Visit Your Local PBS Station PBS Home PBS Home Programs A-Z TV Schedules Watch Video Donate Shop PBS Search PBS
I, Cringely - The Survival of the Nerdiest with Robert X. Cringely
Search I,Cringely:

The Pulpit
The Pulpit

<< [ Taguchi Me This ]   |  Changing the Game  |   [ I'm With Stupid ] >>

Weekly Column

Changing the Game: How to Save the World by Taking Back Control of Our Data

Status: [CLOSED]
By Robert X. Cringely

I am a pilot of sorts, and can remember a time when the dominant technique for instrument flight was based on the Big Sky Theory. This idea was that there is a lot of empty air out there, and chances were that if you stayed on instrument airways and maintained published minimum en route altitudes, you weren't likely to smash into anything. So we flew around more or less blind until two airliners collided over the Grand Canyon and the Big Sky Theory, too, went down in flames. Over the last several weeks, I have written about privacy and identity theft, and the current situation is beginning to feel more and more like the Big Sky Theory applied to our lives and our money. Only in this analogy, we aren't airliners or even little planes like I fly; we are the air itself. As I was getting ready to speak at last week's Toorcon 2003 information security conference in San Diego, I finally figured out that privacy was never intended for you and me. The system doesn't care about us at all.

The system doesn't care because the Post Office does nothing to protect our mail. Have you ever met a Postal Inspector? Neither have I. The system doesn't care because our government blithely gives away personal data on millions of citizens. For $3,200 and a couple pages of signatures, I could right now be running for Governor of California, but really harvesting the name, address, date of birth, and Social Security number of every registered voter in the state to be used for identity theft. Government does not protect our privacy, but is actively working to undermine it. Nor are we protected by the people with whom we entrust our money. For ONE DOLLAR I can get quickly this same information on anyone I like along with where they bank and their savings balance. This is supposed to be against the law, of course. We have laws and rules and regulations that supposedly protect our privacy, but they don't work. If we were to test them they would fail, so we don't test and they fail anyway.

If you think someone -- anyone -- is doing anything to protect your privacy, you are wrong. The system simply doesn't work, and it doesn't work because there are no real penalties for noncompliance and definitely no compliance tests. We pretend that the system works because we hope it does, and because if the bad guys knew it doesn't, they'd be badder still (if badder was even a word).

Well, the bad guys know it.

If you work, pay taxes or have a library card, you are vulnerable and for all the recent lip service paid by government to privacy issues, nobody at all is going to jail as a result of violating these new laws. They are effectively unenforceable. And so we say things are different, but they aren't, and the best we can hope for is not to be hit by an economic airliner or F-15.

If you haven't lost at least $15,000 to fraud, it simply won't be investigated at all. How many families can afford to lose $15,000? If you steal less than $15,000, you'll never be caught, and if you steal more than $15,000, you probably won't be caught, either.

In the middle of this, we find the trinity of banks, government, and credit bureaus who betray us on our behalf. The banks and their bank-like sister companies are the airliners in our big economic sky. They use a modified version of the Big Sky Theory that says as long as theft is kept to five percent or less, it is tolerable. That's what insurance is for. They play the odds to achieve this, which is where the credit bureaus come in. They are the oddsmakers. This system works for us, too, because it enables us to get a mortgage without ever meeting a banker, it increases liquidity and makes easy credit available for nearly all of us. But the system works against us if we are among the five percent who are victims because our time, our reputations, and a certain amount of our money will never be recovered.

There is no way out of the Big Sky for anyone who has more income than does Ted Kaczynski, which is to say anyone who has income at all. You can't opt out, at least not if you are an American. My 20 month-old son just got his first credit card offer. I wonder why they waited so long?

Among the litany of sad things here is that we not long ago had a vision of something better that could be achieved through technology. This was the cypherpunk dream of ubiquitous information security, perfect secrecy and anonymity, untraceable e-cash serving to enhance democracy, protect the small guy, circumvent censorship, form a parallel economy beyond the taxman's reach, reducing the power of states. That was yesterday's news.

Today's news is that a cypherpunk nightmare is upon us. Information is not power after all: Old-fashioned power is power. If you aren't big industry or government, you have very little power. Once they've hacked the electronic voting system, you'll have no power at all.

But we all share the blame for this. Joe user doesn't encrypt his e-mail and is not interested in doing so. Anonymity is overridden by court-order. The Great Firewall of China is effective in shutting out information from over a billion people. Electronic commerce consists of sending VISA card numbers over SSL, hiding nothing from anyone. Information is "protected" by companies bringing lawsuits against those who dare read it in unauthorized ways.

Now we get to the scary part.

The closest thing to strong security that is likely to be deployed in the foreseeable future is something like Microsoft's Palladium project (or whatever it's called these days), which sure won't empower the small guy.

But we as a people can do something about this. We can first recognize that what we have going right now is bad and getting worse. We can't legislate privacy if we can't test it and we can't test it if the threshold for enforcement is set at $15,000 (that's the FBI's number, by the way). The FBI sets this number by figuring what it costs to investigate a fraud case and not bothering to take cases that cost more to investigate than they stand to recover. That makes sense, I suppose, but we could investigate more cases if companies like Jet Blue, for example, were charged even $10 for every one of those million customer records they recently gave up in violation of the law. We could investigate more cases if BayTSP, the company that works simultaneously for the FBI and the Recording Industry Association of America, was training their sniffers on credit agencies revealing personal data in violation of the law. That can't be any harder than monitoring P2P music file sharers, yet it isn't done because the credit bureaus aren't officially viewed as the leaky boats they are.

But these are stopgap measures at best, and might cause even more harm than good. The real solution is to find a different system that works better, and refuse to use anything but that system. Thorsten Veblen wrote almost 80 years ago that the way to change industrial society was for the mechanics to put down their tools and refuse to fix the machines. The readers of this column are those mechanics.

Last week's column about the Taguchi Method of experimental design described a system intended to create robust things -- products that could continue to function despite degrading influences. So my 1987 Honda has 195,000 miles on it and runs just fine despite also having been built as cheaply as possible. Why don't we apply these same techniques to privacy, security, and simply hanging on to our money? Because too many people make their livings from the very inefficiencies we decry. The FBI doesn't really want crime to go away just as financial institutions are making too much money under the current system to think about really changing it.

The very fact that everything I have described is dependent on a digital system both enables these abuses and can make possible their end. And the solution, I have become convinced, lies in changing the nature of the data itself. My Social Security number is an artifact of the 1930s, a master identifier that has to change not just into a number that is harder to copy, but into a feisty little program that has only my interests at heart. When someone wants my Social Security number, I want my number to ask, "And who the hell are you?"

We spend all this effort protecting the system from our data when in fact what is at risk is not the system BUT our data. The former is an old telephone company central office way of approaching the problem. What we really need is an "I'm mad as hell and I’m not going to take it anymore" approach. I know this can work.

Smart numbers have to be combined with truly instant log tracing that enables me (not some investigator who won't investigate, but me who will) to track my data wherever it goes. I own my data, so the path it follows should be available to me, too. This was technically impossible until a moment ago when Addamark, a San Francisco startup that I am convinced will be the next Oracle, came up with a way to search cheaply and quickly petabytes of log data.

If nobody else can follow that trail, then I want to follow it myself. Multiply that by tens of millions and see what happens.

Smart numbers, near-instant log tracing, and giving me the right to trace my own data AND THOSE WHO WANT TO GRAB IT are the keys to returning our lives to some semblance of order. It is the end to identity theft, the end to spam, the end to worms and viruses, the end to distributed denial of service attacks. It is the return of sanity and the only way I can think of to finally make the air visible in that Big Sky.

Comments from the Tribe

Status: [CLOSED] read all comments (0)