Protecting Privacy in the Electronic Age
This is a rush transcript created by a contractor for KPBS to improve accessibility for the deaf and hard-of-hearing. Please refer to the media file as the formal record of this interview. Opinions expressed by guests during interviews reflect the guest’s individual views and do not necessarily represent those of KPBS staff, members or its sponsors.
The next Ethics Center forum: "Can we share electronic information without losing our privacy?" is Wednesday, July 1, 2009, at 5:30 p.m. at the Reuben H. Fleet Science Center.
MAUREEN CAVANAUGH (Host): I'm Maureen Cavanaugh and you're listening to These Days on KPBS. Suppose your dog has fleas and you casually search the web to find a good price on some flea medication. In the next day or two, you may be surprised to find a lot of pet and flea information coming up in your e-mail, or in the advertising you see on other websites. And you think, well, that's quite a coincidence. It couldn't be that anyone knows I was looking for flea medicine, could it? Unfortunately, it's no coincidence. Privacy advocates say our personal information is being captured and stored by search engines, social networks, and mobile browsers and then shared with marketers. Most of this is perfectly legal but not widely understood by internet users. Many lawmakers, and privacy rights groups want more disclosure about how this information is being collected and used, and they want new laws and regulations put in place. But, technology and innovation have a hard time flourishing in a restrictive atmosphere. So the question is: how much privacy are we willing to give up for freedom of information? Electronic access to information is the topic of our monthly series on science and ethics. And I'd like to welcome my guests. Murray Jennex, he's Professor of Information Systems at San Diego State University and an expert in the area of cyber crime and identity theft. Welcome to These Days, Murray.
MURRAY JENNEX (Professor of Information Systems, San Diego State University): Good morning. How are you?
CAVANAUGH: Great. Thank you for being here. And Erin Kenneally, she is an attorney whose company, Elchemy, deals with cyber law. She's also a cyber forensics analyst at the San Diego Super Computer Center. And, Erin, welcome.
ERIN KENNEALLY (Cyber Law Attorney and Forensics Analyst, San Diego Supercomputer Center): Thank you. Good morning.
CAVANAUGH: Good morning. And I – We'd like everyone to comment on this topic. We'd like to hear from you. Do you think you have a right to privacy when you use the internet or shop online or send an e-mail? Do you care that companies are tracking your every move online? You can call us with your comments. Our number is 1-888-895-5727, that's 1-888-895-KPBS. Now I want to start by talking about the different ways electronic information is collected but first, the ACLU, which advocates for privacy rights, has put out a humorous ad on the internet about how much information might be involved in making a casual phone order for pizza sometime in the near future. And I'd like to start out by hearing just a bit of that ad.
(audio from ACLU privacy rights ad)
CAVANAUGH: That is from a new ACLU internet ad about privacy rights and, I guess, losing privacy rights in the electronic age. My guests, once again, Murray Jennex and Erin Kenneally. And I want to start with you, Murray, is that a fair depiction of what might happen in the near future?
JENNEX: I don't know if it might happen. I know that it's very capable of happening. Right now, we can gather that much data and put it, basically, at the fingertips of anybody answering an order. So is it unreasonable? Probably not. I don't know that I would ever have somebody tell me I couldn't eat my meat pizza though.
CAVANAUGH: And, Erin, you know, when you see this ad on the internet, what you actually see visually is all the information coming up on the man who wants to buy the pizza, you see his phone number and his home address and his work address and all that information being on the screen of the person who is actually at the Pizza Palace. And that's what we're talking about here, all of that information just coming up because you make a phone call.
KENNEALLY: Absolutely, and I've seen the video. It is quite cute. I think what it illustrates is this underlying issue that – in terms of how I frame the debate in the issue itself, which is this gap between our expectations and our capabilities. You know, technology arms us with wide-ranging capabilities yet our expectations are still steeped in our laws, which very often takes quite a long time to catch up to technology. So it's in that gap between expectations and capabilities where we're running headstrong into a lot of these issues, and that certainly highlights them. I think it's, you know, it pokes fun at what we – what's possible but I certainly think that we are capable of it now and the challenge will be inserting the right controls, the proper controls, to find the right balance between privacy and security.
CAVANAUGH: And, Murray, let me ask you, I started by saying I want to talk about the different ways electronic information is collected. When you go online and you make a purchase, let's say you make a purchase at amazon.com for, as I said, flea medication for your dog or something like that, where is that information stored and who gets that information about what you wanted and who you are?
JENNEX: Well, it's stored in a couple of places. First, if you went to Amazon, they collect that information and Amazon does a very good job of tailoring their offerings to their customers, which means that they're building a profile on you. So they are keeping track of everything you purchase, when you need it, how often you need it, that type of thing. And then they're looking for new products that might fit into that profile. So they're collecting that information. But I don't think it really stops there also, because there are companies—and I won't mention who they are—but they collect information on where you go on the web so they're keeping track of your web activity. So they're keeping track of the fact that you logged into this particular site and then you processed this particular type of search. So they're keeping that information on you which they can then sell to other people. And, again, they're building a marketing profile on you as a web surfer so that they can gather that information. And then additionally, there's the criminal aspect of this. There are people who have implanted software onto your computer who are tracking where you go, what you do, if you're using a credit card, and they're going to try to collect that information and then use that against you perhaps to steal your identity. So, in reality, you're probably getting tracked multiple times, multiple locations. The one company that you did the transaction with is using it for their purposes, which is very nice for you. The other company that's doing it as a marketing activity is using that to help other companies tailor their offerings to you, so probably that's okay. But then the criminal aspect is totally, you know, not something you want.
CAVANAUGH: Sure. And, Erin, I think everybody would know that everybody has that distinction between, you know, these people who are trying to get your credit card information and perhaps steal your identity. But I think people really don't know, aren't really aware about how much legal information search engine companies are keeping about people and what they do online.
KENNEALLY: For sure. You know, certainly from a government perspective, we have much clearer standards. We have laws such as the Electronic Communications and Privacy Act and the Federal Privacy Act, and those do a pretty good job of spelling out what the government can and can't do with your information and disclosure of that information. But then if you segue over to the private sector, there really are unclear standards in that regard. There's no federal law that protects anonymous speech online, there's no identity disclosure laws per se for private business. I mean, they're basically held to their own self-imposed standards via their own corporate policies, and that's where you get into the notion of the huge importance of transparency and enforcement of those policies and the problems there. But, yeah, for sure, it's – we're forging new ground in that regard and that's where the law is struggling with, how do you draw those lines.
CAVANAUGH: And I want our audience to know that we want you to be involved in this conversation. We're taking your calls at 1-888-895-5727. Does it matter to you that companies are keeping profiles of your online activity? Maybe it does, maybe it doesn't. Give us a call at 1-888-895-KPBS. Murray, I think that one of the things that is perhaps disturbing to people is the notion that their e-mail may be tracked. How does that happen?
JENNEX: Well, personally, all e-mail is read or checked by something somewhere. When you send an e-mail, you're really sending out electronic packets. These packets have to get opened. You have a router that looks at your e-mail to see where it goes to, so it's going through a series of different computers, being looked at to a point, but not necessarily read. But at each one of those points, your e-mail can be looked at if it's not encrypted. Now I think if you wanted to prove that to yourself, you could do something silly like writing 'I want to kill the president' or something in an e-mail, and you would find that you would be contacted probably within a few months by somebody checking up to make sure you're not really serious or some sort of terrorist.
CAVANAUGH: Really? You would be contacted if you said that?
JENNEX: You see this in the paper periodically.
JENNEX: About six months ago some twelve-year-old girl had gotten a visit. She's wasn't considered a real viable threat so they didn't really push it real quickly to get to her but, again, we are scanning all e-mail communication, mechanically mostly, looking for key words, looking for certain phrases that would trigger a follow-up investigation. Now my personal experience with this is I've actually done work in Ukraine and I was working there just prior to the Orange Revolution, for the government, and we were using e-mail communications as our team to do an assessment of their oil pipeline system and those e-mails started showing up in the news. And it turned out that the local government, the government itself, was tapping that e-mail and publishing the parts that they wanted to put out to their people.
CAVANAUGH: That's really – that really gives you a lesson on – I really want our audience to know we're not advising you to do any testing of who's looking at e-mail by making threats to anybody in your e-mail communications. But, Erin, I think that that – that story that Murray just shared with us is the kind of thing that just no one expects that anyone's e-mail is being tracked by code words or anything else.
KENNEALLY: No, this is true but I also sort of want to step back and make it clear to folks that it's not like we're living in a complete wild, wild, west with regard to restrictions on viewing of e-mail. I mean, there are, as I mentioned before, the Electronic Communications and Privacy Act. It's not the clearest in the world but, by the same token, it does afford protections for the – for your internet communications, for your electronic communications. So the government is held to standards in terms of, you know, what type of legal process is required in order for them to obtain your traffic, your e-mail. Now having said that, where we've come into areas of contention is where the notion of national security overrides, or the argument is made, that national security should override some of our domestic laws in this regard. And that's essentially what occurred with the AT&T and the Telecom controversy that's actually still brewing right now. They wanted, basically, immunity for sharing your phone records and your internet communication records with the government, and there was a claim made by the government, by the former and the current administration, that basically they can override the domestic law. So that's where the debate, as far as I'm concerned, lies in that regard.
CAVANAUGH: Yes, Murray.
JENNEX: I agree with Erin and, actually, I wanted to point out that really what I was saying is mechanical skimming. It was an automated system looking for key words. I don't believe the government has the time or the resources to look at an e-mail. But I think where there's another issue though is, legally a company can look at their own e-mail systems. So a lot of times people are working for a company and they think they have a expectation of privacy in e-mail but if they're using the company e-mail system, that expectation of privacy really isn't there because the company's allowed to protect their networks and they can look at what goes across their systems.
CAVANAUGH: A word to the wise there. 1-888-895-5727 is our number, and on the line, Kay is calling us. She's calling from UTC. And good morning, Kay, welcome to these days.
KAY (Caller, University Towne Center Area): Good morning. Correct me if I'm wrong but I believe one of the companies that does the data mining of our personal, private information is right here in Rancho Bernardo in San Diego called NCR Teradata.
KAY: The thing that I'm concerned about is that I had ID theft and fraud and had to fight with my banks about my bank accounts being drained and get the money back and, you know, how much am I in danger for having this happen again?
CAVANAUGH: Well, thank you for that phone call and I do want to ask our guests. Any comment about a company called Teradata?
KENNEALLY: Well, you know, I'll jump in first on that. I'm not going to talk specifically about a company. There's certainly a whole host and it's a growing niche of companies who perform predictive analytics and the – another recent one is Deep Packet Inspection. But the notion is that, you know, they have access to a lot of personal information and there's not a whole heck of a lot of transparency or enforceability in terms of how they're actually using that information. So just to answer the caller's question somewhat, I think that the answer to the problem of the abuse of technology is not to prohibit it. You know, not to oversimplify this but, you know, guns kill people, certain types of weapons kill per – kill people, you know, we don't disarm the police or prohibit those tools just because we know that they can and will be misused. I think it's better to engage all stakeholders in terms of creating the transparency and the controls to make sure that that information is used in the proper way, that it's collected for a certain purpose and that it's used for the purpose for which it's collected. There's a whole host of principles called the FIPs, the Fair Information Practices, that are used pretty much internationally as principles underlying the proper use and storage and collection and management of personal information. And so it's building upon those principles and building and institutionalizing those within our businesses and between the exchanges of information that I think we've reached the point where we gain more confidence in the fact that our personal information is being used in the correct way.
CAVANAUGH: Erin, we will talk more about who might be enforcing those regulations nationally and internationally but we do have to take a short break. I'm speaking with Erin Kenneally and Murray Jennex and the topic is Electronic information and who's using it and who's sharing it and who's storing it. Our number is 1-888-895-5727, and These Days will continue in just a moment.
CAVANAUGH: Welcome back. I'm Maureen Cavanaugh. You're listening to These Days on KPBS. We're talking about electronic access to information. My guests are Murray Jennex. He's a Professor, that is, of Information Systems at SDSU. And Erin Kenneally, an attorney from the company Elchemy, which deals with cyber law. And, Murray, you wanted to ask – you wanted to at least address the question that was posed by one of our listeners about what kind of information is collected by companies like Teradata here in San Diego?
JENNEX: Well, what I wanted to mention about Teradata, and I have a confession I have to make, is I teach information security but I also teach decision support systems and I teach, in particular, students how to maximize use of their data and how to mine that data to generate information about customers and to generate actionable knowledge to use in running their companies.
CAVANAUGH: So you're on the dark side.
JENNEX: So I'm – Yeah, I – Yeah, I guess you could say I'm a dark side, light side. And usually what's difficult, I teach them on successive nights, so one night I'm teaching you how to share, the next night I'm teaching you how not to share. And, in particular, with Teradata, I like them because they actually provide a student network that we can use to help teach our students how to analyze data. Teradata itself is primarily a company that focuses on data mining, data warehousing, analyzing data, so they collect massive amounts of data and they're not really focused on where it comes from because this data comes from a point of sale system. You go into a grocery store and you use your club card, you collect data about yourself and the transaction. You go to a Walmart or a Target and you use a credit card or a card there, same thing happens. So they're focused on analyzing that data and they're focused on doing business intelligence, business analytics, customer relationship management, supply chain management. Everything they do is focused on how to make better business decisions on managing inventory or managing sales. So…
CAVANAUGH: And I just want to interrupt you because we have a caller on the line who has a question about exactly this. Lisa is in Pacific Beach. And good morning, Lisa, and welcome to These Days.
LISA (Caller, Pacific Beach): Good morning.
CAVANAUGH: Yes, hi.
LISA: I – Hi. I had something odd happen to me. I bought something actually in Target and I got an e-mail—using my debit card—I got an e-mail sent to my personal e-mail address asking me to review the product that I bought in the Target store. And I was unnerved and I – and sent an e-mail to the Target saying, I don't like this, it's creepy, it's Big Brother. And Target actually called me and apologized and said it is a program that Target runs and they would pass along my comments, etcetera. And I wasn't sure whether Target found me in their system because I have an account with Target, not a credit card account, just an online purchasing account, if they found me that way with my debit card, or my bank sold me out and passed on my e-mail address somewhere in the system. Not quite sure.
CAVANAUGH: Well, thank you. I really do appreciate the call, Lisa. I want everyone to know we are taking your calls at 1-888-895-5727. And, Murray, is that the kind of information that is collected by a big agency or does the store itself have that information?
JENNEX: Well, the store itself collected that information. As Lisa said, she had an account with Target, she also used her debit card, so she created a link between herself, personally, and the transaction. And the company stores that in their point of sale system and that's actually what Teradata's talking about when they're analyzing data, is taking that massive amount of data and analyzing it. And what Target does and what several retailers do, it's not an uncommon practice, is, again, they're trying to make sure that the inventory they stock is the inventory people want to buy. So they're looking to better serve the local customer. This is a mass customization approach, and this mass customization, in – in a way, we're all guilty of causing a lot of this problem, is the approach that says that we want to tailor all of our offerings to the individuals. We want to make them feel like they're empowered, that they're going to a store that has their own personal aisle there and they can get exactly what they want. Well, that comes at a cost, a tradeoff. And the tradeoff for that ease is that your data is now there in their databases and they can use that.
CAVANAUGH: Right. Well, Erin, you know, the way Murray explains this, it doesn't sound all that different than the kind of demographics that have been, you know, a basis on which retailers have operated for a long, long time. But I'm wondering, taking the caller's definition of this as creepy, getting an e-mail after making a purchase, I'm wondering how much awareness is there in the general public about how their personal and electronic information is being used?
KENNEALLY: Well, Maureen, you make a good point. Look, this is not new in terms of businesses and companies wanting to extract value from their customers and, more directly, connect up the need and the demand. The internet changed everything, and it immediately enabled us to share a lot more information a lot more quickly and in a very opaque way, potentially. So I agree with the caller that that is – it can be creepy and I, personally, get very annoyed when those types of situations occur. I think what's important here is what's the default posture that these companies are approaching their handling of personal information? In other words, in this instance it sounds like Target's posture was opt out. In other words, we've got your data, we're kind of free to do with it what you want until you find something or catch us doing something that you don't like and then you can opt out. The more privacy protective posture would be opt in. So by default, we're not going to share your information, we're not going to necessarily do a ton of match-linking and predictive analytics and whatnot with it, we'll give you the option to do that but we're not going to do it by default.
CAVANAUGH: Go ahead, Murray.
JENNEX: I think you're right except that even if you opt out and you maintain your privacy, they're still going to do the detailed analytics; they're just not going to link your name specifically to the transaction.
KENNEALLY: I agree. That gets to the whole notion of use. So how do you use that information? If you just sort of sit on it and don't necessarily act on it, you know, certainly, that's much more beneficial to the user. And, actually, Murray, if I could just backtrack a little bit, I wanted to anchor off of something you said with the Teradata situation. For certain, they're – they do a lot of great work, have some very interesting technology. I think what's important to keep in mind there, though, is, you know, their customer, so to speak, is – are the merchants, are the individual businesses. Their customer is not the individual consumer whose privacy is at risk. So, you know, we can say that they're running all these analytics and they're trying to make businesses better and what not, and they do, they really do accomplish that in a lot of ways but, you know, there again, they don't feel the pain points that an individual citizen consumer feels when their privacy is violated. And so, you know, the solution there is you've got to keep a chain of responsibility and trust between the merchants and their individual service providers and whatnot, so that that privacy does flow through the line.
CAVANAUGH: Well, that brings us to the issue of privacy, though, and a lot of people seem to expect information to be private, which is not private at all. Let's look at the social networking that people do on the internet and the Facebook pages, the MySpace pages, and the fact that all of this information is being shared by so many different people. What does that do, Murray, to our idea of private information? We may not think a lot about it if we just type something on our own computer and then put it on the internet, but it's there for the world to see. It's not ours anymore.
JENNEX: It is a confusing issue. I think – I work with a lot of students who are younger and they very willingly put out more information and knowledge about themselves to the world than any of us adults would. And I think in many ways they think they're just giving it out to their friends. They don't realize that it's going out to everybody. And I think that is an issue from privacy but I think it tells business a different message also. I mean, how can a business be expected to maintain privacy about you when you don't maintain privacy about you?
JENNEX: And I'm not saying business is right not to go ahead and do – abuse your privacy but I think it sets up a very confusing situation in our workplace today. And, Erin, I know you can probably address this a little bit more from the legal standpoint but I think it really is a confusing issue that we don't know what to do with because in many ways we put out more information about ourselves than any of these companies puts out about us. And while we worry about what a company does, we don't worry what our own kids do and what they tell the world about our families. And, as when I teach security, that's one of the things I tell – I have people analyze is the risk of their own family telling about themselves.
CAVANAUGH: I'm wondering, too, not only does – not only are people putting that information on the internet but also are there agencies, are there companies, that go around and look at Facebook pages and take information from those sites?
JENNEX: Oh, it's standard practice anymore that if you apply for a job, many, many companies will go look and see what they could find publicly about you, what you posted about yourself, and there've been many cases where people have been turned down for a job. I even had a case in the last year where a student of mine sent in a resume that – and she put a picture of herself in there and her contact information, and the person who got that resume used it to try to solicit the data off of her.
CAVANAUGH: That's not fair.
JENNEX: No, it wasn't. That was a gross breach of privacy.
CAVANAUGH: Right, right.
JENNEX: I mean, that was clearly beyond the line.
JENNEX: But where is the line? And I teach – I tell my students, I wouldn't put my pictures, I wouldn't be putting my addresses, my phone numbers, everything like that, onto a resume or onto a letter. I would make a very single point of contact and leave it at that.
CAVANAUGH: Let's take a call now. Mike is in Poway. And, Mike, good morning and welcome to These Days.
MIKE (Caller, Poway): Hi, how you doing? First I want to bring up something I think that is sort of a reverse side of this issue that I don't hear much about and I don't see much online, and that is that most of the arguments are about how companies are using things and the effect it has on the individual so it's, you know, more of a privacy-based discussion and, you know, how that might, you know, not be beneficial for them. I'd like to flip that argument and I'd like to say that in reality, all the information that people are providing, whether willingly or not willingly, and whether they're getting renumerated (sic) or not, is essentially their personal information asset. So in some ways, when you talk about awareness, if people realize that there's a financial benefit to them of providing that information, that actually could create a business opportunity for individuals as well as companies that might be willing to take this sort of market approach. And then in reality what happens is, when you call up for that pizza like that example that was used earlier…
MIKE: …when someone says, hey, we need your name, your address, and da-da-da, and that happens a lot, you know, both on the web and on the phones now, you can say, hey, look have you checked out my – where I'm registered on Mike-I-want-to-share-this-information and then, you know, you can use whatever's there, and then proceed with the transaction, whatever it is.
MIKE: It's kind of like putting power, you know, back to the people, and saying that what you own about yourself, your profile's actually of huge benefit to people. Now to Murray's point about Generation X sort of giving this stuff away, or Generation Next giving this stuff away, that obviously is a cultural discussion. But I think that most people who realize that if they're doing this on a daily, weekly basis, which happens on the phone, you actually could make quite a bit, you know, if there was some kind of a recurring revenue model there for you to provide things about you for other people to benefit.
CAVANAUGH: That's a good idea, Mike. Thank you for the call. I'm wondering, Erin, if I can perhaps ask a question that stems from Mike's question, and that is what kind of responsibility do people have when they put out information about themselves? You're an attorney and you can't really claim that your privacy has been violated, can you, if you are the one who supplied the information?
KENNEALLY: Well, right. So this gets back to the larger issue or comment that Murray made, which is, you know, there's certainly confusion and tension in this space. What we're in the middle of right now is evolving this notion of reasonable expectations of privacy in the cyber realm. I'm familiar with the posture that the caller Mike raised with regard to, hey, let's take control of our personal information because it's ours. The problem there is, we have to realize, at least from a legal perspective in the United States, we're very different than the framework that exists in Europe. In Europe, that is exactly the case. In other words, citizens are deemed to own their personal information and they control it and they have much more – a stronger ability to control that and make demands in terms of how it's used. In the United States, that doesn't exist. The posture right now in the United States, from a legal perspective is, you don't necessarily own that information. You know, our privacy laws are basically a patchwork of laws that break down along industry lines. We don't have an overarching framework that protects our personal privacy. So that has definitely caused tension and issues and it's within those gaps in that patchwork quilt of
privacy laws that companies have been able to come in and exploit that and take advantage of those gaps for sure. So just to get back to your initial question, though, yeah, it's just – we're redefining what it – what reasonable expectations of privacy mean in this world, you know. These – our expectations of privacy were formed in the analog world, in the physical world, where, you know, it really took a concerted effort to copy information and if you wanted to delete or eliminate information, it was very bounded and known. You know, you knew where the information was, you could shred it, you're done with it. You know, juxtapose that to the cyber realm, the digital realm, where it's just trivial and seamless to replicate and copy information and, by the same token, it's very hard to delete it. Once it's copied, you don't know where all that information goes so it's tough to get your arms around it. And it's against this new, you know, cyber physics, I'll call it, that we're trying to redefine our expectations of privacy.
CAVANAUGH: I am speaking with Erin Kenneally and Murray Jennex, and we're talking about our personal information, how it's being captured, stored and used on the internet and by web browsers and a whole 'nother – a whole line of electronic information systems. We have to take a short break. Our number is 1-888-895-5727, and we will return in just a moment.
CAVANAUGH: I’m Maureen Cavanaugh. You're listening to These Days on KPBS. We're talking about how much privacy we're willing to give up for freedom of information in the electronic age. My guests are Erin Kenneally. She's an attorney who works with cyber law. And also we're speaking with Murray Jennex, Professor of Information Systems at San Diego State University. And we're taking your calls at 1-888-895-5727. Murray, I wanted to go back to you for just a quick minute because there's something important that you wanted to add to a question we had earlier from a woman who asked – she said that she had been the victim of identity theft and she was worried that she might become a victim again.
JENNEX: Yes, and, Kay, I think, unfortunately, the answer to your question is it is very likely. First what I'd ask you is what caused you to have your identity stolen the first time? Was it your online behavior or was it because a source that you had given your information to before, say, a credit card company or a bank, had gotten hacked and your identity stolen that way? If it was your own behavior that caused it, if you've changed your behavior, that has reduced your risk of having your identity stolen that way. Unfortunately, and Erin, this is one of the – where I actually have a big issue, is how responsible is a bank or company that collects your data, responsible for protecting that data and keeping it safe? And right now, most of the cyber crime is focused on hacking large companies to get large numbers of credit card information and passwords and identities which they can use to make money with. And that's where I really get upset. And, unfortunately, Kay, you don't have a lot of control over that and that's where you probably are at risk. All of us are at risk.
CAVANAUGH: Right, okay. It's good to know. Let's go to the phones and take a call from John, that is, in Carlsbad. Hi, John, welcome to These Days.
JOHN (Caller, Carlsbad): Oh, hello. Thank you. My call. My call is sort of related to what you're talking about today but it's not exactly the same thing. I have a question. My girlfriend was driving my car, which is registered only to me where I live, and she lives somewhere else. And she ran through a red light and they took her picture and then they sent her the ticket in the mail with her name and her address but there she was driving my car. And I was wondering how they managed to do that.
CAVANAUGH: That's a good one. Any answers to that one?
JENNEX: Well, first I'd ask you has your girlfriend done something you don't know about like told people, perhaps, that she's related to you? Another way, though, is they could've ran some facial recognition software and then if there has been some transactions in the past that—legally—in the legal system where you two have been linked, either through a lease or perhaps a previous ticket or some other activity, then they could've traced it that way. But more than likely, you know, the license people have your faces on record because it's on your license and if you run facial recognition software, there's a reasonable chance they could've matched it up that way.
CAVANAUGH: Erin, do they run facial recognition software on red light cameras?
KENNEALLY: You know, that's actually a new one to me. I – now having said that, I know from a federal perspective and especially at the border, they certainly use and employ state of the art facial recognition technologies. Those are certainly, though, not without their set of issues in terms of their accuracy and reliability. I'm not aware that from a – at a local level that's being employed. I certainly – it's certainly possible. I will say this, though, my normal response would be, gosh, how could you deploy, you know, such technology on pictures like that? I mean, wouldn't you think that they'd be really grainy and, you know, sort of like the bank photos? But having received several of the red light camera tickets, I will say that those are some of the best pictures that I've taken, so they are pretty accurate.
CAVANAUGH: That's wonderful. Watch those red lights, okay, Erin. Let's go to a caller. Tony in Oceanside, good morning, Tony, and welcome to These Days.
TONY (Caller, Oceanside): Hi. How you – thanks for taking my call. Yeah, I had a question of like where would I go to get like information to protect myself like it was suggested that I would check my ISP for monitoring or I could request changing my IP address or use guerillamail.com. I was just wondering if there was any kind of, you know, information that we could go find out on the net to, you know, to protect ourselves, like using different internet engines, I guess is another suggestion but, you know, changing your ISP is something I don't really know how to, you know, to do.
CAVANAUGH: Well, Tony, thank you for that, and Tony is talking about different ways to protect himself online, maybe protect online purchases, things of that nature.
JENNEX: Well, to protect online purchases you want to make sure you're using a encrypted type system and usually that's the SSL, the secure socket layer. And when you're doing a lot of the payments systems, you see the gold lock down below or that it tells you it's a secured site. But another question Tony is raising is what can he do to kind of maintain his anonymity and unless you're very much a technophile and you're very focused on the technology, nothing you can do. Changing your IP address, most of us have a dynamic IP address to begin with but from the standpoint of sending mail, you still have to have a link to your identity. The fact that people are tracking your web browsing habits, that's going to happen anyway. The fact that people can still track you is probably still going to happen because depending on where you go on the web, you're probably going to download a – some sort of malware that will probably track even more. Most websites you go want to download a cookie and that's to help them track your behavior. So unless you're, like I said, very paranoid and willing to really go to extreme lengths, there's probably nothing you can do to lessen the people – people from tracking your identity or what you're doing.
CAVANAUGH: What about – are you familiar with the guerilla e-mail he was talking about?
JENNEX: Not really. I am familiar with anonymous remailers and other approaches and doing spoofing and there are many ways that if you're trying to really hide your identity from what you're doing, you can do that, and it takes a lot of effort to track through and, Erin, I recall that you're working on digital forensics and stuff and you can probably answer how effective that is because we can still track in many ways where it comes from.
KENNEALLY: Certainly. I mean, I think it's important to know that there are the equivalents of the clubs, if you will, out there for cyber activity. Certainly there's no silver bullet solution. There are, and there have been, a growing number of technologies available to the citizen consumer to help protect their privacy. I understand your point that, look, at the end of the day, is it possible for all your activity to be traced and linked and whatnot? Yes. But, you know, a lot of the browser technologies have responded to the aggregate consumer citizen voice about the need for anonymity and privacy and, you know, there's a lot you can do from the browser in terms of accepting or deleting cookies and adding, you know, add blocking type filtering software. You can use anonymizers, anonymous remailers, which you mentioned, and there's things like Tor, which is – which allows you to basically surf the net anonymously. Now, certainly, it's going to cause a hiccup in your usability and, you know, that's the price you pay at this point until it becomes more unbiquitous, until more people demand it and it becomes sort of the default posture. You know, if you value your privacy, you're going to take that extra step. And I think also from more of a macro perspective, keep in mind, look, you don't have to – and I say this, I'm an attorney. I value my privacy tremendously and I'm also, you know, an officer of the court so I'm – I need to respect the law just as everyone does. But I don't put my real information in online unless I'm required to, unless I'm conducting a financial transaction, unless, you know, there's a need to know my true identity. If I'm just signing up to download an article, for instance, and they want a whole host of information about me, nine times out of ten, I'm not going to give them the – my real information. Is that the right thing to do? I'm not sure but that's the course that I've chosen and…
JENNEX: That's what I do, too.
KENNEALLY: Yeah, that's right.
CAVANAUGH: That's what you do, too. Let me – I don't want to leave this conversation without talking just a little bit about a botnet and why it's bad. What is a botnet?
JENNEX: A botnet is a large number of computers that have been linked together through malware usually or other software that allows one person to control them and use them to do whatever the user wants them to do. Usually, they're used to mail spam, send out vast amounts of e-mail. The idea is to hide the originator of the e-mail so they're using a botnet of thousands, maybe hundreds of thousands, of computers. But also they could be used to do denial of service attacks, to block, say, certain e-commerce website that have annoyed them from getting business or other websites from getting business. And in many ways, they're being looked at now as actually a technique for attacking infrastructure, our cyber infrastructure. We haven't talked about cyber warfare at all.
CAVANAUGH: No, no.
JENNEX: But botnets can be used in that approach, too.
CAVANAUGH: Right, and are these largely out of the country botnets? Or are they organized by foreign networks or is it homegrown?
JENNEX: Both. I – You can actually rent botnets or if you don't want to do it yourself, there are people who create botnets and then auction them off on the web or rent out their services on the web, and that's actually quite common. I think the ones we see frequently are run from outside the country but more for legal reasons than technical reasons.
CAVANAUGH: Now there was a whole article in the New York Times over the weekend about cyber wars, talking about countries being very concerned about their internets being – their internet networks being the subject of botnets from other countries and being hacked and so forth. Is this becoming a larger and larger concern as we move on, Murray?
JENNEX: Yes, it is. Actually, before I came to San Diego State, I worked for a utility company and that's what got me involved in cyber security is, I was a Y2K leader and we saw how vulnerable our infrastructure was. And there are several cases on record of hydroelectric plants being turned off by hackers or people penetrating, hopefully, secure stuff but not secure infrastructure and doing things. Like even last fall, there was this Amber Alert sign that was changed to 'zombies ahead.'
CAVANAUGH: Oh, yeah.
JENNEX: Now from my standpoint, while it seemed funny I was worried that that was actually a practice run for a possible cyber attack where they're using it to direct traffic and other people to go places that they wanted them to go to rather than the places they were supposed to.
CAVANAUGH: And our – Erin, this has to be my last question because we're running out of time. I'm just wondering that – what precautions in the United States is the United States taking against this kind of attack?
KENNEALLY: Well, you know, the interesting thing about the cyber threat is that everyone is connected to everyone so the whole traditional notions of jurisdiction and country boundaries are out the door for sure. Certainly, you know, the fact that our infrastructure is basically owned and controlled, you know, probably 80% by the private sector, our government is working a lot more closely with the private sector in terms of hardening the infrastructure with things like authentication, so two areas, at the front end security, providing more security so that systems can't get botnetted or backdoored or Trojan horses can't be installed on those. And then at the backend, from an authentication perspective, let's assume that there's going to be a break-in. You know, security is not 100% black and white. Let's insert and implement strong authentication mechanisms so that if that it is stolen, it can't be used. So those are two areas that certainly the government is working on and, wisely, they're working a lot closely – a lot more closer with the private sector to accomplish that.
CAVANAUGH: Erin, we're going to have to leave it there. We are out of time. I want to thank Erin Kenneally. She's an attorney whose company, Elchemy, deals with cyber law. Erin, thanks so much for being here today.
KENNEALLY: Thank you. I appreciate it.
CAVANAUGH: And Murray Jennex, Professor of Information Systems at San Diego State University, thank you.
JENNEX: Well, thank you.
CAVANAUGH: I want to thank all of our callers and also apologize to those we didn't get to today. The next
Ethics Center Forum: "Can We Share Electronic Information Without Losing Our Privacy?" is this Wednesday, July 1, 2009, at 5:30 p.m. at the Reuben H. Fleet Science Center. And you can find out more information at KPBS.org/TheseDays. Thanks for listening. Be with us again tomorrow on These Days.