Where's my tinfoil hat?

Gibbs knows they (and maybe you) are out to violate his privacy.

OK. This column may make me sound like I'm about to make a hat out of tinfoil but bear with me because my paranoia is completely justified. I know the truth and it's not "out there" as in "The X-Files," it's right here and it's a harsh reality that people really don't want to admit to: The reality is that there is no real privacy any more.

The fact is that today, should you become "of interest" to any person or group with serious power, whether that power is economic, political or criminal, you can kiss your privacy goodbye. And even without the Masters of the Universe on your case, there aren't really any organizations you can trust with your privacy.

IN THE NEWS: EU data retention law blasted on privacy issues

For example, remember in 2009 when I wrote about how Sprint had allowed various three-letter government agencies to track the location of cellphone users some 8 million times without a warrant being requested? Sprint actually made it easy for the agencies by creating a self-service portal! What happened when this was revealed? Nothing! No one in power cared that due process was being ignored!

"Ah," you might say, "but that was Sprint. We know they aren't consumer-oriented like, say, Apple, so of course they can be persuaded to do bad things."

Oh, really? Then what about the very recent revelation that Apple has built into its the operating system for the iPhone, the iPod Touch and the iPad a fairly well-hidden subsystem that keeps a log of all geographic fixes the system acquires through Wi-Fi or cell towers?! For what purpose is this done? No one knows; it seems that nothing is done (yet) with the data.

ANALYSIS: Apple iPhone location tracking has been no secret, researcher claims

So far, Apple hasn't commented on this "feature" but the fact that he subsystem is there and that it was hidden is enormously suspicious. Even if there's nothing funky about this -- say Apple did it for some defensible reason -- then it's still a huge problem because the subsystem is a huge privacy violation waiting to happen.

What's that? You admit Apple may be playing fast and loose but you think the government does care about privacy? And why would that be? Oh, you're thinking of the recently launched "National Strategy for Trusted Identities in Cyberspace" proposal are you?

Well, back in January I wrote a column about NSTIC, which is a program being driven by the National Institute of Standards and Technology (NIST).

The NIST website for NSTIC explains the proposal "is an Obama Administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will improve the security and convenience of sensitive online transactions through the process of authenticating individuals, organizations, and underlying infrastructure -- such as routers and servers."

PROPOSAL: White House releases trusted Internet ID plan

Just to refresh you on the NIST pitch, here's their big sell: "The NSTIC envisions a cyber world -- the Identity Ecosystem -- that improves upon the passwords currently used to login online. The Identity Ecosystem will provide people with a variety of more secure and privacy-enhancing ways to access online services. The Identity Ecosystem enables people to validate their identities securely when they're doing sensitive transactions (like banking) and lets them stay anonymous when they're not (like blogging). The Identity Ecosystem will enhance individuals' privacy by minimizing the information they must disclose to authenticate themselves."

In my original column I made several points about why this proposal for an "Identity Ecosystem" (yes, those are ironic quotes) was a bad idea, which included the government's own inability to manage the online security of their various agencies and their endless record of project mismanagement. I still stand by those as key arguments against the NSTIC proposal producing anything that will have a significant impact in any reasonable amount of time, and would argue that anything that is produced before the next ice age will be deeply flawed.

The fact is that any artificial engineering of a large scale "ecosystem," whether natural or manmade, carries with it serious risks of something going wrong because ecosystems are collections (systems) of interdependent processes that quickly become more complex than anything we can model.

For example, consider that in the real world "exotic" plants and animals introduced into the U.S. over the last century now cause economic damage estimated to be in excess of $138 billion per year! Many of those introductions were things like grasses and toads and were made by real scientists, people who, one hopes, weighed the evidence and concluded that the risks were acceptably low or nonexistent and they still screwed up.

My problem with the NSTIC "Identity Ecosystem" is that what's being suggested will be an artificial thing with a huge array of intentional, engineered interconnections and interactions and, as a guaranteed result, it will be rife with unintended consequences.

Now I'm not sure how many people agree with me and, indeed, some people think that the whole boondoggle has some kind of potential. For example, Aaron Titus, chief privacy officer of Identity Finder, a company that specializes in identity protection and data loss prevention, wrote a very thoughtful blog posting on NSTIC that was very supportive but covered his bet concluding:

"While we're concerned about the unsolved technological hurdles, we are even more concerned about the policy and behavioral vulnerabilities that a widespread identity ecosystem would create ... Although NSTIC aspires to improve privacy, it stops short of recommending regulations to protect privacy. The stakes are high, and if implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy ... If NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity marketplace."

Aaron's quite right in his concerns but quite wrong that there's hope for NSTIC to be successful. It's simply too big, too complicated, there's too many moving parts and too many stakeholders, and way too much that can and will go wrong.

The point is that when it comes to your privacy, Sprint doesn't care, Apple doesn't care and the government doesn't care. No one cares but you. And me. And I can't trust you.

Anyway, enough of this. Gotta go, got to make it to the supermarket before they close; I'm out of tinfoil.

Gibbs is getting paranoid in Ventura, Calif. Your private thoughts to backspin@gibbs.com.

Copyright © 2011 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022