Visit Your Local PBS Station PBS Home PBS Home Programs A-Z TV Schedules Watch Video Donate Shop PBS Search PBS
I, Cringely - The Survival of the Nerdiest with Robert X. Cringely
Search I,Cringely:

The Pulpit
The Pulpit

<< [ Changing the Game ]   |  I'm With Stupid  |   [ No Feather in Our CAPPS ] >>

Weekly Column

I'm With Stupid: How Having Friends Might Be the Key to Both Privacy and Identity

Status: [CLOSED]
By Robert X. Cringely
bob@cringely.com

I've been thinking what passes at my house for deep thoughts about identity and privacy -- thoughts spurred both by my columns of the last several weeks and the reaction of readers to them. At one extreme, we have identity zealots who would plant microchips in our kids. At the other extreme, we have privacy zealots who don't want anyone anywhere to know anything about them or about what they do. Somewhere in the middle, we can probably place most of the rest of us. It is doubtful that we can fully satisfy both extremes at the same time, so the real question is what path will give us the most identity for the least loss of privacy or the most privacy with the least amount of identity?

These concepts of identity and privacy are not polar opposites, though we treat them as such from a public policy standpoint. Privacy advocates are not opposed to most identity verification schemes that keep strangers from looting their bank accounts. To be fair though, a really rabid privacy seeker probably wouldn't have a bank account at all. At the same time, even the most staunch identity advocates probably have a few secrets of their own they would like to keep from public view. I certainly do.

While trying to find this secrecy sweet spot, I came to realize that the security techniques we use aren't often the ones we really need or even intend. Take the whole issue of Social Security numbers, for example. This is a unique identifier every American already has, so rather than replacing it with something better or with nothing at all, we fixate on keeping the number secret so it can't be used against us. But the simple fact is that Social Security numbers aren't secret -- in large part they have never been -- and they are already being used against us. So protecting them is like closing the barn door after the livestock have run away, and replacing them with something else doesn't necessarily give us more privacy or firmer identity.

Let's think, instead, about what are our real objectives in all these actions, what underlies this desire for privacy or identity, and how best to achieve that real objective, not some proxy for it which may or may not be correct. In the case of identity, what it really comes down to is that we don't want others being able to impersonate us and thereby either take our possessions or somehow sully our reputations. They might do these bad things through the possession of information like a Social Security number, but it isn't really protecting the number that's our true objective -� it’s protecting our stuff and our access to more stuff. So too, the real objective of weighing privacy against the good of the population is not that we have some right to know what's in your underwear drawer, but that we have a right to protect ourselves in case what is in that underwear drawer is a tactical nuclear weapon.

We have the right to keep our stuff and to keep our lives, simple as that. And anything that doesn't threaten property or safety, well, that ought to be nobody's business. These are really simple ideas that we tend to lose sight of in our rush to protect Social Security numbers or assign national ID cards. Are there ways to achieve these true objectives without stepping on too many toes or compromising public safety? I think there are.

At the very center of identity theft, for example, is the mistaken concept that it is about identity when in fact it is really about theft. While it doesn't feel good knowing someone has acquired the means to attempt to impersonate you, what REALLY feels bad is when they use that information to drain your bank account. It isn't the impersonation, itself, that does the damage, either; it is the bank teller giving all your money to the bad guy that really hurts. So forget about protecting identity. How do we hang onto our loot?

In this banking example, identity thieves take advantage of our over reliance on one or two highly specific identifiers. Knowing a Social Security number and a mother's maiden name is pretty much all it takes to loot a U.S. bank account, often without even knowing the number of that account. Yet the real question ought not to be, "Does this person know the right identifying information?" but, "Is this person really who they say they are?"

We concentrate too much on procedure and not enough on recognizing the true objective. If two soldiers have the day's password and countersign, they can get physically close enough to kill each other without knowing that their uniforms don't match or their language isn't even the same. We concentrate on the procedure at the expense of common sense. We can't tell a computer virus without having a virus signature against which to compare, yet there ought to be some heuristic we can use in the absence of a signature -- even before it is possible to generate a signature -- that can tell us this bit of code looks suspicious.

But we don't find that heuristic or apply it because we've already decided that doing so is too hard. That means we have decided to be victims.

Here is the core problem: We are attempting to apply statistical quality control to maximize societal safety, yet what really compromises that safety is aberrant behavior in areas we have not decided to monitor. So we tell the screeners to look for guns and knives in the possession of airline passengers, but we don't tell them to look for explosives in shoes. We invent clever identification schemes and rely on them because they usually work rather than doing the harder job of building an overall smarter system that can adjust to changing circumstances.

Look at how this works just in fighting spam. Spam is an ever-mutating pathogen always trying different ways to not only make it to our inboxes, but to get us to open and read the messages once they have made it to our inboxes. Something about the subject line, the message body, or the sender is constantly evolving, and as a result, spam will always be somewhat successful. We can't even end spam by making it illegal because that is too hard to enforce. Making spam illegal won't really change anything because spammers expect mainly to not succeed. They can make an acceptable living in spite of that fact. In order for their business to be successful, they don't need every message to get through or to be read -- only a small number of those messages, probably down in the single percentage points.

Spam response rates are similar to TV advertising response rates, yet for the most part, we are okay with TV commercials. That's because commercials actually provide us with a reward for attending -- you get to watch the TV show. Spammers give us nothing of value beyond the dubious opportunity to make our penises longer. TV advertisers are part of a symbiotic system, while spammers are pure parasites.

Spammers play the odds. Most thieves play the odds to some extent, using the system against us. Most of our protection techniques rely on playing the odds, too, but while that may protect most of us most of the time, that system is literally designed to fail because there are always more good guys than bad guys, giving the bad guys the edge.

There are some car thieves who steal only cars that are parked unlocked with keys left in the ignition. While this wouldn't seem on the face of it like a very successful criminal technique, it actually works quite well when there is a large population of potential victims. What percentage of parked cars is unlocked? Maybe 10 percent are unlocked. What percentage of parked cars is left with keys in the ignition? Maybe one half of one percent is left with keys in the ignition. Combining these two numbers suggests that one half of one percent of ten percent of the cars in any parking garage or parking lot is left unlocked with keys in the ignition. That is one car in every 2,000. If a car thief can look inside one parked car every two seconds, he will find the vulnerable car -- the car that requires no effort or skill at all to steal -- in an average of one hour and seven minutes. What makes this type of crime possible is the physical concentration of cars at the shopping center. What drives us toward a higher concentration of cars is that shopping is more efficient if you put all the stores in one place.

So our effort at increasing shopping efficiency makes us more vulnerable to theft. EVERY effort at increasing shopping efficiency makes us more vulnerable to theft in the same way that building cities creates targets for terrorism.

One key to fighting crime, then, is to make some activities less efficient. At Home Depot in my town, they have started requiring a picture ID before you can use a credit card, trying to make sure that people aren't using stolen cards. This extra step makes shopping at Home Depot less efficient, but it also makes credit card fraud more difficult to commit.

We could extend this idea to banning cities and shopping centers, but that wouldn't work either. For one thing, we've already built the cities and shopping malls.

Yet nearly everything we do to combat crime or enhance safety comes at the expense of reduced efficiency. So we build airports to make possible efficient air transportation, then set up metal detectors to slow down the flow of passengers. We build highways to make car travel faster, then set speed limits to make it slower.

What works against us is that we have a million years of societal and biological evolution based on the concept of small tribal groups, yet only a few centuries of urban life and less than two centuries of mass transit. One characteristic of tribes is that the members know each other. So when the lady at the bank recognizes you -- really recognizes you -- it decreases to almost zero percent the likelihood that somebody can come in the bank claiming to be you and steal all your money. This isn't some clever security design, but an artifact of tribal life. You don't resent the lady at the bank for knowing you. You are flattered that she does. You don't fear that because she knows you that you are more likely to be a crime victim. Just the opposite -- we feel safer because we are known.

But when we try to scale this inherent security up to urban, regional, national, and international levels, it doesn't work. We either have to accept less security or impose an artificial system intended to emulate that lady at the bank. This emulation is at the heart of every security system everywhere, yet we don't think of it in these terms.

It all comes down to scalability. If we want efficiency, we have to scale the system up, but that comes at the expense of safety. Even more to the point, IF WE WANT TO GET REALLY REALLY RICH, we have to scale the system up and safety be damned because what matters to those who run the system is accumulating wealth and power, not making the little people feel safer.

At least that's what we all assume to be true. And as a result of this assumption we have, for the most part, already made the decision to be less safe. Now we are mainly trying ways to finesse the system so other people have to pay for it, not us.

But does it really have to be like this? What if there was a better way? What would that way look like? And is there any way we could use technology to make that happen?

No, it doesn't have to be like this. Yes, there is a better way (probably several better ways), and technology can be a great enabler if we use it correctly.

What we need is a way to apply tribal values to international activities, a way to bottle whatever makes that lady at the bank so effective, and then spray it wherever we need it.

There are three keys to the system I am about to propose and the first comes from Volvo, the Scandinavian automobile maker now owned by Ford. Volvo built more than 400,000 cars in 2002, which qualifies in my view as mass production -- in other words, a scalable system. But unlike most of its competitors (even Ford, its owner), Volvo doesn't build cars on a traditional assembly line. Rather, they are built in what are called "assembly cells" where a small group of workers build each car more or less in place. This kind of manufacturing is not as efficient as using an assembly line and it requires better worker training, but it also results in higher overall quality and greater manufacturing flexibility. That Volvo is a successful car company tells me this manufacturing system is economically competitive. It is also tribal. So now we know that in order to get really big, you don't inevitably have to give up tribal values and methods. If Volvo can do it, then others can do it if they choose to.

The second key to my proposed security system also involves choice -- choosing when to apply the system and when not to. We have a tendency to come up with some new way of doing things, and then apply it to everything whether we need to or not. It's like in the book Catch-22 when they had to sign a loyalty oath in order to eat lunch. The issue here is how often do we really need to prove that we are who we say we are? Certainlym if there is a lot of money involved or a big safety risk, I say go for it. But if we build a system that makes it effectively impossible to drain a bank account, overload a credit card, or crash an airliner into a skyscraper, how much at risk are we for smaller identity crimes? If the big score becomes impossible, I maintain that reduces the attraction of smaller scores, and the overall system will become safer.

And the final key to my proposed security system is the actor Kevin Bacon, who seems to be six degrees or less from every celebrity alive. You see, in a tribe or village, identity is established by personal relationships, but to this point, we haven't been able to map those relationships over long distances. But now, using technology, we can.

My system is based on a registry of friends because we all participate in virtual tribes that are geographically dispersed. Every person who wants to have credit, to make a big purchase, or to board a 747 has to have a list of 10 friends -- people who can vouch for their identity and know how to test it if needed. That takes us out of the realm of the mother's maiden name, replacing it with, "What was the nickname I called you in the fourth grade?"

I am Bob, and these are my 10 friends.

They don't even have to be friends -- just people who know you. You don't have to tell them they are on your list and you can change your list as often as you like.

Imagine an aerial view of this network of friends. It is so large it could only be analyzed by a big honking computer, but there is a great deal to be learned from that analysis. People could disappear and be noticed, perhaps to be found. Deadbeat dads could be tracked, as could sexual predators. Epidemics would ripple across the surface of the model, perhaps leading to targeted anticipatory preventive care, saving lives. Guys who buy enough fertilizer to blow up a Federal office building would stand out.

Now before you can say the words "Big Brother," remember that YOU choose your list of friends so they can be people from work, from school, from the tennis club, but perhaps not from your Communist cell or from your swingers club. You can keep private what you want to keep private because the big picture is what matters here.

The system would be tied together by phone, e-mail, and Internet messaging. Ultimately,, it would come to function like a much larger version of eBay's feedback system which would result in subtle pressure toward more civil behavior -- something we don't have in any practical sense today.

Maybe this system wouldn't work. You tell me. But I know that what we have right now isn't working, and I am not sure it can be made to work. The only answer that makes sense to me is to hearken back to a simpler time when these crimes just didn't' happen. And it is only through clever application of technology that this can be done.

But it really needs a clever name. Too bad Friendster is already taken.

Comments from the Tribe

Status: [CLOSED] read all comments (0)