Wednesday, March 30, 2011

Just how much should one be unsettled by all this unsettling stuff?

Sitting here as I type this, I can't see you reading it.  With a couple of exceptions, I have little idea who you might be, and you may well know me only through my profile and posts here.  In the absence of face-to-face interaction, it's easy to think oneself anonymous.  For all you know, I could be a dog.

It's easy to think oneself anonymous on the web, but there are significant ways in which this just isn't so. As I've mentioned in a few recent posts, for example, a web server can find out if you're logged in to various sites, your browser quite likely has a unique fingerprint, and the location of your WiFi router is probably in several databases which can be used to locate people who aren't even connected to it (on a recent road trip, I helped install a brand-new WiFi router, and did a double-take when Apple's location service knew where I was -- because of the half-dozen other WiFi routers in range).

Which brings us to the question: To what extent are these just somewhat unsettling facts of life, and to what extent are they cause for real concern?  And of course, the answer is "it depends".

Fine.  What kinds of things does it depend on?

For such things to be more than theoretical concerns, someone has to do something harmful with the information that they wouldn't have been able to do anyway, or at least, the likelihood of someone doing harm has to increase (or if you really want to be technical, the expected harm has to outweigh any expected benefits, using "expected" in the probability sense).  The downside will depend on what kinds of bad things can happen, which depends on the particular unsettling fact, and how likely they are to happen, which can depend on all sorts of things.

For example, there's probably not a lot of harm in most cases if a server can tell that you're logged into FaceSpace, but if your employer has a strict policy against that and someone decides to install a FaceSpace login detector in your company's internal homepage, the consequences could be serious.  It's up to you to weigh how likely that is and how much you need the job (and how important it really is to browse FaceSpace at work).

If you live under a regime that bans unauthorized WiFi routers, the odds of something bad happening if you put one up anyway are pretty high.  It's almost certainly not worth it.  In most places, however, it shouldn't pose a problem.  If your security is set up properly, most likely all that someone can determine is that there's a WiFi device with some particular SSID near some particular location.  Given that it's easy to determine that there is, say, a house with a mailbox and electricity at a given location, that doesn't seem so dangerous, once you get past the creep-out factor of someone being able to detect something inside your home that they can't see.

To a large extent then, such things are just a part of conducting business on the web.  There's nothing wrong with being concerned about privacy, or taking reasonable steps to try to protect one's privacy, but it's a mistake to expect one's online life to be perfectly private.

But the same can be said of one's offline life.  Ultimately, issues of privacy are not technical, but social and legal.  Expectations of privacy have always been around.  So have breaches of those expectations, and so have various ways of trying to cope with such breaches.  Which is worse: having your Awful Secret shouted in the town square of your medieval village, or to the whole tribal group around the prehistoric campfire, or having it posted to millions of people on the modern web?  I don't see much difference.  All three cases are serious.  What matters isn't how many people find out, but how many people that you care about find out.  I'm not convinced that technology changes that picture much.
