Musing about openness and security

A few days ago I read a report about the dangers of making one’s date of birth public on the web. “After all, unscrupulous people can make use of that data and commit some sort of electronic theft.”

And I thought to myself, what utter tosh. That’s about as meaningful as saying “Most car accidents take place within three miles of home, so don’t drive near home”. Or even “most murders are committed by people known by the victim, so it’s best not to know anyone”.

Currently there’s a lot of personal data freely available on the web, particularly with the advent of electronic social networks. And currently it is possible to misuse that data in order to commit some crime or the other.

So something has to be done. Agreed. But. Rather than make people “hide” personal information, surely the answer lies in making better security “devices”. Surely the answer lies in making a person’s date of birth (or for that matter a person’s mother’s maiden name) less “valuable”.

I don’t know, I must be growing old. Sometimes I look at what we do, and I think to myself: First we take living things and make abject skeletons out of them. Then we carefully build cupboards around the newly formed skeletons. And then we wonder why we have skeletons in cupboards.

We shouldn’t have to hide simple information about ourselves. We shouldn’t have to worry about the Semantic Web, and how people are going to misuse personal information for the most heinous of crimes. We shouldn’t have to worry about “our past catching up with ourselves”. We should not build systems that make use of simple easily-accessible information as security tokens and devices.

Of course we should teach people to be prudent about what information they make available on the web. But let’s not forget that the web has always been about openness and transparency. That this is a good thing.

For centuries people have been putting spare keys under mats and in plant pots and over door ledges. For centuries unscrupulous people have found the spare keys and put them to nefarious use. The answer to that problem was not to change the locks, but the unsafe practice. The right unsafe practice. In this particular instance, the unsafe practice is the use of dates of birth and stuff like that as security tokens.

Just musing.

16 thoughts on “Musing about openness and security”

  1. While it should in an ideal world be tosh, the reality is that it is not.

    Unfortunately access to credit is driven by a relatively limited amount of information requirements. Birth dates are core to that. It’s not even enough for big Banks to stop using DoB; so long as there is one lender willing to use it, then it’s a dangerous access point to ID theft.

  2. Colin, just because it’s real doesn’t mean it’s right. It may have been meaningful at a time when the search costs for a person’s date of birth were very high. We live in a different world, and we need to move away from the models that worked in the past.

  3. JP: What an intriguing idea!

    The value of information is what we assign to it, and if we are going to move to biometrics (what you have) rather than DOB/ mother’s maiden name (what you know) this may indeed come to pass.

    There is however the institutional status quo to contend with. A small change in existing systems costs banks a lot of money and customers do not easily adopt new things (if you have followed the hullabaloo over chip-and-pin in the UK).

    Which is why in the meanwhile, trust in God, but lock your car may still apply for a while.

  4. Interesting point… Just to follow up on the example, even if birth dates are not used as security questions, they are confidential info: one could guess your age and use it against you.

    Not sure what the best solution is, but we still should be very careful who can access what of our personal info on the Web…

  5. Warning: slightly off-topic

    I am getting a bit annoyed by organisations asking me for a utility bill to verify my residential address. Hello? Utilities now bribe you to go for paperless billing and I am a sucker for a bribe. I don’t get any paper utility bills any more. Ergo I am homeless, apparently.

    Now if I could put these organisations in touch with my utility suppliers *electronically* to verify my address then not only would it save me buggeration but it would be a cheaper system for them to operate.

    It might happen one day, but a lot of mental heavy lifting needs to happen in these sort of organisations first.

    This is only tangentially relevant to JP’s post (I’m talking about identification rather than authentication), but I feel better having got it off my chest. Thanks for listening.

  6. Dominic: You may be off topic but not very much so, in my view. The holy grail in the real and the virtual world is unified identity/ single sign-on/ some kind of unifying API of the kind Ved proposes here:

    http://thinkplank.typepad.com/thinkplank_convergence_in/2007/11/the-mama-of-all.html

    I think JP has a visionary idea, but institutional inertia and costs are a major factor to consider. That said, the idea must get seeded now to be effected some time down the line, methinks…

  7. Very interesting and well timed. To add to your point, the regulatory environment is now telling me that I can’t have address prompts on email headers because I may send confidential data to the wrong person; I will be put on a “non-distribution list” so that I am specifically prevented from sending mails to a “conflicted” or interested party; I will have to encrypt and decrypt the simplest things (which should raise levels of paranoia and suspicion to new heights); I have to prevent “inappropriate” access of staff to customers so that we can’t actually help them and I will of course have to classify, store and be able to retrieve in a blink of an eye every relevant piece of information that Big Brother wants to see.

    As you rightly say, if my intentions were dishonourable I would not be using any of these processes in the first place. For me the theme is becoming “blunting the competitive edge of technology”. Am I turning to the dark side?? Or emerging into the light?

  8. JP – excellent blog. There’s so many people jumping on the social networks are a security threat. Have there actually been any crimes committed because someone looked on Facebook and saw someone’s birthday? I’m not saying it cannot be done but has it? Don’t understand your skeleton analogy though.

  9. It’s a hard problem to find good authentication credentials. Certainly internet databases and search engines have already made “date of birth” and “mother’s maiden name” much less valuable to guarantee authenticity.

    But the same problem eventually applies to any other secret. Whether it’s a “random” password, “your favourite teacher”, “your childhood hero” or whatever: as soon as you have told someone, it’s no longer a true secret. Based on probability of re-use and on the trustworthiness of who you tell, these might still be useful for a while to give a reasonable degree of proof of who you are. And shared secrets are still a fairly cost-effective system, not requiring special hardware. But they are only going to get less effective in the future.

    And as for biometrics, they are not secret either; just considered to be difficult to forge, at least under carefully controlled measurement conditions. So there’s likely to be an increase in their use in the next few years, but will be expensive if implemented in the most secure way, and may conflict with “privacy” demands too.

    So I’m coming to the conclusion that we will be forced to move to a “something you have” credential system, at least for authentication where it matters. Perhaps this is a (liberal shock horror) National ID Card; or Tesco Clubcard; or USB dongle; or mobile phone. Which, if you need to be sure is used by the right individual, also needs a shared secret or biometric – but at least that only needs to be shared with the device, not the central database.

  10. I am not sure about date of birth as an identification system… many people in the world don’t use the Julian calendar so what is their date of birth? How can you even identify that the date of birth entered is correct?

    The American system has become too rigid. I know of many people born in Asia or Africa who have no idea of their actual date of birth and many who do not even have birth certificates… This system of authentication is wrong in my opinion and how much would it really cost to change it? Don’t institutions spend thousands to move away from applications they are becoming too dependent on? They too realise it’s safer that way… As for a national ID card being issued – I can just see another Holocaust coming from that.

  11. I agree with your statement “We should not build systems that make use of simple easily-accessible information as security tokens and devices.”

    Security-aware people take this advice – they don’t create passwords or PINs based on their date of birth, for example.

    However I don’t have any control over the authentication mechanisms used by institutions – and they do use date of birth. In the past month both my credit card company and my mobile phone company have required me to tell them my date of birth as part of their authentication process.

  12. I was at Digital Identity when this news (above) broke. Made me think, very much like JP, that it ain’t being human (what’s more natural than sharing your child’s name or where you live) that’s the issue – it’s the lock that’s the problem.
    If we have systems which equate a smattering of social information about us with our identity then we’re going to run into trouble. Actually, we’re not – they are.
    More here:
    http://fasterfuture.blogspot.com/2007/11/whoops-there-goes-your-identity-mass.html
