Renewal
"Everyone has a computer," says the cab driver. We are driving from Hersonisos to Heraklion airport, a 40-minute jaunt. Half an hour later, the disposable-gloved guard checking me through the security scan tells me the same thing. "And two or three mobile phones." This is Crete in 2009.
Here is Crete in 1998: "I can't imagine that any of my neighbors will ever use a computer," my friend John said; he was living in a small mountain village near Hersonisos. The computer he'd brought with him didn't like the dust, and of everyone he knew only a couple of travel agents had one. He recanted a minute later: one neighbor had a computer. "It's what he calls the remote control for his TV set."
I am here for a conference on computer security and privacy run by the European Network and Information Security Agency, and that in itself is a reflection of how fast things changed. ENISA, whose headquarters are at the Foundation for Research and Technology's shiny, white building on the edge of Heraklion, is an advice broker: its job is to figure study information security and recommend how to apply it. This week's effort was a summer school organized by associate researcher Sotiris Ioannidis.
Three talks particularly strike me: Ronald Leenes, Ari Juels, and Richard Bartle, probably because they're the three with the closest to a hands-on approach.
Leenes, who was new to me, has been working on privacy in social networks; he demonstrated a Firefox plug-in that allows a user to drag and drop contacts to groups that might represent family, (real) friends, work mates, and so on, applying different privacy settings to each. Segregating audiences, he reasons, is important; today's social networks are binary - "friend" or non-friend. Separately, he's working on a platform where the data is all encrypted and is transparently decrypted only for those people who have the permission to view it. These are good ideas, and I'd like to see them adopted; but more than a decade of watching people come up with good but slightly complicated, privacy-enhancing ideas have left me unconvinced about their appeal to the mass market. Would Facebook to adopt either interface design?
I already knew some of Juels's work at both his day job and his after-hours recreation. Here, he had an elegant answer for the problem often raised by privacy advocates concerned about the potential for detailed, intimate tracking once RFID is ubiquitous in consumer goods. The idea is to implement cryptography by sharing a secret key a group of items. While they're together, they can be tracked; sell them individually and the key vanishes. This idea is, he said, easier to manage than a kill tag, which requires more complex key management.
Juels mentions something else. I knew that RFID tags don't work well in or around water; I didn't realize what he says now, that because of that they don't work particularly well next to human bodies, which are mostly water. In other words, if there were nothing else silly about Katherine Albrecht's frequently repeated scenario of the creepy man RFID-scanning the underwear of nearby women, technically it doesn't work. "If you're concerned about tags on your garments, wear them," he says. To be fair to Albrecht, though, the industry is working on solving the water adjacency problem so tags can be used for tracking surgical instruments. It might be just a matter of time.
Bartle has talked elsewhere about the today's virtual worlds. Of course a server administrator can follow in detail everything any player does (but "terabytes of data," Bartle says). A virtual world is in fact the closest thing to an implementation of the complete surveillance state. What was notable, therefore, is how much malfeasance there really is and how much it costs. Sony, when it tried to act as a middle-man for transactions involving real money and in-game loot found itself in the hole for a $1 million every six months - in fines for having too many credit card charge backs when thieves took consumers' money but failed to deliver the virtual goods.
The bridge that needs to be built is the one between policy and active technology. Many good things were said about good practice and securing the infrastructure, and they were said to the right sort of interested policy makers. The best suggestion for building that bridge came from Ian Brown: alter the liability regime so that the burden doesn't fall entirely on users.
That night, I have dinner with some of my friend John's friends, and the conversation shifts to computers - Crete in 2009! "I think the Internet needs to be regulated," one of them says. He is, he says, sick of: spam, viruses, idiots hacking into things. But the Internet was never built to be a secure system; we are trying to retrofit security onto it and it isn't clear that's ever going to really work completely. And even it it were: Bartle has shown the limitations of regulation and surveillance.
Juels's talk reminds me, though, that with RFID we still have time to build a secure, privacy-enhancing infrastructure - if we do it now, at the beginning. These things get away from us so fast.
Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk.