How to trust in the Internet when nothing there is real?
Suspension of disbelief when using the web is what enables most of the safety problems today, but the solution isn't to try to make people more wary "viewers".
Malcolm's recent post about authentication and the fake Facebook university groups points to a whole set of issues to do more broadly with authenticity.
I looked over the associated New York Times blog about "Separating Real From Fake", and saw all the usual advocacy of education and common sense to prevent people getting suckered on the Net. One correspondent bragged about his skills in being able to read HTML code in order to find hints of cyber scamming; there was even some smug pride in the way his Mac supposedly insulates him from malware.
Well that's nice for him and the other geeks, but what about the other 95% of regular Internet users? If the digital economy is really the economy then it's high time we moved beyond hoping that we can simply train users to be safe online. Is the real economy only for heros who can protect themselves in the jungle, carrying their own guns? Or do we as a community build structures and standards and insist on technologies that work for all?
For most people, the World Wide Web experience has most of the same hallmarks as watching a cartoon show on the TV. The human-machine interface is almost the same. The images and actions are just as synthetic; crucially, nothing on a web browser is real. Almost anything goes — just as the Roadrunner defies gravity in besting Coyote, there are no laws of physics that temper the way one bit of hypertext mashes with the next. Yes there is a modicum of user feedback in the way we direct a bit of the action when browsing and e-shopping, but it's quite illusory; for the most part all we're really doing is flicking channels across a billion pages.
It's the suspension of disbelief when browsing that lies at the heart of many of the safety problems we're now seeing. Inevitably we lose our bearings in the totally synthetic World Wide Web. We don't even realise it, we're taken in by a virtual reality, and we become fatally vulnerable to social engineering.
But I don't think it's possible to tackle online safety simply by counteracting users' credulity. Education is not the silver bullet, because the Internet is really so technologically complex and abstract that it lies beyond the comprehension of most lay people.
Using the Internet 'safely' today requires deep technical skills, comparable to the level of expertise needed to operate an automobile circa 1900. Back then you needed to be able to do all your own mechanics [roughly akin to the hassle and mysteries of buying anti-virus software], maintain the engine [i.e. configure the operating system and firewall], watch out for lunatics on the emergent road network [there's no licensing on the Internet, nor any road rules], and even figure out how to fuel the contraption [the supply chains for Internet support services today are about as primitive as the petroleum industry was 100 years ago]. The analogy with the early car industry becomes especially sharp for me when I hear utopian open source proponents argue that writing ones own software is the best way to be safe online.
The Internet is so critical now that we need to move towards ways of working that don't require us to all be DIY experts. But by the same token, let's be tempered in our headlong rush to improve things. It took decades for safe car and road technologies to evolve, and the Internet is still really in its infancy.
Stephen Wilson is Managing Director of the Lockstep Group.
Lockstep Consulting provides independent advice and analysis on identity
management, PKI and smartcards. Lockstep Technologies develops unique
new smart technologies to address transaction privacy and web fraud.
Malcolm Crompton
January 14, 2009 at 2:14 am
Excellent Commentary
Excellent points to add to my blog on this issue. And the motor car / highway analogy really works as a way of visualising where we are & what we can do about safety on the information super-highway.
Many people are coming to these kinds of conclusions – are we at last reaching critical mass of opinion?
Two YouTube videos as small points of evidence:
David Lacey – Managing the Human Factor in Information Security
and
BT's Bruce Schneier discusses security with David Lacey.
Unfortunately, as Bruce intimates in the second video, it is still going to get worse before it gets better!
MikeM
January 14, 2009 at 11:21 am
This is overstating the
This is overstating the technical complexity of the problem.
People should be taught the basics of scientific method: a claim may be plausible but is it independently corroborated? Can I verify it? Is it consistent with other things that I know?
A recent report from the Internet Safety Technical Task Force:
The report is rendered slightly suss since it is said to be sourced from "SILOCONE VALLEY" – presumably the centre of web pornography rather than internet technology innovation (but I'm sure that is simply a typo – the task force report itself is hosted on a Harvard University web site).
http://www.cbsnews.com/stories/2009/01/13/tech/main4719750.shtml
http://cyber.law.harvard.edu/newsroom/Internet_Safety_Task_Force
Better report (as usual) in The New York Times
http://www.nytimes.com/2009/01/14/technology/internet/14cyberweb.html
The "danger to our dear little kiddies" meme seems to be a creation of tabloid newspapers, talk-back radio and scare quotes web sites. True, there is some danger – like there is danger in crossing the road. But perhaps it's time that Senator Conroy updated his understanding of the risks that an unfiltered web presents to our nation's littlies.
StephenWilson
January 15, 2009 at 4:48 am
Predation is a different can of worms
MikeM, I agree that predation is probably not as big an issue as some have thought. The issues I am exploring are different, and have to do with authenticity more broadly:
How do I know that a university Facebook group is really from that university?
How do I know that my banking site is really my banking site (without reading the native HTML code of the web pages)?
How do I tell real e-mails from spam? OK, so maybe I adopt the sensible yet tragicomic rule of not answering any e-mail from any bank. But spear phishing, aided by OSN data, is getting to the point where much business correspondence is also now suspect.
How do I know that the padlock supposedly corroborating a genuine website is itself genuine?
If I'm a merchant processing credit cards online, how do I know that the account number presented hasn't been bought by a crook from an Eastern European carding site? Along with the billing address, the full name, the CCV etc etc?
How do I know that my Second Life avatar isn't going to be stolen by someone to get hold of all my Linden Dollars?
If I'm a Personal Health Record service provider, how do I know that all the user IDs are valid? And if I am a user of a PHR, how do I know the service is genuine and not a pirate trying to hoover up health records?
And while I do think child safety is complicated and subtle, I would still add to the authenticity wish list: If child Alice is looking at another child Bob's online page, how does anyone know Bob is really a child? Can we inject some authenticity — such as minimal age verification — into OSN without having to ask all users for their full name, date of birth and Social Security Number?
These sorts of uncertainties erode the integrity of the Internet, of the digital economy, and ultimately of the real economy. My contention is simply that if the Internet is as important as governments say it is, then we need a blended approach to digital confidence, one that encompasses the best new identity technologies, as well as regulation, as well as education. Too often I hear that one only needs 'common sense' to remain safe online, but there can be no reliable common sense online when the online world is so unreal. And in any event, we don't rely on common sense alone to render any other critical infrastructure safe, be it road, rail, electricity or gas.
MikeM
January 15, 2009 at 10:05 am
Fair questions
There is no single answer to the issues you raise, Stephen, but how important are they?
Just because an ATM in the wall says it belongs to Westpac, it is not risk-free. Scammers may have attached surveillance equipment to it that records your card number and PIN. Or a robber may walk up behind you, stick a knife to your back and confiscate your cash.
How do you know that maintenance on that aircraft that you are about to board was carried out by a qualified aircraft maintenance engineer?
http://www.smh.com.au/news/national/qantas-liar-also-stole-from-social-club/2009/01/14/1231608794630.html
Reading the HTML code of an email or a web page is neither necessary nor especially helpful in determining whether it is bogus.
As long as you know the precise URL that the sender is supposed to have, and see that the originating URL is different, then you should reject it. That is all you need.
Fished out of my spam folder where Google mail put it automatically, is an email that purports to be from Microsoft about "MSN Featured Offers" but the links in the email are actually to a site, happinessfig.com, not to microsoft.com. I can see that simply by resting the mouse pointer on the link. I don't need to go to any HTML. (I have to say that Gmail's spam detection facility is good. I wouldn't see more than a spam message every couple of days in my inbox.)
If I really wanted to go into detail I would look up that site at whois.domaintools.com, where I would find that its title refers to Viagra and its owner has an address in Moscow. However I didn't need to do that to know that it didn't come from Microsoft.
Sometimes spammers use a slightly misspelt version of a valid site. For instance a spammer pretending to be Microsoft might have registered microssoft.com or some other slight misspelling as his web address. As always, it pays to be diligent.
The Australian Securities & Investments Commission has more about online scams at http://www.fido.gov.au/fido/fido.nsf/byheadline/Nigerian+scams?openDocument
But while people fall for the most transparent scams, you have to think that there is no limit to human gullibility. Even scammers are gullible, as the people at http://www.419eater.com/html/trophy_room.htm repeatedly demonstrate.
In the case of credit cards, merchants simply take their lumps. Many will only deliver goods to the card's billing address. Since the CVC or equivalent is not recorded on the card's magnetic stripe or on paper imprints, villains can't find it out unless they can obtain the physical card. Furthermore financial institutions of any size have quite sophisticated behavioural analysis systems that detect unusual expenditure patterns with a card and will reject suspicious authorisation requests.
As for banks, there is a variety of more sophisticated systems than just userid and password. Our bank guarantees to cover us against unauthorised transactions unless we have been clearly negligent, and offers an additional level of security, http://stgeorge.com.au/accounts/ways-you-can-bank/internet-banking/secure-code/
Online health services may raise some issues in future but, given the reactionary stance of the health profession against information technology very little is currently done online other than by fax, telephone and email amongst service providers. The CT scanners, X-ray machines and the like in this part of the world are digital, but law and convention still requires that images be produced on traditional photographic film, instead of being shipped around online. What a waste of money.
I agree that authenticating identities online is a genuine issue, as Peter Steiner pointed out in his famous New Yorker cartoon of July 1993: http://www.cartoonbank.com/item/22230
How does young Alice know that Bobby admires her and wants to be her chat room friend, and is not really Carol's mother setting Alice up for a vicious attack? How does Hans know that lovely Olga on a Russian dating site really exists, and that it is not just a scam to relieve him of hundreds of dollars to find a Russian bride?
They don't. http://www.boston.com/business/technology/articles/2007/11/26/girls_suicide_after_online_chats_leaves_a_town_in_shock/
Although unlike in 1993, law enforcement authorities have become better armed and quite adept at tracking down whether the person at that computer is a human or a dog. Furthermore I see reports from time to time of police forces devoting resources to monitoring chat rooms and the like, looking for adults grooming young people with various nasty objectives in mind. It may require a suspicious mind and a degree of sophistication to pick these people, but confidence tricksters are not unknown in the real world either.
There are plenty of tools available without using the web for some plausible rogue to rob hundreds of wealthy people of their life savings and supposedly create a $US50 billion black hole, http://www.nytimes.com/2009/01/15/business/15ruth.html?ref=business
I know that the argument that people have done it one way is no justification for enabling them to do it another way. All I am suggesting is the issues you raise, Stephen, exist in the physical world and in comparison, are still small beer in cyberspace.
MikeM is roadkill in the wake of the capitalist juggernaut but his voice continues to protest that he is not an individual.
StephenWilson
January 16, 2009 at 9:07 am
Too complacent
MikeM, you say that "the issues … exist in the physical world and in comparison, are still small beer in cyberspace". But it's not small beer at all. Over 50% of payment card fraud is now committed online. Card Not Present fraud online costs over AU$50M p.a. in Australia, over AU$1B p.a. in the UK, is growing at between 40-60% p.a., and shows no sign of slowing.
It is quite wrong that "villains can't find [CCV] out unless they can obtain the physical card". CCVs are available for sale by the tens of thousands on organised crime's carding sites. CCVs are collected online by a great many e-commerce sites, and while they are supposed to be deleted, compliance with Payment Card Industry rules is patchy, and CCVs are in fact leaking in great numbers.
And I think you underestimate the predictament in healthcare. It is not true in other parts of the world that "very little is currently done online other than by fax, telephone and email amongst [health] service providers". The UK's NHS e-health budget is a billion pounds p.a., and HMOs are spending the same sort of money in the US private sector. In Australia, we plan for large scale e-health records, and NEHTA is developing a national Individual Health Identifier, but has not yet given any thought to how to protect that number against ID theft.
Something that specifically worries me is Personal Health Records — is their authentication up to scratch? Most agree that PHRs will revolutionise healthcare; some think they will be essential to constraining costs. If so, then PHRs will soon be part of the critical information infrastructure. The numbers already are huge: US Dept of Veteran’s Affairs’ PHR has 600,000 users, Insurer Kaiser Permanente in the US has 2 million PHR users, and Walmart is in a consortium that plans a PHR for 5 million empoyees. I don't know what the figures are for Google Health. Users of these systems surely merit proper protection against ID theft, pharming, and web site spoofing.
Stephen Wilson is Managing Director of the Lockstep Group.
Lockstep Consulting provides independent advice and analysis on identity
management, PKI and smartcards. Lockstep Technologies develops unique
new smart technologies to address transaction privacy and web fraud.
MikeM
January 16, 2009 at 12:08 pm
MikeM, you say that “the
In a trillion dollar economy that is small beer. Since the banks and merchants, who carry most of the losses are not complaining loudly, I don't see why you are.
I know what the UK's NHS e-Health budget is and it has not delivered much. As for the US, better returns are available (see the latest post on my blog) if medical practitioners washed their hands between patients.
You quote numbers for US health care organisations that you say "worry me" but you don't say what your worry is. If the worry is that mistakes are going to happen, they already do on a massive scale and always have.
Are you simple talking your book?
Seems to me that you are.
StephenWilson
January 23, 2009 at 11:50 pm
e-health identity worries
I am not trying to sell anything here. Open Forum is a place to discuss public policy, and many participants like me are business people with vested interests in their areas of expertise. Readers can discount our views as they see fit, but hopefully not as casually as MikeM dismisses my concerns, and a billion dollars worth of fraud.
MikeM, I am not sure how you can have missed the finance industry's ever spiralling responses to the seriousness of cyber crime. "Not complaining loudly"? Some counter examples … Several nations' regulators have mandated Two Factor Authentication for Internet banking; the US FFIEC strongly recommends it. The credit card associations have spent tens of millions of dollars on the 3D Secure protocol to better safeguard Card Not present (CNP) transactions. CNP Fraud has got so bad that the European Commission Fraud Prevention Group said that it "undermines the general confidence in payments systems". Most British banks are busy leveraging Chip-and-PIN cards for online banking and shopping, like Barclays' "PINsentry" which is in mass deployment.
So it is hard to deny the quantitative and qualitative seriousness of Identity fraud. But the finance sector's responses to date are controversial in their completeness and effectiveness, and in my view, do nothing to systemically improve privacy. These measures certainly won't extend to address e-health's authentication issues.
Regarding e-health, I am not arguing about the efficacy of e-health, nor spending priorities. Irrespective of those matters, it is a fact that vast numbers of people are now using online health services like PHRs. In the context of this thread on Internet authenticity, my point is e-health users are being exposed to mounting risks secondary to ID fraud. If government is serious about the Internet being critical infrastructure for the economy, it's high time they promoted more substantive technical measures to safeguard the citizenry as it goes about its online business.
Specifically I am worried about such problems as:
With so much going on and so much at stake — let us remember the government position that the digital economy is crucial to the economy — my point is that people cannot be left to their own devices. Training alone is not going to make the Internet safe to use for banking and commerce and health care, just as driver training isn't the only way we ensure road safety. Expecting users to know enough to e.g. roll their mouse over a URL to check if it's real — or to even appreciate what a URL is — is selling the public short.
Stephen Wilson is Managing Director of the Lockstep Group.
Lockstep Consulting provides independent advice and analysis on identity
management, PKI and smartcards. Lockstep Technologies develops unique
new smart technologies to address transaction privacy and web fraud.
http://www.lockstep.com.au/technologies