free html hit counter Only In The Movies? A Privacy Scenario | John Battelle's Search Blog

Only In The Movies? A Privacy Scenario

By - December 03, 2005

8353609 A5855Ecda7As I mentioned in my last post, I get asked about privacy a lot. I am not an expert on these issues, but I’ve stared at them just enough to formulate a few opinions. I am guessing that my readers know more than I do, so instead of assuming I’ve got it all figured out, I thought I’d just toss out this scenario and see what you all think. I’ve mentioned it a few times to reporters who’ve called, and also laid it out at Yahoo, and it seemed to go over OK.

So the set up goes like this: as I’ve written elsewhere, there is a ton of information about all of us that we willingly (social networks, registration data, search history, etc.) and sometimes unwittingly (clickstream data) leave, forever, on third party servers.

Now, we may trust those third parties not to mess with our data, and not to do evil things, and for the most part, I am quite sure they won’t – if they do and they get caught, they’d be crucified, and the competition is just one click away. And it’s pretty much out of their control if the government decides it wants access to that data – they have to give it up, and stay quiet about it (more on that here and here.)

But…Google, Yahoo, Microsoft, eBay, Amazon, etc. are not small companies. They are made up of thousands of individuals, a few of whom just might be…well…a bit off balance.

So this scenario involves one of those types of folks.

Imagine that an engineer at a major Internet company decides he has a thing for young blond women. Imagine further that he works at a place that has local search, social networking, blogging, search history, registration, and email all in one place. A company like, oh, Google, or Yahoo, or Amazon, or Microsoft.

Imagine further that this engineer has access to, or can figure out how to get access to, pretty much all the information he wants on all the young blond women that use his company’s services near where he lives (by zip, keyword, etc.).

Over a period of time, this engineer compiles an extremely detailed dossier of information about scores of young blond women, including addresses, personal emails, photographs, blog postings, social network connections, search histories, etc. This dossier is rather carelessly collected on his own personal PC at home, where he’s protected it in a folder with the password “hot young thing”.

Now let’s set the story in motion. In this engineer’s hometown, a series of unsolved rapes begins, all of which involve young, pretty blond women (why did I choose pretty blondes? Because the national media machine LOVES stories where pretty blondes are in peril, of course). Local officials and politicians, not to mention fearful parents and families, raise a cry to find the “Blonde Stalker”, but local police are flummoxed. The local media picks up on the story, but so far, it has only been mentioned in passing in the national news.

Then, one of the victims is found gruesomely murdered. Another follows. The national press pounces, and the pressure to find the killer intensifies. Every day pictures of the pretty victim are splashed across MSNBC and CNN, not to mention Fox, where Bill O’Reilly personally pontificates on how inept local police are, and how he’d personally pay a bounty of $50,000 to whoever finds and turns in the culprit.

Meanwhile, a co-worker of our dossier-creating engineer notices how strangely the engineer has been acting lately, making odd statements about women, missing work, acting, well, just generally creepy. The co-worker mentions this to a manager, who, to cover his ass, tells the police.

The police, hungry for any lead, obtain a search warrant for the engineer’s home, and while he is away, they comb through his apartment, finding little evidence linking him to the crimes. But they take his home computer, and through relatively simple computer forensics, manage to unlock the password protected folder, unearthing the trove of information contained within. It is a shocking dossier of scores of young women, and the most unsettling thing about it is how simple it was for the engineer to compile it.

Someone at the police department tips off a local reporter that the engineer is the killer, and that the password he used on his dossier of his victims was “hot young things.”

The national and international media absolutely go batshit over “The Hot Young Things Killer” and set up a 24-hour-a-day satellite-truck-infested mediapalooza outside the engineer’s employer. Every possible story angle, every speculation, every movement of anyone involved in the case is scrutinized, live, 24/7. It’s the Scott Peterson, OJ Simpson, Michael Jackson media scrum of the moment.

And the main hook of the story? How easy it was for the killer to identify, track, and manipulate his victims because of the data he had access to at his workplace. A privacy nightmare! Who KNEW that we we so exposed?! Google, Yahoo, MSN, etc. are FLOODED with requests about their privacy policies: What information do you have about me? How can I see it? What do you use if for? Come on, tell me EVERYTHING! Who else has access to it? How can I edit it? Protect it? Delete it? Manage it? The companies are caught off guard, and, at least initially, do not have adequate resources to manage the demands of the tends of thousands of users who are flooding their phone and email lines. In fact, some of them simply CAN’T promise that they can find or even delete the information, leading to even more outcry.

Sensing an opportunity, a cadre of congressmen whip up the USA PROTECT Act (I’ll figure out what that stands for later) which, in essence, is about as stupid and ill thought as the PATRIOT Act.) In short, it makes it nearly impossible for the Internet industry to do just about anything with individuals’ data unless they expressly agree to it, in writing. The debate is brief, the act passes nearly unanimously. Innovation and new product flow withers, search and search-driven progress stalls. A fearful public begins to use the Internet just a little bit less….worried that until the companies with which they interact can guarantee their personal privacy, the trade off is simply too great.

Now what?

Or rather, what can be done to mitigate such a scenario?

I have a few ideas, but that will be in the next post. This one tired me out, and it’s Saturday, after all. (Oh, and by the way, anyone in Hollywood reading this, the screenplay is in the mail….)

Related Posts Plugin for WordPress, Blogger...

24 thoughts on “Only In The Movies? A Privacy Scenario

  1. 1- Dont forget the Richard Jewel Case – (he turned out to be innocent – and, ironically was never charged nor arrested)
    ——

    2- There has to be probable cause to do the following…

    The police, hungry for any lead, obtain a search warrant for the engineer’s home, and while he is away, they comb through his apartment, finding little evidence linking him to the crimes. But they take his home computer, and through relatively simple computer forensics,
    ——-

    3- Finally, most of the personalization information is for the purpose of ..
    target Adverstising – (Online Ads are competing with Print and Media, Advertisers demand a better ROI to switch from a tradition spanning decades to one spanning years).

    Advertisers make these services high quality and competative.

    So, the only options would be a GENERAL SUBSCRIPTION MODEL – where those who want something just PAY for it DIRECTLY.

    or, CONSUMERS who want DETAILED and PERSONALIZED services – SIGN for that type of service VOLUNTARILY – and have the right to terminate the relationship and any information in that database.

    DON’T FORGET, most of this is happenning because people DO NOT want to pay for these “FREE” services – so advertisers have to be convinced to PAY!!

    Also, The Google “adrenalin shot” means that those who DO NOT COMPETE successfully – will eventually atrophy.

  2. Greg Linden says:

    John, I don’t think I agree with you on this one. This issue is not new nor unique to the search giants.

    The scenario you describe — a rogue employee abusing their access to a database to inappropriately compile information about people — could easily happen at the Department of Motor Vehicles, city hall, a hospital, or in a University student database. Geez, look at the CardSystems crack that may have exposed 40M identities.

    There is nothing about this issue that is unique to the search giants. Privacy is an issue anywhere there is a database.

  3. David Brake says:

    Here in Europe we have strong limits on what companies or governments can do with personal information without asking for written permission. The world hasn’t fallen on our heads as a result. Indeed I would go further and suggest that people are much too eager to volunteer to do that signing away without thinking it through.

  4. Andi says:

    I think it might work as a Law & Order episode, there’s not an entire feature film there…

    This scenario’s been possible for much more than a decade with AOL chatrooms et al. Cyberstalking is old news, it is just the level of possible detail available to insiders that increases.

    Having a hard drive confiscated and scrutinized has been played out many times on the TV news, usually for kiddie porn. Only the guilty ones get much press.

  5. bumble bee says:

    doesn’t this apply equally well to your isp, bank and credit card company?

    i mean, anything and everything you do with the internet or with money has to go through at least one of these agencies. unless you only use cash, surf from a library exclusively and live in a trailer or on a farm of your own.

  6. MikeM says:

    Your scenario could aply to motor vehicle departments in any state, police departments in every municipality or even persons working in banks.
    Anyone with access to a public database could perpetrate such an act.

    Here you are talking about computer geeks who generally are more turned on by writing a new line of code than chasing pretty blondes surreptitiously. The female populous is safe from your scenario in my opinion.

  7. Adam says:

    John,

    I agree with you about the overall feel of idiotic hysteria (just way too many examples post-9/11, but for brevity, I’ll just say: nail clippers?!)… but I personally believe that all the major search engines have very, VERY strict ‘paper trails’ going on re: searches and general accesses involving personally identifying information.

    How many thousands of people — both full-time and contractors — work at the three majors now (G, Y!, and M)? I can’t imagine that any engineer or other person at those companies would be able to assemble a dossier on someone, much less multiple someones, without massive warning bells being flashed. And just the threat of termination, even legal proceedings… I’d bet these’d put quite a crimp in even *thoughts* about invading folks’ privacies.

    And that’s assuming the core data — unencrypted — is available to even >5% of the employees at these places.

    * * *

    So, John, I partially agree with you. I can imagine that some event will trigger an hysterical run at or backlash against the Majors sometime in the future… but I doubt it will be a real or perceived employee PII leak.

  8. RichB says:

    Old news. How do you think Experian and Equifax manage the huge quantities of data they hold about every single one of us?

    Every time you perform any financial transaction, from purchasing weekly shopping to that SG subscription, they know about it.

  9. David Upton says:

    There are several cases where misuse of information has happened with municipalities, police departments, etc.

    I think John’s point is that Google etc work on a much larger scale, and also that their software engineers may use their specialised skills to do things that others can’t easily spot. (Quis custodiet…)

    It is also possible that people with hidden agendas might try to infiltrate Google (etc.) for their own ends, whether individual or collective. Perhaps the problem is not stalking pretty blondes, but collecting our clickstreams and (say) blackmailing someone who clicks on ‘adult’ sites? Or looking for people who click on sites you detest (say for ‘religious’ reasons) and targetting them? We already know that this sort of information is made avilable to the US authorities under the Patriot Act, so clearly the means exists to collect it.

    We have given Google a lot of power, but it has given us no transparency. We don’t know how it takes its decisions.

  10. Andi says:

    Every new technology or expanded use of technologies will have some unintended consequenses. It is important that we recognize and weigh the possible dangers against the obvious good that any new database creates.

    Creeps have been harrassing and stalking pretty young blonds for millenia, and authorities have been wrongly accusing innocent parties for as long as there have been authorities. This was a very old problem when it occurred in Imperial Rome, it’s just older and more complex now.

    It is good that our attention is brought to potential dangers. In 1993 I naively posted pictures and personal information on my AOL profile–big mistake. I think you were still using the more primitive text-only Well system then John.

    The databases that make this possible do provide more advantages than dangers…

    The dangers are usually foreshadowed (crudely) in science fiction at least decade before they occur. Remember Sandra Bullock in 1995′s The Net? If you were a techie then you saw it just so you could groan over Hollywood’s ineptitude.

    She was targeted because she had some special software but since it was a movie she was cute (though not blond). The sensationalistic aspect sold the (bad) movie because people were just then becoming aware of the internet, but the dangers portrayed in the movie were brought about by the same confluence of data that you are describing a decade later.

    Maybe not only in the movies, just mostly in the movies…

  11. I think you guys are underestimating the power of Google. Google is not the DMV or some credit reporting agency. Perhaps I should have named the company in the scenario, and the press subsequently called the story the “Google Rapist” or somesuch. Imagine what happens to Google’s brand when the entire world, for a period of months, thinks of “rape and killings” when they think of Google, and think it all happened because Google knows too much about you….

  12. Andi says:

    >>>Imagine what happens to Google’s brand when the entire world, for a period of months, thinks of “rape and killings” when they think of Google…

    I think this underestimates the intelligence of the “entire world” John. At most this would be met with hysteria among those who don’t know any better–the tech-illiterate and the main stream media. The media already spend much of their time dwelling upon rape, killing and the inevitable trials, the Google angle would just be a side-bar. It would serve to make Google an even more recognizable brand. There would be a backlash but no more than any other sensationalistic “internet sex crimes” have. These mostly just have the effect of parents not allowing their kids to have their computers in the bedroom. There are already predators, why would a Google connection make this so much worse?

    Should this become a problem for Google and the web I’ll eat my words, but I think you’re being hysterical about this.

    Other than putting a brake on information gathering (not gonna happen) what do you propose?

    You will have about as much success in stopping Google as you will have at the beach yelling at the incoming tide. Google already knows enough for world domination if they were to point their algorithms in that direction.

    Too late, genie out of bottle…

  13. Joe Hunkins says:

    Wow – a great screenplay for a TV Movie but I agree with the other comments skeptical of this premise. Info needed for this crime has been around in moderately organized forms for years.

    Far more than Google, I’m worrying about the Govts “Total Information Awareness” program and how it could be used to target political opponents in ways we’d never even know about. Think of what J Edgar Hoover could/would have done with supercomputers.

  14. Dave Hodson says:

    John – Sounds like a good outline for a novel – get cracking :-)

    Dave

  15. Andi says:

    I agree that it would be good as a novel (not a movie).

    The theme reminds me of an updated John Fowles’ The Collector. This is one of the scariest books I’ve ever read and the evil banality of the main character would certainly have been even scarier if he’d had internet access. It’s a short novel and hasn’t been matched for creepiness in the 40 years it’s been around. But then I’m a Fowles fan–he died just recently…

    But a collector of dossiers who finally goes over the edge could offer an insight into just what evil search could acheive. ewww very creepy! Go for it John!

  16. ID:entity says:

    So I guess the enevitable road for the likes of Google et al, is that they need to provide us with some benefit to holding the data – so we are going sell it to them, Google must pay us to use, hold, store our data.

  17. Privacy issues like the one mentioned don’t just happen online. Companies can become careless with your personal information in the form of paper, faxes, and chatty employees. I have several contractors working for me right now and each week they fill out a time card which I sign and then they fax back to their contracting company. The time card has their social security number as their identifier – which I get a copy of, and they fax, so there is a transmission ok copy lying around too. Luckily I lock up their time cards, but how many other companies that they contract for are so careful.

    As another example, how many companies ask for your phone number when you make a purchase in person? How many people think nothing of giving that number? The salespeople always react a little strangely when I say no.

    I think a related issue is that many people just don’t think about the information they are giving out and what could be done with it. How many people forget to click the opt-out responses when signing up for an online service? How careful are people about having firewall software when they’re using a wireless network at a coffee shop? About answering questions from someone who calls you and you have no way of identifying for sure?

    I think there needs to be a careful balance so that consumers can get quality services and companies can innovate. Frankly, I think that the scales are tipped almost all the way towards the companies and it would be nice if they were forced to be a little more careful about personal information. Either the companies as a whole will foster this careful attitude, or an event or two will tip the scales the other way, as John mentioned. I’m a person of balance, so I hope that both sides can come to an agreement before it is decided for them.

  18. Markus says:

    TO bad this isn’t really fiction…

    In the online dating industry true.com is attempting to pass legislation that will force every user that visits a online dating service to have a background check done on them. yahoo and google are fighting against this hard. At any rate as a corperation outside of the united states we are not bound by american laws. The US government can pass pretty much anything they want it will only hinder local corperations and prevent them from doing business.

  19. John, far scarier than this is that the security agencies already have access to Google’s data and much more besides. Remember Enemy of the State with Will Smith – that is reality these days with less satellite cameras and more digital surveillance.

    Alternatively, one of your security agency people (who are a far more disturbed pool of people than any lot of Google engineers IMHO) uses the tools at his or her workplace to run amok. With the benefit of having the government to cover up for him/her. You and I may never know about it.

    The amount of information that the government of the United States (only the USA has enough leverage on Google and Yahoo as their homebase hosts) is able to compile on any of the citizens of the first world is absolutely and utterly frightening.

    But I think the blondes of this world are safe from Google engineers (at least in their work roles). They are still at risk however from media commentators and journalists. For the sake of their collective well-being, all blondes should all dye their hair dark.

  20. Brian Smith says:

    let’s make the story line simpler. just use an engineer at a major online dating service who tracks everyone’s conversations. i’ve been writing this script for a bit now.

    -brian

  21. 90% of people who are hot young blond girls online are surely 50 something fat men though aren’t they? Apart from that, I’d go see this film…

  22. Andrew S says:

    An government act that would harm the search industry so greatly is extremely unlikely. There is just too much money at stake.

    The PATRIOT act was possible because there was no large-money entity around to fight it. EFF? ACLU? Small time.

    Any act that would harm the search industry would immediately be met by the billions in cash that microsoft, google, and yahoo hold. Billions buy you everything in congress; individual citizens hold no clout.

  23. Ben B says:

    Wow John this is quite something… i’ve never actually even had the slightest though of something like this…it would be quite crazy if something like this were to happen…kind of ironic how i found this on Google though.

  24. Joe says:

    You better believe it, because it happens, and the main reason is people have a lot of time on their hands in this big tech companies. Maybe not the engineers, but the rest of the crowd. In a second thought, even them too, in fact, because of what do they do. Once they set the system up and running it’s the system that does the laboring. Best way out, there are other safe services, where people are busy or wherever you go make sure what they do and what you do aren’t the same. Anyone selling things that can be forged easily, is a prime victim.

    All in all if they come up with a system –the top company guys—where no one can break into that could be protected with passwords, except them, it will be great, because for them it will be overwhelming to look into everything and are much busier than anyone else around. I think banks have that kind of system where the other staff doesn’t know certain passwords, but they can access accounts with their own password, which will make tracking every activity easy.