter is a database management system, not a database.

But the real definition of the word “database” tells us that a collection of hundreds of thousands of cells in tables about you, housed on different servers in different parts of the world using different operating systems and different management systems is, in fact, one database about you.

The technical term for information about you is PII – “Personally Identifiable Information”:
The concept of PII – the idea that data belongs in a special class when it is tied to an actual, identifiable human – is especially helpful when we try to come to grips with questions involving privacy, technology, and commerce. PII is like uranium: quite valuable, but more than a little dangerous when it falls into the wrong hands. It has become so important that Wall Street analysts are valuing some companies based on the quantity and quality of their customer PII profiles; privacy advocacy groups and governmental regulatory agencies around the world are closely monitoring PII collection and use, and considering a staggering amount of new legislation; software developers are reengineering their products to become “PII-compliant”; even new sniffers (the network analysis tools used by software engineers and hackers) are in the works for the express purpose of tracking PII inside large information systems. Yet most users of the Internet, even active ones, have very little idea what PII is, how it is collected, where it is stored – or even why it is important.
At an e-business conference at Fleet Bank in Boston, a concerned statistician cited a medical study of the residents of Cambridge, Massachusetts, to show how revealing just one table can be. In response to concerns about protection of the privacy of the subjects, the study’s author noted that while he had privileged information on the medical backgrounds of almost all residents, all names and addresses were deleted from the records – “only” birth dates were left. The statistician then noted that in a random sample of 100,000 people, 12 percent have unique birthdays. If I have only that one table, and I acquire the city’s public voter registration records, a simple sort lets me know something I should not know about the medical backgrounds of the voters among those twelve thousand people. And more tables are always available.
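The join the statistician describes, and the join mechanics from the “What Databases?” section, as an added illustration that is not code from this book: two constructed tables, a “de-identified” medical record set that kept only birth dates and a public voter roll, are linked on the one shared column. The second half shows the standard countermeasure, checking that every birth-date value is shared by at least k records (k-anonymity) and coarsening or suppressing the records that are not. All records, names and diagnoses are made up; the function names are this example’s own.

```python
"""Re-identification by join on a quasi-identifier, and a k-anonymity check.

Added example for the Cambridge birth-date story; not the book's code.
Every record below is constructed sample data.
"""
from collections import Counter

# Constructed "medical" table: names and addresses stripped, birth date kept.
MEDICAL = [
    {"birth_date": "1961-04-12", "diagnosis": "asthma"},
    {"birth_date": "1975-09-30", "diagnosis": "diabetes"},
    {"birth_date": "1975-09-30", "diagnosis": "hypertension"},
    {"birth_date": "1988-01-05", "diagnosis": "migraine"},
    {"birth_date": "1990-11-22", "diagnosis": "none"},
]

# Constructed public voter roll: a name plus the same quasi-identifier.
VOTERS = [
    {"name": "A. Smith", "birth_date": "1961-04-12"},
    {"name": "B. Jones", "birth_date": "1975-09-30"},
    {"name": "C. Lee", "birth_date": "1975-09-30"},
    {"name": "D. Patel", "birth_date": "1988-01-05"},
    {"name": "E. Garcia", "birth_date": "1990-11-22"},
    {"name": "F. Kim", "birth_date": "1990-11-22"},
]


def unique_values(rows, column):
    """Values of `column` that occur exactly once in `rows`.

    These are the statistician's "12 percent": the people whose birth date
    alone singles them out within the table.
    """
    counts = Counter(r[column] for r in rows)
    return {v for v, n in counts.items() if n == 1}


def reidentify(medical, voters, key="birth_date"):
    """The 'simple sort' join: attach a name to each anonymized record.

    A match is only conclusive when the key is unique in BOTH tables;
    a birth date shared by two voters leaves the medical record ambiguous.
    Returns {voter name: diagnosis} for the records that were linked.
    """
    med_unique = unique_values(medical, key)
    voter_unique = unique_values(voters, key)
    name_by_key = {v[key]: v["name"] for v in voters}
    linked = {}
    for rec in medical:
        k = rec[key]
        if k in med_unique and k in voter_unique:
            linked[name_by_key[k]] = rec["diagnosis"]
    return linked


def k_anonymous(rows, key, k):
    """True if every value of the quasi-identifier appears at least k times."""
    return all(n >= k for n in Counter(r[key] for r in rows).values())


def generalize(rows, key="birth_date"):
    """Mitigation 1: coarsen the quasi-identifier (full date -> birth year)."""
    return [{**r, key: r[key][:4]} for r in rows]


def suppress(rows, key, k):
    """Mitigation 2: drop records whose quasi-identifier value is still rarer than k.

    Coarsening alone does not always reach k; the leftovers must be suppressed
    before the table can be released.
    """
    counts = Counter(r[key] for r in rows)
    return [r for r in rows if counts[r[key]] >= k]


if __name__ == "__main__":
    print("linked as released:", reidentify(MEDICAL, VOTERS))
    safe = suppress(generalize(MEDICAL), "birth_date", 2)
    print("2-anonymous after mitigation:", k_anonymous(safe, "birth_date", 2))
    print("linked after mitigation:", reidentify(safe, generalize(VOTERS)))
```

Note that E. Garcia’s record is not linked even though the medical birth date is unique, because two voters share it; uniqueness on one side is not enough, which is exactly why the statistician counted unique birthdays in the sample.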
The database about you is very, very large. It includes information about where you used your credit card last night, what you bought with it, where you clicked on the Web, what you downloaded, what books you bought, what cause or party or charity you contributed to. Don’t worry that the tables are not linked right now. When someone needs to link them, they will be linked. It is not, as they say, rocket science.

If you’re bored sometime, you can even try it yourself on the database management system in the office suite software on your computer. Look for Microsoft Access or its equivalent. Create some tables and see what you can do with them. (This is a very worthwhile activity, because knowing how a database works is this century’s equivalent of knowing addition and subtraction. It is much more important than knowing about “computers.” You can know very little about computers and get along just fine as long as you know how to use a relational database and a few other things.)
The Sex Life of Tables

I think computer viruses should count as life.
Stephen Hawking

If computer viruses count as life, they are primitive asexual organisms. Table joins like the ones discussed here can constitute a more highly evolved, sexual, and potentially more powerful life form.

At this point I would love to cite statistics about how many tables around the world contain information about you. A more important figure would be how often those tables mate with each other to generate relational DNA for infant software robots whose only role is to know what you are likely to do next and how that event can be influenced. Unfortunately, there is no way to get that information. The sex habits of relational databases are as private as privacy policies are public. You and I will probably never know.

The profession and sport of data mining is all about seeing what happens when tables are made to intersect with one another. Data miners don’t want to know one little thing about twelve percent of their sample. They want to know everything about everybody. And isn’t that just how people are? People are nosy, and people like power. The sport of data mining serves both impulses. Add to that the sport of “target marketing,” which started out innocently enough but which has come to mean “control of perceptions of individuals,” and you have information power in spades.

The power of these techniques can be difficult to grasp if you have never fiddled with database tables. It’s natural to think that the main reason to be concerned about privacy is a desire to reduce the amount of intrusive marketing messages coming at you.

Look again, closely, at this section of the excerpt from the Fena and Jennings book:

What accounts for that characterization of the power gained by ownership of personal information? Why are collections of PII so valuable? After all, anybody can rent a mail list. What makes it dangerous?

It is dangerous, of course, because it can be used to manipulate our perceptions.

It is essential that we take measures to neutralize the threat to our privacy, to our very autonomy – our ability to inform ourselves and make good choices for our families and ourselves. The good news is that it is quite possible to solve this problem and to solve it without spending great amounts of time and energy reading privacy statements and advocating for protective legislation. The solution is the Quiet Enjoyment Infrastructure – QEI – described in this book.

We will discuss other digital life forms in Chapter 10. Let’s hope they don’t cross-breed.
TIA
Until
now, data mining has
been something that ostensibly takes place
on the databases of a single organization, a process to ferret out
relationships and patterns that “help us to better serve our
customers.” The
mining of data using Orwellian joins,
on tables of uncertain ownership or pedigree, tables floating around
among
cookie clubs, is
not a public activity. It has not been acknowledged in any visible way
by any
recognizable companies or governments.
September
11 has brought data
mining out of the
closet, using a vehicle called
Terrorism Information Awareness. TIA (originally
Total Information Awareness; the
name was changed in mid-2003) is a government project, sponsored by the
same
Defense Advanced Research Projects Agency that brought us the original
Internet. Its goal is to provide to law enforcement agencies the
ability to
link all information about a suspected terrorist or anything or anyone
related
to the suspect. TIA brings
together not only reference-type
information but also telephone records, travel itineraries (completed
and not
completed), information from bank statements, securities, transactions,
credit
and debit card transactions, trips through toll booths, and of course
email
gleaned from either Echelon or other sources.
The
Electronic Frontier Foundation officially
considers the plan for TIA to
be worthy of the title How To Build A Police
State. Mitchell Kapor, its founder (also founder of
Lotus Development Corporation and other enterprises) resigned from the
board of
Groove Networks over
Groove’s willingness to support TIA in
its
software specifications. The EFF and other privacy and civil liberties
organizations have made some impact, resulting in Congress modifying
TIA’s
charter on September 24,
2003,
limiting it to foreign surveillance. However, it appears that the
domestic
portion of TIA has been moved to a service named Matrix,
which stands
for Multistate Anti-Terrorism Information Exchange. According to
Boston.com,
Matrix houses restricted
police and government files on colossal databases that sit in the
offices of
Seisint Inc., a Boca Raton, Fla., company
founded by a
millionaire who police say flew planeloads of drugs into the country in
the
early 1980s.
"It's federally funded,
it's guarded by state police but it's on private property? That's very
interesting," said Christopher Slobogin, a University of Florida
law professor and expert in privacy issues.
As a dozen more states pool
their criminal and government files with Florida's,
Matrix databases are expanding in size and power. Organizers hope to
coax more
states to join, touting its usefulness in everyday policing.
Putting
Matrix inside a private enterprise apparently
allows the system to keep personal information that would violate the
Privacy
Act of 1974 if it were kept on government facilities.
At
the other end of the spectrum, author Howard Bloom views
TIA (and
presumably Matrix) as a development that, like the original Arpanet,
will be used by all of us.
Calling TIA an
“IQ expansion pack capable of plowing
through the built-in barriers of central nervous system-based software.
It will
show us whole new ways to look at what we’re up against
– whether it’s bin
Laden, a demanding boss, or that damn lost phone number.” He
dismisses the
privacy and perception-control threat with “Public scrutiny
of ominous-sounding
government plans is a good thing. If people are being abused by Big
Brother,
it’s vital to drag the atrocities out of hiding and stop
them. The misuse of
technology is a social evil, and it’s essential to fight
against this sort of
crime. But let’s remember that the evil resides in the crime,
not the
technology.”
Both
Kapor and Bloom make valid points, but both
are naïve. Bloom
is naïve about what could be done to fix the problem after the
fact. If TIA indeed
became the central nervous system of an Orwellian police state, would
he then
circulate a petition or initiate legislation to curtail its powers? The
person
or “assembler” (described in Chapter 10) in charge
of TIA would
easily thwart any such democratic subversion. Locking him out of
society would
take just a few keystrokes. Kapor is
naïve in thinking that civil liberties must
always trump security, even in a world where terrorists are real and
know
how to use our Constitution against us as a defensive weapon.
We
can have both. We can have a viable public data
mining facility that
will provide immense benefit to
every information-using person on Earth, including law enforcement
people, and
we can have privacy – far better privacy than we have today.
The key is a new
kind of control on the use of information. Two Instigations in particular, which describe
how such controls work, will
be introduced in Chapter 24.
This
book is about the solution. The solution requires you to
take possession of the PII about
you and to take steps to ensure that any
sources of PII external
to what you own are barren,
incomplete, and obsolete. We shall go into more detail later. First
let’s look
at some ways our PII –
that is, our privacy – is nibbled away.
Cookie Clubs
An
Internet “cookie” is not a dessert treat but a
piece of information planted in your computer by a site you visit.
Cookies can
be very useful not only for the site but for you as well, providing
among other
things a kind of session-like continuity and
connectedness in the otherwise “stateless” Web.
When discussing the benefits of
cookies versus their potential for erosion of privacy, technologists
and
journalists tend to focus on the cookie as
a record of a user’s activity separate from
other records about that person. Viewed that way, cookies are typically
fairly
harmless.
But
why would we view them that way? Even if the
typical plan for the use of cookies is not overly intrusive, should we
not be
more concerned about the less common, much more intrusive use of
cookies? Most
of fissionable nuclear material is produced to generate electric power.
Does
that mean we needn’t concern ourselves with the lesser amount
that is headed
for some other purpose?
In
fact, an Internet cookie is
something so insidious that its very name
reveals the cynicism of those who perpetrated it. You can just hear the
big-brother-wannabes in the meeting room of
their cabal (comfortably removed from the
Internet highway, to be sure). Picture a mad scientist in a dark castle
asking
his assembled sycophants, “What can we call this snooping
device that will make
it sound innocent? Mom? Home? Nah, they’re too obvious,
people will start to
wonder. Wait, I’ve got it! Cookie! What could be friendlier
and homier than a
cookie? Yet the connotations aren’t so obvious that the
word will cause people to stop and think what we’ve got up
our sleeve….”
A
cookie is a piece of
information that is written into
your computer by a website for the purpose of tracking your activities.
What
happens if I collect information on you by means
of cookies and share that information with another party, say, a credit
card
processor, in exchange for some reciprocal sharing, and the two of us
have
similar relationships with others in a chain that includes thousands of
companies and nonprofit cooperatives, such as credit bureaus? The
result is a
loosely unified record of everything you do, every place you go, and
anything
you buy.
But
it’s more than that. If you express yourself by
contributing to a cause or a political party, does that information
make it
into the Cookie Club? Of course it does. In many ways
this database about you is a record of your thoughts as well as your
actions.
Information
can be collected without cookies. Cookies
just make it so much easier. Let’s say a particular computer
is used by an
adult and a child. The adult visits a site and responds to an offer of
personalized items for the family. The adult fills in a form, providing
name,
address, phone number – and perhaps the child’s
name. The site also places a
cookie. Later, the child goes to an apparently
unrelated site to play games and grab some images of dinosaurs to use
in a
graphics program like KidPix. That site also places a cookie.
Well,
it turns out that the two sites are owned by two
cooperating companies. It’s true, if you examine the cookies
they are only
feeding information back to the server that placed them. After the two
cookies
are placed and the information is gleaned, a very simple little program
operating in the back room of the company or companies that run the
servers
adds one and one together and easily builds a record about that child
and her
family.
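The "very simple little program" in the back room, as an added example that is not the book's code: two cooperating sites each log only their own cookie, and the operator links the two logs on what both sites record anyway, the client address and the time of the visit. The two logs, the addresses and the 24-hour window are constructed. The guard against an address shared by many users (a proxy or a NAT gateway, which would link strangers to one household) is an assumption about what a careful operator would add, not something the text describes.

```python
"""Linking two sites' cookies in the back room.  Added example, not the
book's code: each site's log carries only its own cookie; the link is made
on client address and time, which both sites record as a matter of course.
Logs, addresses and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log of site A (family gift offers), keyed by A's cookie:
# (cookie, client_ip, timestamp, fields the visitor typed into the form)
SITE_A = [
    ("a-7f3e", "203.0.113.7", "2004-03-01T19:02:11",
     {"name": "Pat Example", "phone": "555-0100", "child": "Sam"}),
    ("a-9c21", "198.51.100.4", "2004-03-01T19:05:40",
     {"name": "Lee Sample", "phone": "555-0177"}),
]
# Constructed log of site B (children's games), keyed by B's cookie:
# (cookie, client_ip, timestamp, what the visitor did)
SITE_B = [
    ("b-0a11", "203.0.113.7", "2004-03-01T20:15:02",
     {"game": "dino-hunt", "downloads": ["trex.gif", "raptor.gif"]}),
    ("b-44d0", "192.0.2.55", "2004-03-01T20:40:19", {"game": "puzzle"}),
    ("b-0a11", "203.0.113.7", "2004-03-02T16:10:00", {"game": "dino-hunt"}),
]

WINDOW = timedelta(hours=24)   # how far apart two visits may be and still count
MAX_COOKIES_PER_IP = 3         # more B cookies than this on one address: a shared gateway, skip it


def link_households(site_a, site_b, window=WINDOW, max_per_ip=MAX_COOKIES_PER_IP):
    """Return {cookie_a: {cookie_b, ...}}: each A cookie paired with every B
    cookie seen from the same client address within `window`.  Neither
    cookie ever left its own site; the join happens here."""
    seen_b = defaultdict(list)                  # ip -> [(cookie_b, time)]
    for cookie_b, ip, ts, _ in site_b:
        seen_b[ip].append((cookie_b, datetime.fromisoformat(ts)))
    links = defaultdict(set)
    for cookie_a, ip, ts, _ in site_a:
        candidates = seen_b.get(ip, [])
        if len({c for c, _ in candidates}) > max_per_ip:
            continue                            # too many distinct users behind this address
        t_a = datetime.fromisoformat(ts)
        for cookie_b, t_b in candidates:
            if abs(t_b - t_a) <= window:
                links[cookie_a].add(cookie_b)
    return dict(links)


def build_profiles(site_a, site_b, **kw):
    """Merge what each site collected into one record per linked household."""
    profiles = {}
    for cookie_a, cookies_b in link_households(site_a, site_b, **kw).items():
        record = {"games": set(), "downloads": set()}
        for cookie, _, _, fields in site_a:
            if cookie == cookie_a:
                record.update(fields)           # name, phone, child's name
        for cookie, _, _, fields in site_b:
            if cookie in cookies_b:
                record["games"].add(fields["game"])
                record["downloads"].update(fields.get("downloads", []))
        profiles[cookie_a] = record
    return profiles


if __name__ == "__main__":
    for cookie, profile in build_profiles(SITE_A, SITE_B).items():
        print(cookie, profile)
```

Run on the constructed logs, the parent's name, phone number and the child's name from site A land in the same record as the dinosaur images the child fetched from site B, although no cookie was ever read by any server but the one that set it. Shrink the window to half an hour and nothing links, which is why operators who do this keep the window generous and tolerate a few false matches.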
Now,
there’s nothing preventing the organization that
placed that cookie from
adding that snippet to a database of
thousands of such snippets about you. There is nothing preventing
groups of
such organizations from sharing such databases of snippets to put
together an
even more complete picture of you, your habits, your desires, and your
most
personal secrets. Let’s face it, if I know when you go online
and what you do
while online, I can use that information to exercise a startling level
of
control over your life.
But
why assume just two sites? Picture a hundred sites
cooperating to build that database. Pretty soon a bunch of meaningless
stray
cookies have produced an intimate and detailed profile of every member
of your
family.
The
threat to your privacy is not a database as
technologists and privacy activists define
it. Rather, the threat to your privacy
is the intersection of tables from many databases. True, each of the
contributing tables is compiled and owned by an identifiable
organization that
can be held accountable. But nobody owns the place where all those
tables
intersect. That place is the lair of the monster that wants to devour
your
freedom.
Poisoned Cookies
Think
for a moment about the implications of
the cookie trail your
children leave behind. Deirdre
Mulligan, Staff Attorney for the Center for Democracy and Technology,
reporting
in APSAC Advisor, notes that:
The
ease with which children can reveal information
about themselves to others – through the click of their
mouse, or through
participation in games, chat rooms, penpal programs, and other online
activities – raises concerns. As a child
‘surfs’ from one website to another
their movements leave behind a trail . . .
these interactions
often occur without parental knowledge or supervision. This has
particularly
troubling ramifications for children’s privacy. The Federal
Trade Commission’s Privacy Online: A Report To Congress
delivered
to Congress in June 1998, detailed some troubling practices by
commercial
websites targeted at children. They found that while 89% of
children’s sites
were collecting detailed personal information from children, only half
had an
information practice statement of any kind, and fewer than a quarter
had a
privacy policy notice. Only 7% of sites collecting information from
kids
notified parents of the practice, and only 23% even suggested that
children
speak to their parents before giving information.
Sites
targeted at children tend to be costly because
they have to be extremely intuitive, graphical, and responsive. They
must
include a lot of interactive items like games to capture and keep a
child’s
attention. They tend not to be amateur productions put together by
people
without the awareness or resources to consider things like privacy
provisions.
In other words, the stealthy nature of kids’ sites is quite
intentional.
Let’s
assume that the operators of such sites “only”
want to build databases of information about your child so that they
can
exercise an unprecedented level of control over his or her perceptions,
i.e.,
mold the thinking of a customer to be permanently profitable for
decades. Let’s
try to assume that none of them – none of the thousands of
such sites – ever
stoops to selling such information to organizations such as Boylove,
which
advocates for the “rights” of adults who want to
have sex with young boys.
That
is as much as to say that none of the owners of
those sites ever gets into a financial situation where they need new
sources of
cash badly enough to do things they wouldn’t do otherwise. I
wouldn’t bet on
that. In fact, experience tells me that more than one of those sites
will
succumb to pressure to sell information to unethical organizations.
Perhaps
it’s already happened.
Let’s
say one of those is a genealogical site. Hmm,
what do we have here, a complete network of families and family
members,
including the very interesting mothers’ maiden names. As you
probably know,
one’s mother’s maiden name is a standard data item
used to validate the
identity of someone
calling customer service when they’ve forgotten a password.
If you can come up with the
maiden name of the mother of the user, you can reset the password.
The
formal cookie establishment
has come under some scrutiny,
and has changed its ways a bit since the following was written:
Using
cookies, a web site can tag each user with a
unique identification number, which that user then presents, invisibly,
for all
future visits to that site. With the ability to recognize individual
users each
time they revisit a site, web sites can compile and accumulate profile
information on their users over time. More ominously, cookies are
allowed to be
stored not only by the web sites you visit but also by the images
displayed on web sites you visit--in particular, banner advertisements.
Unbeknownst to most users, many of the Internet's ads reside on
centralized ad
servers run by agencies such as DoubleClick, Focalink, and Smartad.
What
this means is that the ad agency can, in principle, track a single
user's
browsing behavior over all the different sites which display that
agency's ads.
For example, as of this writing, DoubleClick manages the banner ads for
AltaVista, U.S.
News, Quicken Financial Network, and Travelocity. In principle, then,
the
agency could use cookies to build a single profile combining
information about
a user's web-searching, news-reading, financial and travel preferences.
According to DoubleClick's
privacy policy, they use the information thus collected for
precision ad
targeting but do not include the user's name or email address in the
profile
they build. Still, some find disturbing the notion of an advertising
agency
building a detailed profile of each user's browsing habits without the
user's
consent or awareness.
To
summarize, although surfing the web feels
anonymous, it is not. The technology underlying web browsing makes it
possible
for web sites to collect varying amounts of personal information about
each
user of their sites without consent. The TRUSTe Project, a joint effort by the Electronic Frontier Foundation and CommerceNet, proclaims a first principle
of Internet
commerce:
Informed
Consent is Necessary -- Consumers have the
right to be informed about the privacy and security consequences of an
online
transaction BEFORE entering into one.
Current
technology violates this principle. However,
the Anonymizer provides
a partial solution.
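The cross-site profile the quoted passage describes, as an added example that is not part of the quoted text or of any ad network's code: a minimal model of a browser cookie jar that scopes cookies by domain and sends them with every request to a matching host, banner images included, and of an ad server that logs its own cookie beside the Referer of the page that carried the banner. The hostnames, the cookie name and the browsing sequences are constructed; the model has no SameSite attribute and no third-party-cookie blocking, because browsers of that era had neither.

```python
"""What a centralized ad server sees.  Added example (not the quoted
article's or any ad network's code): a domain-scoped cookie jar and an ad
server that ties its cookie to the Referer.  All names are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

AD_HOST = "ad.adnet.example"
AD_DOMAIN = ".adnet.example"


class CookieJar:
    """Cookies keyed by the domain that set them.  A cookie with
    Domain=.adnet.example is attached to any request for a host under
    adnet.example, whatever page the request was triggered from."""
    def __init__(self):
        self._by_domain = {}                      # domain -> {name: value}

    def store(self, domain, name, value):
        self._by_domain.setdefault(domain.lstrip(".").lower(), {})[name] = value

    def for_host(self, host):
        host = host.lower()
        sent = {}
        for domain, kv in self._by_domain.items():
            if host == domain or host.endswith("." + domain):
                sent.update(kv)
        return sent


class AdServer:
    """Serves banners for many publishers; every request arrives with the
    network's own cookie (if any) and the Referer of the embedding page."""
    def __init__(self):
        self._next = 1
        self.log = []                             # (user_id, referer_host, path)

    def serve(self, jar, referer, path="/banner?slot=1"):
        uid = jar.for_host(AD_HOST).get("id")
        if uid is None:                           # first sight: Set-Cookie: id=...; Domain=.adnet.example
            uid = f"u{self._next:04d}"
            self._next += 1
            jar.store(AD_DOMAIN, "id", uid)
        self.log.append((uid, urlsplit(referer).hostname, path))
        return uid

    def profiles(self):
        """One browsing profile per cookie: the set of publisher sites seen."""
        seen = defaultdict(set)
        for uid, host, _ in self.log:
            seen[uid].add(host)
        return dict(seen)


def browse(jar, ads, pages):
    """Load each page; each page embeds one banner from the ad network, which
    the browser fetches with whatever it holds for ad.adnet.example."""
    return [ads.serve(jar, page) for page in pages]


if __name__ == "__main__":
    ads, jar = AdServer(), CookieJar()
    browse(jar, ads, ["http://search.example/q?x=1", "http://news.example/story/7",
                      "http://finance.example/portfolio", "http://travel.example/book"])
    print(ads.profiles())
```

The publishers never exchange anything; the search site's own cookie is never sent to the ad host. The ad server alone, from its one cookie and the Referer header, ends up holding the list of every participating site each browser has visited.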
What the Cookie Establishment Has to Say
If
you inquire about cookies from the cookie establishment,
they will tell a wonderful
story.
“You can turn
them off.”
Well,
why didn’t you tell me they’re there in the first
place, and why didn’t you tell me how to turn them off? And
what happens if I
turn them off? Does my computer still work?
“Yeah, sure, but
I wouldn’t bother because they’re
innocuous.”
It
is a matter of opinion whether you can still be
productive with your computer in the age of the Web if you turn your
cookies
off or if you choose to be notified each time a cookie is
placed in your computer. Choosing to be
notified when cookies are placed will slow you down to a crawl. And it
is true,
most cookies would be innocuous if they existed only by themselves.
Can
you see the brilliantly devious design here? Let’s
say you turn cookie notifications
on. Every other time you click,
it seems, another cookie message
pops up:
XYZ.com
would like to place a cookie that
will only be read back to itself and will
last two days.
Set
cookie?
And
so you say, yeah, sure, what’s the harm of this
one. And the next dozen times you click the message is about the same,
nothing
alarming.
Every
day, every time you use the Web it’s the same
tedious thing – get message window, click to permit a
harmless cookie or
click to not allow it. If you don’t allow
it you may not get to see the page you wanted to see, so you generally
let some
mysterious robot set the cookie and
be done with it.
The
process gets tiring. After awhile you turn the
cookie notifications
off. You may feel a little
uneasy about doing that, but those cookie notification
windows just drive you nuts. I
don’t know anyone who keeps cookie notifications
active permanently. Nobody can
stand them. That’s why we miss the one-in-five-hundred
messages that say
something like:
bigbrother.com
wishes to set a permanent cookie which,
working with a piece of spyware sent
by its server, will send back to itself
all sorts of information about all users of this computer and all kinds
of nosy
things about your personal life. We may even rummage around your
personal
financial files if we figure out how to get into them.
Saay . . .
what’s this, your addresses? And appointments!? Well well, it
appears you have
a meeting with members of our political opposition… You
don’t mind if we copy a
few scraps from those now do you? (Good thing you’re half
asleep . . .)
All
members of the Information Associates consortium
will have access to this information. About the only person who
won’t know a
thing about this is you. You see, we bombarded you with notices about
harmless
cookies on the pages before you got here. If that worked as it has done
with so
many other people, you probably have turned off your cookie notices and so you probably
won’t even get to
see that we’re doing this, you poor chump. But just in case:
Set
cookie?
Would
you know how to find such a cookie on
your computer? It takes a bit of patience.
The very few cookies that are dangerous in themselves are buried in
mounds and
mounds of what would seem like harmless cookies. But then, as we have
seen,
even the seemingly innocuous cookies are dangerous when all the nearly
meaningless snippets of information about you and other users of your
family’s
computer are assembled in one much larger database record.
One
thing you will probably find at the beginning of
your cookie file is
the following:
# This is a generated file! Do not edit.
Wow,
a generated file! With a warning and an
exclamation point! Look out kids, don’t touch that one!
Perhaps in future
versions they’ll take a cue from the video industry and
include an FBI warning.
After all, they don’t want you
tampering with this file containing detailed information about the
online
habits of you and your family. That’s their business, not
yours.
When
I first began writing this, users generally didn’t
know about cookies. By 2004 that had changed. The wide acceptance of
programs
like Ad-aware has brought a great deal of attention to the phenomenon
of
cookies, especially what have come to be called “tracking
cookies” (or
“persistent cookies”) –
the ones that
persist from session to session in order to track your website visits.
(“Session cookies,” which help keep track of things
like shopping cart contents
for the current session only – are generally perceived to be
less dangerous.)
People are beginning to be careful not to indiscriminately allow any
kind of
cookies to be planted on their machines. But the cookie clubs need not
despair,
as plenty of techniques have been developed to secure the
“benefits” of
tracking cookies even in the computers of users who delete them.
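Finding such a cookie, as an added example that is not from the book: a reader for the Netscape-format cookies.txt file that opens with the "generated file" line quoted above (one cookie per line, seven tab-separated fields: domain, whether subdomains are included, path, secure flag, expiry in Unix seconds with 0 meaning a session cookie, name, value). It separates session cookies from persistent ones, flags the long-lived ones, and lists the domains whose persistent cookies cover a whole domain tree, the shape a tracking cookie takes. The file contents below are constructed; the "#HttpOnly_" prefix is handled because curl writes it, and that is the only liberty taken with the format.

```python
"""Reading cookies.txt.  Added example (not the book's): parses the
Netscape cookie-file format and sorts cookies by lifetime and scope.  The
sample file is constructed."""
import time
from dataclasses import dataclass

SAMPLE = """# This is a generated file! Do not edit.
# Netscape HTTP Cookie File
.bigbrother.example\tTRUE\t/\tFALSE\t2147483647\tuid\t8ad3c0f1
shop.example\tFALSE\t/cart\tFALSE\t0\tsessionid\tF0DS2AAGGDJBB5FSFJ32DFV
.adnet.example\tTRUE\t/\tFALSE\t1893456000\tid\tu0001
#HttpOnly_news.example\tFALSE\t/\tTRUE\t1100000000\tprefs\tlang=en
"""


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool   # TRUE: sent to every host under `domain`
    path: str
    secure: bool
    expires: int               # Unix seconds; 0 means a session cookie
    name: str
    value: str
    http_only: bool = False


def parse_cookies_txt(text):
    """One Cookie per data line; '#' lines are comments except for curl's
    '#HttpOnly_' prefix, which marks a real cookie."""
    cookies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 tab-separated fields, got {len(fields)}")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                              int(expires), name, value, http_only))
    return cookies


def classify(cookies, now=None, long_lived_days=365):
    """Split into session / persistent / expired; persistent cookies valid for
    more than `long_lived_days` are also listed as long_lived."""
    now = time.time() if now is None else now
    out = {"session": [], "persistent": [], "long_lived": [], "expired": []}
    for c in cookies:
        if c.expires == 0:
            out["session"].append(c)
        elif c.expires <= now:
            out["expired"].append(c)
        else:
            out["persistent"].append(c)
            if c.expires - now > long_lived_days * 86400:
                out["long_lived"].append(c)
    return out


def tracking_domains(cookies, now=None):
    """Domains that set a persistent cookie for their whole domain tree: the
    scope a cross-site tracking cookie needs."""
    return sorted({c.domain for c in classify(cookies, now)["persistent"] if c.include_subdomains})


if __name__ == "__main__":
    cs = parse_cookies_txt(SAMPLE)
    for kind, items in classify(cs).items():
        print(kind, [f"{c.domain}:{c.name}" for c in items])
    print("tracking-shaped:", tracking_domains(cs))
```

The shopping cart's session cookie (expiry 0) drops out on its own; the two cookies set for a whole domain with expiry dates decades away are the ones worth looking at. A cookie's presence in the file says nothing about what else the same domain does with the identifier, which is the point the text makes about "innocuous" cookies.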
Published techniques generally replace session cookies rather than tracking
cookies. They include the "query-string" approach, in which an agile server
generates a unique URL that carries a freshly generated session ID (sites that
care about security also hash the session ID together with the user's IP
address, so that a captured URL cannot simply be replayed from another
address); a feature of Microsoft's IIS server that similarly disguises session
information in the URL; a hidden form on every page of a site, filled
automatically with hidden information each time a new link is clicked; and
session ID information hidden in a JavaScript frame.
Why
do we find published only the alternative
techniques for session cookies, while those for tracking cookies are
not? The
answer is that the use of cookies to track users from session to
session has
achieved the status of due process: If you put the information in the
cookie
file then you have effectively disclosed what you are doing to the
user; if you
plant files somewhere else on their computer then, well,
you’re pretty much
doing what propagators of parasites and viruses and worms and other
malware do.
Let's Say You Do Turn Them Off...
As
“nontechnical” (whatever that means) people get
more
familiar with their information appliances, they tend to learn about
things
like cookies. Those who feel that the “session
persistence” offered by cookies
– the convenience of having personal information retained
from session to
session – doesn’t
outweigh the damage to
privacy can and do turn them off.
So
what’s the response of the cookie clubs? Respect the
wishes of those who have made an explicit choice to value privacy above
convenience? Display a message politely stating benefits and asking
them to
consider?
Of
course not. What do you think this is, civilization
or something?
Site
operators deal with cookie blocking by looking for
ways to subvert the intentions and decisions of those who stubbornly
refuse to
hand over personal information about themselves. If the user
won’t give it,
they look for ways to steal it. They are helped in that effort by the
vendors
of server and client software. The resulting methods are typically
passed
around in IRC (chat) sessions and at conferences, but occasionally they
surface
in publications, as in this
Builder.com article:
You
shouldn’t rely strictly on cookies for
functionality. For example, what happens if your Web application is
viewed
through a wireless device that doesn’t support cookies or is
viewed through a
pre-HTML 2.0 or text-based browser? Another possibility is that your
audience
may be using cookie-blocking technology to protect their privacy.
Protect
their privacy? Those meddlesome users have some
nerve messing with our property
–
that is, our information about them!
To
reach the widest audience possible…
…in
other words, to bypass the explicit efforts of
users to preserve their privacy…
…developers
should take these scenarios into
consideration when building any cookie-based Web application.
To
deal with a situation where cookies aren’t available,
you must build a custom session handler to transfer session information
back
and forth between the browser and Web server…
Query string approach
Using
the query string approach, the cookie value is stored in the
URL and can be retrieved by both the server and the browser. Here is an
example
of a session identifier embedded in a Java Server Pages URL:
http://www.yoursite.com/index.jhtml;jsessionid=Y1EF3PRPX44QICWLEALCFFA
The
author then goes on to explain how to use hash
values incorporating the session ID to prevent people from capturing
the
session ID. “People” in this case means hackers
– but of course could also mean
that pesky, nosy user trying to figure out what you’re doing
with information
about her. Hackers, users, what’s the difference…
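The query-string approach and the hash the author mentions, as an added example that is not the article's code: a server that carries the session ID in the URL the way the jsessionid example does, tags it with an HMAC over the session ID and the client's address, and refuses a captured URL replayed from another address. The key, hostnames and addresses are constructed. Note what this does and does not buy: the ID still leaks through Referer headers, proxy logs and bookmarks; the check fails for a user whose address changes mid-session; and it does nothing against an attacker behind the same NAT gateway or proxy.

```python
"""Session ID in the URL, bound to the client address.  Added example (not
the Builder.com article's code); key, hosts and addresses are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

SERVER_KEY = b"constructed-server-secret-rotate-me"   # assumption: kept server-side only


def _tag(session_id, client_ip):
    """HMAC over (session id, address): verifiable by the server, unforgeable
    without the key, so the pair cannot be re-associated with another address."""
    msg = f"{session_id}|{client_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def new_session(client_ip):
    sid = secrets.token_urlsafe(16)            # base64url alphabet: never contains '.'
    return sid, _tag(sid, client_ip)


def rewrite_link(url, sid, tag):
    """Append ';jsessionid=<sid>.<tag>' to the path, as a URL-rewriting server
    does for every link it emits when the client sends no cookie."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, f"{p.path or '/'};jsessionid={sid}.{tag}",
                       p.query, p.fragment))


def extract(url):
    """Return (sid, tag) from the path parameter, or None if absent or malformed."""
    path = urlsplit(url).path                  # urlsplit keeps ';params' inside the path
    if ";jsessionid=" not in path:
        return None
    token = path.split(";jsessionid=", 1)[1]
    if "." not in token:
        return None
    sid, tag = token.rsplit(".", 1)
    return (sid, tag) if sid and tag else None


def validate(url, client_ip):
    """Session id carried by `url` if its tag matches this client's address,
    else None: a URL lifted from a log or a Referer fails from elsewhere."""
    found = extract(url)
    if found is None:
        return None
    sid, tag = found
    if not hmac.compare_digest(tag, _tag(sid, client_ip)):
        return None
    return sid


if __name__ == "__main__":
    sid, tag = new_session("203.0.113.7")
    link = rewrite_link("http://www.yoursite.example/index.jhtml", sid, tag)
    print(link)
    print("same address :", validate(link, "203.0.113.7"))
    print("other address:", validate(link, "198.51.100.4"))
```

The constant-time comparison matters because the tag is attacker-supplied input compared against a secret-derived value; a plain string comparison would let timing reveal how many leading characters of a guess were right.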
Here’s
another way – actually two ways – to get around
user’s explicit decision not to be spied upon:
ASP.NET and cookieless sessions
For
cookieless transactions in IIS4, you can use an
ISAPI filter called Cookie Munger (ckymunge.dll) available in the
Windows 2000
Server Resource Kit… ASP.NET has a built-in fallback
mechanism to maintain
cookieless sessions. IIS5 will do all the work of tracking the session
information coming to and from the browser by automatically embedding
the
session identifier in all the relative links on your Web site. Here is
an
example of an ASP.NET URL implementing this feature:
http://www.myserver.com/(dvb4sd56h78f6t52vfd72v35)/Application/Webapp.aspx
But
those annoying users can still come up with
countermeasures…
The
disadvantage of this approach is that if the user removes the session
information in the URL, the session tracking will likely be lost. To
deploy
cookieless sessions in your ASP.NET application, all you need to do is
reconfigure the cookieless variable in the Web.config file:
<configuration>
  <system.web>
    <sessionState cookieless="true" />
  </system.web>
</configuration>
Or
you can try “hidden forms.” Just as
“persistent cookie”
can be a misleading euphemism for “spy,”
“hidden” in this case is a euphemism
for “fake.”
Hidden form approach
The
goal
with the hidden form approach is to post a hidden value to the server
every
time a user navigates to a new page on your Web site. To make this
work, every
page on your site has to contain a form and an embedded hidden form
field that
looks something like this:
<input type="hidden" name="sessionid" value="F0DS2AAGGDJBB5FSFJ32DFV">
Then
there’s the favorite tool of all sorts of snoopware
authors, JavaScript (not to be confused – please! –
with Java) (Full disclosure: this site uses JavaScript to present its
title and menus.)
Parent frame approach
Our
final
approach uses JavaScript to retrieve a session ID stored in a hidden
frame. The
frameset code should be written like this:
<frameset
rows="100%,*" frameborder="0" border="0"
framespacing="0">
<frame name="main" src="contentpage.asp"
frameborder="0" border="0">
<frame name="session" src="sessionid.asp"
frameborder="0" border="0">
</frameset>
In
the
hidden sessionid.asp file, all we need to do is populate a JavaScript
variable
(sessionIdentifier) with the value of the session identifier
(SessionID):
<script language="JavaScript">
sessionIdentifier = "<%=Session.SessionID%>";
</script>
In
the
visible frame, we can assign to sessionid the value of the
sessionIdentifier
variable located in the hidden frame:
<script language="JavaScript">
var sessionid = parent.session.sessionIdentifier;
</script>
Still
not enough tools for your espionage cabal? Here
are a few that bypass the bypasses:
Alternative solutions
The
solutions we've looked at here cover conventional HTML-based
technologies, but
there are other ways of maintaining a session that extends beyond
normal
browser functionality. Here are a couple of these approaches.
XMLHTTP approach
Using
SOAP headers,
it is possible to send and receive data, including session data. Edmond
Woychowsky outlines some of the possibilities in his article "XMLHTTP
ActiveX objects offer alternative to accessing ASP session variables."
Java approach
You
can use
Java applets to relay information back and forth between the server and
the
client without any browser intervention. Applets have no explicit
support (or
classes) for maintaining persistent states in the browser. However,
applets can
maintain a persistent state, create files, and read files on the server
side.
For the details, check the documentation
for the Java2 Standard Edition Networking
(java.net) package.
The
article concludes with the inspiring admonition, in
bold:
We
don’t need to play these games. The Instigation
called the Personal
Intellectual Property Infrastructure requires a site operator to
display on a
Web dialog a small, unobtrusive icon that signals what sort of personal
information is being captured, and what provision in your Disclosure
Practice
Statement makes that information capture legally permissible. You, as
the
author of your Disclosure Practice Statement, can modify it at any time
to
change the rules for access to your personal information.
P3P
The
World Wide Web Consortium (W3C) has introduced
something called Platform for
Privacy Preferences (P3P),
which it believes is a solution to the cookie problem.
P3P is a
technology that opens the process of disclosing personal information,
making it
visible and understandable.
But
P3P does not
eliminate the ability to place and
read cookies. Like the notification window for an
“innocent” cookie, P3P may
further anaesthetize people to what’s going on behind the
scenes. P3P presents
dialogs that seem to empower people to specify what information may go
to whom.
Those organizations that are already the most open about the use of
personal
information will probably make serious use of P3P. Others will use P3P as a means
to make people feel they’re in control while their
information is being
pilfered through the back door.
Recall
the remark by Gil Schwed, the CEO of Check Point: “I think
every single user
at home gets 200 attacks every day,” and the response by
Aaron Goldberg of Ziff
Davis Market Experts that “many of these alerts are sites
scanning for cookies
rather than attacks – a privacy issue but not one to panic
over.”
Panic
is indeed not the right response. Rather, our
response should be to look for a design that requires all traffic to be
identified. If someone wants to read a cookie on
your machine, well, let them identify
themselves and let that identity be
checked against the digitally signed
permissions specifically granted to specific parties.
The volunteer organization CPExchange is also making a valiant attempt at establishing a system- and platform-independent open standard for secure interchange of data. Their model is geared towards generating customer information standards for various enterprise systems. This is yet another instance of “you can have your privacy – all you have to do is exercise constant vigilance over those who influence and control our standard…”

You and I do not need privacy that requires constant vigilance. The mass media people know we will lose that one. Expecting vigilance on the part of the user – the subject of the information being gathered – is devious and unfair. We have better things to do with our lives. The burden of proof that information about us may be safely disclosed must be on the party requesting the information. And the individual must be the judge as to whether or not information about him or herself ought to be accessible to others. Anything else is just plain trickery.

Just because someone sets out to provide a framework to protect your privacy doesn’t mean that framework will do the job right or completely. A highly qualified architect proposes a new kitchen to you. He surely wants you to have a good, usable kitchen. That intent, however, does not ensure you will get what you need. Examine the plans thoroughly before you call the contractor.
Parasites
At least cookies have come under scrutiny since browsers began supporting them in the ’90s. The fact that a lot of people know what’s going on in the world of cookies has made the abusers of cookie tools perhaps a little more discreet in the data gathering part of their intrusive activity, if not the data sharing part. The propagators of parasites – spyware – have only begun to receive such scrutiny in the last couple of years.

What is a parasite? It’s something that would be considered a virus if its propagators, having an economic motive, had not taken steps to make their viruses legal and thus not considered viruses by the vendors of virus protection software.

A parasite is a piece of code that gets embedded in your computer and reports to its propagator any information that it wants it to report. What sites have you visited to shop for books, software, cars, gifts; political sites, blogs and lifestyle sites; all email addresses in your address book, along with names – all can easily be reported back to the propagator of a parasite. Why bother with cookie files which, after all, everyone knows about and can easily detect on their computer? If your intentions are bad, why bother with the veneer of good intentions by messing with cookies? Just plant a parasite.
E-cards are a natural vehicle for parasites. People have learned to be wary of opening attachments that are the least bit suspicious, whereas e-cards evoke an emotional response that tends to displace caution. A mass mailing from cupid@valentines-ecard.com just before Valentine’s Day 2003 led many to open what turned out to be a commercial parasite that changed browser defaults and inserted at least one mysterious DLL into the user’s system. Soon someone will come up with a refined method of harvesting family and personal contacts from address books, making parasite e-cards quite indistinguishable from genuine ones.
The Doxdesk blog (www.doxdesk.com) provides a nice overview of the rapidly growing phenomenon, also known as spyware:

‘Parasite’ is a shorthand term for “unsolicited commercial software” – that is, a program that gets installed on your computer which you never asked for, and which does something you probably don’t want it to, for someone else’s profit. The parasite problem has grown enormously recently, and many millions of computers are affected. Unsolicited commercial software can typically:

- plague you with unwanted advertising (‘adware’);
- watch everything you do on-line and send information back to marketing companies (‘spyware’);
- add advertising links to web pages, for which the author does not get paid, and redirect the payments from affiliate-fee schemes to the makers of the software (such software is sometimes called ‘scumware’);
- set browser home page and search settings to point to the makers’ sites (generally loaded with advertising), and prevent you changing it back (‘homepage hijackers’);
- make your modem (analogue or ISDN) call premium-rate phone numbers (‘dialers’);
- leave security holes allowing the makers of the software – or, in particularly bad cases, anyone at all – to download and run software on your machine;
- degrade system performance and cause errors thanks to being badly-written;
- provide no uninstall feature, and put its code in unexpected and hidden places to make it difficult to remove.
You think that’s insidious? Try this. Some spyware detection and elimination software is a ruse – it actually plants parasites instead of removing them! Two of them identified by Doxdesk are:

TrekBlue offers a spyware remover called Spyware Nuker, which is being heavily advertised through junk e-mail from its ‘affiliates’. TrekBlue are the same company as e-mail marketers ‘TrekData’ and ‘Blue Haven Media’, who distribute spyware through ActiveX drive-by-download on web pages. They used to work for Lions Pride Enterprises, who made and control the ‘wnad’ spyware.

RedV offers an adware remover called AdProtector. However, the installer used to download this and the other RedV ‘Protector’ applications is itself adware, and RedV are the same company as Web3000, one of the early major spyware makers.
Parasites, P2P and Open-Ended Tunnels

When we get to the prescriptive part of this book, the Instigations, we’ll spend a lot of time discussing online spaces where members of groups can work together securely. All forms of online collaboration are growing tremendously in popularity. At the tuned-in consumer end of the collaborative spectrum we have the music-file-sharing networks such as KaZaA, while at the buttoned-down corporate end we have virtual private networks, or VPNs. VPNs provide “secure” tunnels, as impermeable to parasites and the like as are the walls of the Lincoln Tunnel that connects Manhattan with New Jersey. Your company’s precious information assets are well protected inside a VPN tunnel.

Not.

Tunnels allow employees to work with confidential company files remotely, as for instance from the computer in the employee’s den at home. Of course when mom isn’t using the computer to update her department’s budget, her kids are using it to steal, er, share music with other users of peer-to-peer networks like KaZaA.

My objective is to generate enthusiasm for online collaboration, and so my observations about this particular form of online collaboration, the wide-open file-swapping peer-to-peer worldwide rave gathering, have a particular urgency. Some of these things simply open your computer to the world. You are simply publishing everything to an audience that consists of everyone.

The spyware parasites themselves are bad enough. But what happens when you use that file-swapping P2P network on the computer that sits at the end point of the company tunnel, the super-secure VPN? Why, everything at the other end of that tunnel, that is, the company server, is published for the world as well! Companies assess risk partly according to the hacking skill level necessary to penetrate, but with this arrangement, why, no skill is required at all! The competition can just come in and help themselves to those departmental budgets.
Are You a Spammer’s Accomplice?
Parasites are planted in your computer for other purposes besides spying. A parasite can also turn your computer into a spam host. Who is sending those volumes of annoying pitches for Viagra and Low Low Mortgage Rates? It could be you!

In the first half of 2003, many in the security and ISP community began to suspect that personal computers were being hijacked and turned into generators of unwanted email. Then in June, MessageLabs, the provider of email management services to corporations around the world, found the proof. According to Britain’s VNUnet,

Spammers are increasingly hijacking home PCs to send junk mail, according to MessageLabs. The managed email service provider claims to have proof of spammers using viruses to plant Trojan malware on PCs to provide remote access. Once the software is installed the PC can be used to send out spam at no cost or risk to the spammer.

"We'd speculated for some time that this may be happening, but it's always been difficult to prove," said Paul Woods, chief information analyst at MessageLabs.

"This activity is hard to spot because spammers only send a few spam mails from each PC to avoid internet service providers realising what is going on.

"The number of unshielded PCs using 'always on' broadband connections has grown, and they are easy pickings for the spammers."
Scant months after that discovery, the public Internet had deteriorated to the point where the phenomenon of home computers turned into zombie hosts was obvious not just to security researchers focused on the subject, but to everyone. By early 2004 a succession of worms began to appear that were not directly very threatening to those infected but that revealed some significant network-building intentions on the part of their authors.

On March 15, 2004 the Phatbot worm appeared, first reported by managed security services provider LURHQ. According to their bulletin,

A kind of Darwinism pervades the world of trojan botnet development. With time, the more effective bots become increasingly popular, leading to additional development from secondary developers who provide "mods" to the bots. One very successful bot known as "Agobot" has now found itself superseded by "Phatbot". Phatbot is actually a direct descendant of Agobot, with additional code rolled in from other sources. These additions have made Phatbot a more versatile and dangerous threat in the realm of Internet security. The analysis that follows attempts to detail the functionality of Phatbot for purposes of detection and elimination.

Phatbot has quite an extensive command list, much of which is derived from Agobot… What sets Phatbot apart from its predecessors is the use of P2P to control the botnet instead of IRC. Although Agobot has a rudimentary P2P system, IRC is still the main control vector. The author(s) of Phatbot chose to abandon Agobot's IRC and P2P implementations altogether and replaced them with code from WASTE… [which] uses an encrypted P2P protocol designed for private messaging and file transfer between a small number of trusted parties… Since there is no central server in the WASTE network, the infected hosts also have to find each other somehow. This is accomplished by utilizing Gnutella cache servers – anyone can use the CGI scripts provided by these servers to register themselves as a Gnutella client. The Phatbot WASTE code registers itself with a list of URLs pretending to be a version of GNUT, a Gnutella client. Other Phatbot hosts then retrieve the list of Gnutella clients from these cache hosts using the same CGI scripts. The Phatbots differentiate themselves from the Gnutella clients by using TCP port 4387 instead of the standard Gnutella port.
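A detection check for the rendezvous behaviour the bulletin describes, as an added example (not from the book or from LURHQ): it scans constructed firewall and proxy log lines for internal hosts that register with a Gnutella cache server as GNUT and also talk outbound on TCP 4387. The key=value log layout and the shape of the cache-server request are assumptions.

```python
"""Flag hosts whose traffic matches the Phatbot rendezvous pattern quoted
above: a Gnutella cache registration as "GNUT" plus peer traffic on TCP 4387.

Added example, not from the book or from LURHQ. The log lines are
constructed; the key=value layout and the cache URL shape are assumptions.
"""
import re
from collections import defaultdict

PHATBOT_P2P_PORT = 4387  # the port named in the LURHQ bulletin

# Constructed sample: firewall and web-proxy records in one key=value log.
SAMPLE_LOG = """\
2004-03-16T10:02:11 fw src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=4387 action=allow
2004-03-16T10:02:15 proxy src=10.0.0.5 url=http://cache.example.net/gwc.cgi?ip=10.0.0.5:4387&client=GNUT
2004-03-16T10:03:40 proxy src=10.0.0.7 url=http://cache.example.net/gwc.cgi?client=GNUT&hostfile=1
2004-03-16T10:04:02 fw src=10.0.0.9 dst=198.51.100.4 proto=tcp dport=443 action=allow
2004-03-16T10:05:19 fw src=10.0.0.5 dst=203.0.113.22 proto=tcp dport=4387 action=allow
2004-03-16T10:06:00 proxy src=10.0.0.9 url=http://www.example.com/index.html
"""

FIREWALL_RE = re.compile(r"\bsrc=(?P<src>\S+) dst=\S+ proto=tcp dport=(?P<dport>\d+)")
PROXY_RE = re.compile(r"\bsrc=(?P<src>\S+) url=(?P<url>\S+)")
# Assumed shape of a cache-server registration: a CGI script asked for with client=GNUT.
CACHE_REG_RE = re.compile(r"/[^?\s]*\.cgi\?(?:\S*&)?client=GNUT\b")

IND_PORT = "tcp/4387 outbound"
IND_CACHE = "gnutella cache registration"


def indicators(lines):
    """Map each internal host to the sorted list of indicators seen for it."""
    seen = defaultdict(set)
    for line in lines:
        m = FIREWALL_RE.search(line)
        if m and int(m.group("dport")) == PHATBOT_P2P_PORT:
            seen[m.group("src")].add(IND_PORT)
            continue
        m = PROXY_RE.search(line)
        if m and CACHE_REG_RE.search(m.group("url")):
            seen[m.group("src")].add(IND_CACHE)
    return {host: sorted(inds) for host, inds in seen.items()}


def suspects(lines):
    """Hosts showing both behaviours. A genuine Gnutella client would use the
    standard Gnutella port, so registration plus port 4387 is the combination
    worth investigating; either indicator alone is only a hint."""
    return sorted(host for host, inds in indicators(lines).items()
                  if IND_PORT in inds and IND_CACHE in inds)


if __name__ == "__main__":
    for host, inds in indicators(SAMPLE_LOG.splitlines()).items():
        print(host, inds)
    print("suspects:", suspects(SAMPLE_LOG.splitlines()))
```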
WASTE was invented by Justin Frankel, who had earlier created the WinAMP music player. In 1999 AOL was attracted to the latter as a means to get their client software onto the music-download bandwagon, and so they purchased Frankel’s company Nullsoft, personally netting Frankel a reported one hundred million dollars. As part of the deal Frankel agreed to stay with AOL until a new version of WinAMP was finished.

Shortly after, AOL shocked the media world by purchasing Time Warner. Having spent time at the intersection of online services and magazine publishing, I know that if AOL’s Steve Case had turned red and sprouted horns and a barbed tail as the ink dried at the closing of that deal, many at Time Warner would have calmly turned to their colleagues muttering “told you so…”

Imagine then the amusement at Warner Music when their new fellow employee Justin Frankel subsequently released the P2P file sharing program Gnutella, powerfully improving upon the Napster idea. When AOLTW brass heard about Gnutella they immediately shut it down – or so they thought. Gnutella is completely P2P, with no central administration. Stephen Hawking and Marvin Minsky would probably consider it to be a form of life. When AOLTW eventually managed to slow the spread of the Gnut client and disrupt the operation of Gnutella, Justin Frankel further entertained his bosses by releasing WASTE, a P2P system where everything is transferred in encrypted form over AOL Instant Messenger and AOL ICQ. Justin Frankel finally left AOL in December 2003, after the company summarily pulled the plug on WASTE. Some bosses just don’t appreciate hard work and creativity.
Spyware planted by piggybacking on existing P2P networks seemed like typical cookie club hijinks when it was first discovered and described. It looked like just another sleazy online marketing-espionage scheme, and it probably was. There’s no reason to believe that there is any organizational connection between those who first introduced these kinds of P2P tools and those who subsequently turned them into spam and spyware facilitators. More importantly, there is nothing that the inventor of these tools can do about their use. Picture a group of inventors and scientists manufacturing and distributing plutonium as a research material before its use in weapons was discovered. Now that the plutonium is out there it’s not possible to bring it back. Gnutella and WASTE have very productive uses – and other uses. They’re apparently being taken to “the next level.”

That next level, which in Quiet Enjoyment we named Arpanet II, appears to be a network on top of the Internet, VPN-style, that seems to be attempting what the first Arpanet accomplished, that is, a network that will survive an attack by an enemy, one that will keep its effectiveness as nodes are taken out.

The enemy in this case is the provider of anti-virus tools, security services vendors, and their customers, e.g. you and me. What’s the goal of the unknown sponsors of Arpanet II? Certainly they have more in mind than a platform for anonymously sending spam and pornography. That’s already been accomplished. No, it’s something else. Perhaps it’s the destruction of the world’s commercial, banking, and government infrastructures. Perhaps it’s complete control over information and communication channels into households. I guess we’ll find out soon enough.

The previously-mentioned Doxdesk provides a good bit of information about the removal of parasites, and is well worth a visit. If you’d rather point-and-click the spyware from your system instead of tinkering with registry keys, Ad-Aware by Lavasoft is the tool to use. (Be sure to tell Ad-Aware to back up before deleting, in case you accidentally throw out things you need.)

As is the case with other infestations, eternal vigilance over spyware is not a sound, long term solution to the problem. As long as the space where we hang out is the “outdoor” Internet, where authentication is a hollow joke tossed around by copywriters to lull users into confidence, the propagators will always be one step ahead of even their most vigilant victims.

If you, like me, are not driven by vigilance, if your notion of fruitful use of the Internet is something other than spending all your time scanning for such garbage, monitoring intrusion detection systems, and tuning your firewall rules, then there is no hope at all.

Until we have InDoor spaces, that is.
Web Bugs
We’re not done with insidiousness. Web bugs are another way for anyone – say some ex-convict working from a small office in a third-world city – to improve the local economic scene by selling information about you to companies that provide hard currency. This story is about an attempt to regulate (ha!) this particular practice of pilfering information about you a few bits at a time:

The Network Advertising Initiative, which comprises some of the internet's leading advertising and ad technology companies, yesterday said it has finalized a set of best practices for the use of web bugs.

Web bugs, aka web beacons, are single-pixel GIF image tags in HTML documents used to track web users. The invisible bugs allow the page owner to measure user activity based on image server logs.

The NAI rules, which represent the industry's attempt to self-regulate, ask companies using these techniques to provide a notice of web bug use that says what the bugs are used for and what data is transferred to third parties.

If the bug can be tied to personal data, such as via a cookie or an email address, and it will be disclosed to third parties, then there needs to be an opt-out for the user, but only when the disclosure is for purposes "unrelated" to the reason the data was collected.

Companies involved in the development of Web bug guidelines include IBM, Microsoft, the US Postal Service, DoubleClick, WebSideStory, Advertising.com, 24/7 RealMedia, Coremetrics, KeyLime Software and Guardent (as of February 2004 a unit of VeriSign.)

Fortunately, Web bugs have been effectively blocked in many popular client programs.
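How a client program can recognise the bugs just described, as an added example (not from the book or from the NAI): the Python below scans an HTML page for third-party image tags that are one pixel in size or hidden by style, and records any identifiers carried in their query strings. The sample page and the host names in it are constructed.

```python
"""Spot likely web bugs (single-pixel or hidden third-party images) in HTML.

Added example, not from the book. A web bug is an <img> whose request goes
to a host other than the page's own and which the reader cannot see; the
query string often carries a user or campaign identifier.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page: a normal logo, a banner, and two tracking images.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="40" alt="logo">
<img src="http://ads.example.net/bug.gif?uid=8a7f&page=home" width="1" height="1">
<img src="https://stats.example.org/px.gif?cid=42" style="display:none">
<img src="http://www.example.com/banner.gif" width="468" height="60">
</body></html>
"""


class WebBugFinder(HTMLParser):
    """Collects <img> tags that are invisible and served by another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname
        if host is None or host == self.page_host:
            return  # first-party image: not a third-party beacon
        width = (a.get("width") or "").strip()
        height = (a.get("height") or "").strip()
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = width in ("0", "1") and height in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if not (tiny or hidden):
            return
        params = parse_qs(urlparse(src).query)
        self.findings.append({
            "host": host,
            "reason": "1x1 image" if tiny else "hidden image",
            "identifiers": sorted(params),  # parameter names sent to the tracker
        })


def find_web_bugs(html, page_host):
    """Return a list of findings for the page served from page_host."""
    finder = WebBugFinder(page_host)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for f in find_web_bugs(SAMPLE_HTML, "www.example.com"):
        print(f)
```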
Harvesting Your Information Residue
Cookies and Parasites aren’t the only source of information about you and where you’ve been and what you do on the Internet. Anonymizer.com notes that

Your IP address uniquely identifies your computer and is normally stored by every Web site you visit. This information can be bought and sold between Web sites and linked to your real world information to create a comprehensive profile of your personal data, including everywhere you surf.

The same site also notes that

In addition to cookies, websites are also allowed to store information in your browser cache. This means even if you delete your cookies, websites can get information back out of your cache. Now that you have seen what we can do with cookies, enter something to remember into the form below and click save. Then delete all your cookies. Then click "Retrieve Info". We will be able to get the value back! You could even close your browser and restart and we will still get the value back! Until you clear your cache, we will have access to the info!

As long as you hang out outdoors, your life is visible to the whole world. Your equivalent in the physical world is the unfortunate family living in cardboard boxes under a bridge in the middle of the city or in the infamous Rocinha hillside favela in Rio.

Is that where you want to be? Doesn’t your family deserve better?
Barbarians at the Gate
Consider for a moment the possibilities of parasite software tools in the hands of unscrupulous mass marketers, thieves, power-hungry megalomaniacs, and other ambitious low life. When you think about what could be done to wreak utter havoc on society, you realize that havoc is as inevitable as was the inevitability of civil disorder in Iraq after the power structure was removed.

Will things get worse? Of course they will! Wherever and whenever society’s ability to enforce laws and keep order breaks down, the worst elements in society come out and claim control of the streets. We are surely headed for another Dark Ages if we keep dealing with these criminals and other dregs as though they were subject to the laws of some geographic jurisdiction, say, the U.S. They are taking over our personal computers. They are having a field day. And they’ve barely begun their exploits. Every misguided idea about controlling them using traditional methods not only leads to failure, it encourages them as they see that they are headed for victory, that is, control of all of our information and communication facilities, which of course implies control over our financial and governance facilities.

Parasites steadily become more effective, especially while our attention is distracted by the spam problem. The Sobig vandals of the first quarter of 2003 turned your computer into a spam host, relaying messages in such a way as to make their origin untraceable. You may have received one of the spam messages from the kidnapped personal computer of some unsuspecting neighbor in the global village, asking whether your computer has been running slow lately and suggesting you click and install their wonderful FREE software to, um, clear out the bad stuff and speed up the computer. What the software does, of course, is install the very parasitic software that slows the computer down as it gets busy with its new spamming chores. P.T. Barnum would have loved it!

Sobig was followed by Migmaf, which propagates in a similar manner but which augments the spamming duties of the zombie PC-turned-server: it adds the machine to a network of relays of pornographic content (I refuse to use the word “adult” in this context) whose origin, again, is completely untraceable.

Have you noticed how prescription drugs are now available without a prescription? As long as the source of a fraudulent prescription is traceable only to the broadband-connected personal computer of some unlucky family, then it’s easily done! Next of course will be illicit drugs. Get ready for mass-marketed Oxycontin. Get ready for a thriving market in personal secrets sold to shady divorce lawyers.

Fortunately Migmaf was not very skilled at getting past firewalls. Perhaps its authors guessed that consumers, who don’t have access to trained security people who can monitor their connections and watch for parasites, are a better target than organizations with the resources to try to track them down and prosecute them, or at least persecute them. That will of course change as the competing parasites saturate the home computer resource, forcing their perpetrators to use any of the many techniques for getting past firewalls. As the Aladdin Content Security Newsletter notes:

Although the scope of this latest infection is relatively small, experts warn that if this new trend continues and gathers momentum it may be harder and harder to stop; the key to tracking down and bringing the hacker to justice is the ability to back trace the culprit's path to the location where the illegal activity originated from. By relaying information on a grand scale some hackers may, eventually, become completely and utterly untraceable.

Will the creators of Trojans like Migmaf become more skilled? Of course they will. Expect to see more stories like the following:
'Trojan horse' hacks into computer and ruins a life

One evening late in 2001, Julian Green's seven-year-old daughter came out of the computer room of their home in Torquay, southern England, and said: "The home page has changed, and it's not very nice."

When Mr Green checked the machine, he found that the family PC seemed almost possessed. The internet home page had somehow been switched so that the computer displayed a child pornography site when the browser software started up. Even if he turned the machine off, it would turn itself back on and dial the internet on its own.

Mr Green called the computer maker and followed instructions to return his PC to a G-rated state. The porn went away, but the computer often crashed and kept connecting to the internet even when "there was no one in the blinking house", he said.

But Mr Green's problems were only beginning. Last October police searched his home and seized his computer. They found no sign of pornography in his home but discovered 172 images of child porn on the computer's hard drive. They arrested Mr Green.

This month Mr Green was acquitted in the Exeter Crown Court after arguing that the material had been gathered without his knowledge by a rogue hacker program created by hackers – a so-called Trojan horse – that had infected his PC, probably during innocent internet surfing. Mr Green, 45, is one of the first to use this defence successfully. …

He was eventually exonerated, but his life has been turned upside down by the accusations. His ex-wife went to court soon after his arrest and gained custody of their youngest child and his house. Mr Green, who is disabled because of a degenerative disc disease, spent nine days in prison and three months in a "bail hostel", or halfway house, and was allowed only supervised visits with his daughter.

"There's some little sicko out there who's doing this," Mr Green said, "and he's ruined my life. I've got to fight to get everything back."

He said he had no clue how the rogue software showed up on his computer. "I never download anything, and as far as I knew, no one had," he said. …

Anti-virus software and programs can ferret out and disable Trojans, but they must be kept up to date to be effective in a fast-changing field. Mr Green had anti-virus software on his computer, but it was outdated.

Things started turning around for Mr Green after the British press wrote about his acquittal, he said. One of the parents from his daughter's school, who hadn't spoken to him since the arrest, began talking to him the other day.

"She must have said, 'Perhaps he's not a pervert after all'," Mr Green said.
The story contains one important inaccuracy: Anti-virus software and programs will not ferret out and disable Trojans that may have been placed by a commercial enterprise. The obstacle is more legal than technical: vendors of anti-virus software are wary of litigation from pornographers and other commercial Trojan-planters who may be able to demonstrate some form of opt-in to get the material. Even if the opt-in was indirect, concealed and gained from misleading offers, legally it counts. Mr. Green may have signed up for a healthcare newsletter and inadvertently consented to receive anything from the newsletter’s partners, and its partners’ partners, and its partners’ second cousins of golfing partners, and their parole officers’ partners…

Commenting on the Green case, David Sklar, coauthor of O'Reilly's PHP Cookbook, notes the possibilities generated by the ability to plant targeted parasites:

It seems that to anyone familiar with the range of nastiness that a Trojan's capabilities encompass, depositing some child porn is a not-unexpected problem. Yet Julian Green fought an uphill battle to use this as a defense.

Good forensic analysis should make it both easy to validate this defense for innocents that are accused as well as to invalidate this defense for actual porn-hounds that are claiming it falsely. In fact, the talk I saw at the eGovOS conference last March by a computer forensics investigator from the Air Force specifically addressed the "Trojan horse defense" as a possibility that they entertain.

The worry on the horizon is, I suppose,… a Trojan horse that is better at camouflaging itself than the investigator is at finding it. When… when combined with a targeted attack instead of random infection from a sketchy web site, this… would certainly make the accused's pleas of "I'm innocent!" seem hollow. Child porn is good for discrediting political or business opponents; classified information for framing a government enemy; one criminal could use documents about entering the witness protection program to put false suspicion on another criminal; the list goes on.…

Getting past a firewall is trivial if the Trojan is in an attachment to an email that uses advanced social engineering techniques. Even recipients who are trained and disciplined to open attachments only from trusted sources will see an acquaintance’s email address in the “from” line of messages using those techniques.

Other new Trojan techniques don’t depend upon email at all. “Silver threading” is a sophisticated technique that inserts malicious code into normal application software. As we noted in Chapter 4, the significant competition in virus development kits means that anyone can take advantage of such techniques. Significantly, when those kits were first developed there was no economic motive involved. No one had figured out how to make money with viruses; they were propagated only for sport. That was sufficient for what must have been some fairly dedicated development efforts, but now the spyware industry brings money to the table. Now your Trojans can be an army of dedicated employees, working around the clock for your clients in the fields of “legitimate” target marketing, pornography, international sex slavery, drugs, blackmail, “legal research” and terrorism. What a remarkable business model! Identity is the Foundation of Security. None of the computer security profession’s existing products and approaches can do a thing to combat the next wave of parasitic software. Not even the eternal-vigilance approach of the top notch managed security services providers, applied assiduously, will be able to stop this, or even slow it down.

It’s suggested that we limit all applications and system software to code that is digitally signed. (If you’re not acquainted with digital signatures we will cover that in Part 3). Great idea – but who signs the code? Microsoft has had its executable code released to the public with digital signatures of impostors. As code signing becomes more and more commonplace, so will the opportunities for those with malice in mind to slip into the system and sign another company’s code. A small contract software development company might take some money on the side for slipping in a parasite or two that will do something on behalf of someone other than the main client.

Identity is the Foundation of Security. Identity does not mean the identity of the company, or the job title of whoever happens to have responsibility for a company’s code integrity at some random point in time. That company’s trucks are operated by drivers whose licenses identify the employee who is responsible for the safe operation of the vehicle. The job description and department are extraneous to the license certificate. Identity means the irrefutable, authoritative identity of an individual human being.
Phishing for Dollars

The following message appeared in millions of mailboxes in early 2004:
To whom it may concern;

In cooperation with the Department Of Homeland Security, Federal, State and Local Governments your account has been denied insurance from the Federal Deposit Insurance Corporation due to suspected violations of the Patriot Act. While we have only a limited amount of evidence gathered on your account at this time it is enough to suspect that currency violations may have occurred in your account and due to this activity we have withdrawn Federal Deposit Insurance on your account until we verify that your account has not been used in a violation of the Patriot Act.

As a result Department of Homeland Security Director Tom Ridge has advised the Federal Deposit Insurance Corporation to suspend all deposit insurance on your account until such time as we can verify your identity and your account information.

Please verify through our IDVerify below. This information will be checked against a federal government database for identity verification. This only takes up to a minute and when we have verified your identity you will be notified of said verification and all suspensions of insurance on your account will be lifted.

http://www.fdic.gov/idverify/cgi-bin/index.htm

Failure to use IDVerify below will cause all insurance for your account to be terminated and all records of your account history will be sent to the Federal Bureau of Investigation in Washington D.C. for analysis and verification. Failure to provide proper identity may also result in a visit from Local, State or Federal Government or Homeland Security Officials.

Thank you for your time and consideration in this matter.

Donald E. Powell
Chairman Emeritus FDIC

John D. Hawke, Jr.
Comptroller of the Currency

Michael E. Bartell
Chief Information Officer
All parts of the message look legitimate, including the Web address (URL) for the Federal Deposit Insurance Corporation. The request itself seems a bit odd, however, so you look up the advice of the security experts, who tell us to examine carefully the address that appears in the browser window that opens when we click on the address in the message. Clicking on the address in the message, you carefully examine the address that appears in the Explorer browser’s address window. Sure enough, it is www.fdic.gov, the legitimate, valid address of the Federal Deposit Insurance Corporation’s website. Feeling confident that you have protected yourself by observing the directions of the security experts, you go ahead and fill in the FDIC form, providing the information requested.

But the site is a fake! You’re giving your confidential banking information to a bunch of thieves!

How did that happen?

The site was built by simply copying the site files from www.fdic.gov, modifying them to include a form where you enter your name, bank account number, social security number, address, phone number, and any other details that the thieves might find useful, and then planting the modified files on a server that has nothing to do with the FDIC’s servers.

Phishing is the odd name for one of the more effective techniques for committing fraud by means of social engineering. And a “vulnerability” in Windows Explorer makes it oh so easy. “Vulnerability” is in quotes because this particular idiosyncrasy was built into Explorer ostensibly to allow a username and password to be passed to a site through an invisible part of the URL in a kind of poor man’s single sign-on (SSO) scheme.

That particular “feature” of Explorer was well known. But as a perceptive vulnerability hunter known as Zap the Dingbat discovered in the last days of 2003:
By
opening a specially crafted URL an attacker can
open a page that appears to be from a different domain from the current
location… By opening a window using the http://user@domain
nomenclature an
attacker can hide the real location of the page by including a non
printing
character (%01) before the "@". Internet Explorer doesn't display the
rest of the URL making the page appear to be at a different domain.
Why
does Explorer behave this way when a nonprinting
character precedes the “@” in this special-case
URL? Is it a genuine bug or is
it a means to some purpose that we outside the Microsoft network of
“partners”
(as East Germany
was a
“partner” of the Soviet
Union) can only
imagine? Did someone in the Microsoft axis feel it would be useful to
bring
users to addresses that are not what they appear to be? Did they want
to
conceal their scheme for conveying state information via
“legitimate” URLs – a
legal but thoroughly manipulative version of the practice of phishing?
Who
knows. They never disclose these things, just as so many error messages
never
disclose the condition that made them appear. Microsoft is more than a
company;
it’s a bundle of hidden entangling alliances, with terms
always dictated by
Microsoft. We’ll never know what they’re doing with
that lens through which
passes an ever-increasing portion of our information and
communications.
“Features” we’re not told about, because
they benefit partners instead of us
hapless users, turn into vulnerabilities. We’re all darkies
on Microsoft’s
plantation.
And
so we have a steady stream of vulnerabilities, the
latest of which – the clever little SSO-implementer built
into Microsoft’s
Internet Explorer – carries the flaw that makes it so much
easier for thieves
using phishing techniques to steal your money. That little trick with
the @
sign in the URL, it turns out, was a bad idea. Worse, the
vulnerabilities it
introduces turn out to be difficult to fix, like those from other
Windows
design decisions. The window through which most of the world sees the
Internet
turns out to be a big vulnerability. What to do?
Regardless
of the difficulty, vulnerabilities, once
announced, must be fixed quickly. Certainly one expects a company as
exposed as
Microsoft and with the financial resources of Microsoft to respond very
promptly. But in
mid-January of 2004,
users were still waiting, as illustrated
in this story:
On
a Microsoft security Webcast held Wednesday,
participants were more interested in the whereabouts of a patch for a
known
Internet Explorer spoofing vulnerability than they were in the three
new
security bulletins that Microsoft released on Tuesday.
During the Webcast, Jeff
Jones, senior director of Microsoft's Trustworthy Computing initiative,
told
participants that Microsoft has been working on the IE patch since
before
Christmas, and it is done. But the testing is not completed for all the
various
versions of IE for different platforms and in all of the languages
supported by
Microsoft, he said.
By
Microsoft Longhorn evangelist Robert Scoble's
count, there are more than 400 different IE iterations that need
testing.
Once
that happens, even if it's sooner than
Microsoft's next slated security-bulletin release slated for Feb. 10,
Microsoft
will roll out the IE patch separately, Jones said.
A
patch could come none too soon. Security experts say
that they have seen a spike in phishing attacks after a December
security
bulletin revealed the IE spoofing exploit.
What
does the world do when half a billion people
depend upon one window through which to view the whole world, and the
view
through that window is distorted and manipulated by the action of all
sorts of
hidden agendas?
We
could just live with it. We could all live with the
fact that our perceptions are perpetually influenced by one enterprise
and
those of its partners who have paid its asking price to get their
particular
astigmatisms added to the lens.
Commercial
enterprises do things this way. Don’t get me
wrong – I’m an entrepreneur. I’m not one
of those who from a comfortably funded
perch rails against the evils of the profit motive. But being an
entrepreneur,
I know what enterprises do: they manipulate perceptions in order to
build
dependencies. (We’re all drug dealers, of a sort.) Today, the
window through
which the world gets its information and communication is provided by
one
commercial enterprise. This is such a bad idea.
Some
things that make software vulnerable:
- Complexity
- Undocumented
features serving unpublished
agendas
- Closed
code
- Certain
link-on-the-fly approaches to software
design
The
software that provides the window through which the
world gets its information and communication could be much simpler and
still
provide all the functionality that we expect. It could be made to
adhere to
standards such as those published by the W3C. Its code could be open to
public
scrutiny.
Furthermore,
the window itself should be an integral
part of the operating system. The irony of that fact will be
appreciated when
we recall that was exactly the point on which the U.S. Justice
Department made
its antitrust case against Microsoft. Of all the charges that could
have been
brought against Microsoft for abuse of monopoly power, the government
chose to
accuse them of making progress in software design. Of
course the operating system and the browser should be tightly
integrated. Of course our
information
window should present things and act on our behalf with as little
clutter and
as few moving parts and “gotchas” as possible.
Microsoft
was absolutely right to try to combine the
browser and operating system. For that matter all the standard
applications –
word processor, spreadsheet, slide presentation software, database
management
system with contacts, email, calendar, personal finance including bank
account
links, simple general ledger and journals, document sharing and
realtime
collaboration, audio and video players including streaming media,
publishing
tools, basic programming tools – ought to be included also.
That would give
commercial software vendors a standard platform upon which to add value
by
providing templates and add-ons and specialized software for
specialized
industries.
With
the new desktop platform and its PDA variants,
there would never be a reason to introduce an incompatible file format.
Anyone
anywhere should be able to open a file sent by anyone anywhere. In
contrast
with current software that tends to provide no diagnostic information
in error
messages (thus maintaining your dependence on a channel
partner’s certified
technicians) it should tell you when asked exactly what it’s
doing and what is
preventing it from doing what it should be doing. Log files should be
conveniently accessible by the user.
Its
code should be available to and subject to the
scrutiny of anyone who cares to scrutinize it. It should be regularly
compiled
from sources by independent local groups in cities and towns around the
world,
just to ensure that no one is sneaking in undocumented
“features.” New features
and standards should be the subject of worldwide debate.
Just
as important as what should be in this common
software package is what should not be in it. It should not have
commercial
agendas, hidden or otherwise. The software should not be something
steering you
this way and that. It should be like a roadway, accessible to any
licensed
driver responsibly driving a legal vehicle, without trying to influence
where
the driver goes and what he does.
Hmm,
licensed driver. Here we are again, back to Identity
Is The Foundation Of Security.
If we could identify the “driver” who is operating
his vehicle in an
irresponsible manner, then we would have an additional measure of
protection.
To use the example at hand, we should know who is attempting to subvert
the
URL-masking features of the browser.
But
if we’re going to identify the drivers of the data
vehicles on the information highway, we had better have a really sound
means of
protecting their privacy. There needs to be a real process in place,
where the
default condition is that information is not released to anyone.
Who
is going to do all this? What commercial enterprise
will dispense with the whole license-based software business model and
simply
distribute to the public, free of charge, software that today generates
perhaps
a hundred billion dollars of revenue every year for the software
industry?
Will
the open source community provide the package?
Certainly the open source people seem to be on this path. And yes, the
product
itself must be open source, so that we can all know what it is doing.
Literally, the software will originate with the open source community.
The
open source community is necessary, but it is not
sufficient. In addition to that which is provided by the open source
community,
we will need two important components that it does not provide:
authority and
economics.
Authority
is necessary because we are talking about a
governed public platform. Only an entity with authority can govern.
Often there
is even less compatibility among open source software products than
among
commercial software products, where incompatibility has always been a
weapon to
be wielded against rivals. The authority that comes with duly elected
governance processes can make and enforce the kinds of decisions that
need to
be made. Furthermore, if Identity Is The Foundation Of Security, then
we will
see as we study public key infrastructure that not only is a
certification
authority necessary, but the authority
of a certification authority has to be real.
Economics
is necessary because, well, open source
people need to eat. Traditional open source efforts seem either to turn
commercial or wither on the vine. When they turn commercial they turn
manipulative,
repeating the sins that they had just accused their commercial
counterparts of.
When they wither they provide ammunition for the commercial enterprises
that
lecture customers about the unreliability of open source software.
The
source code for the software that provides that
window should not only be published for all the world to see; it should
be
owned by an organization with a charter like those of the ITU or the
UPU, which
are accountable to member governments, or the ISO, which is accountable
to
nonprofit national standards-making organizations. (The ITU and UPU,
being
affiliated with the UN, are able to invoke governmental authority,
which can be
an important ingredient in resolving differences among competing
standards from
rival standards bodies.)
Later,
when we introduce the Real Estate Professional
Infrastructure, we will see that we can import the business model of
the real
estate professions – architecture, construction and property
management – to
provide a reliable source of income to those who design, build and
maintain
facilities based upon the new platform to clients.
Now
we have a sketch of a platform that can handily
solve the problems that the hidden-URL feature dropped in our lap.
Will it happen? Seems like a lot to expect, doesn’t it?
On the other hand, how many more worm attacks, how many increasingly
sophisticated phishing expeditions, how many emptied bank accounts will
it take
before large numbers of people start realizing that the emperor is
naked? At
some point, large numbers of users – including the courts,
governments,
information technology departments, simply a large subset of everybody
– will
get behind a new idea: the public, in the form of an ITU-like
organization,
should provide a secure, open-standards platform for all to use. Since
things
are not going to improve without this kind of change, I feel the change
is
inevitable.
For
now, the software that presents the window through
which half a billion people see the world is proprietary, built from
secret
code, embodying unpublished features and facilities disclosed only to
developers who have signed nondisclosure agreements.
In
response, Microsoft and others come up with patches
and workarounds. Let’s take a look at one, explained
on February 3, 2004 by John McCormick:
Facing
loud criticisms about the vulnerabilities in
Internet Explorer and Windows Explorer, Microsoft has released a major
patch
that affects the way browsers interpret URLs. This article will help
you
determine whether these changes might affect your development
environment.
No more @ signs in URLs
IE's
default behavior for handling http and https URLs
in the address line has led to serious vulnerabilities known as URL
spoofing.
This is when a malicious Web site could appear to have another URL,
tricking
users into downloading malware or sharing personal information such as
passwords.
Microsoft's
fix involves the elimination of URLs
containing the @ character, such as:
http(s)://username:password@server/resource.ext
After
you apply the patch, if user information is
included in an http or an https URL, a Web page with the title "Invalid
syntax error" appears by default.
Workarounds
Microsoft
provides Web and application developers with
workarounds to this patch. For URLs that are opened by objects calling
WinInet
or Urlmon functions, use the InternetSetOption function and include the
following option flags:
INTERNET_OPTION_USERNAME
INTERNET_OPTION_PASSWORD
And,
instead of the InternetOpenURL function, use the
IAuthenticate Interface.
For
URLs opened by a script using credentials for
state management, start using cookies. (MSDN offers details on how to
use HTTP
cookies with Visual Basic in an ASP.NET program.)
Once
you install the update in IE, altering registry
values will let you apply the new behavior to other programs or to
disable the
feature in IE. (Note: Editing the registry is risky, so be sure you
have a
verified backup before saving any changes.)
Developers
who work with Web sites that include the @
symbol in legitimate URLs will need to make some changes when Microsoft
users
apply the IE patch. The Knowledge Base article 834489 contains
preliminary
information, and Microsoft says it plans to add to the article as more
information becomes available. But, for now, the Knowledge Base article
should
give you an opportunity to begin altering existing applications or Web
sites
and to avoid using the soon-to-be-invalid URL strings in any current
projects.
Although
these changes aren't a direct response to
MyDoom and other worms that have made headlines lately, they do
represent a
major change in the way IE and Windows Explorer will work and in the
level of
security they provide. It's unfortunate but understandable that
combating such
a major threat will require some developers to alter existing programs
to
conform to the new syntax restrictions.
This
workaround is provided by software professionals
and explained by a software professional. You may take comfort in the
thought
that “I am not a software professional; those guys know
better than I what to
do about the problem and so I will accept their solution.”
But
let’s suspend that thought for a moment and look at
just what we know about the problem and our untutored impression of the
viability of the solution. Ask yourself: will this work? Does this have
the
look and feel of a long-lasting fix to the problem? Circle your answer.
No: My malicious hamster could get around that fix.
Yes: I defer to the judgment of those who are so close to the problem that they can’t see its dimensions.
You’ve
just got to do something about that hamster. It
seems he knocked this one off in one day:
A patch Microsoft Corp.
released on Monday for a dangerous Internet Explorer vulnerability that
lets
attackers trick Internet users into visiting malicious sites doesn't
completely
fix the problem…
The MS04-004 patch addresses
[the malformed-url] bug, but not a related problem. If the user visits
a Web
page containing such a malformed link and hovers the mouse over the
link or
selects it by tabbing through links in the page, the patched version of
Internet Explorer will display the partial URL in the status bar.
For example, take the link:
"www.paypal.com%00%01@security.eweek.com." On an unpatched copy of
Internet Explorer, clicking the link will open a new window and bring
the
browser to security.eweek.com, the eWEEK.com Security Topic Center. On
a patched copy
of IE the browser will go to an error page indicating illegal syntax.
Still, on
either version of IE, if you hover over the link on this page, the
status bar
will display www.paypal.com.
Ironically, the cumulative
patch also fixed another bug in a different IE cumulative update from
last
year. That cumulative patch addressed several security issues in
Internet
Explorer, but also introduced bugs in the behavior of the IE scrollbar.
The new
patch fixes these bugs.
And
then the story closes with this wonderful bit of
irony that could only come from this never-never land of preposterously
Byzantine software that we all depend upon:
Editor's Note: This story
was updated to remove an example of a malformed link. The code caused
some
antivirus software and patched versions of IE to report illegal coding.
Back
to the original January 15, 2004 story, for a closing note about the
obvious:
While it is important for
Microsoft to issue a fix, Maier [Dan Maier, the director of marketing
for the
Anti-Phishing Working Group] said, a security patch alone won't solve
the
problem. A majority of consumers are unlikely to immediately update
their
versions of IE with the patch, leaving them open to spoofing.
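The hover-versus-destination gap the eWEEK story describes, and the user@host trick from the Zap the Dingbat report earlier in this chapter, are easy to check for mechanically. The following Python is an added example, not code from the book or from Microsoft's patch: it splits a link the way RFC 3986 does, reports the host the browser would actually connect to, flags userinfo that is shaped like a host name or carries non-printing characters, and hands a status bar the real host to display. Apart from the paypal/eweek link quoted above, the sample links are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# C0 control characters plus DEL. The %01 in the Zap the Dingbat report
# decodes to one of these, and an older IE stopped rendering the URL there.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# A userinfo "name" that is itself shaped like a host name is the spoofing tell.
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

# Constructed sample links; the paypal/eweek one is the shape quoted in the
# eWEEK story above, the others are invented for this example.
SAMPLE_LINKS = [
    "http://www.fdic.gov/idverify/cgi-bin/index.htm",
    "http://www.paypal.com%00%01@security.eweek.com/",
    "http://user:secret@intranet.example/report",
    "https://www.example.com/login?next=%2Fhome",
    "ftp://files.example/pub/readme.txt",
]


def analyze_link(url):
    """Say where an http(s) link really goes and whether its userinfo part
    could pass for the host in an address bar or status bar."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return {"url": url, "real_host": parts.hostname or "", "verdict": "not-http"}
    # RFC 3986: userinfo is everything before the LAST "@" in the authority,
    # so the host the browser connects to is the part after that "@".
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        userinfo, hostport = "", parts.netloc
    real_host = hostport.split(":", 1)[0].lower()
    decoded_userinfo = unquote(userinfo)
    # The "username" portion is what the unpatched browser showed the user.
    shown_name = unquote(userinfo.split(":", 1)[0])
    stripped = CONTROL_CHARS.sub("", shown_name).lower()
    result = {
        "url": url,
        "real_host": real_host,
        "userinfo_present": bool(at),
        "hidden_control_chars": bool(CONTROL_CHARS.search(decoded_userinfo)),
        "userinfo_looks_like_host": bool(at) and bool(HOSTLIKE.match(stripped)),
    }
    if not at:
        result["verdict"] = "ok"
    elif result["userinfo_looks_like_host"] or result["hidden_control_chars"]:
        result["verdict"] = "spoof-suspect"
    else:
        # Plain credentials in the URL: rejected too, as the MS04-004 patch does.
        result["verdict"] = "userinfo-reject"
    return result


def status_bar_text(url):
    """What a hover tooltip or status bar should show: the real host, which
    closes the gap where patched IE still displayed the userinfo part."""
    return analyze_link(url)["real_host"]


def triage(urls):
    """Map each link to its verdict, as a mail gateway or link checker would."""
    return {url: analyze_link(url)["verdict"] for url in urls}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        info = analyze_link(link)
        print(f"{info['verdict']:16} host={info['real_host']:22} {link}")
```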
Notice
to users of popular desktop software: abandon
hope, all ye who enter here. Just look at the chaos that is implicit in
these
reports. This stuff is falling apart!
But
we’re being too hard on Microsoft in order to make
a point. Phishing would probably be a thriving form of fraud even
without the
Explorer vulnerability. Like all the other forms of predatory behavior
on
today’s Internet, phishing is enabled more by anonymity than
by any particular
software vulnerability.
By
now you probably can guess the QEI solution to the
problem. If the original message is not signed by a properly
authenticated
individual, your mail program can be configured to automatically dump
it into
the trash. Even if you have not so configured your mail program, you
can
readily consider any messages that are unsigned or signed by some
easily-spoofed identity to be suspect.
Until
message-signing becomes commonplace, the phishing
problem will be with us. A new approach called SmartMarks presents an
image that
is unique to each user on a site or in a mail message. When you see
your own
SmartMark on a site you can be quite sure that it’s
authentic, as there would
be no way for an impostor to know your SmartMark image without some
fancy
man-in-the-middle engineering.
Phony Security Harms You
Phony
privacy makes it possible for nosy,
avaricious – but legitimate – organizations to
manipulate your perceptions and
thereby manipulate your life. That’s pretty bad. But
it’s nowhere near as bad
as what’s in store for you and me as we enter the age of
ubiquitous high-speed
Internet access to the home. That’s because the people who
will take advantage
of your new vulnerabilities are individuals and gangs with no legal
form of
organization. Unlike a corporation or other chartered organization that
runs
the risk of penalties and even dissolution if their activity is
sufficiently
antisocial to incur the displeasure of regulatory bodies, these are
gangs and
individual sociopaths with nothing whatsoever to lose.
Here’s
an article from Joe Connolly’s Networking
Newsletter that illustrates why things are going to get worse:
Recent
estimates project that the number of installed
cable modems will grow to nearly one million by year end, and that the
number
of installed DSL circuits
may also be close to a quarter of a
million by year-end, more than double the size of last year’s
installed base.
The good news is that the high-speed on-ramp to the Internet that
we’ve all
been hoping for is well into the initial stages of construction. And
for the
first time in network history, telecommuters are experiencing a level
of
network performance that rivals what they get at the office.
One
potential nightmare is the fact that these same
high-speed pipes that bring the office into the living room can also
serve as a
conduit for a hacker community whose sole mission in life
is to make yours
miserable. For example, many cable modem services
are implemented as one- or two-megabit shared channels that can support
up to
32 simultaneous users. This means that it’s extremely easy
for someone to pick
up the Dynamic Host Configuration Protocol-assigned
address for your workstation and launch their attacks over the same
channel
that you’re using to get your work done.
New
network viruses, such as Sub-seven Trojan and
Back Orifice, are particularly nasty
because, unlike the recent Melissa and
Chernobyl viruses,
these variants can transfer remote
control of a user’s PC over to a party who has anything but
the best of
intentions. And the even worse news is that some of these viruses can
even
escape initial detection by most of the popular anti-virus packages. This scenario does
not change even
for those users who are tunneled into a corporate network, because the
corporate firewall is
no defense against this type of localized
attack.
This
scenario creates the need for a whole new type of
product – the personal firewall.
The personal firewall is a product whose mission in life is to offer a
level of
protection that is comparable to what would be provided by a corporate
firewall, but at a personal class of price. Enter Network ICE, a
relatively new player
formed by some seasoned Network General veterans. Network ICE recently
announced a suite of products that combine secure agent-based
protection at the
end station together with a centralized monitor that can cooperate with
individual agents to rapidly detect multi-station attacks.
Once
installed, the end-station agent, called Black
ICE, activates its network
analysis logic to detect and block PCs and servers from a number of
known
hacking techniques (knowledge of over 200 techniques is supported initially).
An extremely useful feature of Black ICE is that it will alert the user
when
any break-in attempts occur and will also identify intruders by domain
name and
Internet address. Thus, a more timely notification of attacks using
Sub-seven
Trojan and Back
Orifice can be
obtained.
Joe
Connolly, the author of that article, is an
acquaintance of mine. The following remark could be addressed in
person, but
this subject really is best suited to public debate: Joe, electronic
countermeasures
just don’t work!
Recall
the incident in July 1999, when Microsoft began
letting users of its MSN and Hotmail
send messages to people using AOL’s proprietary instant
messaging software. Within hours AOL had installed blocking software.
Scant
hours after that, Microsoft released a workaround that let its users
get around
AOL’s blockage. AOL responded
with new blocks, and so on for about
a dozen iterations.
Joe
writes about business networking issues for a
business audience. That’s why the headline and the message of
the article talk
about telecommuters. Such gaping holes may interfere with
peoples’ ability to
do their job from home. It is not Joe’s job to concern his readers with the fact that as more and more of their life is managed from files on their home computers, cable modems and DSL make people like you and me horribly vulnerable in ways we must consider right now.
We’ve
talked about the hazard of children innocently
disclosing information about their lives to strangers masquerading as
their
peers, or strangers whose intentions are unwholesome. But consider for
a moment
the inevitability of online registration for activities for young
people. Let’s
say it’s done intelligently. Such registration takes place
over secure,
encrypted forms. If the information about your child’s
identity and location
and schedule is intercepted on
its way to the Brownie Scout server, it can’t be interpreted.
Encryption makes
it unreadable.
But
wait, what about the information on your own
computer at home? Shall you have a household rule that nobody keeps any
personal information about themselves and their whereabouts in the
computer?
That’s thoroughly impossible. Just the information about when
files were
created and edited can tell someone a lot about who tends to be at home
at what
time.
You
see, the term “server,” like so many technology
nouns that we hope so fervently mean something distinct and clear, is
actually
a vague concept. If your home computer is online in such a way that
someone may
retrieve information from it, then it is a server. Practically every
computer
at some moment is a server. Every computer on a cable or DSL line is definitely a server
unless specific
steps are taken to prevent it from being a server. That means your
computer at
home is ready and willing to serve up its information to any of the
half
billion people on the Net, unless you have taken steps to prevent it.
Footprints in the Snow
Later
in this book we’ll be taking a look at
some new technology that is designed to enable you to protect
– strongly protect
– your privacy. Part of
that technology could involve a device that reads information on a
driver’s
license. In researching that device, however, I learned that privacy
advocates
have sponsored legislation to make it illegal in two states. The
encroachment
on privacy never ends, and so it’s understandable that the
watchdogs would
attack such an obvious PII machine.
The protection impulse says, “Don’t
just stand there, do
something.”
Prevent the obvious info grabbing, the kind that goes on in broad
daylight. The
driver’s license has a unique identifier on it, the social
security number or
other unique identifier. One can build a database with that basic piece
of PII.
This
approach assumes that by preventing access to the
unique government-issued identifier called social security number, or
its
equivalent, information about an individual cannot be collected in one
central
place. This is not only untrue, it is dangerous, and it leads to the
false
sense that protecting a certain kind of information materially thwarts
privacy
encroachment. It does not. In fact, every time you use your credit card
you are
registering information that is more meaningful than anything found on
your
driver’s license. With database technology, a single unique
identifier is
unnecessary to effectively aggregate information about an individual.
What
does it take to figure out where a person is going
from these “footprints in the snow”? You
needn’t scientifically match every
footprint with a piece of information that uniquely identifies that
individual
among all six billion people on Earth. If you have information of any
sort
about the identity of
the person who made one of the footprints,
and it is evident that the same person made all of the prints, then you
can
start drawing conclusions. If you have thousands of footprints that you
can
reasonably assume were made by the same individual, there is absolutely
no need
to link them using a number that some government has assigned to that
person.
Let’s illustrate another way. Suppose you had a seat
high in an office tower with a panoramic view of people and activities
below.
In your hands is a laser tag gun with a very special property: it can
“brand”
its targets – people below – without their
knowledge, leaving a mark which can
later be read by a corresponding piece of special equipment, a
receiver, from
any distance, even if the subject is not in view.
The
user of such equipment could automatically collect
information on the location of any person tagged at any time, and
compile a
record of that person’s detailed activity over a lifetime.
But he could never
learn any identifying information ever assigned to any of his targets
– in
other words, he could never learn their names, let alone their social
security
numbers nor their credit card numbers, bank account numbers, badge
numbers,
etc. But the lack of assigned identifying information would not inhibit
the
tracking activity in any way. Knowledge of social security number might
not be
worth the cost of the disk space to store those nine digits.
Physical
tracking devices are rare, but in the world of
information we leave our personal trails in a multitude of ways.
Cookies are
only one of the many sources of crumbs and tags with which we leave our
trail.
The social security number’s chief value to the cookie clubs is that it misdirects
the privacy
advocate’s attention to the visible and obvious, allowing the
pickpocket to
deftly, imperceptibly and continually grab the unobvious small
information
assets from the victim.
Magicians
and performing pickpockets are fascinating to
watch. Have you ever been part of the audience that watches a
performing
pickpocket remove a victim’s wallet, watch, belt, and jewelry
–
without the victim having a clue?
Guess
what – it’s happening to you right now. With your
present attire, you’re no match for a good pickpocket. You
need to wear
“clothing” that thwarts the pickpocket. Forget your
social security number.
It’s a distraction.
Now
what if you were to grab that driver’s license from
the encroacher and put it to use for yourself, in the same way a
general seizes
an enemy’s artillery and uses it against them? What if you
were to assume
control of the pieces of information about yourself? Would it not be
natural
for you to manage this information yourself?
Mind Control
There
is an interesting aspect to the privacy issue
that never seems to get covered: What happens when the encroachers are
successful? The result is more than a loss of privacy. It is a loss of
control,
the significance of which is difficult to overestimate. The loss of
control
takes place through the operation of a principle that you’ve
seen illustrated
in spy movies and police detective dramas. At some point in the plot
the good
guy uses the line, “to catch the [bad guys] we have to think
like them. First,
we have to know everything there is to know about them,” at
which point the ace
detective or master counterintelligence agent assigns
information-gathering
tasks to all present.
“Account Control” and the FUD Factor
The
business corollary to the
think-like-your-enemy principle is “To totally control this
client you have to
think like this client.” Hence the sales manager’s
rallying cry to his or her
troops working at the client site: gather detailed information about
everybody
who makes or influences decisions.
I observed firsthand how this happens when I worked at a fairly large insurance company in the 1970s. I helped design software systems and wrote programs that ran on the company’s (physically) big IBM computer. I got to see up close how IBM exercised what they benignly call “account control.”
Account control means identifying every human being in the organization who makes or influences any decisions about the use of technology and learning everything there is to know about that person. IBM made it their business to know not just the usual who-reports-to-whom-and-what-are-his-kids’-names type of information. Any good sales rep does that. IBM, by contrast, would follow every footstep of the selected individuals. They would watch and know – how they felt about computers, how they dealt with people, what they were up to – that is, where did they want to go in the organization – whom they had lunch with, whom they hung out with, and on and on.
After IBM studied their targeted individuals as a biologist studies a specimen, they would sort them into two overall groups: (1) those who were most likely to do as told and (2) those who were more likely to question things, mention competitors, and bring significant information to meetings other than what they got from IBM. Then they would introduce the FUD factor. Anyone who has ever dealt with IBM has heard that term. FUD stands for Fear, Uncertainty, Doubt.
IBM would keep the first group informed about new products, case studies, techniques, and so forth. The second group would be treated courteously but fed old or irrelevant information. When it came time to make big, costly decisions about computer upgrades, the boss would hear from this contingent of radicals talking about alternatives that were much better for a fraction of the cost. But they seemed to be so, well, uninformed. How confusing. Fraught with fear, uncertainty, and doubt, the boss became the victim of view control and would invariably stick with the known entity, IBM. The result of IBM’s special brand of surveillance and perception control was that IBM practically ran the company. I saw the same phenomenon repeated many times a couple of years later when my new job had me working with people at other IBM customer companies.
Before the insurance company experience, I saw the FUD approach manifested in a clever and amusing way in the Air Force. IBM’s big line printers used a punched paper tape to control page skips. A very simple-looking manual paper punch was used to punch precise rectangular holes in the loop of paper. If you had been selected by IBM and your superiors to be in on the IBM meetings, you learned that the operation of the paper punch was totally counterintuitive. The natural thing to do was to push the front of the punch, which wouldn’t have worked. The IBM-trained cognoscenti knew that, contrary to common sense, you had to push down on the back of the punch to make the front of the punch put a hole in the paper. One group of easily influenced individuals would be let in on the secret of the punch, while another, less pliable group was not.
During onsite training on a programming topic, the IBM representative would offhandedly ask one of those who “happened” to be uninformed to punch a hole in a particular spot on the tape while he continued with his talk. As he struggled in the background to perform the seemingly simple act of punching a hole in a piece of paper, the whole group inevitably started chuckling at the ineptitude of the victim. This would cause the IBM rep to turn around, “notice” the problem, and ask one of those who had been informed about the punch to help the victim. The message was simultaneously obvious and subtle: if you play ball with IBM you will know what’s going on around here. If you don’t, we will make a buffoon out of you.
Another FUD campaign was much more public. Some may recall that the familiar twenty-five-pin connector was synonymous with “serial” – the standard RS232 serial communications protocol for modems and other peripherals. Printing devices typically used a very different-looking (“Centronics”) parallel connector at both ends of a cable like the one still used at the printer end today.
All of a sudden the IBM Personal Computer arrived on the scene, with a very confusing printer connection. What was apparently a serial connector was really a parallel connector. Engineers recognize this sort of thing as a classic example of a choice that is certain to cause confusion, i.e., a very bad design choice. But it all depends on what you are trying to accomplish. If your goal is to discredit all the old geeks, what better way than to leave them fumbling around in front of the client, unable to connect a simple printer? The client politely turns to someone who has been properly “trained” by IBM in the way these new personal computers really work.
What has all this got to do with privacy? Very simply, if I know enough about you and I have access to your perceptions, I can control you. Few people want to believe that. And in the past, “knowing enough about you” meant knowing about you as a demographic statistic. “Having access to your perceptions” meant being able to buy commercials on TV shows that your demographic group likes to watch. “Controlling you” meant influencing the brand of peanut butter you bought or the candidate you voted for.
That is all changing. If you are not now targeted as an individual, you soon will be.
If you believe you are too smart, too wary, too in control to be manipulated by a robot, then you are the most vulnerable of all. I, the author who writes this, instinctively want to reject this notion. I want to believe that I can filter my own perceptions, that I can remain in control of my opinions and choices – certainly in the face of some mindless robot. But as I look analytically at the way some of these things work, I realize that I cannot rationally make that claim.
Captology
Captology. If that is a real word, surely it was coined by some conspiracy theorist.
How about the Persuasive Technology Lab? Surely that cannot be what it sounds like, and surely it does not exist in any really credible environment. It must be another artifact of some overly imaginative paranoid with too much time on his hands, this year’s version of the Trilateral Commission or the Club of Rome, no?
No.
Allow me to introduce that most highly respected and admired pillar of academe, Stanford University, and its Persuasive Technology Laboratory. As the name implies, the Persuasive Technology Lab develops machines and programs that get you to do things you otherwise wouldn’t do. And the term they have coined for their field of study is… you guessed it, Captology. Check it out. From their website:
Welcome to the Stanford Persuasive Technology Lab. In our lab we research and design interactive technologies that motivate and influence users.
Like human persuaders, persuasive computing technologies can bring about positive changes in many domains, including health, safety, and education. With such ends in mind, we are creating a body of expertise in the design, theory, and analysis of persuasive technologies. We call this area “captology.”
Because captology expertise can enhance interactive technologies outside the world of academia, our research often involves collaborations with industrial partners, clients, and affiliates. We also focus on developing the best methods for designing and prototyping new persuasive technologies.
So there it is: a laboratory at Stanford University dedicated to the study of getting people to do what you want them to do through the use of computers. (It’s noteworthy that the Stanford.edu website, which is quite informative about the immense variety of work that goes on at the university, somehow neglects to list the Stanford Persuasive Technology Lab.)
One of the lab’s projects is called Optilex. The following is taken from the Captology newsletter:
The (controversial) idea behind Optilex is that language guides how we think and act. By knowing more words that are positively valenced, a person is more likely to perceive and act in positive ways. This raises a big question: Could Optilex really change how people think and behave? We don’t know; we haven’t yet measured the effects.
The following are also taken from the Captology newsletter:
SURVEILLANCE TECHNOLOGIES – PERSUASIVE OR COERCIVE?
Surveillance technologies are commonplace – everything from spying on nannies to monitoring Web use at work. While a few surveillance products can be considered persuasive technologies, we find the majority to be coercive, not persuasive.
Coercion in any form raises ethical questions, and this is especially true when technology is designed for this end. At times, however, a coercive technology may be for the public good, such as a system that monitors employee hand-washing behavior at restaurants.
Ethical or not, one thing seems clear: The use of surveillance tech – and the controversy about such use – will grow as technology advances . . . .
ENTERTAINMENT + PERSUASION = “INFLUTAINMENT”
in*flu*tain*ment, n. Entertainment that motivates or persuades
Although the concept is not new, “influtainment” is a new word to describe experiences that combine persuasion and entertainment. Technology examples include the CD-ROMs “Alcohol 101” and “5-A-Day Adventures.” We find that these and other products keep their audiences tuned in long enough to deliver persuasive messages or to motivate new behaviors. In the future, we expect to see more examples of influtainment on the web and in specialized high-tech devices.
The Dark Side
Throughout the discussions about captology there are exercises labeled, “The Dark Side.” By studying these, the Captology student is supposed to learn about the ethics of captology by becoming familiar with the ways in which it should not be used, lest it give the student inordinate power and wealth. [Wink, wink. Nudge, nudge.]
In the MTV show “Jackass,” predominantly male twenty-somethings attempt everything short of killing themselves (rolling down a hill in a shopping cart, dropping heavy weights on themselves, etc.) in the name of “‘compelling television.’” Of course the demographic is prepubescent teenage boys. And there are warnings (“Don’t try this at home. These people are trained idiots, not teenage boys with no sense of fatality”). Of course the warnings are ignored. Of course there have been lawsuits.
Or: “These instructions on how to make a bomb out of fertilizer and diesel oil are only for the purpose of alerting the reader so that he or she can recognize the pattern and discern when someone is doing something unsafe…”
Or: “This paper describes how to acquire a handgun without any paperwork in the hope that readers will recognize such illegal methods when they see them being followed… [Wink, wink.]”
There are plenty of precedents for this way of telling someone how to do something unethical by offering never-do-this instructions followed by details on what is never to be done.
In the ’80s, an employee motivation technique called KITA generated a buzz around Harvard Business School. Generally associated with Frederick Herzberg, the technique calls for identifying emotional triggers in employees and “pushing their buttons,” i.e., invoking those emotional triggers at key moments in order to effect certain behaviors. According to Herzberg, KITA stands for “Kick In The Ass.”
Herzberg identified two kinds of KITA: positive and negative. My acquaintances at the school told me that negative KITA was a “dark side” application of the technique and was dealt with in a dismissive manner as a matter for classroom study. After classes, in the local pub, however, the emphasis was quite different. Not only did negative KITA get the attention, but the focus was on how to use it to get one’s boss to discredit himself, resulting in his removal from the organization and opening up a rung on the ladder to the top.
Negative KITA is quite similar to a game that is familiar to anyone who grew up with siblings. The object of the game is to get the adversary to discredit himself or herself among parents, peers, and everyone else. For example, with parents nearby, the perpetrator “accidentally” bumps the adversary’s most precious model car, knocking it off its shelf right in front of him, in such a manner that the sibling can see it was quite intentional. Rival sibling screams, shoves, hits. Parents rush to check out the latest transgression, learn that an innocent accident has led to unwarranted retaliation. Parents discipline the apparent offender, who is of course more the victim than the perpetrator. Disciplined child protests, claims the original incident was intentional, comes across as belligerent, distrustful, looking for trouble. He or she is told to watch his or her step. Wrongly accused, manipulated, he acts upon his next opportunity to retaliate, which of course discredits him even more.
The goal of the technique is to get your rival to portray himself as a seething, sociopathic malcontent. In the home the process goes through shouting and strife and perhaps visits to a counselor. In the workplace it ends with a termination.
In the early ’90s Harvard Business School announced a major effort to raise the importance of ethics among the subjects in their MBA curriculum. The reason was the strong informal negative KITA culture that had developed outside the classroom. Or more accurately, Harvard MBAs were getting a reputation: if you hire one of them you’d better start looking for a new job. Producing products – Harvard MBAs – that have a reliability problem when deployed is detrimental to the brand. Harvard was simply fixing a problem with its brand.
KITA illustrates a couple of things. First, the smartest, most wary people can be manipulated if you know something about their psychological hot buttons. Second, the study of powerful weaponry – including powerful psychological weaponry – always leads to its use to gain power. Perhaps the majority of students is balanced and responsible and views “dark side” examples as illustrations of what not to do. The others, perhaps the minority, take their lessons directly from the “dark side” examples. Guess who ends up with more power.
Examples of the misuse of the ability to manipulate perceptions and behavior are all around us. Tobacco companies keep their markets alive by getting children addicted. When the heat is on in the United States they work their evil schemes in other countries. Can we prove that with internal memos and other authoritative documentation? Of course not – only idiots put such schemes on paper, and cigarette-marketing executives are not idiots. Nor are KITA-displacers. Nor are captologists.
People think of oppressive regimes as exclusively the domain of governments and employers, because they are visible. But the cabal that consists of the network of cookie clubs, the skilled proliferators of parasites, and the captologists has the potential to exceed dictators and company town tyrants by any measure of oppressiveness. Traditional tyrants control public discourse, leaving any critical thoughts locked inside people’s heads. This axis of evil has the ability to oppress people from within their heads.
Privacy Statements
Privacy statements abound. It seems that every website operated by a major organization has one. So what are privacy statements all about? To be sure, privacy statements are probably adhered to by many of the officers of organizations that offer them. But how many privacy statements have you taken the time to read? And what is the probability that some organizations simply do not adhere to them? Perhaps management upholds the policy, but what about contract programmers and part-time or freelance database administrators and “data cleaners,” who really don’t have much loyalty to the organization offering the privacy policy? How difficult is it for someone who touches the information to write a CD or two, or simply email a few files to an acquaintance as a favor? Remember, there is the temptation not only of money but of real power in joining a cookie club.
Consider the case of the failed Internet retailer Toysmart.com, a licensee of the TRUSTe Privacy Program. The company’s stated privacy policy was:
Personal information, voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party. All information obtained by toysmart.com is used only to personalize your experience online. . . . When you register with toysmart.com, you can rest assured that your information will never be shared with a third party.
Despite assurances to the contrary and the weight of a privacy policy authority, the company did indeed sell personal information, including names and birth dates of consumers’ children. If the first casualty of war is the truth, then the first casualty of financial pressure is integrity. In this case the sale of information in violation of privacy policy became a public issue. The first major casualty of the uncertain business model underlying the e-tailing “industry” was bound to get the scrutiny of journalists, the SEC, the FTC, and on and on.
Keep in mind that for every Toysmart that goes belly up in a very public fashion, there are hundreds of companies, product lines, business units, and, mostly, middle managers, who are under pressure from upper management and Wall Street to produce results right away.
Do most compromises of personal information take place in such a fishbowl? Surely not. They happen in bland cubicles and over lunch tables. After all, the transfer of 80 gigabytes of information encompassing sensitive information about millions of individuals is as simple as the handing over of an envelope with a couple of tape cartridges – no management people, no Chief Privacy Officers, no privacy policy involved. We’ve all heard that in the information age, information is money. It’s true. If information didn’t have high value, there would be no incentive for people to do what we are discussing here.
In assessing the danger to your own privacy, ask the following questions:
- Are you going to keep track of all the privacy statements affecting all your sources of information and all your venues of communication?
- Which organizations take them seriously, enforce them internally, and which do not? How will you know? And how will you keep track?
- What are the mechanisms for connecting the privacy protocol of one organization with that of another organization with which it shares information?
- People and companies change behavior when the pressure is on. Who ensures that when the company’s stock price starts to tank they don’t seize a quick revenue advantage by taking liberties with PII?
There is one big difference between valuable information and valuable money – a difference that often gets overlooked. If I take money out of the company, it is gone. The larger the amount of money, the more likely its absence will be noticed. You can’t click on money and double it by pasting it into a new folder.
Information is different. You steal it, and it’s still there. The company that owns the PII on you is not all that concerned, as long as two conditions are met: first, the disclosure of the information will not cause real financial loss to the company or its management; second, no one can later demonstrate that the company or its management was actually involved in the shady transaction.
A manager has a number to meet. There is a sales goal, a service goal – something by which his or her performance will be judged. “If only I had such-and-such a file from the consumer division of our channel partner Acme Industries . . .” End of quarter looms, the performance numbers are not looking so hot . . . Then a discreet phone call is made. “Hello, Joe? Listen, I want to talk to you about some information you have over there at Acme. Let me buy you lunch tomorrow . . .”
Now, Acme the corporation would never violate the privacy policy that it publishes so conspicuously on its website. Acme would never tolerate an employee violating the policy on his or her own. That is, Acme would never tolerate it if it were done sloppily.
However, an individual, “unauthorized” action performed deftly and without a trace is another story.
Part of being deft is honoring management’s orders: “Don’t let me hear about any violations of this policy by our people.” In other words, do it quietly. Use your own zip drive from home. And make sure you get some information of roughly equal value in exchange for it. And if I catch you you’re fired. So don’t let me catch you. But do make your numbers.
We can just hear the Chief Privacy Officers reacting to this assertion. “Prove it!” they shout.
Prove it with what, a survey of suspects? OK, here’s our sample survey:

A statistic about unauthorized data sharing is as unverifiable as a statistic about infidelity. The only sources of information are perpetrators. (Consider surveying prison inmates with one question: “Did you do it?” Would you trust the results?)
But there are clues. The information storage business continues to grow at a fantastic rate, as does the perceived need for storage. Capacities of individual disk drives grow fast, prices of both disk drives and storage management systems decline precipitously, yet revenues of storage vendors are going through the roof. Do the math – revenue divided by price-per-gigabyte for the last five years. Where are all these terabytes being used? How is it that companies are generating information so rapidly? Or are they all swapping information at a furious pace, each making its own copy of everything that comes in over the transom, in a kind of newsgroup-for-snoopers fashion?
Some would say the proliferation of multimedia files accounts for the rapid growth of storage consumption. But we are talking about corporate storage systems, not home computers. A big graphics-intensive website for a big company might take up a gigabyte. That’s one-thousandth of a terabyte. Big companies gobble up many terabytes of storage each year in order to store names and numbers, not MP3 files and videos.
Here’s another clue. I received the following unsolicited message because somehow someone thought I belonged on a headhunter mail list:
Receive FREE Corporate Directories!
Dear Executive Recruiter,
DO YOU HAVE ANY CORPORATE DIRECTORIES and/or ASSOCIATION DIRECTORIES? WHAT ABOUT EMPLOYEE DATABASES? If so . . .
Welcome to Corporate Directory Trade Week. Take your Corporate Directories and/or Association Directories and TRADE THEM FOR MORE INFORMATION. That’s Right, you can SAVE SERIOUS CASH. This Special Offer is the very first time available. We understand that times are hard due to Sept. 11th, so that is why NOT spending any money on this IMPORTANT RESEARCHING TOOL, is a wonderful opportunity for you to kick start your business. Here is our COMPLETE DIRECTORY LIST for you to choose from . . .
DIRECTORY LIST
AAPP-American Academy of Pharmaceutical Physicians 2001
ASCO-American Society for Clinical Oncology
Quintiles Corporate Directory 2000 CD
SmithKline Beechem 2000
Bayer 2000
Amgen 2001
Shering Plough 2000
Indiana University 2000 ($599.00)
Aventis 2001
PriceWaterhouseCoopers 2001 CD
KPMG 2001 CD
3Com 2000 CD
Accenture 2000
AON Consulting 2001 CD
Above.net 2000 CD
Airtouch 2000 CD
Amazon.com 1999
AnswerThink Consulting 2000 CD
Arthur Andersen 2000
Aspect/i2 Tech 1999/2000 CD
Attendee Telecom Expo 2000 CD
Aurum/Invenys Software 2000 CD
Avery Dennison 2000 CD
Bain & Co. Alumni 2000 CD
Bayer 2000
Booz Allen 2000
Brooktrout Tech. 2000 CD
Cambridge Tech. Partners 2000 CD [54 lines clipped, C to S]
Sun Micro Systems 2000
Texas Instruments 2000
United Tech 2000
US Healthcare 2000 CD
Viacom 2000
Xylan 2000 CD
Yahoo 2000 CD
We look forward to helping your business grow. YOU WILL ALWAYS NEED NEW EMPLOYEE CONTACT INFORMATION!!! We also send samples upon request. We also need samples as well. Honesty is the best policy. [Sender’s name deleted] RESEARCH CONSULTANT 773-377-5002 x6704
That is only a solicitation of employee directory information, which is certainly not the most invasive and sensitive information that might be shared. But look at the process. A middleperson has made a business out of list sharing. Not only that, it’s such an accepted practice that a message like that goes out in broadcast fashion to people who might be headhunters, or might not.
Consider what kind of list sharing takes place behind closed doors between parties who are familiar to information brokers. And consider how middlepersons can keep the real sharers of information at arm’s length from the actual transaction, insulating everybody involved from difficulties should news of the event reach the wrong ears.
People are concerned about companies misusing information about them. They also worry about the mere accumulation of information about themselves, but that concern is a little more diffused and vague. In reality, however, we are not looking at islands or even archipelagos of information about ourselves. Information has a life of its own.
The following is a personal hunch, far from a provable theory: In the hands of a skillful user of the retrieval language called SQL, the power of a collection of information of certain types to be used as a tool for the manipulation of perceptions and actions is proportional to the square of its quantity. In other words, doubling the amount of PII in one place or a closely linked set of places quadruples the power of the collection. That is why PII databases grow.
They grow because they want to grow. They want to be big, and therefore they want to merge. Barriers to joining tables in disparate relational databases are withering rapidly. Your tables on a server in Singapore can easily mate with mine in Toronto, the offspring being something that inevitably makes us both more powerful.
Laundering Information
The process of joining tables from a multitude of sources amounts to a way to aggregate information with no way to track, and therefore no recourse against, the perpetrators. It’s an information laundering operation.
As noted earlier, information is not like money. Money is hard to launder, because you can’t copy money. While the object of laundering money is to make its origins untraceable, at the same time those who do the laundering have to make sure that they are paid for their services. This can be tricky.
Information, on the other hand, is easy to launder. You give it to someone, and you still have it. So there is no real incentive not to pass information from the company with the privacy policy to a cookie club, and plenty of incentive to participate in massive aggregations of information – provided there is no audit trail connecting the company to the actions of a few individuals who make such a transfer happen.
There is no apparent total solution to the information laundering problem. There is, however, a very good foundation of a solution. Once again, the foundation of the solution is the Quiet Enjoyment Infrastructure. There are two steps by which QEI enables control of the use of our private information.
1. If most of the packets of information traversing the Internet were signed, that is, if packet streams on the information highway displayed license plates as do vehicles on the physical highway, with license plates linked (confidentially) to the identity of the human being responsible for that packet stream, then routers could be told to reject “unlicensed” packet streams.
2. If the goals of the P3P standard were implemented in the actual tracking of packets in addition to their current use in the implementation of privacy policies, then little robotic highway patrolmen could cruise around looking at license plates, checking to see that the individual responsible for the information was actually granted the explicit right to use that information by its owner.
Not only is identity the foundation of security, identity is also the foundation of privacy. The goals of P3P are commendable. But without identity and without real tools by which individuals can really control the use of information about themselves, P3P will not work.
Our solution, to be described later, is an Instigation – a component of QEI – called the Personal Intellectual Property Infrastructure, which includes a Disclosure Practice Statement for every individual covered. Your Disclosure Practice Statement is actually a file that is maintained by you. Next to every group of identities, either specified on a standard form or specified by you, is a set of permissions. In order to gain access to a piece of information about you, permission must first be established by your DPS for that particular user, as identified as a member of a particular group (for instance, people who work for credit reporting agencies).
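The DPS check just described, together with the audit trail whose absence the Laundering Information section blames for untraceable transfers, as an added Python illustration; this is not code from the book or from any QEI or PIPI implementation. The JSON layout, the group names "credit_reporting_agency" and "my_book_club", the field and purpose names, and the requester names are all assumptions made for the example.

```python
"""Disclosure Practice Statement (DPS) evaluator.

Added illustration, not code from the book or from any QEI/PIPI software.
It follows the chapter's description: the DPS is a file the individual
maintains; next to each group of requesters (from a standard form or
self-defined) sits a set of permissions; a request to use a piece of
information is granted only if the DPS grants it to a group the requester
belongs to.  Every decision is appended to an audit trail, the thing the
chapter says is missing from today's information laundering.  The JSON
layout, field names and group names below are assumptions.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample DPS for a person called "alice" (not real data).
# "credit_reporting_agency" stands for a group taken from a standard form;
# "my_book_club" is a group alice defined herself.
SAMPLE_DPS = json.dumps({
    "owner": "alice",
    "default": "deny",
    "groups": {
        "credit_reporting_agency": {
            "fields": ["name", "address", "loan_history"],
            "purposes": ["credit_decision"],
        },
        "my_book_club": {
            "fields": ["name", "email"],
            "purposes": ["newsletter"],
        },
    },
})


@dataclass
class Decision:
    allowed: bool
    ungranted: list   # requested fields the DPS does not grant
    reason: str


@dataclass
class DPS:
    owner: str
    groups: dict
    audit: list = field(default_factory=list)

    @classmethod
    def load(cls, text):
        """Parse a DPS file; refuse anything that is not deny-by-default."""
        doc = json.loads(text)
        if doc.get("default") != "deny":
            raise ValueError("a DPS must be deny-by-default")
        for name, grant in doc["groups"].items():
            if not set(grant) >= {"fields", "purposes"}:
                raise ValueError(f"group {name!r} lacks fields/purposes")
        return cls(owner=doc["owner"], groups=doc["groups"])

    def check(self, requester, requester_groups, fields, purpose):
        """Decide whether `requester`, a member of `requester_groups`, may
        use `fields` of the owner's information for `purpose`.

        In the chapter, group membership comes from the identity
        infrastructure; here it is simply passed in.  A field is granted
        only if some group the requester belongs to lists both the field
        and the purpose.  Unknown groups and unknown fields grant nothing.
        """
        ungranted = []
        for f in fields:
            granted = any(
                f in self.groups[g]["fields"]
                and purpose in self.groups[g]["purposes"]
                for g in requester_groups if g in self.groups
            )
            if not granted:
                ungranted.append(f)
        if ungranted:
            reason = (f"DPS of {self.owner} grants {requester_groups} no use "
                      f"of {ungranted} for {purpose!r}")
        else:
            reason = "all requested fields granted"
        decision = Decision(not ungranted, ungranted, reason)
        # Audit entry: who asked, for what, and what was decided, so a
        # later disclosure can be traced back to a request.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "requester": requester,
            "groups": list(requester_groups),
            "fields": list(fields),
            "purpose": purpose,
            "allowed": decision.allowed,
        })
        return decision


if __name__ == "__main__":
    dps = DPS.load(SAMPLE_DPS)
    print(dps.check("acme-credit", ["credit_reporting_agency"],
                    ["name", "loan_history"], "credit_decision"))
    print(dps.check("list-broker", ["direct_marketer"],
                    ["name", "email"], "marketing"))
    for entry in dps.audit:
        print(entry)
```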
What’s to prevent others from carrying on with information about you as they always have, in spite of your DPS? Part of the answer is idealistic. As we disclose information only within a global village where people must abide by identity rules or else not participate in the village, we simply change the way the world does business. Not something that will happen by Thursday afternoon.
The less idealistic part of the answer is indicated in the notion that your DPS grants permissions. “Permission?!” exclaim the direct marketer, the credit reporter, the loan officer in unison. “Who are you to be granting permission to use information about yourself?”
The permission part is what permission to use information is always about. It’s about intellectual property. It’s about copyright and proprietary secrets. You see, the Disclosure Practice Statement is part of a Personal Intellectual Property Infrastructure (PIPI). With the PIPI system, you establish copyright to information about yourself, and further you declare and annotate such information to be a secret – the personal equivalent of the trade secret which is so important to business. Use of information about yourself without your permission is intellectual property infringement. It is subject to payment for damages.
The earlier point about the surreptitious mating of tables of personal information may seem to argue against this strategy, and indeed there will always be some infringement just as there will always be copying of music. But with a PIPI system in place it will become worthwhile for large numbers of victims of infringement to pursue the infringers. That fact, in turn, will give the CEO reason to make the company toe the line on its privacy rules instead of tacitly allowing transgressions to take place.
Is this doable under current copyright law? It is if the content of the document is put together as the sort of thing that is protected by copyright. To illustrate, if your personal information appeared in the form of a 300-page autobiography, it would be a protected “work” in the way that your name and address and phone number currently are not.
Years ago, Richard Stallman created a new kind of legal entity, a “public license,” not by pushing legislation but by crafting a legal document in a clever way. Similarly, the PIPI system turns the kind of information about you that is normally kept by marketers and credit bureaus into a “work” of the form that is most definitely covered by copyright law.
Imagine
– this is far-fetched, but just imagine for a
moment – that the credit bureaus and marketers
don’t like this notion of
personal information as personal intellectual property. We know that
the
entertainment industry has from time to time had its way with copyright
law;
what if the credit bureau and direct marketing industries felt
compelled to
similarly distort – er, influence – new copyright
legislation?
In
that case another form of intellectual property
called a “secret” also applies. Usually cited as
“trade secret” because the
legal principle is almost always used in a business context, it says
that if you
take steps to protect a piece of information, and those steps include
letting
those to whom you disclose it know that it is to be treated as
confidential
information, then the information is a secret and is therefore
intellectual
property – your property.
The nice
thing about trade secret law is that it is almost entirely common law,
based
upon court precedents. It has almost nothing to do with legislation.
Others
are starting to see the possible benefits of
intellectual-property-for-the-rest-of-us. For example, Anne P.
Mitchell’s
Habeas, Inc. (www.habeas.com) provides an
anti-spam service by incorporating material
covered by copyright
and licensed trademarks into message headers. Those whom you have given
permission to send you mail have license to use your intellectual
property. But
if the intellectual property shows up in unsolicited email, Habeas will
legally
pursue the infringer.
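The header-based scheme just described can be turned into a simple mail-filter rule on the receiving side: mail that carries the licensed mark and comes from a sender you have permitted is accepted as licensed, mail that carries the mark from anyone else is flagged as a possible infringement for follow-up, and mail without the mark is simply outside the scheme. The Python below is an added example written for this chapter, not Habeas’s code or the book’s; the header name, the mark text, the addresses and the three sample messages are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical header name standing in for the licensed mark the text describes.
MARK_HEADER = "X-Personal-IP-Mark"
# Constructed mark text; in the real scheme this would be the copyrighted
# material the recipient licenses to permitted senders.
MARK_VALUE = "Licensed mark: use permitted only to authorized senders"

# Constructed permission list: senders this recipient has licensed.
LICENSED_SENDERS = {"newsletter@example-bank.test", "friend@example.test"}


def classify_message(raw_message: str, licensed_senders: set) -> str:
    """Classify one raw RFC 5322 message.

    Returns:
      "licensed"     - mark present and the From address is on the permission list
      "infringement" - mark present but the sender was never licensed to use it
      "unmarked"     - mark absent or altered: the message is outside the scheme
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    mark = msg.get(MARK_HEADER)
    # An exact match is required; a mangled or partial mark does not count.
    if mark is None or str(mark).strip() != MARK_VALUE:
        return "unmarked"
    # parseaddr strips the display name and returns the bare address.
    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.lower() in licensed_senders:
        return "licensed"
    return "infringement"


def triage(raw_messages, licensed_senders: set) -> dict:
    """Count messages in each class; the 'infringement' bucket is the
    evidence trail a rights holder would hand to counsel."""
    counts = {"licensed": 0, "infringement": 0, "unmarked": 0}
    for raw in raw_messages:
        counts[classify_message(raw, licensed_senders)] += 1
    return counts


# Constructed sample messages (not real traffic).
LICENSED_MSG = """From: Example Bank <newsletter@example-bank.test>
To: you@example.test
Subject: Your statement is ready
X-Personal-IP-Mark: Licensed mark: use permitted only to authorized senders

Your monthly statement is available.
"""

UNLICENSED_MSG = """From: Great Deals <promo@bulk-sender.test>
To: you@example.test
Subject: You have been selected
X-Personal-IP-Mark: Licensed mark: use permitted only to authorized senders

Act now!
"""

PLAIN_MSG = """From: colleague@example.test
To: you@example.test
Subject: Meeting tomorrow

See you at ten.
"""

if __name__ == "__main__":
    for label, raw in (("bank", LICENSED_MSG), ("bulk", UNLICENSED_MSG), ("plain", PLAIN_MSG)):
        print(label, classify_message(raw, LICENSED_SENDERS))
    print(triage([LICENSED_MSG, UNLICENSED_MSG, PLAIN_MSG], LICENSED_SENDERS))
```

Note what the check does and does not establish. The mark is a legal marker, not a cryptographic credential: any sender can copy a header, so its presence proves nothing about who sent the message. What the filter gives you is the distinction the text relies on, a record of exactly which unlicensed senders reproduced your property, which is the evidence a rights holder needs before pursuing anyone.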
If large numbers of consumers start treating information about themselves as personal intellectual property, and start aggressively asserting legal rights to that property, then such information will indeed become personal intellectual property regardless of what happens with copyright legislation. At the same time, consumers can have the tools to permit prompt disclosure – as when applying for loans, for example.

The PIPI allows us to address another urgent matter: the perceived right to anonymity. This can be implemented via multiple identities. Ironically, direct marketers and others who have staffs that are skilled with databases typically track one set of footsteps no matter how many handles, pseudonyms, screen names, or email addresses a person assumes. It’s only other individuals and database amateurs that are thrown off track by pseudonyms.

At the end of Chapter 18 we will go into more detail about pseudonyms and the need to let people continue to gain the same benefit via the DPS. The Disclosure Practice Statement itself will be described in Chapter 30, “Building The Personal Intellectual Property Infrastructure”.
The Solution

take the steps that will put an end to concerns about privacy, and make your life much more manageable as well. your privacy – and have the Internet too.

Identity theft can be a thing of the past. So can the nagging feeling that uninvited, intrusive marketers are collecting information about you behind your back.

How do you do all this? That’s what the rest of the book is about – read on. But before we get to the details of how to implement those steps, let’s take a look at how “outdoor” assumptions about the Internet are responsible for the exposure of our children to predators and other hazards.
We launched into this pit of privacy threats after a brief discussion of QEI, which we present as the solution to all of these privacy and security concerns. So let's pull ourselves up from the bottom of this troubling miasma enough that our eyes can see above its rim... there we go... Look, there it is, an orderly array of twelve building blocks of the Quiet Enjoyment Infrastructure. Now, if we can just... drag... ourselves up over the edge so that we can go over and examine those building blocks... there, up we go...

We've mentioned a bit about PKI and the problems with the way certification "authorities" have attempted to provide certification services to those public+private key infrastructures. Let's now turn the page to see how the Quiet Enjoyment Infrastructure sources and applies real authority.