Online Safety

Evidence continues to mount that the real problem on the Internet is that it is not as safe/secure as it needs to be -- not the popular neutralist myth that it is not open/neutral enough. (Parts: I, II, III)

• I would be surprised, if the succinct evidence that I have assembled below, does not deeply trouble the reader.  
• Moreover, it is also troubling that there is not more focus on the real and increasing problem of Internet safety/security because there is so much attention focused on making the Internet even more open and vulnerable than it already is.    

The Mounting Evidence of a Growing Internet Security Problem:

My prediction on World Privacy Day -- that it was "only a matter of time before there is a public earthquake over" the "Growing Privacy-Publicacy Fault-line" -- came true in less than a month. 

• Facebook's recent publicacy changes to their terms of service led to a quick consumer "earthquake" over who owns their private information online -- an earthquake that was triggered by a strategic blast from the Consumerist blog.
• In a matter of days, Facebook reversed its publicacy changes to its terms of service, restoring them to their previous state. 

Anyone that thinks this is an isolated incident, simply does not understand the powerful underlying tectonic dynamic here -- that there is growing tension on the privacy-publicacy fault-line.

Evidence continues to mount that the real problem on the Internet is that it is not as safe/secure as it needs to be -- not the popular myth that it is not open/neutral enough. (See previous posts in this ongoing series here: Part I, Part II)

• It is a sad state of affairs when there is more media and public policy attention paid to addressing potential "open" Internet problems, than to the very real and increasing Internet safety/security problems.

More evidence on the seriousness of the Internet's growing security problem:

"The Online Shadow Economy: a billion dollar market for malware authors." MessageLabs White Paper

• "The shadow Internet economy is worth over $105 billion. Online crime is bigger than the global drug trade."
• "With little chance of being caught and so much money at stake, it is little wonder that "a huge number of people are involved""
• "...malware is going to get more common and more virulent..."

 "Corporations Are Inadvertently Becoming the No. 1 Security Threat to Their Own Customers, According to New IBM X-Force(R) Annual Report"

The 'publicacy' trend, where technology increasingly makes public what used to be private, has reached another noteworthy milestone -- the popularization of location tracking of people via smart-phones. 

• Google just launched a new free app for smart phones, Google Latitude, that uses location-technology to track users' physical movements and to and share those movements or locations with others.  

  Lets look at how this new development increases tension underneath the growing "privacy-publicacy faultline" that I described in my post on World Privacy Day last month.

  • I have three takeaways.

  First, the obviousness of the "creepy" publicacy factor in this instance -- forced more respect for privacy concerns.

Evidence mounts that the real problem on the Internet, is not that it is not open/neutral enough, but that it is not as safe/secure as it needs to be. (Part I)

• Public policy priorities are really warped when there is so much discussion about addressing an unproven and potential net neutrality problem, and relatively little discussion about addressing the very real, serious and growing Internet safety/security problems.

Mounting evidence: 

"Cyber-Scams on the Uptick in downturn:" Wall Street Journal

• "Experts and law enforcement officials who track Internet crime say scams have intensified in the past six months as fraudsters take advantage of economic confusion and anxiety to target both consumers and businesses." 
  • "Cyber-assaults on many banks have doubled in the past six months in the U.S."     

"70 of Top 100 Web Sites Spread Malware" Information Week

• "That represents a 16% increase over the first half of 2008."

"Website infection rising, warns Websense" PortalIT News

Given that January 28th is World Data Privacy Day, its instructive to examine why there is such increasing tension underneath the surface of the Internet over the issue of privacy. I believe there is a growing "faultline" between two opposing tectonic forces -- one that believes in online privacy and the other which believes in the opposite -- online publicacy.

• (I coined the term "publicacy" in my July 2008 House testimony on online privacy because Internet technology has created the need for an antonym to describe the opposite of privacy.
• Many in the Web 2.0 community believe in the "publicacy ethos" where if technology innovation can make information public, it should be public and that there should be no permission or payment required to access, use or remix this new 'public' information.)

  I.  Why are there opposing tectonic plates of privacy and publicacy?

  A.  The growing pressure for privacy is captured in a Consumer Reports Survey from 9-28-08: "Consumer Reports Poll: Americans Extremely Concerned About Internet Privacy: Most Consumers Want More Control Over How Their Online Information Is Collected & Used."

Kudos to the group of Internet security experts who came up with the Top 25 coding flaws that lead to ~85% of all cyber-criminal activity on the Internet -- thanks for the heads up from Zero Day Threat and Byron Acohido's article in USA Today.

I look at this ~85-25 insight as the cyber-security community's version of the old 80-20 adage that 80% of effects come from 20% of the causes. 

• While the numbers are slightly off in this instance -- the concept is dead on. 
• If you want to get anything done in the real world, one has to use tried and true strategies like the 80-20 rule. 

To explain the rest of my mixed metaphor...

Here's an ominous assessment of the state of the open Internet and the future of cloud computing -- "The web is under attack, as are corporations and consumers" per Mary Landesman a senior security researcher for Scansafe -- in an excellent ZDNet post I recommend: "Security lessons not learned will haunt us in 2009."

Landesman's Internet prognosis is sober and realistic:

• "There was more web-distributed malware in July 2008 than in the whole of 2007."
• "...2009 may prove a pivotal year for the future health and viability of the web."
• "The power of distributed computing has brought malware to the masses via botnets. While systems administrators cling to desktop-security solutions, the attackers have clearly moved to the cloud."
• "In terms of malware, 2008 was a very bad year. But 2009 will be far worse."

Bottom line: If this Internet security assessment is even remotely on mark, (and I think it is dead on), too many people are worried about the potential health of the bark on some trees and missing the fact that the Internet forest is on fire. 

In other words, the debate over net neutrality/open Internet, has many missing the security of the Internet forest for the net neutrality trees. 

The threat of cyber-attacks pose the biggest risk "from a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities" said FBI official, Shawn Henry to a  New York conference Tuesday per a story in the Sydney Herald.

• "US experts warn of "cybergeddon", in which an advanced economy - where almost everything of importance is linked to or controlled by computers - falls prey to hackers, with catastrophic results. Michael Balboni, deputy secretary for public safety in New York state, described "a huge threat out there" against everything from banking institutions to water systems and dams. Henry said terrorist groups aim for an online 9/11, "inflicting the same kind of damage on our country, on all our countries, on all our networks, as they did in 2001 by flying planes into buildings."

Rick Hodgin of TG Daily added in his coverage of the conference:

• "Christopher Painter, an FBI "specialist," described the basic weakness in fighting for cyber security. He said the threat is largely invisible and people don't always take it seriously. "It's not like a fire. It's hard to get your head around the threat. We often discover a company has been attacked and we tell them that and they don't know."

Bottom line: 

Out of sight -- out of mind.