Day 2 of Supernova 2008 kicked off this week with a variety of panels to choose from. While many of the Web 2.0-ers were getting settled in the Open Flow Track, MC-ed by Tantek Çelik, I joined the alternative crowd for the Privacy and Security in the Network Age panel.
The session started with the overarching ideas around privacy. Online, everything we do creates data and/or a transaction. A lot of privacy concerns are no longer about who you are, but what you do. Typical “duh” factors exist, such as technology always moving faster than laws. Even when laws are made, they risk being ineffective, as many have seen in the case of the CAN-SPAM Act, or lacking true protection, as with the company-not-user-data-protection under Sarbanes-Oxley. Bruce Schneier, of BT Counterpane, brought up various points about how he views the reality of privacy. In the “security vs. privacy” argument (e.g. you have to give up your privacy to gain security), Schneier stated that you should call bullshit on that false dichotomy, giving examples such as burglar alarms, and that the reality is about “liberty vs. control”.
Fran Maier, of TRUSTe, went on to elaborate that a lot of the current architecture for privacy online is a question of “choice or consent”. Examples like Facebook were given as case studies of more granular privacy controls. I have recently made similar remarks about FireEagle’s consideration of location privacy. Focusing on overall online privacy (not just social networking), the panelists agreed that intrusion issues of spam and phishing were not about privacy, but rather about control. With issues of control, entrepreneurs can often take advantage by providing anti-spam/virus products. This made me question why, with the open APIs on social networks, no one has built a similar solution for blocking spammers/trolls/stalkers from friending you? It has been discussed before, with all the chatter around data portability and XFN, to include the ability to port your “block list” from network to network as well, but we’ve yet to see this come to fruition.
More importantly, the panel called for a system of accountability for privacy and security. It was stated that security includes how you live every day (e.g. living in fear). Public shaming of companies used to work as one of the only ways to get them to address their lack of security measures, but with data breaches being reported more often now, the press barely makes a mention of them anymore. While that is certainly a negative, the positive effect has been that it’s now a lot easier to resolve identity theft. Since identity theft is so common, companies know how to deal with it. On average, a victim of new account fraud loses only about $40 and 10 hours to clean it all up. Again, I have to wonder if the Web 2.0 companies will ever reach a time where dealing with identity theft, stalking, harassment, abuse, etc. will become so common that they (like credit card companies today) will know how to deal with it without putting their victim consumers through more trouble? I raised this question to the panel, who seemed pessimistic about that prospect. Unlike credit card companies, social networks have little if any financial incentive to provide security, and as such, it will most likely always take a second priority.
In the end, Schneier said that society may not be ready to handle privacy – similar to pollution, it may take a good 20 years or so for the masses to truly wrap their heads around it and do something.