The Backward State of Society
. Updated: .
The weeks roll by and those of us in the UK are slowly but inevitably discovering that everybody in the country is actually in possession of everybody else’s confidential information; all of which was accidentally printed onto the inside of seventy-five million packets of Kellogg’s Rice Krispies. I’m more aware than ever of the technological generation gap. It’s growing rapidly and the haves and have-nots in technical competence are heading for a clash.
It’s not just the fact that information isn’t really as secure or competently handled as we pretend it is. Social networking is encouraging people to share vast quantities of information about themselves that no-one would ever have had access too before. Facebook especially has successfully given people a sense of security through granularity in the amount of information they share with their different networks of friends.
The problem is the reaction of the establishment to this casual whoring of personal details. Insurance companies, banks and Credit Card issuers are stepping out to tell us that we’re doing it wrong. Prematurely middle-aged men sternly tell us that sharing so much information on the internets leaves us vulnerable to so called ‘identity theft’. Identity theft is obviously awful; especially at Christmas time. No-one realises the horrible reality until they wake up in the body of their next door neighbour’s cat, paralysed by shock, fear and a severe flea infestation. Meanwhile the real Puss has collapsed against a back alley wall of Pets At Home, wasted on a binge cocktail of Whiskers, Felix, Pro Plus and your soul itself. All paid for in your name.
But such short-sighted advice is not going to get us anywhere. The horse has bolted and modern culture is already open. As it spreads through the technophile community, it will become normal. Like everything else published on the internet, telling people not to do something after the fact is ineffective. It didn’t work for the music industry and I can’t see it working for anything else.
Services — banks, governments and so forth — are supposed to fit the people who make up the society in which they operate. When society goes through a change in attitudes, those services should adapt to reflect the people that they exist for.
It’s that which makes this situation backward. The servant is telling us off, trying to scare us into compliance with RSPCA enraging horror stories of feline identity splicing. Nation-wide poster campaigns of bunnies with shotguns and Daily Mail leaders of guinea pigs funding international terrorism (and stealing the jobs of hard-working, white, British terrorist backers) cannot be far behind.
But that message is wrong and should be resisted. If my identity is impersonated because someone pieces together a profile of me from information on the internet, then the safeguards of the organisations who validate my identity are broken. If it is the case that society has decided to share their keys, then it is up to the banks, governments and insurance companies to change their locks. It is for them to fix their broken models, not for us to hold back or regress an evolving society to accommodate bad servants.
If that means logging into an online banking service takes a little longer, then so be it. The inconvenience of additional validation to protect identity is moot when compared to the detriment of preventing an entire generation of people from interacting with each other as freely as they wish.
Links
To share this entry, or reference it in commentary of your own, link to the following:
- Permalink: https://benward.uk/blog/identity
- Shortlink: https://bnwrd.me/1YURZg
You can file issues or provide corrections: View Source on Github. Contributor credits.
Comments
Previously, I hosted responses and commentary from readers directly on this site, but have decided not to any more. All previous comments and pingbacks are included here, but to post further responses, please refer me to a post on your own blog or other network. See instructions and recommendations of ways to do this.
What a refreshing post from you Ben (I mean, in comparison to other people on the Web)…I have to leave a comment because, well, it would be rude not to!
I totally agree with the suggestion raised in the final paragraph: I think tighter validations are the way to go, and despite the added time, it would be worth it.
What I find a bit at odds with all of this data theft, is the simultaneous rise of a likely OpenID – a universal id value of sorts, a master-key for multiple sites and…oh, just one way of getting in to varied personal data on multiple sites instead of the more elaborate, multiple ways at the moment. I mean, if my identity and a set of passwords is hacked for one site, at the moment, then it’s likely to only impact the data held at that one site, but if we start using one id for a whole bunch of stuff (although easier for us – the user) it also gives identity thieves a much larger haul of potential data too…which seems far worse IMO! I’m back to favouring the stricter validating process and ‘changing’ the locks’ suggestion!!
“Social networking is encouraging people to share vast quantities of information about themselves that no-one would ever have had access too before.”
Which is the reason why the vast majority of people who know me online (through Dawn of War and other things) know me only as my online handle. Even if they email me and use their name, I still use my handle (with a couple of exceptions for people I know comparatively well, work with quite a bit, and who have earned my respect).
I generally try to keep my handle and my name separate (with an extra effort over the past year or so to remove the references on my site where I’ve been less cautious). A WhoIs lookup would have rendered that null and void if I hadn’t opted out of showing details on .uk domains and got 1 year free privacy protection on the .coms.
Talking of which, any chance you can strip some info from some old comments if I email you? ;) :D
“If it is the case that society has decided to share their keys, then it is up to the banks, governments and insurance companies to change their locks. It is for them to fix their broken models, not for us to hold back or regress an evolving society to accommodate bad servants.”
Yes and no, really. Yes, everyone and his dog shouldn’t be using “what is your mother’s maiden name?” as the security question, but at the same time then people really shouldn’t be dumb enough to give some of this information out.
I keep having mixed feelings. I’ve moved house and it was worryingly easy to change some bank details – no confirmation of identity, just various details off bank cards/statements read over the phone. Similar situation with changing subscription addresses – I didn’t know subscriber numbers, so they look me up in the database and change it for me.
On the other hand I’ve tried to open a bank account in Manchester and been asked for photo ID and a bill. If I didn’t drive and I hadn’t been out of the country then I wouldn’t have any photo ID, which they didn’t seem to have much of an answer for when I commented. Generally, all of the bills are in the wife’s name rather than mine. That leaves something as simple as a bank account rather difficult to get hold of.
At the same time, though, I have a credit card with Halifax and that had added protection in the form of some sign-up thing that asks you for a code when you buy with “extra secure” retailers. I got it when we were down in Bracknell and have used it once while we were down there. I went to buy something with another “extra secure” retailer in the past week or so and I didn’t have a clue what I’d set it as.
When I use some secure information so infrequently then what are the chances of me remembering it? And if I write it down then that just makes it recorded and losable.
Right, but my point is that sharing the name of place I was born, or tagging pictures of people with their maiden names is not ‘dumb’.
In fact, whilst there are tens of thousands of inept individuals dragging down society in the months between series of Big Brother, I object to calling anyone dumb for telling the world about themselves. I think it’s socially very healthy, and it’s completely unreasonable for lazy companies and government to hold back society because they have weak identity validation and won’t invest in improvements as society evolves.
This is tangential, but whilst it’s obviously your choice to obscure your identity, I will say that finding an alias in a
From:
field really grinds my gears. It’s a form of personal communication, after all.Matt: Your point about OpenID is an interesting one. But the problem you describe is one of implementation.
OpenID might be the key to a service, but you needn’t make it the only key to your service. What’s stopping you (a service provider) from protecting sensitive personal or social information with additional passwords.
OpenID is a key enabler of portable social networks, and every new service should support it as it becomes a means of maintaining contact lists between multiple services. But that doesn’t mean your entire service has to be unlocked with it.
Considering how the Internet is home to millions, if not billions, of unknown individuals then it depends how happy you are sharing that information and how you share it.
TBH I can’t think of anywhere that has wanted my place of birth as security. Tagging a photo with a maiden name isn’t dumb either, as it is complex information that needs a lot of effort and deduction to associate. Posting “I’m Fred Bob Blogs of 29 Acacia Avenue, Nuttytown. My mum is…” and making it easily scrapeable is the problem.
Besides, it isn’t as if the information was completely secure before social networking. You want to find out my mother’s maiden name? Find my birth certificate to get my parent’s names then my parent’s wedding certificate. It might involve a bit of work, but then so would discovering the information from image tags.
As for having an alias in a “from” field, yes it is personal communication but the majority of people who email me know me from my websites and the forums I visit. On those then the person I am is my handle, and the person they are personally communicating is the person who goes by that name. It’s like people who have a first name they don’t like – in personal circles everyone knows them by their middle name, but in professional circles they may be known by their first name. I just use the most relevant alias for the context.
If the banks etc didn’t use maiden names and other questions as confirmation of identity (especially over the phone) then what information do you think would be suitable that wouldn’t (like my Halifax/Visa credit card password/code) be forgotten because it is hardly used?
Whether the information is scrapeable or not isn’t the issue, though. Lots of information in the same place makes it easier to automate or perform on a large scale, but it’s still possible to gather the information to impersonate an identity from tags and so forth. I think it’s fair to say that the services who broker our identity are not here to serve ‘most people’, they must serve everyone, including those whose identities might be explicitly targeted.
If internet practice has made it possible to piece together certain pieces of information, then that information is out there. So, I’d follow it is no-longer safe to rely on only that information to validate identity. If it’s not safe to validate identity with certain information, there should be no social pressure not to publish the information more openly.
That brings the problem right back around to where I started. The locks are already broken. We’re being told not to publish the information, rather than the services updating the broken methods of validation. Your argument, Stu, results in most people’s information being slightly more obscured than otherwise, but does not actually make things any more secure. The security is all in the hands of the service provides, so they should fix it.
At the end of the day, producing a more robust system costs them money which I’m certain they’d sooner not spend. In fact, so long as they can scare enough people into keeping their details locked in jewellery boxes in a bank safe, it may even be that the insurance cost of a small number of people cracking into their systems on an assumed identity is lower than the cost of developing and deploying a better system.
And in perfect harmony, via Jeremy Keith, That Mitchell & Webb Sound – Identity Theft.
But if the information has already been available via other means before technology and ‘social networking’ took off then scrapability is still relevant. If the information has always been available then it has always been a problem and the security has been broken from the start.
I think it all comes down to if the system is “foolproof”. If you need to have access to something then it must be foolproof (or have a fallback to let you back in). Unfortunately the world has far too many fools of too high a grade for complex systems of IDs and PINs for everything.
With any form of identification proof in a lot of situations (i.e. where it can’t be done ‘there and then’) then you end up with a cycle of “he has to prove his identity, so he needs something more secure that we can trust like a PIN, but to have something we can trust he must prove his identity we need to get it to him, but to get it to him then we need to know his address, but to know his address and know he actually lives there we need to confirm it is him at that address, but to confirm it is him at the address we have to prove his identity, so he needs something more secure…”
I’m still interesting in what alternatives you think there are that could withstand the majority of humanity. I’d also like to see the level of detail you tag your images with so that your mother’s maiden name can be fairly easily extracted in a manner that is consistent enough that the identity thieves wouldn’t get caught (or locked down) trying the possible variations.