In case you're deaf, or just tuned out to tech news, there have been an astonishing number of breeches in supposedly secure databases that have leaked millions of peoples personal data, the most spectacular melt down being the Playstation Network crashing and burning earlier this year (hilariously parodied here). Still, as this brilliant law review article (published in the UCLA Law Review) points out that the fact that the databases exist at all is, in and of itself, a huge violation of privacy? The big money quote is this:



Considering that in SR people are constantly broadcasting this information, on top of even more information such as their SIN which is more or less the future equivalent to a SSN, it makes the panopticon section of Unwired look tame in comparison to even what is possible now.

One of our, as a group, biggest problems with the Suspension of Disbelief in SR4 is the wireless movement.

Privacy, like security, is an illusion. Most people want the illusion. They don't want the reality.

While the technology has changed, the basics of the situation haven't. The privacy most people enjoyed was security through obscurity. You're life was private unless someone went through the incredibly easy task of simply hiring a private detective. Locally there are background check companies that will not only do checks for employers, but they'll do checks for people seeking employment. My TS-SBI (Top Secret Special Background investigation) had a wealth of information about me that I didn't have. (I couldn't remember every manager and every work address. They had everything, even interviews with people I had forgotten I worked with.)

It may simply be that people have a choice. Live a public life or live in the gutter. (Sadly enough, the movie Demolition Man leaps to mind.) Privacy (and real food) are for the wealthy and the rural. The wageslaves lead a public life, having sold their privacy for bread and circuses.

And automated terminals that boost their confidence.

And three sea shells.

Wow - That is.... pointless. That's just generic statistical data whose only use is for age group based marketing... hardly "landmark"

Now, add a name to any two of those and I can probably show you a picture of your house.

Gotta love Google Earth...

... why?

I think what he's saying is that if you download the "Anonymized Dataset" and you know some things about a specific person who happens to be in that database you can find their records. (see http://www.techdirt.com/articles/20060807/0219238.shtml , http://www.techdirt.com/articles/20071130/114005.shtml , etc. etc.) (I feel dirty explaining this thread with 5 year old articles....)

Not sure if the OP plans on fixing the link to the law article.

Because it feels wrong and in our humblest of opinions, handled poorly. It seems to equal parts handwavium, and way-too-complexium. I get why they made of the changes-because frankly hackers/deckers/technomancers have never really seamlessly fit into the game like the other archetypes.

For my dollar the wireless matrix and wireless portion of the game seem and feel forced.

The point is that with that data you can find the name. I'm not sure that you're grasping the enormity of the situation (or if I'm totally misreading you).

Imagine you order "Big Trannies (and the trucks who use them)" from Sony Direct Media. You use an anonymous name, but they do require age verfication, and they require a zip code (for shipping, billing, whatever).

Sony sells their information to "Fat Marketing Heads, Inc." to see which areas buy what sorts of videos. FMH says "this is anonymous data, we're the lowest-budget bidder, our database security is outsourced to some guy we found on this great networking site, 4chan. He has a monocle, he looks legit." This data then gets blasted over the Internet.

Now, as soon as someone takes the leasing or property owner data available freely online for most counties and does a reverse lookup, they can find everyone in your zip code who has your birthday (i.e., you). That means they can automate plugging their new Internet list to the other Internet list and get a list of every video rented and the name and address of each person who rented it -- and post it online.

Now swap out your video rental with anything else; medication you used, call service, the pictures of your kids you ordered, your subscription to "Anarchist's House Weekly", and imagine scuzzy people on the Internet knowing who precisely ordered it.

It's harder than you think it is, given the rates these people charge per day (and the dubiousness of them). Believe me, I've been there.


Bullshit. Privacy, however, is the currency you pay for when enjoying "free" internet services. If you don't pay for something in money, you pay another way. Most people just have to learn the hard way how easily this may cost them jobs and social standing.


+1. Besides, if you felt the pressing need, decking via cellphone networks was possible in SR3 already. Just, it was handled sensibly - it was hideously insecure.


Or your boss (oh, you registered with a labor union? You're fired!), your chaplain (addressing your interest in tranny sex videos this sunday!), or your family (you're 15 and look up help sites for gay teens on the internet? It's off to de-gaying bible boot camp!). Or maybe your health insurance suddenly skyrockets because your facebook account shows you have been slacking on your workout lately, or not following the latest health food fad? Scuzzy people on the internet are the least of your worries (unless you are female and play WoW, then you just gained several stalkers).

Remember that time when Lulzsec busted the pron.com database? I focused on folks from my country who were registered there (I filtered them out via e-mail addresses, so if there was someone else, using international e-mail providers like Hotmail, Gmail or so, I overlooked him). It would be much funnier if a horde of stupid kids didn't get their hands on the list first. If anyone from the list had a profile on the local social site, it was defaced or deleted, or defaced and then deleted (that is, if they were stupid enough to use the same password there and at pron.com). However, that was the only damage the kids managed to cause. I went a step further - looked up the login names (and real names) from the social site and e-mail addresses. Found a couple of telephone numbers (via a local auction site), one Skype ID (secured with the same password used on pron.com and the social site), one file-sharing website account, one or two forum accounts and, of course, accounts on other porn sites (usually secured with the same passwords...).

The lesson I've learned from that is: "if you get someone's login and password, don't act like a fucking moron with it. It's better to keep your intrusion quiet - just so the poor schmuck doesn't figure it out before it's much, much too late."

It's also the currency charged when you want a government permit or license or registration, bank account or loan, job, delivery, or anything else where someone is keeping a physical or computer record of the transaction (such as purchases made with anything other than cash).

It's also part of discounts attached to loyalty cards and similar programs.

I've had way too many places who have no business asking me, ask me for my zip code, phone number, etc.

It's frequently given up by people who don't know their smart phone records GPS information in their photographs. (geotagging on by default) - http://loc.alize.us/#/geo:34.098479,-118.327496,17,k/ for examples.

Looks suspiciously like a Penny Arcade comic.

An old hat in academic circles (the buzzword is k-anonymity), but it never hurts to remind people of how correlating data which by itself is anonymous (gender, birth date, rough location, education...) can easily identify someone. A popular choice to test such techniques are the "anonymous" statistics released by healthcare providers or hospitals, btw...

Except "sell it to the highest bidder" isn't quite legal for those. Unlike for google and facebook, who base their entire business model on exactly that.


That's true. Best reason not to have one (besides, the discounts and special offers usually are worth shit anyway).


Newer android phones actually ask you about that, and you can say no. Not true for Apple, however.


Lulzsec are (were) vandals, not thinking beyond wreaking a little havoc. But if they can do it, so can organised crime. And they're a lot better at thinking their criminal enterprises through. Think about all the membership lists/password and login data thefts we do not hear of, not least because some company wants to keep it quiet lest they look bad.

The Pentagon gets something like 40 (attempted) intrusions a day, just to give you a sense of scale on how often it's tried and caught before anything happens (generally by things like firewalls).

Certainly, but they're a high profile target (and supposedly use this as a recruitment tactic - you hack them successfully, they backtzrace you and make you an offer you probably do not want to refuse). They are also reasonably well protected, though - unlike the average webshop. THAT is where the danger is.

Notes:
1) Missed one: Smart phone applications that have the ability to save data, including any client/server app.

2) http://www.theatlantic.com/technology/arch...rifying/245867/ <- PittPatt, now part of Google.

Smart phones and social networks, the stalkers new friends...

I think I know that guy


Yes, I suppose that's true ...give or take the 23% chance you're one of the "other" Americans which will, naturally, be more likely the more densely populated your zip code is. However, much like one would in SR, any smart internet denizen has more than one "profile" for whatever their internet habits may be.

Of course, it's not just the info you plug into some form that puts you at risk anymore, anything you post on a MB or say in a chat room can also be used. It's hard to get through peoples heads that this can be a dangerous space... though I usually find when I show them how easy it is for me to track them down based on snippets of info from a handful of half remembered conversations from a public chat or forum, at least a few will sit up and take notice. Others hold on to their idealized "well I don't care because nothing like that really happens/would happen to me"

I always laugh when someone defines "smart" as "agrees with me".

Do you have a unique IP address for every one of those profiles?

I think I get what he's saying, because I do the same thing.

The fact of the matter is, the Internet has become a large part of our lives, and that means you're going to be checked out. There's lots of warnings getting thrown out there nowadays to make sure you're careful with your Facebook photos or your tweets or what have you, because bosses (and the companies they work for) check it out.

So I have one email address for work and professional stuff and another for general internet use (and I need to make one for gaming, but I drag my feet...). I know lots of people who have a work Facebook (for networking), family and local friends Facebook, and another Facebook for online friends and gaming, all locked down to various degrees. I lock down the rest of my social stuff too, just because I'm paranoid - we're pretty convinced I lost a decent opportunity because the company googled me and came up with some of my writing / gaming and other personal stuff. Can't prove it, but...

It's just the cost of living online. Be aware of what you're putting out there, and self-edit. I did that recently and it reminded me of stuff I didn't even remember signing up for - like my Myspace account, which was running on seven years old. Scary.

I don't see how that provides with anything more than an "illusion of privacy security". I'm willing to bet that this post, and edits to this post are timestamped with my IP address (as is the majority of information you submit to any web page). If you're not aggressively denying/killing cookies then advertising companies are tracking your actions across multiple websites (id XYZ has hit our ads on the web pages Q,R,and S). And even if you are killing cookies, they're probably tracking by IP address as well (you may be actively blocking ads which is a solid step to preventing that sort of tracking. No request = no track.).

The log files for every website you've ever visited should have timestamps, IP addresses, requests, etc.

*cough* Sony *cough*

I think we're talking at cross-purposes here and it's multiple conversations going on at once...

To be a smart online person nowadays, you have to think about everything you do online. If someone has a hard-on to find you, they'll find you. If someone wants to get your personal information - they'll get your personal information. Just like in Shadowrun, there are so many databases out there with varying levels of security that simply being able to cross-reference the easy ones will generally get you what you want. It's just that simple.

What Stalag and myself are saying is that for the people that are only doing shallow searches for you - jobs, companies, friends, family - it doesn't hurt to pay a modicum of attention to what you're doing online. Like, for example, locking down your personal social media, or operating under different online handles for different things. My work and professional stuff go to one email address; my general online browsing, another. I'm very careful with who I let on my Facebook and who sees what I say. And I stay off the internet at work, because I don't want my job seeing me post on Dumpshock and think that I'm some weirdo with an elf with guns fetish.

You have to be smart online. Don't post pictures of yourself half-naked, and don't talk about buying pot, especially if you're not smart enough to lock your shit down to casual browsing. If you're a girl (hate to say this) you have to be double-strength cautious.

But if people want to get at your stuff, they will, and there's not a whole lot that you can do about it. Sad, but that's the price you pay.

Ha, Sony is its own little kettle of dumbfish.

Point the first: don't put your authorization keys under your metaphorical front door mat and pray no one finds it.

Point the second: update your damn online network security.

See also Sony's whole CD rootkit fiasco...

Dynamic IPs are such a nice invention...

You keep defining smart as agreeing with you. I do not think that word means what you think it means.


So no. You don't HAVE to be "smart" online. One can simply accept that they have no privacy. One can accept that attempting to wall in data is an illusion because the walls are not secure. Maybe, like a car lock or house lock, it might keep out a casual intruder, but it's also reasonable to accept that it's not going to and instead choose to not be ashamed of who you are, what you do, and where you go.

People who make that choice no longer worry about security with regards to their privacy, they simply practice discretion if they feel like it. Otherwise they simply are who they are. It's a perfectly valid choice. Cromulent even.

Note: None of this is new with regards to the internet. Old folks may remember the birth and death on anon.penet.fi. (1993-1996) as well as the night in 1993 when Richard Depew took down the internet over this issue of privacy, anonymity, and technology.

It's 13% first off,* and second off, it's as high as 13% because 7.5% share a zip code with the other 7.5%. So while 13% seems like a lot, it's because we're thinking of it as "13% shares with another, unmentioned 13%" (for a total of 113%).

Secondly, you have to realize that while 7.5% of the population is like 23 million people, odds are they're sharing a zip code with at most two other people who match their birthdate-gender-zipcode profile. And even in the case where they're sharing with, say, 99 other people, that's still only a group of 100 you'd have to do any cross referencing with. And cross referencing with 100 individuals to further narrow you reidentification process is easy as pie.

*100 - 87 = 13

Only that this would be an acceptance of personal failure, not of some kind of physical law...

(6.5)

That wasn't how I was defining it but since I do seem to agree with you and defining it that way makes you happy you feel free to go with it.


No... why would you want static IP's that could be tied to specific profiles? Naturally they don't all tie back to a single IP (or host) either. To be clear I'm not making any claim to being some some sort of super hacker (or really a hacker at all) or that I need a bunch of profiles to mask my evil doings or that I'm any sort of privacy, programming, or networking expert - I just cherish my anonymity.

Never claimed to be good at math either

But neither are you... half of 13% would be 6.5%

Derp, yes. I fails at math since graduating college.

Whoops sorry about the stupid cut/paste job. Here's the REAL link:

http://epic.org/privacy/reidentification/ohm_article.pdf

I can turn off "Location Services" on my ipod touch (an iphone in all but actually being able to make/receive telephone calls) but, yes, the default setting is "on"

Otherwise they'd be asking for their products to be banned in most western countries. Point is, the android phone asks you when you switch it on. You are not expected to just know about this and hunt for the option in some obscure sub menu.


Soon as Facebook starts actually policing the profiles that's ghoing to break down (and they will, google already does). Besides, I don't know many people who actually do this (and most I know that do are doing it to sock-puppet in their zynga games).


More thinking of your friendly neighbourhood LA porn studio, but yes.


Yeah, but it's been like that ever since public records were kept. Just, it's not necessary to purposely male it easy for them.


Because every man's an island. Right. You realise how much you are missing the point Ravensmuse and Stalag want to make, do you?

Clearly I must be missing it. What they seem to be saying is that it's necessary to be constantly educated and to use that education to do everything in their power to keep their "public" life from being associated with them. ("public" in this case being "stored on some external harddrive under the control of an individual or corporation who isn't their personal friend". They are seeking the freedom to plan, discuss, and share things using "public" resources without the possibility of anyone finding out it was them. However, they both realize that if anyone wants to connect the "public" data to the individual, all that work is very likely pointless.

That's what I've gotten out of the conversation. So clearly I'm missing something. Especially the "every man is an island" part. To me, the issue is that every man isn't an island. They're all connected. Even if I manage to keep my secrets, the people who witnessed such actions almost certainly don't. Even if I attempt to train them on privacy techniques and enforce those policies, their ability to keep my secrets is not under my control.

It is just as valid to accept a complete lack of privacy as it is to try to retain privacy, especially when one realizes just how difficult it is to control their own privacy.

what they're saying is that there're more than binary options on this, such as making info maybe not everybody should find easily obscure enough that a majority of people can't find it with the time and effort they're likely to deidctae. Is it possible to hide yourself from a dedicated American intelligence agency? No. Is it possible to hide your dirty laundry from would-be employers? Yes. Should you do so? Absolutly.


Do you always surf porn sites with buddies? Do you always call your friends when you make a post on 4chan or any other highly dubious webforum? Do you tell your parents when you illegally download files? If not, what witnesses are there, exactly, for your internet secrets?

And if you worry about your friends spilling what you entrust to them privately, a) get better friends, and b) don't tell everybody everything.


Because Big Brother is your friend, citizen. That's the defeatism of the post-privacy squad.

m perfectly happy with my friends. If YOU need to get rid of friends because of your desire to have secrets that's your problem.

As for who knows, my pc, router, ISP, the end site, and everyone on the traceroute. And if it's good porn, the friends I have who are into that sort of things.

And my tech support days just kicked in again, with all the privacy nuts who saw half of a news report on "Internet Stalking" and freaked out about "All the people that knew EVERYTHING ABOUT HIM/HER/FAMILY"...

I'll be in my corner. Rocking back and forth. Crying.

If only we'd been able to say it as concisely

It's a matter of degrees and compartmentalization when it comes to information control. Generally speaking, information about my clients and the internal workings of my employer are never shared on my social or gaming profiles. Likewise my clients and my employer don't have access to the information in those profiles. Where I work isn't kept secret from my anyone with access to my social profile and, if they cared, I'm sure my clients and employer could find out that I have a social profile - but that's as far as they'd get. Neither have access to the information in my online gaming profiles (aka my "public" profile) and I don't share my real name or place of employment with the people (or systems) I game with. As much as possible, my gaming profile itself is kept minimized so even if those from my professional or social groups managed to get one of my usernames they wouldn't know anything beyond that (or even be able to prove any search results referred to me). Beyond all of those is the level of information I don't put online at all... ever. Is it out there? I'm sure bits and pieces are here and there in various company and govt databases as necessitated by living in the modern world and, as such, is beyond my control; but neither is it easy to get to it all or tie it all together.

So let's say someone gets my zip, birthday, and gender and that points to a single "me" - by itself it's pointless data. So let's say they get my name too - congrats, you can send me a birthday present. Then they get a hacked credit card database from someone I bought something from - well that would have my name and billing address and by the name they could determine the gender so the previous info becomes redundant - the addition of my birthday wouldn't really get them much more. So, instead, lets say they somehow get a database that has my SSN in it. Well anything that would have my SSN would have my birthday, address (at the time the form was filled out), and probably gender so, again, the data from the study would be redundant.

So sure, I'm still as vulnerable as anyone to a determined malcontent with the money or access to get what they want; we all have data out there outside of our control - but that's not a reason to abandon all vigilance on the availability of personal information. It's the difference between being the victim of a professional B&E artist and being the victim of anyone who just walks up and opens your unlocked door.

*Sigh* I do love this fantasy people have that the government/DOD recruits hackers. I'll only say briefly that what's more likely to happen is if/when caught some are offered a deal where they disclose their methodologies. These methodologies are then taught to comp sci and comp engineering majors or other insider IT techs. Has it ever happened, possibly a few ties but as the quality of computer education improved it's better to have a moldable mind then a freewheeling genius. Sometimes you even get moldable geniuses.

The same rules that applied to the deadolt security age apply the information security age: Ultimately everything is obtainable with the right level of access, planing, and skill. It's a matter of pushing information into the realm where it is no long feasible for amateurs, and then really blood difficult for professionals that is where the effort lies. As the old saying goes, locks don't stop criminals, locks stop LAZY criminals.