Privacy

March 19, 2008

Privacy & Security on the Internet

Miscellaneous Thoughts from IT Security Entrepreneurs Forum

                            

 

I have been working on a couple of different projects lately that have me tied up and I have not been blogging lately. But as usual, whenever I go to trade shows or industry events, invariably something sparks my interest. I was at the IT Security Entrepreneurs Forum last week and one of the panels really got my attention. The concept proposed to the audience:

Do you believe Security & Privacy on the Internet are diametrically opposed? 

Seriously. This is not a loaded question. At the forum, one of the panelists, a respected member of the US Intelligence Community, stated that we cannot have Internet Security and Privacy. It’s one or the other, and privacy groups’ demands do not allow policing of Internet activity. They are diametrically opposed. This person then gave the analogy that Privacy on the Internet was just like putting cops (his word, not mine) on the street, and allowing them to watch crime occur, but not draw their guns and not make arrests.

I believe that there are ways, perhaps dozens of ways, to provide both. There are many ways to create a trust relationship without a specific identity, or even create a proxy relationship to create this trust relationship. I think it was the American Express Blue card, circa 1999 or so, that offered anonymous Internet payments. It is the concept that is important here, not the individual company offering, so don’t send me nasty email for my lack of fact checking on this point. The payment proxy concept I felt had great promise for providing a platform for anonymous purchases on the Internet. There would not be an exchange with the merchant of the credit card number or other related information; they would only receive payment. Sure, purchasing goods requires that the name and address information be passed, but for services and the purchase of virtual goods, there may not even be that. But this is privacy and security all at once.

If I run a blog and I want to make anonymous posts, or communicate electronically under a pseudonym a la the fake Steve Jobs, I can do so by digitally signing the blog posts, allowing me to make public comments that could be verified as authentic without revealing my identity. I could correspond through email by posting a public key and email address in an accessible location and allow for correspondence to me that was both confidential and secure while providing me a degree of privacy. There are lots of examples of creating intermediary trust relationships that will work depending upon the goal.
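The signed-pseudonym idea above, as an added example that is not part of the original post: a pen name is tied to a freshly generated key pair, and readers verify each post against the published public key. The choice of Ed25519, the type and function names, and the sample pen name and post are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Pseudonym is the only identity readers ever see: a pen name plus a public key.
type Pseudonym struct {
	Name string
	Pub  ed25519.PublicKey
}

// Fingerprint is a short, stable identifier readers can pin after the first post.
func (p Pseudonym) Fingerprint() string {
	sum := sha256.Sum256(p.Pub)
	return fmt.Sprintf("%x", sum[:8])
}

// SignPost signs name+body so a signature cannot be replayed under another pen name.
func SignPost(priv ed25519.PrivateKey, name, body string) []byte {
	return ed25519.Sign(priv, []byte(name+"\n"+body))
}

// VerifyPost reports whether body was signed by the key published for p.
func VerifyPost(p Pseudonym, body string, sig []byte) bool {
	return ed25519.Verify(p.Pub, []byte(p.Name+"\n"+body), sig)
}

// NewPseudonym generates a fresh key pair; no real-world identity is involved.
func NewPseudonym(name string) (Pseudonym, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Pseudonym{Name: name, Pub: pub}, priv, err
}

func main() {
	author, priv, err := NewPseudonym("anon-blogger") // constructed pen name
	if err != nil {
		panic(err)
	}
	post := "Privacy and security are not opposites." // constructed sample post
	sig := SignPost(priv, author.Name, post)
	_, otherPriv, _ := NewPseudonym("anon-blogger") // someone else reusing the name
	fmt.Println("fingerprint:", author.Fingerprint())
	fmt.Println("genuine:", VerifyPost(author, post, sig))
	fmt.Println("tampered:", VerifyPost(author, post+"!", sig))
	fmt.Println("impostor:", VerifyPost(author, post, SignPost(otherPriv, author.Name, post)))
}
```

Readers who pin the fingerprint from the first post can tell later posts by the same author from posts by anyone else using the same pen name, without learning who holds the key.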

We can have privacy and security on the Internet. At the same time. Arguments to the contrary are FUD motivated by money. Or politics. Whatever.  My privacy being at odds with someone else's desires is the real issue.

October 10, 2007

"Problem Customers" and Data Privacy

"Tell me, Mr. Anderson... what good is a phone call... if you're unable to speak?"

I recently ran across this http://news.yahoo.com/s/nm/20070709/us_nm/sprint_dc article on Yahoo! News. I read this first with amusement, for how could a company have so missed the concept of ‘Customer Care’, and later annoyance as it reminded me of my personal experiences that paralleled this story. As a former customer, linking my experiences with this service provider, I realized that I would have been an ‘excessive’ customer service caller as well.

In 2003-4, while I was a customer of this service provider, I received a call from the Arizona Department of Corrections. They wanted to know why my phone charges were being billed to them. It turns out that somehow my bill was being booked to me as well as a regional prison, and they were rightfully attempting to figure out how this had happened. At the time I had no idea if this was some crank call or not, so I responded by asking them what they were doing with my personal information and how did they get my unlisted home number? Admittedly this call did not go well, but we both agreed to call the service provider and get to the bottom of this issue.  The following day I received a voice mail from the prison informing me that they had called and had my account suspended. Sure enough, my cell phone was dead, and I could not even use it to call ‘Customer Care’ to get the issue fixed. Not only had my personal information been leaked, but it had been used to shut off my phone service! 

 

I will make a long story short, but during the 2003-4 time frame I had logged over 70 phone calls to ‘Customer Care’, spending over 80 hours of my time during my first two months of service to straighten out various items prior to the call above. It was at this time I went nuclear, and sent email to the CEO, most of the board members, and several members of the executive team, with detailed notes of everything that happened. They responded in a professional manner, told me the issue would be investigated and that they would do their best to keep it from happening again. While I was hoping for a call from the security or fraud department, I did get a call from the VP of Customer Service, to whom I gave quite an earful on security and privacy. I have no idea if they ever put the free advice to good use, but we did mutually agree that I could terminate my contract if I chose to do so. So long, problem customer.

Back to the issue of data privacy: The original setup of my account took an extraordinarily long time. The issue was my unwillingness to provide my social security number as an issue of privacy. The company stated that a social security number was a *mandatory* requirement to activate an account. I wanted service and did not want to provide the number because there was no good reason to do so. They were happy to have me become a customer, but not unless I provided a SSN#. After several phone calls to various representatives, they said they needed it to deter fraud. After four hours they wore me down, gave me an extra free phone, and I relented. My mistake was giving it to them in the first place because I thought I could save $10.00 a month on my cell phone bills. That won’t happen again! I will not give up my personal information because my time and my privacy are worth more than a couple dollars per month, or a free iPod or whatever else they are offering.

If you are one of the ‘Problem Customers’, I would love to hear your story.  Oh, and if anyone would care to explain to me how 'ringing' should be considered a 'service', I would love to hear an explanation for that as well.