01-30-2013 | Keeping Secrets II

"One puzzle in security economics was how the world manages to function despite our reliance on computers and their terrible vulnerability. We are starting to realise that computer crime has split into quite separate mass markets and elite markets. In the first, PCs are compromised by automated attacks, such as malware loaded by porn sites, and sold for a few tens of cents each to spammers. In the second, smart attackers study a high-value target — a company CFO, or a diplomat — and send carefully-crafted emails that trick him into installing snooping software on his PC. These attacks don't cost tens of cents per machine, but thousands of dollars. The reason the world still works is that most of us are not worth the effort of a targeted attack."

"On the engineering side, the critical fact is that security (and privacy) don't scale. A secret diplomatic telegram known to a million US government employees just isn't secret anymore. And a national medical record system is no different. One was built in Scotland, making five million residents' records available to tens of thousands of doctors and nurses; in short order, the records of politicians, footballers and other celebrities were compromised. And a privacy-conscious celeb would not keep her money in a big money-center bank that lets 200,000 staff at 2,000 branches look up any customer's statement; a small private bank in Geneva is a much better bet. But that will never work for the masses; the average schoolteacher or bus driver is never going to pay $300 a month in account maintenance charges."

"So this leads me to a prediction about privacy economics. At equilibrium the elite will use private banks, exclusive clinics and so on, while the mass will have no privacy — as Scott McNealy famously remarked. Most people won't care, as no-one is particularly interested in them. In fact if you're poor it can be an advantage to have no privacy; if a shop knows you're poor it'll offer you discounts it won't offer to the rich. It's the rich who have an incentive to be inconspicuous, so they don't get charged extra. So my answer to 'When does my right to privacy trump your need for security?' is 'When I am prepared to pay for it.'"

-- Ross Anderson

Flashback: The Ruling Class of US Intelligence - Timothy Shorrock

Meta: Scientific Persuasion - old school Innovation Patterns.
