Recalibrating convenience, privacy and security

The computer era has largely been marked by a willingness of users to go with the easiest security options available even when those choices weren’t terribly secure.  Recent developments in the courts and the industry may give users reason to rethink that approach, however.

Cross posted from Pruning Shears.

No Associated Press content was harmed in the writing of this post

We will probably always have to balance computer security and ease of use.  Ideally security is baked in, and we go on our merry way without having to think about it.  Anti-virus software is the clearest example.  Users were once expected to download service packs, signature updates, and so on.  Since most people would not, the industry gradually moved to a silent update model.  Now these things generally happen in the background.  Provided you trust the company it is a much easier arrangement.  The flip side is that a silent update channel is also a way to push code onto every machine that trusts it, so the trust has to extend to the vendor’s own security and not just its intentions.

The IT industry is not always so helpful.  The real money in the consumer market will be made on advertising, the most lucrative form of which will be targeted: using detailed user information to tailor a specific ad.  This in turn can only succeed if, like software updates, the data is quietly collected.  It is why over a decade ago then-CEO of Sun Microsystems Scott McNealy said “You have zero privacy anyway…Get over it.”  It is why Facebook CEO Mark Zuckerberg seems to have no use for it.  For several years now – starting with Beacon – Facebook has tried to sell user data without provoking a revolt.  Many do not seem to be aware of this; they just signed up and started posting status updates.  However, in what seems to be destined to be one of the great pearls of wisdom from this era Andrew Lewis (aka blue_beetle) quipped (via (via – woo!)) “If you aren’t paying for it, you are not the customer; you’re the product being sold.”

Thinking of ourselves as commodities seems terribly depersonalizing, but it could be a good defense mechanism.  It could help raise awareness that we leave digital traces of ourselves whatever we do, even something as innocuous as a local print job.  The point is not to make everyone paranoid, just more knowledgeable about the footprints we leave behind.

Keeping that in mind will only become more important as data collection becomes more sophisticated.  Web sites were once content with writing the odiously-named cookies to local hard drives, but are now turning to more invasive techniques.  This week a class action lawsuit was filed (via) against several companies engaged in what is called “history sniffing”: a page styles links to sites it is curious about and then asks the browser which ones it has drawn in the “visited” color, which tells the site where you have been without you ever clicking anything.  Look at the defendants:  CBS News and McDonald’s among them.  Do you think it will be played up by CBS or any of McDonald’s major ad outlets?  By its very nature it will not get widespread coverage.

Together with the recent California Supreme Court decision approving warrantless data seizures by police it paints a picture of users’ data being substantially more at risk.  That data is only as secure as the policies protecting it, and they can be surprisingly weak – even with extremely sensitive data.

As the printer hard drive issue illustrates, data can be exposed in ways most folks simply never think of.  It is not an accusation of bad faith to say law enforcement may not be equipped to store or copy seized data safely.  There are simply too many vectors.  People have jobs, and (someone else’s) data security will naturally gravitate pretty far down the “to do” list.

Protecting against that is a hassle and requires some work.  You can encrypt a laptop hard drive and feel reasonably secure even if it does not make it past customs; bear in mind that full-disk encryption only protects a machine that is powered off, not one that is merely asleep with the key still in memory, and that it is no stronger than the passphrase guarding it.  You can look for browsers that offer a private mode, which keeps history and cache from being written to disk during the session but hides nothing from the sites you visit or the network in between.  You can go with “security through obscurity” and pick products with relatively small market share – Opera for your browser, Eudora for email, etc.  Just remember that a smaller target is not a better-built one: fewer attackers bother with it, but fewer eyes look for its bugs too.  Conversely, be wary of the ones getting all the buzz.  For as cool as the new Android phones are, they are also a fat, juicy bulls-eye for hackers.

Consider learning the basics of the GNU Privacy Guard, a free implementation of the OpenPGP standard for encrypting and signing email and files.  It is not an intuitive program, especially if you have never worked at the command line, but getting conversant in it will give you confidence that you can keep the contents of your communication from prying eyes as it wings its way across the Internet.  Note the word “contents”: the addresses, subject line and timestamps of an encrypted email still travel in the clear, so it protects what you say, not the fact that you said something to someone.
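What the basics look like in practice, as an added example that is not part of the original post: the script below builds a throwaway keyring, generates a constructed test identity, signs and encrypts a short message to it, checks that the plaintext is not visible in the output, and decrypts it again.  It assumes gpg 2.1 or later is installed; the identity, passphrase-free key and message are all constructed for the demo and nothing touches your real ~/.gnupg.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes gpg 2.1+ on PATH.
# The recipient identity and the message are constructed for the demo.

gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }

    # Isolated keyring so the demo never touches the real one.
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # Constructed test identity. "never" means no expiry and the passphrase is
    # empty so the demo runs non-interactively; a real key gets a strong
    # passphrase and an expiry date.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Demo Recipient <demo@example.invalid>" default default never \
        2>/dev/null || { rm -rf "$GNUPGHOME"; return 1; }

    printf 'meet at noon\n' > "$GNUPGHOME/msg.txt"

    # Encrypt to the recipient's public key and sign with the matching secret
    # key. --armor produces ASCII that survives e-mail; --trust-model always
    # skips the web-of-trust prompt a fresh keyring would otherwise raise.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --trust-model always --armor \
        --recipient demo@example.invalid --sign --encrypt \
        --output "$GNUPGHOME/msg.asc" "$GNUPGHOME/msg.txt" 2>/dev/null \
        || { rm -rf "$GNUPGHOME"; return 1; }

    # The armored ciphertext must not leak the plaintext.
    if grep -q 'meet at noon' "$GNUPGHOME/msg.asc"; then
        rm -rf "$GNUPGHOME"; return 1
    fi

    # Decrypt (gpg verifies the signature at the same time) back to the text.
    plain=$(gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --trust-model always --decrypt "$GNUPGHOME/msg.asc" 2>/dev/null) \
        || { rm -rf "$GNUPGHOME"; return 1; }

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME

    [ "$plain" = "meet at noon" ] && echo "roundtrip ok"
}

gpg_roundtrip
```

The function prints "roundtrip ok" on success and returns 2 if gpg is not installed.  The same four steps (generate a key, exchange public keys, encrypt to the recipient, decrypt with your own secret key) are what the interactive workflow does; the difference with real correspondence is that you import the other person's public key rather than generating it, and you check its fingerprint with them out of band before trusting it.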

None of these are perfect, nor are they meant to be.  The point is not to be 100% safe; that will never happen.  The point is to make it difficult to track you.  Not because you are involved in some kind of top secret cloak and dagger skulduggery, but because what you do and what you write should be yours alone – unless you knowingly choose to share it.  (“Knowingly” does not include some line buried in a 20,000 word End User Licence Agreement, either.)  To the extent you do not want to bother, at least make peace with the idea that your data is substantially easier to get at.  And that you are indeed the product being sold.