Thursday, April 12, 2018

The Privacy Revolution in Action

As a practical example of the Privacy Revolution, I have a little story.

In 2008, I was in London, staying at the excellent Royal Trafalgar hotel. I ordered a cab, and went downstairs to pay my bill. They ran my card, and said, "I'm sorry, sir. Your card has been declined. Do you have another?"

I said something to the effect of, "Wait ... what??? I know there's money in that account. There must be some mistake!"

They said, "I'm sorry, but you'll have to call the bank."

I sighed, and sent the cab away, and got on the phone to my bank. I fought my way through the voice prompts (never easy, when you have an accent), and finally got to speak to a human. They said, "Did you tell us you were traveling overseas?"

I felt like saying a great many things, some even unkind, but I thought better of it, and simply said, "No. I didn't know I had to."

They said, "You'll have to talk to our fraud department to get the card unblocked."

I got a human pretty quickly this time, and he asked me all the obvious questions, such as, "Last four of social, how many accounts do you have, what sort of accounts are they, and who's on the accounts with you,", all of which I answered successfully.

He then said, "And now, sir, just a couple more questions, based on publicly available information... What age-range would best describe this person... 25-30, 30-35, 35-40... Laura ************."

They used the maiden name of one of my daughters-in-law.

I was stunned.

This young lady had been married to my son for eight years at that point, and had not used her maiden name since she got married.

I stammered out the correct answer, and they asked me a different age range, and then used my wife's name, which was not a shock, and I answered that one. Correctly, thankfully.

They unblocked my card, and I got another cab to the airport, and home, but all the way, my mind was racing...Laura had never lived at the same address as me ... There was no obvious connection ... I well understood that if someone googled for a couple of days, someone could figure it out, but _at their fingertips_, they knew that I should know who this person, with a different name, was, and how old she was.

Finally, I thought... "It must be FaceBook, because on there, she calls herself Laura *MaidenName* Thompson. That must be it!", and I smacked them a little bit in my blog.

A couple of days later, a friend who worked at RSA called me, and said, "Uh ... Rog ... that blog you did. It wasn't FaceBook. It was us. We have a product called Knowledge Based Authentication (KBA), that we sell to banks."

Again, I was stunned. Then I was relieved, because I consider RSA to be Good Guys, and then I was stunned again, because the realization hit me, that if Good Guys like Google and RSA were collecting all this information, it was a given that Bad Guys were too, and we have no idea just who is.

Now, this was ten years ago, and lots of things have changed. RSA (who wasn't doing anything wrong with KBA) has sold KBA to someone else (Google knows who), and they aren't doing anything wrong with it either, but we may be confident that the race to collect information continues unabated, and probably accelerates.

It's bad enough that leaked personal data can be used in obvious things, like directed malware attacks, and common fraud, but recent events have shown us that one unexpected consequence of this is Mass Psychological Profiling, and the even scarier, Mass Psychological _Persuasion_.

This is the Privacy Revolution, folks. In the fullness of time, we will come to understand that the effect on humanity will be just as massive as the agricultural and industrial revolutions.

No comments: