Privacy by obscurity

In the same minute that I pressed “publish” on this blog entry, it was downloaded by search engines, chopped up into keywords and indexed for the world to find. It was downloaded into RSS readers. If it were something significant or vaguely interesting to someone, it might be copied to another blog, a forum, linked to or printed out. A wandering spambot will likely download it, scan it, and attempt to insert a comment promoting some sort of pharmaceuticals. It might also be used by that spambot in an attempt to stuff another fraudulent website with “real content” in order to boost that website’s search engine ranking.

Knowing all this, I still pressed that button. But how many others would hesitate to do the same if they knew this? When it comes to self-published blogs, it’s quite likely many authors do know this – at least on some level. They may not understand the full ramifications, but they likely have a reasonable grasp of the situation. If you’re a professional web developer or work in the online industry you are likely aware of all of this. What of the majority of Internet users though? What of the Facebook or Bebo users?

The title of this post is inspired by a phrase from the world of security engineering, “security by obscurity,” which describes a system secured by an outsider’s lack of knowledge or understanding of the design or implementation of the security system. Privacy by obscurity, then, could be defined as the belief that information is under control when it is, in fact, not.

Security through “obscurity” is effectively a social deterrent to crime; a locked door or closed window won’t stop a determined thief. Online privacy would be the same – if the house had no doors, windows, or walls.

Privacy has no easy template

People have a fuzzy, stratified concept of privacy. There are things that you will tell one friend that you wouldn’t tell another, or things you might share with your siblings that you might not with your parents, etc. The stratification is broad, multidimensional and different for each person. It changes between each data point in a particular block of information, per person, over time.

For example – Bob goes out to a nightclub on Wednesday and meets Sally. He has a few drinks and smokes a couple of cigarettes. A friend takes a polaroid photo of Bob and Sally dancing; Bob goes home at 2am feeling a bit ill due to some dodgy pints.

Bob’s friends want to know what he was up to on Wednesday, and as it was perfectly innocuous, he’s probably happy to tell most of them; however, some considerations:

  1. Bob might not want his workplace knowing that he was out until 2am during a working week, especially since his performance on Thursday was less than fantastic.
  2. Bob promised his mother that he would stop smoking.
  3. Bob’s friend, Joe, used to go out with Sally, and would not be happy to find out that Bob and Sally were hitting it off.
  4. In a few years’ time, Bob may not be so happy about that photo of him.

This is only a short example, but hopefully it illustrates that this block of information does not fit what most people would like broadcast about them on the nine o’clock news (in the imaginary situation that Bob suddenly received a lot of attention), nor is it exactly deeply personal.

However, it is also technically possible that one of Bob’s friends will inadvertently tell Bob’s mother that he smokes, or that the polaroid will be shown to Joe at some point. The idea that “unencrypted” information can be confined to the specific target audience of the person involved is flawed. In real life, we’re used to judging the probability of this bleeding of information because the number of data points (the polaroid, the fact Bob smoked) and nodes (Bob’s friends) are small enough for us to naturally calculate the risk.

Network effect

The problem occurs with the Internet because the data points are infinitely replicable at zero cost (copying a photo to your hard drive, or to your Facebook profile is trivial and takes virtually no time at all – in many cases even this is automated). The network effect of Internet technologies also means that each node is massively more connected than before (everyone you know is probably listed as a “friend” on your social networking profiles regardless of your relationship to them).

The low cost of replication and the network effect quickly eradicate this flimsy stratification, treating it as an error, and reduce our personal stratification of information control to its simple, boolean reality – private, or public. Just as heat increases the rate of chemical interactions by increasing the rate at which molecules collide, the Internet increases the rate at which data points collide with nodes.

This is not an entirely new concept, however. From the emergence of language to the invention of the printing press, ways of disseminating information faster and more easily have paved the way for light to be shone into the dark recesses of ignorance and secrecy. Sharing of information is literally the cornerstone of civilization – it’s one of the major behavioural traits that set us apart from the animal kingdom.

Much like the printing press, the Internet has catapulted us into a new and ever-changing revolution in the way we see ourselves, each other and the world around us.

Privacy is boolean

With this understanding comes the inevitable realization that information can really only be reliably defined in one of two fundamental ways:

  • Private – This is information only you have access to, stored by you – probably on your local machine or in a secure email inbox. Making this information non-private requires, at minimum, blackhat hacking of some description.
  • Public – This is information that someone other than you has access to. This could be information your friends can see, or just information an informal group has access to; a vague circle of trust.

Public is where the majority of a person’s online information falls (intentionally or not). There are a lot of people for whom what they consider private information actually falls very much into the public sphere, through simple lack of understanding of the Internet.

The Internet has a long memory, and it’s improving

Whoever falls within your circle of trust now may not do so in future – relationships of all kinds can change over time. Conversely, due to the persistent and transferable nature of bits, a copy of a given piece of information is just as good as the original, just as transferable, and importantly, eternally subject to the whims of whoever has access to that copy.

If you’re not routinely conscious of your personal information, this proposition should, to put it mildly, alarm you. Never in the history of humanity has so much information about people been willingly offered up. This information is being regularly scoured by farms of automated bots owned by criminals looking for information on how best to scam you. It’s also being regularly scoured by “legitimate” marketing agencies who want to find ways to make you buy their tat, as well as find ways to prevent you from talking about poor experiences with them or their clients. The more online services you use, the less anonymous you are.

There is an argument that people should stand over what they say and do online. Maybe they should think before going on a wild rant against a company they had a poor experience with. Maybe they shouldn’t publicize how they’re giving work the runaround by taking sick days and going on holiday. Maybe they shouldn’t fill out personality tests or give their email login details to “help” them find more “friends”. I agree, to an extent. People need to think before they share, but to do so they need to understand what they’re doing in the first place.

This tearing down of perceived walls may be something we’re going to have to come to terms with if we wish to live in a more connected society. We may be able to prolong the illusion of information siloing, but the longer it continues, the higher the risk to each of us and the higher the reward for those who exploit it.

Maybe we will decide the illusion is worth it, as each of us operating online as though we were a celebrity, endlessly pruning our public image, may have consequences we’re not prepared to accept. However, the concept of the Internet as an Orwellian monitoring device, powered by the gossip-hungry schadenfreude of the people who use it, may not be far from the truth in the near future.


One Comment

  1. Posted March 22, 2010 at 1:35 am

    On the same subject, 4chan’s moot talked about persistent identity and people’s willingness to throw all sorts of once-considered private information out for all and sundry to view on the ‘net, on Facebook et cetera.

    http://www.youtube.com/watch?v=2JMeDMR9ai4