Friday, January 4, 2008

So Long 2007! Reflections on computer security and data privacy

Well, it’s January 2008 and I’m a little late with my end-of-the-year reflections on information security and data privacy in 2007. Nevertheless, here’s my take on what I think were the three top trends/stories/developments. I think 2007 was the year:

  • of the criminal hack

  • of a new shift in privacy concern

  • of important new tools for data security

The Criminal Hack
Obviously a lot of past hacking activity has broken the law and was thus criminal. And a lot of criminals got into cyber-crime before 2007. But 2007 was the year when a truly significant proportion of the system abuse and data theft was perpetrated by persons whose intentions were criminal from the outset. Some references on this are

Between January and June [2007], Symantec detected more than 5 million bot-infested personal computers carrying out at least one attack a day. The FBI began paying serious attention with its Operation Bot Roast, leading to stories like this on CNN: "A New Zealand teenager has been questioned in connection with a scheme by hackers to remotely take over more than 1 million computers worldwide and use them for criminal activity, New Zealand police and the FBI said Thursday." (See CNN.)

Privacy Shift
I think that 2007 will be seen as a year of significant shifts in privacy concerns. After several years in which mass data exposures were the big privacy story there was a return to concern focused on the actions of big personal data players in both the private and public sectors. There was increased scrutiny of the surveillance activities of various branches of the U.S. government (I would describe this as one more stage of the 'sinking in' process by which it will finally sink in to all persons on this planet that the means to listen in on everything they say or type exists, the main questions being the end to which these means are put and by whom).

There was increased concern over the actions of big commercial personal data players like Google and Facebook, with the failed Facebook Beacon program highlighting the issue of inverse privacy exposure.

I am defining inverse privacy exposure as the problem of getting people to be circumspect with their private data. In 2007 I saw and read many things people had posted about themselves that boggled my mind. I think it's high time for a 'back to basics' refresher course: The world wide web is worldwide. A picture you post on the web in order to impress members of the opposite sex who live in your city can, potentially, be seen by any person on the planet, regardless of location, gender, or cultural perspective. And it is a web. The strands that let you reach out and connect with others let others connect with you, like it or not. I am reminded of what I used to teach about email ten years ago: Don't send any emails you wouldn't want your mother to read. And if you're on a social network, don't post pics or text you don't want your mother to see.

For a lot of people, Google's acquisition of DoubleClick raised a lot of red flags. The FTC, whose defense of consumer privacy remains one of the brighter lights in the dark night of 21st century federal bureaucracy, decided that the merger was not a threat to competition. Further, the FTC said threats to privacy posed by what Google/DoubleClick get up to extend beyond these two companies (a possible indication that the FTC will be watching this space, so to speak?).

Perhaps the real red flag with entities like Google and DoubleClick, Facebook and MySpace, is the possibility that their privacy snafus are in fact conscious decisions to test the limits of the acceptable. This possibility was raised in this excellent New York Times piece referred to me by my very perceptive friend David Brussin. Again, there is a retro feel to this; consider the various Amazon mis-steps that defined its current posture on privacy. In other words, if there is money to be made by going one step beyond current privacy boundaries, why not take the step? Do a risk assessment and if the downsides are not too bad, roll the dice. You weigh the bad taste a snafu might cause versus the kudos you will get if you

  • a. succeed--investors and analysts are impressed and you are richer

  • b. incur user ire--but then retract and come off looking respectful of user concerns

Hardware Lends a Hand
In 2007, Intel fleshed out its vPro technology, something genuinely new in security enabling hardware. I am duty bound to commend this as a step forward, having written, in my first computer security book over 15 years ago, that more could and should be done to implement security through hardware.

I will have more on this topic the meantime, have a great oh eight!


  1. [...] Recent Comments The Stephen Cobb Blog » Recommended Reading for Mark Zuckerberg: A free privacy primer on So Long 2007! Reflections on computer security and data privacy [...]