I’ve written a number of posts about security issues relating to the Internet and World Wide Web. We’re all at risk and it’s getting more difficult to keep up our defenses. According to the Ponemon Institute, a Tucson-based research firm, it costs a company over $200 to deal with each customer record that has been compromised when security systems are breached [“Data Breaches Are More Costly Than Ever,” by Brian Krebs, Washington Post, 3 February 2009]. The Institute examined 43 companies that reported breaches last year and found that it cost an average of $6.6 million to mitigate the consequences of the breach. The study “measured the direct costs of a data breach, such as hiring forensic experts; notifying consumers; setting up telephone hotlines to field queries from concerned or affected customers; offering free credit monitoring subscriptions; and discounts for future products and services. The survey also sought to measure more intangible costs of a breach, such as the loss of business from increased customer turnover and decreases in consumer trust.” A year ago, BusinessWeek published an article that highlighted the “rising attacks on America’s most sensitive computer networks” [“The New E-spionage Threat,” by Brian Grow, Keith Epstein, and Chi-Chu Tschang, 21 April 2008 print issue]. That article began with an interesting tale.
“The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as ‘Poison Ivy’ designed to suck sensitive data out of the $4 billion consulting firm’s computer network. The Pentagon hadn’t sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the “sender” and “recipient” to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China’s Yangtze River.”
The authors of the BusinessWeek article report that “many security experts worry the Internet has become too unwieldy to be tamed.” Lack of security is generally the reason that most analysts cite when they call for a dramatic overhaul of the Internet. That is exactly what was on the mind of New York Times columnist John Markoff when he asked “Do We Need a New Internet?” [14 February 2009]. Markoff notes that twenty years ago a young Cornell University graduate student unleashed what he thought was a bit of harmless cyber graffiti that jumped from computer to computer at the speed of light and clogged the nascent Internet within a couple of hours. Markoff then laments, “Since then things have gotten much, much worse.” He reports that things are “bad enough that there is a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over.” The current Internet will probably never go away, but networks within the Internet are likely to be set up as safe alternatives to the current Internet. As Markoff describes it, this new Internet within the Internet would be like “a ‘gated community’ where users would give up their anonymity and certain freedoms in return for safety. Today that is already the case for many corporate and government Internet users. As a new and more secure network becomes widely adopted, the current Internet might end up as the bad neighborhood of cyberspace. You would enter at your own risk and keep an eye over your shoulder while you were there.”
The latest Internet scare occurred around April Fool’s Day when the media warned that a program called Conficker was set to unleash another round of damage similar to what it caused late last year. According to Markoff, “Conficker … has the power to lash together … infected computers into a vast supercomputer called a botnet that can be controlled clandestinely by its creators. What comes next remains a puzzle. Conficker could be used as the world’s most powerful spam engine, perhaps to distribute software programs to trick computer users into purchasing fake antivirus protection. Or much worse. It might also be used to shut off entire sections of the Internet. But whatever happens, Conficker has demonstrated that the Internet remains highly vulnerable to a concerted attack.” Markoff reminds us that the Internet was originally intended to support scientific and security work [see my post Happy Birthday World Wide Web] and that adequate security was not built in and has had to be bolted on. Internet users now spend nearly $80 billion annually to protect their systems, yet the situation continues to get worse.
According to Markoff, the U.S. Government, industry, and academia are collaborating to figure out the best way to start over. They are far enough along, Markoff reports, that they are ready to begin implementing their plan.
“At Stanford, where the software protocols for the original Internet were designed, researchers are creating a system to make it possible to slide a more advanced network quietly underneath today’s Internet. By the end of the summer it will be running on eight campus networks around the country. … The Stanford Clean Slate project won’t by itself solve all the main security issues of the Internet, but it will equip software and hardware designers with a toolkit to make security features a more integral part of the network and ultimately give law enforcement officials more effective ways of tracking criminals through cyberspace. That alone may provide a deterrent. … They argue that their new strategy is intended to allow new ideas to emerge in an evolutionary fashion, making it possible to move data traffic seamlessly to a new networking world. Like the existing Internet, the new network will almost certainly have no one central point of control and no one organization will run it. It is most likely to emerge as new hardware and software are built in to the router computers that run today’s network and are adopted as Internet standards.”
The problem, Markoff notes, is that one of the principal features of the Internet — a user’s ability to remain anonymous — would be lost under any Internet scheme with enhanced security. In the long run, he believes that may be the hardest obstacle to overcome in implementing an Internet replacement. Security isn’t the only reason that people are thinking about changing the Internet. I’ve discussed before the dream of some people to develop a semantic web that would make search engines much more useful than those used today. Stephen Baker wrote an article for BusinessWeek that describes how some businesses are trying to evolve the net so that it can pinpoint the movements and behaviors of millions of cell-phone users [“The Next Net,” 9 March 2009 print issue]. Like the more secure Internet discussed by Markoff, the Internet described by Baker would require a significant reduction in the privacy of its users. The focus of Baker’s story is a small company called Sense. The company was founded by Greg Skibiski and his chief scientist, Tony Jebara, who is also a Columbia University computer science professor.
“Phone companies and advertisers provide Sense with raw data on people’s movements and behavior. Sense’s mission is to transform mountains of data into intelligence: what individuals will be most likely to buy, or where they’ll be when a craving hits. … Marketers have long dreamed of zeroing in on shoppers, whether in a mall or a competitor’s store, and hitting them with targeted ads or coupons. (The privacy implications are a big deal, as we’ll see.) But the business ramifications of the Next Net stretch beyond marketing. Mobile data also promise to help researchers fine-tune transit systems, study the spread of crime or disease, and even monitor and optimize the movements of workers. For many businesses, the coming flood of mobile information could bestow a competitive edge.”
Baker points out that Sense is doing in the physical world what Google does in the cyber world — it is mapping people’s preferences and behaviors.
“Eventually these insights may lead to a new kind of cartography. The evolving maps will identify places not by their roads, forests, or mountain ranges but by what kinds of people spend time there and by what they do. If the efforts succeed, these pulsating flows of information are likely to become a vital resource for every company that wants to put up a sign, sell a drink, rent a room, or fill a stadium.”
Sense, in other words, is trying to put a little science behind what we already suspect — that the people who flock to NASCAR races and guzzle beer are probably not the people who attend the opera and sip champagne. The explosion in popularity of smartphones and improved mobile network location capabilities is what permits Sense to obtain the data necessary for its algorithms to work.
“Every time a user clicks on an application, whether it’s to turn a phone into a radio or make a bid on eBay, the time and place of the event zips straight to the company selling the service. Certain phone manufacturers can also peek at this data, depending on the handset. Naturally, the wireless service provider also sees it and can place it into the context of the user’s other behavior, from physical movements to calling patterns. While phone companies have long had a line on customer behavior, the applications add crucial perspective by pointing directly to each person’s interests and needs. … It’s also becoming easier to pick up a handset’s digital trail. Traditionally, wireless carriers have marked our wanderings only by the nearby cell towers receiving our signals. Each phone, even at rest, stays in touch with those towers so it can send and receive calls. But the towers can miss a person’s location by several hundred yards. Satellites are more precise, but they often don’t work when people are under roofs. Many of the latest phones, including the iPhone, have Wi-Fi, the radio signals used in home networks. These signals often can pinpoint someone within 33 feet.”
As noted above, however, there are serious privacy concerns about a business that tracks a person’s every move. Baker reports that Sense’s executives “concluded a consumer-led business would place Sense in the crosshairs of privacy advocates—and it wasn’t likely to pay the bills.” As a result, Sense has focused its marketing strategy on companies rather than individuals. Nevertheless, privacy issues remain. Baker wonders aloud whether users will permit their movements to be used for advertising purposes or willingly receive targeted ads on their mobile devices.
“The consensus among marketers is that consumers won’t stand for an invasion of targeted ads on their phones unless they have asked for them. Fearful of a privacy backlash (and resulting government regulation), most advertisers are holding off on personalized ads and coupons. Instead, they’re focusing on customer service, an area in which mobile technology has a track record. General Motors provides an early example. Some 5.5 million subscribers in North America pay for its OnStar global positioning service.”
We know that the Internet will continue to evolve. It should be clear from the discussion above, however, that the direction it will take is not so clear. Security issues will continue to clash with privacy issues. In the end, however, I suspect that millions of people will opt for security over anonymity. Users who continue utilizing the Internet as we know it today should have an icon that pops up and says “Here be monsters.” Medieval cartographers, when noting uncharted areas, would often inscribe them with the legend “Here Be Monsters.” Drawings of fanciful sea monsters would often accompany the legend. The difference today is that we know there really are monsters waiting on the Internet. Figuring out how to keep them from devouring our systems remains a real challenge.