Schneier on Security
A blog covering security and security technology.
May 16, 2006
Trading Privacy for Convenience
Does this surprise anyone?
While privacy remains a major concern for people around the world, a majority of consumers would share personal data if they knew the information was securely protected and if sharing it would make their lives easier, according to Unisys' Global Study on the Public's Perceptions about Identity Management.
Posted on May 16, 2006 at 6:23 AM • 47 Comments
Doesn't shock me a bit. The problem is, the vast majority of consumers have no idea how to tell if their data is secure, and will take a blurb on a website that says, "Yur dats is safe wit us!" to mean it really is secure.
Life is really too easy for identity thieves these days, me thinks.....
The major flaw with biometrics is that once your digital biometric information is compromised, you are done. You cannot change it (reasonably), or ever go back. It is impossible to invalidate or revoke. That, in and of itself, should be a major deal-breaker. Am I missing something? Why does this not come up?
Public to surrender privacy, seeks assurances of security. Film at 11.
What it tells me is how little the public knows about the consequences of releasing even small parts of their personal data.
I guess as security professionals we have either failed to get the message across or the public has chosen not to listen.
In a way people need to accept that the environment they live in has changed.
In the UK it was not unknown for people to quite happily leave their homes unlocked in rural areas even just a few years ago. Now, however, with criminals having easy transport, the people living in those areas have found themselves even more vulnerable than those living in inner-city areas that have traditionally been subject to crime.
Well, since I happily signed up for a credit card, I'm one of these users that are willing to trade a little privacy for some convenience.
Trading off privacy for convenience is a commonplace. Anyone ever leave the house key with the next-door neighbours so they can bring in the mail and newspapers over a vacation? Each person has to decide where to draw the line.
@aetius - The point of biometrics is supposed to be that they cannot readily be forged. For others to know what your face, your signature, or your fingerprint looks like is traditionally held to be of little harm, because it helps to establish your identity. If it is easy to forge another's biometrics, then they become worthless for the intended purpose. (Of course, most of the reason we need secrecy of keys like social security number is that they are worthless for authentication but used that way anyway.)
If you ask a question with a false premise ("the information was securely protected") the answer is meaningless, like "if the moon were made of green cheese then mice would be happy there".
It's a biased question.
I think what Kevin Davidson says is exactly right. If I knew that my personal data would be secure and used only for the purpose for which I shared it, of course I'd share it. Those conditions are pretty much equivalent to not sharing it at all.
The point made by aetius has long bothered me, and I wonder if I too am missing something important. Forging identification documents means making good copies. My physical biometrics are difficult to copy, but if my biometrics are digitized, then exact copying of the digital data seems to be easy. The security of stored digital biometric identification data thus raises the concerns voiced by aetius.
You can save, what, about 5-15 seconds when you check out at the local super market if you use biometrics instead of your credit card.
The article seems to equate secure storage with placing the data on a smartcard. Once you hand over your data, anything could happen. The way the question is framed, you'd think that the statement "your personal information is secure" would apply to the backoffice.
@jewelosco: You'd save way more than 15 seconds if they'd add another cashier to the checkout lanes: there would be shorter average wait times in the checkout line. You'd save more than 15 seconds again if they had dedicated baggers for each checkout lane vs. having the baggers service multiple lanes.
Don't kid yourself: Biometric checkout is just another way for the stores to cut staff/reduce costs. Security and customer convenience have little to do with it. From your link: "Why is Pay By Touch more secure?
You no longer have to carry or present your personal or financial account information to anyone. And because a fingerscan is unique to one individual, it is more secure than other authenticators such as signatures, PINs, and even photos. Plus, the financial accounts you include in your Pay By Touch Wallet are still protected by the same rules that regulate their physical counterparts."
These claims are questionable at best. You will still carry personal information for your daily life outside of the supermarket (driver's license, credit/debit cards, etc.); the best you'd gain is one less PIN to remember or card to carry. A fingerprint may be unique but there's nothing to say the collected data points will be (they don't mention how many data points they use either). As to the accounts being equivalently protected, that is also false/misleading. You will be granting J-O access to your financial accounts for the purpose of taking payment. Every additional entity with access to your financial accounts lowers the relative security. What happens when J-O's backup tapes are stolen? What ensures the transactions that J-O posts to your account are valid? What controls are in place to protect you when J-O is hacked?
Ben Franklin said this about 250 years ago, and it still holds true:
"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety"
I think it holds true for security as well. There are other ways to be secure, but people are too short sighted and are looking for a quick, easy fix.
I'm still waiting for "Study: Do Consumers have a clue?"
By the way, the whole point in speeding payment (aka "convenience") is making you pay faster so, when you realize it's an impulsive worthless buy, you already paid for it.
@JohnJ: I was not endorsing pay by touch. If you think this is just jewelosco, note that this is probably albertsons/savon too. I don't know what kind of sign up rates they have, or if pay-by-touch is just jewel/osco stores for now.
I am wondering, with the marketing push for this, how many will have given up fingerprint data under this program, say 1 year from now. New flavors of identity theft involving these data?
What a load of BS.
As if Unisys is an impartial party in the privacy/personal data debate.
I don't see anything about supermarkets and speedier checkouts in the original article, but that example does illustrate why there's a push for these kinds of technologies: It's convenient for businesses.
While biometric technology is being marketed as a convenience (save time! avoid identity theft!) it's really about saving money for businesses and generating new sources of revenue. When the effort to purchase a television set is the same as for a pack of gum or carton of milk, it's likely a lot more televisions are going to be sold. Many people use grocery store "loyalty cards" and happily trade their grocery shopping patterns for a few dollars. Fair enough. But soon, along with how often they buy milk they'll be divulging their employment history, how often they see their doctor, and which naughty bits they like to view on the Internet.
The problem I see with this survey is the situation posited is never going to exist. You can never guarantee your data will be protected and the vast majority of people lack the information, understanding, and initiative to make an informed consent of use of their data. It's well known that people don't read the EULAs that come with software, nor the privacy policies on websites and mailed them by their credit card companies. Is there any doubt that such requests for your data will be written in arcane legalese?
Remember, the large print giveth and the small print taketh away. This survey is just reminding us about the large print.
To overcome this problem we need five things to happen:
1. Card-Present Transactions at all existing e-commerce sites.
2. Enable Card-Present Transactions at the client PC for increased security for both consumer and merchant.
3. Enable all e-commerce sites that currently accept credit cards to also accept ATM/debit cards through an existing network.
4. Shield the consumer’s financial and personal information from reaching the Merchant website during online payment transactions.
5. Protect the consumer’s account data and PIN codes from software executing in the consumer’s PC so that a virus cannot gain access to that information.
It's Authentication, Stupid
I think that the basic issue is that people believe that biometrics identify *you*, as opposed to *measurements* taken from you. Thus, people do not understand that biometric information can and will be used in identity theft, because once the biometric info on anybody's thumb is leaked, the thumb in question is no longer required for authentication. And as aetius points out, revoking biometrics is not really an option (aside: does anyone remember http://www.imdb.com/title/tt0181689/ ?).
I wonder what the response would be if the question was phrased, "Given the frequency of recent published incidents of data breaches, do you feel that any institution is capable of adequately safeguarding your personal data?"
When using biometrics, why can't a salt, a pin, and a scan be combined?
A reader is sent a salt, and then the reader hashes the pin and scan together, and then hashes that against the salt.
Over-the-wire goes the final hash, to be compared with a saved pin+scan hash on the back end.
With something like this, the backend doesn't need to store the actual scan, just the hash.
The pin portion of the hash makes it revocable.
two american men, friends for many years, shot pool together every saturday night. one was a hardworking, 9-5 steady eddie kind of guy, the other was never known to hold a job, yet always had money in his pocket. finally the steady eddie could restrain his curiosity no longer, so he asked his friend "how do you manage to do this?"
"i take smart pills" replied the friend. "these pills make me smarter and also help me secure my data. i'll sell you a bottle for fifty bucks."
steady eddie was game, and he plunked down his $50. a minute later he was opening the bottle and washing several pills down with a gulp of light beer. he turned to his friend and said "these smart pills look and taste just like rabbit shit."
the friend replied "see? you're getting smarter already!"
Don't you get it?
Consulting companies post "studies" like this to make it sound like there is a debate going on.
The fact is there is no "debate".
The fact is no company or government entity can safely protect and respect a person's data.
The study is fact to create the illusion of a debate where there is no debate.
Experts like Bruce and peons like ourselves are so ready to jump on the "issue" that we make the argument for them.
Unisys is attempting to justify for their customers that people want their data in control of big multinational corps.
Important: The fact is no company or government entity can safely protect and respect a person's data.
A company's number one goal is to make money, not privacy.
A government has hundreds of goals that trump privacy everyday.
The only person/thing in this world that values your privacy is YOU.
The only way personal information will ever be secure and private is if:
1. Individuals own their personal information
2. Governments and Companies have to pay for any use of an individual's personal information.
So, if the NSA wants to make a list of my calls they have to pay me for it. If the FBI wants to keep my fingerprints on file they have to pay. If Walmart wants to track how many times I buy tube socks they have to pay.
Once biometric data starts getting collected ('volunteered' for convenience over security) then a number of factions in the corporate structure will start looking at that database as a revenue source. They will sell it -- every chance they get to as many customers as they can find.
They would be wise to keep the sales on the quiet side, of course. No use inviting trouble.
Biometrics are not the problem, but rather (as someone else has pointed out) the storage of the info. An id thief could get in, change his thumbprint to YOUR record, and go have a good time. That is always the problem with security vs. convenience: how can we create a system that is very secure, and how can we create a resolution or arbitration process to fix the problems? Look at the TSA debacle: Godwin forbid if you get your name on the wrong list, they have a broken process for fixing the issue.
People like Bruce exist to point out the other side of the issue that doesn't get discussed at board meetings. He helps make it a hot topic and therefore likely to trickle up to Congresscritters in their talking points and maybe someday an actual law!
Groups like Unisys will always want speed over quality; that's why there are government regulators (or supposed to be).
[If you ask a question with a false premise ("the information was securely protected") the answer is meaningless, like "if the moon were made of green cheese then mice would be happy there".
It's a biased question.]
It is not a biased question, it is a fallacious argument.
99.9% of people don't understand mathematical logic
and neither understand security
If biometrics becomes easy to forge/fake, then you can pretty much forget about criminal forensics as we know it anyway.
there's a ton of other issues that come out of this.. security of the data store. issues with the pin size... managing brute force attacks.. etc.
The thing that I don't understand is why it is that people are so worried about their data. If you maintain your own records and can refute complaints with your own records (based on validation from external sources), then the issue should be smaller.
Who should suffer more? The victim, the facilitator, or the criminal?
The IRS tells you to save tax returns for 7 years (longest period for audit).. why not protect yourself in other ways against other types of attacks?
This is a bit off-topic perhaps, and it could be I forgot what I learned in my probability and statistics classes, but what good are these surveys? For instance, most of the "USA Today" survey results on their front page are from surveying about 1,000 people. How can 1,000 people accurately reflect the feelings of a country (the USA) with 280 MILLION people in it? Granted, a good portion of that 280 million are children, but still.
I agree with some of the others that this survey is worthless. Unless someone can show me how 0.001% of a population can accurately reflect the whole population, I take any survey with a grain of salt.
@Tim: It's not as difficult as you think, statistically, to use small samples in polls. The fundamental problem is the scenario of a poll: you make contact with a random, uninvolved, person; you ask them a potentially thoughtful question; and you bin their response in one of 3-7 bins for statistical analysis. You are faced with a 3-5% "margin of error", the error introduced by the statistical technique. However, you have huge errors in the raw data.
Folks love to quote Franklin and his witty sayings. Does anybody think these sayings popped into his head when some random stopped him on the street with a question?? Of course not, he was a professional writer, he published a product that had need for small bits of witty writing. Thus he worked hard to produce them, store them, and insert them when needed.
Pollsters seek uninvolved people, in the belief that most people are uninvolved. Thus they may ask "Do you or anyone in your household work in computer security?", but that is not to give more weight to people who know what they are talking about. It is the opposite, to ignore anyone who says "yes" for fear they would bias the measurement.
Pollsters like to ask "yes" or "no" questions, because they take the least bins to analyze. Even when they ask open ended questions, they are going to choose one or two of no more than seven bins as your answer. Otherwise they need more samples, and each sample costs money ... .
So the question is not why people ask "Would you share personal data if you knew the information was securely protected and if sharing it would make your life easier?", or even why people answer "Sure", but rather "Why do we consider statistical analysis of this sort of thing useful?". Sure, it is easy for "news" folks to gather and report, but that doesn't make it useful. If we asked specific, detailed questions like "Would you be OK with your employer raising your health insurance rates because you eat too much fatty food if the system that kept track of your food choices made it more likely the cafeteria would not run out of the foods you most often eat?" we might get something approaching a thoughtful response. However, we'd also start the rumor that some companies were doing this and probably end up in court for slander.
Perhaps we can't influence what uneducated folks think, how do we move ahead to increase security and privacy anyway?
Yes, you forgot what you learned in statistics, I guess.
If you pick a lot of individuals at random from a very big group, attributes in your sample should be distributed according to the whole.
The Ponemon Institute looks as if it could pay a professional statistician - I don't know about 'USA Today'.
The study isn't only addressing the 280 million US-Americans, but "perceptions of individuals in North America, Europe, Asia-Pacific and Latin America" - perhaps 3 billion people.
I didn't find the number of people being asked.
This biometric data is like sci-fi for me, but I am afraid... This is like Orwell's Big Brother..
Just to chime in on the survey question - the biggest obstacle to surveys being valid for inference to the larger population is that the sample be truly random. Anyone who has ever done any kind of survey work can tell you (as can any statistician worth his/her salt) that the samples are decidedly NOT random (and that's not just because they "qualify" you first). IMHO, most polls are only valid for inferring what people who don't have caller id think, because that's the group they're really sampling. :-)
"Well, since I happily signed up for a credit card, I'm one of these users that are willing to trade a little privacy for some convenience."
I also have a credit card. But, I already have a bankcard with the same bank, so they didn't get any additional information about me. The Credit card company did, but they are bound by Belgian and EU law not to share it with anyone else unless I explicitly agree to it.
It is impossible to keep personal details entirely private as that would require you to not have bank accounts, credit cards, to not fly, not work etc.
The question is what these companies should be allowed to do with that data and why people give up very personal details just to get a worthless gift through mailorder.
"If biometrics becomes easy to forge/fake, then you can pretty much forget about criminal forensics as we know it anyway."
This is exactly the kind of incorrect reasoning I was talking about in my first post. It is not matter of faking *fingerprints*, but *measurements* taken from fingerprints. Biometric ("measurement of living things") signatures are just numbers, and as such, can be perfectly copied unless cryptographically protected. So, it is perfectly possible to fool a biometric authentication system (thus faking an identity) without having to fake an actual fingerprint.
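The "salt, a pin, and a scan" scheme proposed in an earlier comment, and this comment's point that a biometric signature is just a number that can be copied unless cryptographically protected, can both be made concrete in code. What follows is an added example, not code from the blog or from any commenter: it assumes SHA-256 as the hash, length-prefixed fields so the PIN and scan cannot be confused with each other, and a scan that has already been reduced to a fixed byte template (the comment does not say how that reduction would be done). The backend stores only the PIN+scan hash, issues a fresh salt per attempt, and revokes by changing the PIN.

```python
import hashlib
import hmac
import os

# Hypothetical sketch of the "salt + PIN + scan" scheme from the comment above.
# Assumptions (not from the page): SHA-256 as the hash, length-prefixed fields
# for domain separation, and a scan already reduced to a fixed byte template.


def inner_hash(pin: str, scan: bytes) -> bytes:
    """Reader side: hash the PIN and the scan template together.
    Fields are length-prefixed so (pin, scan) boundaries cannot be shifted."""
    pin_b = pin.encode("utf-8")
    h = hashlib.sha256()
    h.update(b"pin+scan\x00")
    h.update(len(pin_b).to_bytes(2, "big") + pin_b)
    h.update(len(scan).to_bytes(4, "big") + scan)
    return h.digest()


def response(inner: bytes, salt: bytes) -> bytes:
    """Hash the inner value against the salt the backend sent; only this
    value crosses the wire."""
    return hashlib.sha256(b"challenge\x00" + salt + inner).digest()


class Backend:
    """Stores only the PIN+scan hash, never the scan itself."""

    def __init__(self) -> None:
        self.records: dict = {}   # user -> stored inner hash
        self.pending: dict = {}   # user -> outstanding salt

    def enroll(self, user: str, pin: str, scan: bytes) -> None:
        self.records[user] = inner_hash(pin, scan)

    def challenge(self, user: str) -> bytes:
        salt = os.urandom(16)      # fresh per attempt, so a response cannot be replayed
        self.pending[user] = salt
        return salt

    def verify(self, user: str, resp: bytes) -> bool:
        salt = self.pending.pop(user, None)   # one-shot: each salt is used once
        stored = self.records.get(user)
        if salt is None or stored is None:
            return False
        return hmac.compare_digest(response(stored, salt), resp)

    def revoke(self, user: str, new_pin: str, scan: bytes) -> None:
        """The scan cannot change, but the PIN can; that changes the stored
        hash and invalidates anything derived from the old one."""
        self.records[user] = inner_hash(new_pin, scan)


def reader_authenticate(backend: Backend, user: str, pin: str, scan: bytes) -> bool:
    """Reader side of one authentication round."""
    salt = backend.challenge(user)
    return backend.verify(user, response(inner_hash(pin, scan), salt))


def demo() -> dict:
    scan = bytes(range(32))        # constructed stand-in for a scan template
    backend = Backend()
    backend.enroll("alice", "4921", scan)

    results = {}
    results["correct"] = reader_authenticate(backend, "alice", "4921", scan)
    results["wrong_pin"] = reader_authenticate(backend, "alice", "0000", scan)
    # Holding the raw scan without the PIN does not yield the inner hash.
    results["scan_only"] = reader_authenticate(backend, "alice", "", scan)

    # Replay: a captured valid response resent against a later challenge.
    salt1 = backend.challenge("alice")
    captured = response(inner_hash("4921", scan), salt1)
    results["original"] = backend.verify("alice", captured)
    backend.challenge("alice")                      # backend issues a new salt
    results["replay"] = backend.verify("alice", captured)

    # Revocation by PIN change: the old PIN stops working, the new one works.
    backend.revoke("alice", "7788", scan)
    results["old_pin_after_revoke"] = reader_authenticate(backend, "alice", "4921", scan)
    results["new_pin_after_revoke"] = reader_authenticate(backend, "alice", "7788", scan)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

Two things the sketch makes visible. First, the stored inner hash is itself a credential: whoever holds it can answer any salt, so the backend table needs the same confidentiality the raw scan would, and it is the PIN change, not the hash, that makes the record revocable. Second, everything above assumes the reader produces a byte-identical template each time; a hash of a measurement that varies from scan to scan would never match, which is why template stability has to be settled before a scheme like this can work.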
surveys are questionable for another reason not yet mentioned here. people lie. people are cynical and suffer from survey fatigue. people know that behind that survey is an advocacy organization with an axe to grind, seeking more government grants, which carefully tailored those questions to paint you into its corner. some of us answer the questions in a way calculated to prevent them from using us to get more grant money, and some of us use the opportunity to salve our chronic amusement deficit: "why no, i haven't decided who i'm gonna vote for. i'm so sure i'm gonna be raptured in the next couple of days, i've even stopped taking showers. i don't want jesus to take me in the nude!"
I worry much more about the banking/payment industry developing more secure methods of authentication than I do about privacy.
Today when I call my credit card company they ask me for my SSN, DOB or mother's maiden name. That is authentication? What a joke! The problem isn't that my SSN or DOB is easily acquirable. The problem is that these pieces of information are being used to "authenticate" my identity.
What is needed is for something like RSA's SecurID to be used as one factor in a two factor authentication scheme. Sure, every scheme can be broken but the current SSN/DOB authentication scheme is little better than no authentication.
Having a crypto token based authentication would definitely raise the bar for identity theft.
Of course we would want some top notch white hat hackers to develop protocols for how to quickly and easily deal with compromised crypto tokens.
A few important points in moving to the "multipurpose smartcard":
(1) We must have laws governing the protection of sensitive data (e.g. any data that would be useful for identity theft). These laws must have significant penalties for leaking this sensitive data. It is not enough to follow the GWB doctrine of "trust us".
(2) The financial institutions must be liable for fraudulent charges (like they currently are or used to be for credit cards). Banks do a very good job of monitoring credit cards for fraud because fraud costs them money.
(3) There must be well thought out protocols for dealing with identity theft. I.e. how do I revoke a compromised ID and get a new ID issued? This should require me being physically present and having various biometrics collected (video, voice recording, fingerprint, DNA, signature).
The question isn't "should we move to biometrics as the foundation of authentication"; the question is "how are we going to protect this sensitive data?"
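The two-factor scheme the last two comments ask for, a password plus a crypto token, together with a protocol for retiring a compromised token and issuing a new one after the customer has been re-identified in person, looks like this in code. This is an added example and not code from the blog, from any commenter, or from RSA: SecurID's own algorithm is proprietary, so an RFC 4226 HOTP counter token stands in for the crypto token, PBKDF2 stands in for whatever an institution uses to store the first factor, and the user name, password and serial numbers are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# Hypothetical sketch, not RSA SecurID: an RFC 4226 HOTP counter token stands
# in for the "crypto token", PBKDF2 for the institution's password store.


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The token in the customer's hand: a key and a moving counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.key, self.counter)
        self.counter += 1
        return code


class Authority:
    """Institution side: password store, token registry, revocation."""

    PBKDF2_ITERS = 50_000

    def __init__(self, look_ahead: int = 5) -> None:
        self.users: dict = {}    # user -> {"salt", "pw", "serial"}
        self.tokens: dict = {}   # serial -> {"key", "counter", "revoked"}
        self.look_ahead = look_ahead   # tolerate a few codes generated but never sent

    def _kdf(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ITERS)

    def _issue(self):
        serial = secrets.token_hex(4)
        key = secrets.token_bytes(20)
        self.tokens[serial] = {"key": key, "counter": 0, "revoked": False}
        return serial, Token(key)

    def register(self, user: str, password: str) -> Token:
        salt = secrets.token_bytes(16)
        serial, token = self._issue()
        self.users[user] = {"salt": salt, "pw": self._kdf(password, salt), "serial": serial}
        return token

    def revoke_and_reissue(self, user: str) -> Token:
        """Run after in-person re-identification: the old serial is dead for
        good, and the customer leaves with a fresh token."""
        rec = self.users[user]
        self.tokens[rec["serial"]]["revoked"] = True
        serial, token = self._issue()
        rec["serial"] = serial
        return token

    def login(self, user: str, password: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pw_ok = hmac.compare_digest(self._kdf(password, rec["salt"]), rec["pw"])
        tok = self.tokens[rec["serial"]]
        if tok["revoked"]:
            return False
        code_ok = False
        for c in range(tok["counter"], tok["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(tok["key"], c), code):
                tok["counter"] = c + 1   # this code and all earlier ones are now burnt
                code_ok = True
                break
        return pw_ok and code_ok


def demo() -> dict:
    auth = Authority()
    token = auth.register("alice", "correct horse battery")   # constructed credentials
    results = {}
    code = token.next_code()
    results["both_factors"] = auth.login("alice", "correct horse battery", code)
    results["replayed_code"] = auth.login("alice", "correct horse battery", code)
    results["wrong_password"] = auth.login("alice", "guess", token.next_code())
    # Token reported lost: retire it and hand out a new one.
    new_token = auth.revoke_and_reissue("alice")
    results["old_token_after_revoke"] = auth.login("alice", "correct horse battery", token.next_code())
    results["new_token_after_revoke"] = auth.login("alice", "correct horse battery", new_token.next_code())
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

Both factors are always evaluated, the counter only advances on a matching code, and a revoked serial is refused before any code is checked, so a lost token is useless the moment the institution marks it revoked, whatever codes it has stored up. The revocation path is deliberately a separate, out-of-band step, which is the "well thought out protocol" the comment asks for: the bar for reissuing a token has to be higher than the bar for logging in with one.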
Why not pursue a strategy of changing your identity every few years? Such a plan, if executed properly, should work spectacularly. If nothing else, bureaucrats are a class easily confused.
@ozian: "See the latest from our state police"
Oops, I misread that for a moment there.
Thought you put "See the latest from our police state" :)
Maybe I've been reading this blog too much...
That's the funniest piece of link spam I've seen in a while. Well, for a few days anyway. Here's a hint: if you're going to advertise your English translation services, at least run it through a spell-checker first. That helps you to avoid the more outrageous clangers like "professionaltanslation".
Is there a way to report link spam on old threads?
Security and Privacy vs Convenience
I agree with the basic premise that customers often choose convenience over privacy - I frequently choose to sacrifice the anonymity of a cash purchase for the convenience of a credit card over the Internet. While this is true, I think the real problem is that the the choices offered are often "stacked" to favor the convenience or business practices of the merchant rather than the customer.
The obvious example here is the fact that most Web merchants insist that the customer establish an account - a user name and password - before being able to check out a purchase. The intent here is to establish a "relationship" with the customer.... by having the account already set up they will make it more convenient for you to make future purchases there - which will make it more likely that you will return. I have no problem with this either. My complaint is that they REQUIRE it.
I frequently shop at Amazon.com and and so I have no objection to having an account there, but I do NOT want an account at a merchant where I rarely shop. In that case the convenience is not worth the extra risk associated with having an account that could be compromised. A few merchants offer the option to "check out without creating an account" - but not very many. Much as I dislike government regulations, maybe there should be a privacy law outlawing the practice of requiring the creation of a user account as a condition of making a purchase.
This practice even extends to many banks - in a more dangerous form. At least one bank with whom I do business has sent me a letter stating that "We now offer online banking - here is your default password - you should change it as soon as possible." It required considerable time and effort on my part to convince them that I did NOT want online banking and did NOT want the online account to be active because of the security risks. They simply assumed that everyone should have an online account - so they automatically created one for every customer without even establishing a mechanism for deleting the ones that were unwanted.
It really seems that we need a regulation stating that "No financial institution subject to government regulation may create an online or other remote access account on behalf of a customer unless it is expressly REQUESTED by the customer." Obviously this would displease the institutions (who, I firmly believe, have the "try it, you'll like it" philosophy), but it would be much better for the security of the customer.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.