The Privacy Trade-offs: Report from the 2011 Cybercrime Conference

By TAP Staff Blogger

Posted on October 13, 2011

Last Friday’s 2011 Cybercrime Conference examined the current trends in cybercrime, security in the cloud, and the trade-offs between sharing and securing private information. Keynote speaker, Edward Felten, Chief Technologist with the Federal Trade Commission and on leave from Princeton University, discussed why cybercrime losses continue to rise and what government can do to help address the issues.
TAP attended the conference and provides a summary of several of the sessions. This post focuses on what we, U.S. citizens, are receiving in exchange for our privacy. TAP academic Chris Hoofnagle participated in this session. Additional posts covering other topics are linked to below.
The discussion on the trade-offs between privacy and security began with a lesson in the economics of transactions. When someone interacts with a web site, what is being exchanged is valuable product in both directions: personally identifiable information (PII) in exchange for goods; or in the case of social media sites, PII in exchange for connections and convenience.
Professor Jan Whittington, University of Washington, further discussed how one loses value from personal information in order to get essential service. When one interacts with a web site (Facebook, for example) there is a contract entered into –governed by the site’s terms of service. Once that personal information is provided, it is no longer owned by the individual; that information on the site becomes governed by others.
Chris Hoofnagle, director of the Berkeley Center for Law & Technology's information privacy programs, discussed key privacy terms and the shortcomings in enabling consumers to “negotiate their privacy preferences.”
First, privacy policies: they are unreadable due to length, complexity, and ambiguity of language (example: “confidential” has different meanings in the law field than the health field; additionally, “anonymous” to who and to what extent?).  Additionally, third party sharing is obfuscated. The privacy policy is a great example of a contradicting statement that refers to a policy of sharing or not sharing information:


Will my information be shared?  
To respect your privacy, Ann Taylor will not sell or rent the personal information you provide to us online to any third party. Ann Taylor shares information about our clients with affiliated companies and reputable third parties to provide better service to you. … In addition, Ann Taylor may share information that our clients provide with specially chosen marketing partners. We also may share aggregated statistical or demographic information about you with third party companies in a manner that does not reveal your personal identity.
Opting out is cumbersome for consumers. Hoofnagle pointed out that online companies use current technology to make purchases and signing up for online services efficient for their customer; however, many of them require consumers to use mail or fax as the means for opting out of certain parts of a privacy or terms agreement.
Additionally, there’s the provenance problem. There is no ability to tell how personal information traverses the network. Ever wonder why you start receiving emails for discount pharmaceuticals or Caribbean vacation packages? It is very difficult to determine which company you willingly shared your personal information with may have passed that information along to an affiliate or third party who then shared it with others. Without provenance, consumers cannot attribute spam, junk mail, or even ID theft to specific wrongdoers.
An expert in information privacy law, Hoofnagle also spent some time talking about identity theft. He stated that the “Attorney General is going to play whack-a-mole with scammers for years until you focus on the intermediary incentives that make scams so easy to perpetrate against consumers.” Referring to his article, “Internalizing Identity Theft” (UCLA Journal of Law and Technology, p. 1, 2010), Hoofnagle showed that the speed in making the sale sometimes beats taking effective security measures. The data in his research show that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem lies in the risk tolerances of credit grantors. Identity theft remains so prevalent because it is less costly to tolerate fraud. On the flip side, adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts; that is, that quick, streamlined purchase.
When asked if ‘the Genie is out of the bottle,’ that is, is it too late to do something about protecting PII, the participants generally agreed that no, it’s not too late. Hoofnagle said that there is still a lot of obscurity around some information. Some steps to address are: financial institutions need to use information other than personal information to authenticate users (i.e., don’t assume that because a user provides a correct social security number, they are in fact the customer who has been assigned that SS#); and with regard to phones, there needs to be two-way authentication (currently there is only one-way authentication, and that does not provide an appropriate level of security).
To read more about the 2011 Cybercrime Conference, view these posts: