Bits of Privacy

Monday, February 8th, 2010

The organization “Bits of Freedom” is a Dutch NGO privacy watchdog. It has been revivified in the past years. It hands out semi-regular Big Brother Awards (say, isn’t the estate of George Orwell going to wake up at some point?) for the worst offenses against privacy in the Netherlands. Worth reading if your Dutch comprehension is OK. BoF has garnered some mainstream media attention as well, which offers hope that privacy isn’t completely a lost cause in this country. [Current schemes of nationwide chipcard travel and road-pricing deny that hope.] There’s also a “Winston Prize” for someone fighting for privacy, which went to the Euro-MP Sophie in ’t Veld. It took me a minute to figure out the “Winston” name, but since I’d read 1984 (it says so right there in my book list) the light dawned eventually.

Anyway, cheers to BoF, and keep watching over your own privacy.

Privacy and metrics

Friday, November 20th, 2009

On Wednesday the Washington Post’s “Security Fix” blog had a small item on privacy issues with the smart grid. It was most interesting for me because of the graph that was included: by looking at a simple metric (power draw in the house) one could reach conclusions on what was happening inside. Breakfast, lunch and dinner can be spotted. This isn’t much of an issue if the data is available only to the power company, stored securely, and applied only to the purpose for which it is collected. Presumably that’s to optimize power delivery.

But when the information is used outside of that context, then bad things can happen.

This kind of concern applies to all kinds of metrics that indirectly show what is happening inside a closed box. Consider an active developer on a software project where the source repository is available publicly. This applies to lots of them — and makes relevant stats for many even more public. By looking at time stamps you can find out roughly when the developer is active. How accurate this is depends on the style of development, but I know I’m a commit-early, commit-often guy so you can (or used to be able to) find out when I’m awake by watching commits. No commits? I must be elsewhere. Commits skewed by three hours? I must be in Brasil, hacking.

Even that information isn’t all that bad, although it’s a derived piece of information that possibly wasn’t intended to be public. But you can use it for nefarious purposes (e.g. housebreaking). Power consumption of an encryption chip was once used to determine whether it was doing a multiply cycle or an add — and knowing that revealed bits of the key being used, and so extracted the key from the chip. That’s the kind of ancillary information leakage that we can also worry about.

All in all I think it comes down to: data collection technology isn’t bad per se, but the safeguards around the collected data and the purposes to which the data is put might be. Privacy then is a matter of trust in the people that hold the data to do the right thing (regrettably humans are susceptible to temptation).
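To see what your own public repository gives away in the way the commit-timestamp paragraph above describes, here is an added example (not code from this blog) that audits author dates in the format printed by `git log --format=%aI`. The sample timestamps are constructed and the function names are hypothetical; it reports the quiet window, the shift between two periods, and the UTC offsets stored in the dates themselves.

```python
from collections import Counter
from datetime import datetime, timezone

def utc_histogram(stamps):
    """Commits per UTC hour, from ISO 8601 author dates with an offset."""
    return Counter(datetime.fromisoformat(s).astimezone(timezone.utc).hour
                   for s in stamps)

def quiet_window(hist, width=9):
    """Start hour (UTC) of the circular `width`-hour window with fewest commits."""
    return min(range(24),
               key=lambda s: sum(hist[(s + i) % 24] for i in range(width)))

def hour_shift(before, after):
    """Signed shift in hours that best aligns `before` onto `after`
    (circular cross-correlation of the two hourly histograms)."""
    best = max(range(24),
               key=lambda k: sum(before[h] * after[(h + k) % 24]
                                 for h in range(24)))
    return best - 24 if best > 12 else best

def offsets_seen(stamps):
    """UTC offsets (in hours) recorded in the author dates themselves."""
    return sorted({datetime.fromisoformat(s).utcoffset().total_seconds() / 3600
                   for s in stamps})

# Constructed sample data: one local working habit, logged from two offsets.
HABIT = [9, 10, 11, 14, 15, 16, 20, 21, 22, 23]  # local hours with a commit

def sample(days, offset):
    return [f"2009-11-{d:02d}T{h:02d}:{(7 * h) % 60:02d}:00{offset}"
            for d in days for h in HABIT]

HOME = sample(range(2, 7), "+01:00")    # constructed: first week
AWAY = sample(range(9, 14), "-02:00")   # constructed: second week

if __name__ == "__main__":
    home, away = utc_histogram(HOME), utc_histogram(AWAY)
    print("quiet window starts (UTC):", quiet_window(home), quiet_window(away))
    print("shift between periods (h):", hour_shift(home, away))
    print("offsets stored in the dates:", offsets_seen(HOME + AWAY))
```

Even with every date normalized to UTC, the three-hour skew is still recoverable from the shape of the histogram, so stripping the offset alone does not hide it.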