Slashdot Mirror
Databases and Privacy
A couple of stories made an interesting juxtaposition today. First read this story about information marketers scouring public records to compile personal information. Note the emphasis on cross-linking data from various sources to provide more information than any one source did - databases are synergistic. Now read this column about David Nelson, and its follow-up.
It was just last year that myself and the other people of Missouri were shocked to find out that the local DMV was selling our personal information to the private sector. Unbelievable, a state goverment run institution that essential everyone who wants to drive and own a car has to deal with. Thats what I call being forced to opt-in.
I'm a partner in a market firm in LA, and I don't understand why /.'s would be opposed to this.
Techniques like this allow us to more effectively advertise products to you that you actually WANT. You don't want penis cream, you won't see it.
Targeted marketing is good for both the business and the consumer. It puts both of you in touch - they sell something YOU want to buy.
Seems like just a lot of kneejerk rebels that oppose this, if you ask me.
Once again, proof that passenger screening is counter-productive.
Seeing as Google provides as much as 75% of referrals, this is an enormous amount of very sensitive information. From the behavior of other internet companies, it's unlikely that google would fight a subpoena for this information, some companies even hand over data on simple request. The threat exists today that one may end up on a terrorist watch list simply because of their searching habits. You may not even even know you've been red flagged.
Give me Classic Slashdot or give me death!
I work in information privacy and security in health care. The situation is already beyond repair. The only thing giving anyone in the industrialized world any semblance of privacy is sheer numbers.
I can take your last name, gender, a guess about your age within five years, a guess about what region of the US in which you live, and right here, from the very terminal from which I type this message, probably determine where you have lived for the past seven years, your neighbor's names, your family members' names, your social security number, your driver's license numbers, any public records (criminal, civil, real estate) in less time than it takes to reload slashdot on a busy saturday afternoon.
The key is that the results I get back will be fuzzy, I'll have to try to make sense of them, and not all of the hits will be accurate. But anyone with a brain can sense a "theme" running through the hits and nail your ID beyond a reasonable doubt.
Think you're off the grid? Only if you have never applied for utilities or credit of any kind, never gotten a publicly issued license, and never graduated from any school. If all that's true, why would I be looking for you anyway? You can't buy anything.
We need to collectively grow up here. It's not about limiting our invasions of privacy, we need to be licensing and bonding people who can mine it, like we license doctors, attorneys and cops.
The information really is out there, and it really is indexed, and it really is being used. That's why these Internet cookie monsters are so bold and shameless. They're not doing anything new and they know it.
The best way to do is to be.
There is a way, however, to maintain your privacy where it matters. They want to collect information on you? Fine, let them. But insert some misleading data into those records. Here is just one way to do it:
Take two persons, of similar hight, eye color, skin color and hair color. They are good friends and developed a relationship of trust between them. They are not criminals and have no criminal intentions. These two persons can each have two copies of their identfications - say, two copies of a driver's license (say one is "lost"...). One copy they of course give to the other one. One of them must be the 'good person' and one must be the 'bad person'.
Now imagine one of these persons is stopped for a traffic violation. He hands over the 'bad person' ID, and the traffic violation is registered on his name. He doesn't own the car, though - because the car is registered to the 'good person'. When it's time to pay insurance, and the 'good person' record is being pulled, it's a clean slate.
The sample here is sketchy at best, won't work if the car history is checked as well (unless...), and I don't want to give any more ideas to anyone here, but it is possible to fake the records just such - have someone else buy your house, and have a contract with this person saying he has no claim in it, switch salaries with your neighbour, bank accounts... If it has a purpose.
Don't do it 'just to spite', because every such transaction has an inherent danger, but if done right and to an end, it can be beneficial to the people involved, despite the best efforts of those information correlators to the contrary.
Oh, yes, standard disclaimer apply, use this information at your own risk, don't come yelling to me, it's probably highly illegal, be warned.
http://www.anybirthday.com
It's got that great hook: birthdays (so sweet and innocuous)! And of course you can "remove" yourself from the database. The only question is what happens once you remove yourself, and confirm your birthday, identity, etc.
And this is assuming that there are other areas where they may or may not be in alignment (e.g. abbreviations, type of info gathered, spelling variations etc.).
A lot of the variances can be correlated using fuzzy match technology. Everything from "sounds like", to matching on common variations (John and Johnathan, Bill and William), along with looking for initials, sex, location (address, city, postal code), and other commonalities.
The amount of information required to achieve a 95% match is not that great. With a sufficiently large cross-reference, decent matching rules (based on weighing personal factors), and enough computing power, making matches is not that difficult.
Given the sum of our personal factors, we are all unique to an amazing degree. Take a subset of those factors, and we are STILL unique to some large percentage. Spread out the information gathering (multiple databases) and you quickly become a specific individual rather than a possible number of individuals.
Go back to the originating databases, and now you have a personal profile of what you like and dislike.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
Now, lets talk about how it works in the real world. I wanted a copy of my credit report, so I tried using www.freecreditreport.com (it's not really free, but hey, good marketing). When I submitted my request and tried to set up my account, I was given an error that my password was incorrect. Now, never having set up an account, I thought "hey, this is odd". So I called their 800 number and promptly found out that I did indeed have an account. After about 5 minutes of social engineering, I had the e-mail address that was associated with "my" account. Low and behold, it belonged to a guy that had received a copy of my rental application (yes it is legal for him to get a credit report, but not by impersonating me).
So, I said to the helpful young man on the phone "you've given my information to someone impersonating me". His response, and that of his supervisor was to tell me I should go file a police report. When I asked if they would take any action, the answer was a very resounding "NO".
So, I called back a few minutes later, with my new-found e-mail address and talked to another helpful gentleman whom I convinced to change the password and e-mail address on the account so that the previous dirt-bag would be locked out.
That is how things work in the real world. The companies who compile/manage/sell this information do not give a flying-frig about access control as long as money changes hands along with the data. If someone wants your info, and they have your name and a few other facts... they can get all the juicy stuff w/in about half an hour. Your only protection is the sheer volume of bio-mass that makes up the target group.
Run! There's a lobster loose!
I'm still a traditional fan of cash, rather then a credit card for most daily transations. It has the benifit of being remarkably easy to budget, as in alocate daily spending, impossible to go over your self imposed set limits. But importantly, it's none too traceable.
I may be slightly paranoid, but after buying electronic goods at a shop, I got a phone call within days asking me how i'm enjoying my thingie. It's like, "how did you get my number, I didn't give it to you".
I guess I have in the past given my personal info to radio shack to get free batteries, and actually they send me a christmas gift certificate every year... and actaully I enjoyed getting their catalogs back when they actually had them.
But the point i'm making is, cash is a remarkable means to provide some privacy. Not that you can't get away from things like morgages, cars, air line tickets, and other larger purcahces, but there is some info that random people don't have the right to know, like an employer checking to see if you buy alot of porn or booze.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
From your post, I deduce that you have a college level (post-secondary) education [spelled anonymous correctly].
This is stupid. College generally does not teach spelling, and high-school-only grads have access to spell-checkers also. I have a college degree, but my spelling is sh8tty.
You used the expression "totally bogus". From this, I deduce you are between 22 and 37 year of age.
Sometimes older workers purposely use "young" phrases to sound "with it". They don't want to be fired for seeming "too old to grok the latest IT fad". I pick up a lot of jive talk from my daughter, for example.
Sure, you can make guesses that may be right more often than wrong (or than random), but it is hardly fool-proof.
Table-ized A.I.
Time for all and sundry to go back and re-read (or read) "Shockwave Rider" by John Brunner. Then remember it was written in 1976.
Well, this appears to confirms everyone's worst suspicions about these so-called watch lists. They are ineffective. They tend to brand people as suspects for no real reason, and this allegation sticks even in light of evidence to the contrary. No one involved in accusing these fliers has any real interest in making sure it doesn't happen again, or trying to help this customer, who is, after all, a potential terrorist who might blow up your plane.
The concept of these watch lists is inane. 19 people have hijacked planes in this country in the last 25 years. There have probably been 5 billion passenger flights in that time. If even 1% of 1% (1/10,000) of these are incorrectly flagged, that's 500,000 false accuation for every hijacker, assuming that they every bad guy is on the list. After 10,000 people are incorrectly flagged, how closely will these rules be followed?
The problem isn't the existence of the system; a good system could work well and get buy in from the public. A bad system will only serve to alienate people, and it will eventually stop working as no one believes it any more. So you will end up needlessly harrassing innocent people, but since 90% of these "incidents" will be treated as an annoyance, it's doubtful that they'll catch a hijacker anyways. Instead, it will only serve to hassle those who express anti-government views, and those who share their names.
What we really need is an amendment to the Constitution. The Bill of Rights protects most of our important rights, but one that is conspicuously missing is the right to privacy. Beyond "unreasonable search and seizure", our privacy is not protected constitutionally, and until it is it will be much harder to ensure legally than our right to freedom of speech or religion.
I found the meaning of life the other day, but I had write-only access.
Quoting:
I would worry about Choicepoint if I were you.
"dope will get you through times of no money better than money will get you through times of no dope"
If someone setup a website for all these people to log on, it shouldn't take more that a month or two to figure out the list.
The interesting thing to watch would be if all the various David Nelsons chartered a private flight to DC... Would they get off the ground, would they be forced down before reaching their destination, or what? Imagine the scene in the control tower:
Pilot: This is the David Nelson flight requesting landing clearance...
Flight Controller: NO! Go Away! You can't land here!
Pilot: You don't understand - I'm low on fuel. I'll be landing shortly whether I want to or not...
Is the recession really caused by a crash in IT, or because 99% of people in the US are now suddenly unemployable because our great grandmothers had cancer or something? Health insurance kills people that are poor and/or need expensive treatment, and now people with a 1% possibility of health problems in future will be denied jobs. Seems like Hitler's eugenics program is well underway in the US.
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
My point is that if comprehensive data is being collected about you by any organisation with which you have had no contact, and without informing you, you are running into a really dangerous situation which is only too easily abused.
A simple case would be crimes like burglary (income, address, occupation==times of absence). Then you can get into really ugly cases like stalking, rape and murder. And I'm not even going to get started on the possibilities for identity theft, etc.
George Bush - the pres flies AF1, all others suspicious
George Washington - rumor has it this is a revolutionary leader.
Abraham Lincoln - leader of a fight for freedom group.
Thomas Jefferson - Drafted revolutionary decrees.
Ben Franklin - supports freedom of information, writes subversive literature.
David Nelson - no reason, just want to harass a friend of the pres.
Mahatma Ghandi - leader of a revolutionary group.
Surely you can add more to this list. We might even come up with all 300 of the no-fly, or screen first list.
-Rusty
You never know...