Privacy was dead long before Mark Zuckerberg of Facebook decided that everyone should be able to see everything about everyone else. (He has tiptoed back a little from that position.) He was blasted in the press because the public seemed to think that they had private lives until Zuckerberg opened them up to the world.
That was far from true. In fact, there hasn’t been much privacy for a long time – people just behaved as if they had privacy.
“Back in the day” when I was still with FiestaNet, I was interviewed on one of the local news shows about online privacy. This would have been around 1999 – 2000 or so. I told them then that privacy was a myth. I got the usual smile and nod that I would expect from a comment like that. So, I turned back to my desk and in under a minute gave them the home address of their news anchor, and what they paid for their house. (That part of the interview didn’t make it on TV.)
So I was surprised not long ago when one of my most technically savvy friends was horrified that I had posted my home address in Foursquare. As if that wasn’t available on the county property tax site, by looking up my domain names, or any number of other public databases. I explained that I didn’t see a need to avidly protect data that was so readily available – I protect myself in other ways.
If you accept the premise that one of the drawbacks of today’s database-driven, social-media-centric society is lost privacy, then there are some behaviors that should be changed. What caused me to think about that was this XKCD comic. As it says, we have trained ourselves to use passwords that only make things hard on ourselves, but actually don’t add any security, only perceived security. Our account and privacy policies do the same thing.
Not long ago, my wife’s iTunes account was used by someone other than her to purchase some apps. It was obvious that she wasn’t the one who did it, as the apps were Vietnamese. She contacted Apple, and after several days of runaround, she was able to get her account first locked, then re-enabled with a new password, and finally her money refunded. She then changed all of her passwords.
Technically her account wasn’t “hacked”; someone changed her passwords, and then used her account as their own. It is the typical account recovery policy that allows this.
Most web sites have a password recovery policy. This is because people set passwords that are difficult to remember and difficult to type. Add to that the fact that most people then save the passwords in their browser: once a new browser or computer comes into play, they cannot log into the site they are trying to access because they have long since forgotten the password. So, they follow the password reset process that exists to allow them to regain access to their account.
However, without your password, how do you prove that you are who you say you are? Typically with a verification question. Many of the predefined questions have answers that are publicly available. What is your mother’s maiden name? What is your address? Where did you go to high school? Some are not quite that public, but still easy to find. What is your pet’s name? Who was your favorite teacher?
Not all of them can be found – but many of them can. A simple Facebook post or otherwise innocuous tweet can provide the answer to many of the questions that are not specifically public. This gives third parties ways to access the credentials you use for e-mail, purchasing, banking, etc.
The way I get around this is simple – I lie. As far as the Interwebs are concerned, my pet’s name is Megatron, my favorite color is vermillion, my favorite teacher was Dr. Death, and so on. (Of course, now I have to keep track of this information as well as my passwords.)
It isn’t an elegant solution, but at the same time it is one more way to enhance security in my online life. Do I have privacy? No. But my lack of privacy is less of a target than for some others. Of course no one is hack-proof. Systems that actually hold credential sets are compromised all the time. However, my method does make one of the many ways to steal personal data slightly more difficult…
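
The post keeps a hand-maintained list of made-up answers. The sketch below is an added example, not something from the original post, and it swaps in a different technique: it derives a distinct, pronounceable fake answer for each site and question from one master secret, so the answers can be regenerated instead of tracked. The function name `recovery_answer`, the `.example` site names and the demo secret are assumptions made for illustration.

```python
import hashlib
import hmac

# 16 consonants x 4 vowels = 64 syllables, i.e. 6 bits of the MAC per syllable.
CONSONANTS = "bdfghjklmnprstvz"
VOWELS = "aeio"


def _normalize(text: str) -> str:
    """Collapse case, spacing and trailing punctuation so retyped prompts match."""
    return " ".join(text.lower().split()).rstrip("?.! ")


def recovery_answer(master_secret: bytes, site: str, question: str,
                    syllables: int = 8) -> str:
    """Derive a pronounceable answer that is unrelated to any real fact.

    HMAC-SHA256 keyed with the master secret is computed over the site and
    the question, so every site/question pair gets its own answer and one
    leaked answer says nothing about the others.
    """
    if not master_secret:
        raise ValueError("master secret must not be empty")
    if not 1 <= syllables <= 32:
        raise ValueError("syllables must be between 1 and 32")
    message = f"{_normalize(site)}\x00{_normalize(question)}".encode("utf-8")
    digest = hmac.new(master_secret, message, hashlib.sha256).digest()
    parts = [CONSONANTS[b >> 4] + VOWELS[b & 0x03] for b in digest[:syllables]]
    # Split into two "words" so the answer is easy to read out to a help desk.
    half = (syllables + 1) // 2
    return ("".join(parts[:half]) + " " + "".join(parts[half:])).strip()


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; use a long random value
    for site, question in [
        ("shop.example", "What is your pet's name?"),
        ("bank.example", "What is your pet's name?"),
        ("bank.example", "Who was your favorite teacher?"),
    ]:
        answer = recovery_answer(secret, site, question)
        print(f"{site:13} {question:31} -> {answer}")
```

With the default eight syllables each answer carries 48 bits taken from the MAC, and none of it can be looked up in a property record or a social media post. The master secret then needs the same protection as a password manager's master password.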