Nov
2014
Privacy in the Digital Age
During the Cybersecurity month presentation by John Sileo, I heard him mention something to the effect that the constitution does not guarantee privacy. Whether the constitution explicitly provides privacy protection seems to be unsettled and different legal scholars seem to have different opinions about this. Whether constitution guarantees it or not, we have all made serious assumptions about privacy and lived with those assumptions and in the digital age, this has become a serious issue. In 1999, Scott McNealy was quoted as saying ““You have zero privacy anyway. Get over it.” Despite the fact that this was pretty scary to hear, in the networked world, this has turned out to be correct.
Whenever you have a networked device that connects to the internet, it needs a unique identity, typically an IP number. I will keep things simple (because in reality they are very complicated as to how this works) by saying that in order to reach the destination, say a web site, information travels through multiple networked devices and all of them pass information from you to the destination. If your connection is encrypted (such as an SSL connection using https://), the content traveling back and forth is encrypted and generally hard for those intermediate devices to unravel, but there are certain pieces of information such as source and destination IP numbers and the “ports” on which they communicate which have to remain unencrypted. Ports are some predefined mechanism for different types of network communication to occur. This simply means there are a whole lot of devices and operators of those devices who have access to at least the IP numbers of who is communicating with who and what type of communication it is (typically based on port numbers). You need this information to properly route your packets back and forth. Requiring every intermediate device to unencrypt and re-encrypt this information is not practical and provides no additional security. And one we can generally agree that this is a serious privacy issue, especially, as we have found out that the government itself uses this information in ways that violates privacy!
When someone has the source IP number, generally it is easy to find out where you are. You can try it here and read about how all of this works when you scroll down on the page in that link. ARIN (American Registry for Internet Numbers) provides location information for range of IP numbers. For example, when Wellesley receives a range of IP numbers to use, we had to register ourselves with a domain registry and provide an address. Whenever the IP number is in the range that belongs to Wellesley, the location will be listed as the College address. This gets complicated for ISPs, but there are techniques available to narrow down which IP numbers are being used by Verizon in Framingham, for eg. So, if I am running a website, I receive the IP number of the machine that is connecting to me and I now can quickly look up the location. Though it won’t be exact, it will be pretty close. It is also the case that if you use VPN, the location is not exact. However, whoever you are VPN’ing to, knows where you are connecting from.
This is the most fundamental privacy issue in the networked world over which many of us have no control over. If you are brave enough, you can try The Onion Router (TOR) network, which cleverly hides the identity of your IP number in ways that make the identification essentially impossible. However, it has its own downside, mainly the slowness.
In most other cases, we have choices we can make about our own privacy, but we don’t. We value the ease of use and convenience over privacy. For example, location finder on our smart phones is a fantastic way to get directions, find out nearby restaurants etc. However, the moment you turn that on, there are umpteen other apps on your phone that you downloaded and gave permission to use your location that are receiving the information and potentially use in ways that you may not always approve. Or that we use the likes of Google and Yahoo on our computers and phones using our accounts while they gather so much information about us.
Then there are cases where our information is being used without proper consent or permission. I have found the real time traffic signs on Mass Pike and other highways to be extremely valuable. They are as accurate as waze, one of my favorite applications. They basically show how traffic is flowing by showing the travel time to the next few exits. They seem pretty accurate, so I was wondering how they do it. I found out that they basically rely on all the bluetooth devices in the cars. Since each bluetooth device has a unique signature, when you pass one of the signs, a sensor records it. A second one at the next spot does the same and through some clever averaging (accounting for people stopping at rest areas or taking intermediate exits or breakdowns etc, which are outliers) they are able to show you the time. I don’t remember anyone asking me permission to track my bluetooth! Yeah, they say they don’t keep the records, and that they cannot associate the bluetooth device with an individual (not really true) and so on and so forth, but it would have been great to use the same displays to tell people “see website for bluetooth tracking” and on the website explain that as of some date they will begin this process. And tell people that if they don’t want to be tracked, turn off the Blue tooth devices (of course, no one will do it, but they can).
The moment your personal information is in someone else’s hand, it is fair to say that privacy is compromised. It really does not matter where the data is held. If it is in institutional servers, a rogue employee or hackers can access them and misuse them. If it is transmitted to other services and applications, you are trusting the provider to guard your data. The fine print you signed may not necessarily protect your data the way you would like. And the issue with hackers remain the same there to.
As you can see, security and privacy are so interconnected for this reason. Practicing good security will provide you additional privacy protections, though we should always remember that in the digital world, you are entrusting your privacy to someone else, which in some sense is the brutal reality of “You have zero privacy anyway. Get over it.”