SERIES: Security Now!
DATE: December 6, 2007
TITLE: Is Privacy Dead?
SPEAKERS: Steve Gibson & Leo Laporte
SOURCE FILE: http://media.GRC.com/sn/SN-121.mp3
FILE ARCHIVE: http://www.GRC.com/securitynow.htm
DESCRIPTION: This week Steve and Leo take a break from the details of bits and bytes to discuss and explore the many issues surrounding the gradual and inexorable ebbing of individual privacy as we (consumers) rely increasingly upon the seductive power of digital-domain services.
INTRO: Netcasts you love, from people you trust. This is TWiT.
LEO LAPORTE: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting.
This is Security Now! with Steve Gibson, Episode 121 for December 6, 2007: Is Privacy Dead? This show and the entire TWiT broadcast network is brought to you by donations from listeners like you. Thanks.
It's time for Security Now! with Mr. Steve Gibson, the guru of technology and security and privacy. Hello, Steve.
STEVE GIBSON: Ah, Leo, I think after, well, we're in our third year now. You and I have known each other for decades. You can drop the “Mr.”
STEVE: Ah, yes.
LEO: Decades? Is it really…
STEVE: Has it been decades?
LEO: Well, yeah, Tech TV was launched, well, we have the 10th anniversary of Tech TV is in May. Almost a decade.
STEVE: And of course we knew of each other well before that.
LEO: Oh, well, you're world famous. The creator of the Apple II light pen. Many don't know that.
STEVE: Ah, yes.
LEO: And then SpinRite, of course, has been going - how many years old is SpinRite?
STEVE: SpinRite is 20 years old.
LEO: Whoa. Really. Wow.
STEVE: Yep, it's - I guess not quite. Sue, who's been with me for seems like forever, this month she celebrates her 20th anniversary in my employ. And my tech support guy, Greg, sent me an email, like, last week, saying, hey, just didn't know if you noticed it, but I've been with you for 17 years. So that's stability for you.
LEO: Yeah. And you know, I think a lot of software vendors might not say - might not trumpet the fact that they've been around for two decades. But you are on Version 6, and you have been updating it. And in many ways I think because how hard drives operate really doesn't change that much, right, I mean…
STEVE: Well, exactly. I think the issue is that I really went down to the fundamentals with SpinRite. And those haven't changed. And you know, god knows drives have gotten insane. I will never forget when I sent my lead tech guy out to get a bigger drive for our server. And he went off to Fry's, our local electronics retailer. And he came back, and we thought maybe, oh, wow, you know, could it be 800 megs? That would be so much more than we have now. I think we probably had, like, 120 or something. And he came back with sort of a sheepish look on his face. And he says, I hope this is okay. And I said, what? His name was Jim Ralph. And he said, well, I got a gig. I said, a gig? I mean, no one had ever seen such a thing, a gigabyte. It was like one of the full, five and a quarter inch, full height drives with a huge tower of heads inside, just crammed with platters in order to get a gigabyte.
LEO: Amazing, amazing.
STEVE: So it's like, whoa, times have changed. But SpinRite, as we know, has kept up with it. And but still the fundamentals of drives have not changed. So all that has remained the same.
LEO: It's pretty amazing. Yeah, I remember very well my first 20MB drive. That was a big deal, when they went to MFM.
STEVE: Well, in fact I think that was in my first XP, a real steel tank IBM XP, had 20 megabytes. It's like, oh…
STEVE: Oh, sure, right, XT, of course.
LEO: And I think that was an extreme, or extended. That was the one that went - because the first IBM PC had a 4.something 77 MHz processor.
STEVE: 4.77 MHz, 8008 processor. And a cassette interface.
LEO: No drives. Not even a hard - not a hard drive, not even a floppy. And then the XT was the first with a hard drive. And then the AT was 286, wasn't it? I'm trying to remember now. We'll get emails…
STEVE: Yeah, the AT, the Advanced Technology. It was a PC/AT, and that was a 286.
LEO: I think that was 8 MHz. And then if you got a clone AT, I remember we got clone ATs that were, ooh, 10 MHz, but they were very unreliable. They couldn't - the memory couldn't keep up with the processor.
STEVE: Right, they were sort of being overclocked.
LEO: They were basically overclocked.
STEVE: Well, it works. And then, of course, the clone market happened, and Asia got involved. And so things really went wild at that point.
LEO: We were trying to run a BBS, I set up a BBS for one of the first Mac stores in San Francisco. And it just was horribly unreliable, and it's because we put it on a 10 MHz processor, an AT clone. And now in retrospect I know exactly what was wrong, we were overclocking the thing, and we weren't - it just was failing all the time.
STEVE: Right, and there were all kinds of third-party tools that were like, you know, they were called the “overthruster” and the “overdrive” and all kinds of, I mean, literally with a potentiometer, you know, a dial sticking out the back.
LEO: You'd turn it up.
STEVE: You'd turn it up until the machine locked up and stopped working. And then you'd back it off a little bit. Oh, I mean, it was the Wild, Wild West back then.
LEO: Man, it was funny. Well, we're going to come back to the 21st century now. Although some day I really want to do, maybe get together a number of people like you with histories going back that far and do a computer history show.
STEVE: Jerry Pournelle would be perfect, too.
LEO: Pournelle, yeah. Wouldn't that be fun?
STEVE: And Dvorak. It really would be, just a nostalgic, old cranky old men, this is the way things used to be.
LEO: Yeah, we'll do that. I've always wanted to do that, yeah.
STEVE: You know, speaking of contemporary stuff, I forgot to ask you when we were talking before we began recording, did you get your Kindle?
LEO: Not yet. Did you get yours?
STEVE: Oh, yeah.
LEO: Mine's supposed to come today or tomorrow.
STEVE: Okay. Well, we'll wait to talk about it until you've had some experience with it. I really…
LEO: Are you happy so far?
STEVE: I really - I'm addicted.
LEO: I would like to wait, frankly, because I think the best thing to do on something like this is to give it a few weeks.
STEVE: Yes, I agree.
LEO: So maybe after the holidays because we're going to be pretaping a lot of shows over the next week or so. But maybe after we've both had time. I'm going to probably take it to Egypt and really have an experience with it. Maybe early next year we can talk about the Kindle.
STEVE: Yeah, that'd be good. I wanted to use the power of the podcast to ask our listeners, if they are Amazon users, to check out my review, which is online, and give it a thumbs-up if they think it's worthy because there are - what happened is, the Kindle, if nothing else, is incredibly controversial. It's just phenomenal how many people hate it without ever using it or seeing it. And so if you look up the Kindle on Amazon, there's more negatives, that is to say, one stars, than there are five stars; yet none of the one-star people own it or have ever seen it or used it. They just know they hate it. And so anyway, what I did was I created a simple URL for our listeners, if they'll just go, use a web browser, and put in snipurl/skr [snipurl.com/skr], stands for Steve's Kindle Review, that'll take you to my review of the Kindle, what I think about it, what I think it means. And the problem is there are already so many, and I'm late in the game because a lot of beta testers were sticking reviews up, that no one is seeing mine. So I'd love it if our listeners would put in snipurl/skr [snipurl.com/skr] for Steve's Kindle Review. And much as they were able to vote this podcast the 1 Technology and Science Podcast, it would be really cool if people would say, yes, this review was useful to me, which would raise its score so that people who are actually considering buying a Kindle might have a chance to find mine. Because right now I'm, like, down on the fourth endless page of reviews. And…
LEO: Well, it won't be too long because it said now 248 people have found this review helpful, so…
STEVE: Except that 2,800 and some odd have found other people's reviews helpful. The reviews have been there for so long. And mine, you know, I waited until I owned it. And as you suggested, I waited a week of using it and really got a sense for how it is and compared it to the other eBook readers and so forth. So anyway…
LEO: I don't see how to vote on…
STEVE: It's down at the very bottom, at the bottom of the review. There should be a, yes, I found this helpful.
LEO: And each comment it says - oh, no, that's the comment. Oh, I have to go to page 2. You have two pages of…
LEO: Was this review helpful to you?
STEVE: There it is.
LEO: But then it doesn't give me anything. It just says report this. Maybe I'm not logged in? No, I'm logged in. Anyway, I'm going to vote for you because you obviously put a lot of thought into this.
STEVE: Thank you. And 248 or 58 or however many people have also found the button to say yes, it was useful, so it must be there somewhere.
LEO: Apparently I'm not smart enough. Or my browser, I'm using Safari, maybe my browser isn't smart enough. Anyway, that's, yeah. And again, I want to kind of give it a long chance. Now, you and I are kind of - the other thing is, you and I are avid eBook readers, so…
STEVE: And that's, yes, that's the way I…
LEO: We're an unusual crowd.
STEVE: Yes, that's the way I start out. I explain who I am and that I really want it to be a good thing. I want it to work. I want to believe, like in Tinker Bell, so her light gets brighter, I want to believe in eBooks and want them to succeed. And I'm really happy with the Kindle, so.
LEO: Great. Let us move on to the topic at hand. Now, last week we talked about third-party cookies, and particularly in relationship to this whole issue of PayPal and DoubleClick. Have you heard from anybody from PayPal or DoubleClick? I haven't.
STEVE: Nope. Not a peep.
LEO: Not a word.
STEVE: Not a peep.
LEO: Not - isn't that weird.
STEVE: Well, I just think, I mean, frankly, as we said, I guess it was, what, two weeks ago because we did a Q&A last week, my sense is that PayPal is a company desperately in need of competition. They, I mean, they really have cornered the market. And in my own endeavors to get any kind of contact with a human, it's just been hugely thwarted. It's just impossible to find anyone there. And I've heard, anecdotally again, from people, I mean, I've personally never had a problem using PayPal services of any sort, except that I would love to get that virtual debit card, and I can't because the automated process doesn't recognize me properly. And I've tried several times, literally for hours, with my phone on speakerphone, on hold, trying to get a hold of someone. And it's just virtually impossible to find a human being. So, I mean, they're sort of a classic Internet service. Unfortunately, you know, they're also a behemoth. And for whatever reason, despite the fact that our podcast has proven reach, it didn't reach anybody at PayPal. Or at least they didn't reach back.
LEO: Well, maybe they didn't have anything to say. Maybe they have no answer for us, you know? Weird, just weird. But, yeah, no, nothing from my half, my side, either. Anything else you want to cover before we get underway here with our new show?
STEVE: I did have and do have a really fun, this is sort of a different and humorous, even, SpinRite story to share with people. It came in at the beginning of November from Thomas Martin, who said, “I've listened to so many people talk about how SpinRite has either helped them get lucky or saved the day. My story is not as exciting, but it made me the savior of many. I have a Generation 3 iPod that had…” - or he says, “I had a Generation 3 iPod that had a hard drive issue a couple of years back. And I was so pissed, I actually made it a doorstop for my office. Over time, all my friends and their friends started giving me their iPods that had stopped working due to hard drive issues. Now, the funny thing is, over about three years I collected exactly 26 dead iPods.”
STEVE: “I had paperweights, bookends, doorstops. It was just a running joke. Considering how many episodes of Security Now! I've listened to, I should be slapped for not thinking about SpinRite sooner.” He says, “Recently with my Generation 5 iPod I had Vista tell me it could repair the drive on my storage device. Then synching failed. At that time I was listening to you talk about how some guy got lucky dating a woman thanks to SpinRite. Then it was like that light bulb went off. I went…”
STEVE: He says, “I went to GRC and purchased a copy during the episode. And like magic, my Gen 5 iPod was working again. Then I started looking around my office at all the bookends and decided to try it on them.” He said, parens, the iPods he collected from his friends.
LEO: I guess once you, I mean, it's hard to get an iPod working with SpinRite because you have to get a connector and everything. But once you do it once, it's easy because now you've got all the hardware.
STEVE: You've got the cables and things. He says, “Go figure, it worked time and time again. I found myself over the next week calling friends and telling them their iPods worked. Thank God most of my friends filled out owner information.” Funny, it's not until I'm just reading this now to you, Leo, that I realized what he meant by that. That's how he was able to figure out who…
LEO: Whose was whose.
STEVE: Exactly, which iPod belonged to who.
LEO: Otherwise they all look the same.
STEVE: I guess now we've got iPods filled with oldies. But anyway, he says, “Maybe I should have sold them all on eBay. But my goodness, I felt silly having listened to you for this long and never drawing the relationship between SpinRite and my broken doorstops.”
LEO: Great story.
STEVE: So I thought that was…
LEO: Does he say how many total that he had, I wonder?
STEVE: Well, yeah, he says he had 26.
STEVE: 26 dead iPods. So he must have just had, like, an iPod circus in his office, with bookends…
LEO: Interesting. He was the one people went to. I guess once you have the first 10, people start to recognize you as the guy to give your - I have a dead iPod. If I had known, I would have given him my dead iPod.
STEVE: Donate your dead iPods, and Thomas Martin will fix them for you.
LEO: See, I know that SpinRite will fix this. I know it's a hard drive thing. But I just - it's the pain of getting all the, you know, the equipment and the connectors and all that stuff.
STEVE: Yeah, well, and Leo, it's why I didn't own an iPod until they took the hard drive out. Because it's just - you just, I mean…
LEO: You know better than anyone they're going to fail.
STEVE: I was going to say, no one knows better than I do how flaky spinning magnetic drives are, especially in a little consumer device that you're inherently going to sort of just toss around.
LEO: Right. Yeah, exactly. And now, ladies and gentlemen, without further ado, let us move on to our topic of the day.
STEVE: You know, I wanted to sort of address explicitly something that we've touched on tangentially many times, but you and I have never really discussed. And I know you've got interesting and probably some strong feelings about the issue. And that is the way technology is impinging on our privacy, I mean, to an increasing degree.
LEO: Well, and this kind of takes off of what we were talking about with DoubleClick and PayPal.
LEO: Because as you surf the 'Net you assume that there are some protections of your privacy. But as it turns out, as we learn more and more, there aren't.
STEVE: Well, and it's pervasive, too. Certainly with computers we have the problem. But even with more and more technology we're seeing an increasing level of, well, first of all, just sort of passive action, but then also increasingly aggressive action. I mean, there was a funny episode of a TV show, it was a sitcom with Paul Reiser, I can't think of the name of the…
LEO: Oh, I loved that. “Mad About You.”
STEVE: “Mad About You.” Yeah, he and his wife, it was - actually I thought it was really very, very clever.
LEO: Great show. I enjoyed that show.
STEVE: And there was one episode where he was really upset with his TiVo because, as he explained it to his wife, his TiVo had decided that he was gay. And…
LEO: And that, by the way, is a takeoff on a famous Wall Street Journal story, “My TiVo Thinks I'm Gay.”
STEVE: And of course so, you know, we know that TiVo, those users who have TiVo, it has this facility where you can give shows thumbs up and thumbs down, sort of basically rating shows that you like or dislike. And the idea is that using sort of this network awareness technology that we're seeing more and more, sort of an early form of social networking, you'd be training your TiVo about the things you like, and then it would be recording things that are like the things, that it thinks are like the things that you like, based on some sort of networking model. But the other thing that's going on, of course, and again, it's in the privacy statement as you go to the TiVo website, they tell you that everything you do with the TiVo is recorded. They know when you fast-forward through commercials. They know when you stop watching a show midway. They know exactly what your season pass schedule is, that is, all the shows that you've elected to have TiVo record for you. I mean, basically it's like having a Nielsen box sitting there watching everything you do. And in issues of privacy discussions with people, they've said, yes, except that families who are Nielsen families, who are knowing that they're being monitored, they're being reimbursed for having themselves monitored. Whereas with TiVo you actually pay a subscription fee in order…
LEO: I can tell you, TiVo makes a lot of money selling that information, by the way, because I've seen those reports, and they have offered them, they offer them at Tech TV to us. And they're very expensive.
STEVE: No kidding. So you've actually seen, like, that kind of data.
LEO: But, and I have to say this, and this is the case in a lot of these privacy invasions, it's aggregate data. It's not about any individual. I can't find out what Steve Gibson watches, TiVo [indiscernible].
STEVE: Of course.
LEO: But I can't buy that information. But I can buy what everybody who watched the Screensavers - they gave us once a report for the Screensavers, and it's a graph. You can watch how many times each episode, each part was rewound, watched, watched again. There's spikes where people apparently rewind several times. It's very, for a television programmer, hugely valuable.
STEVE: Yeah, I can see that. Now, of course, the problem is that TiVo does know me…
LEO: They know. You bet.
STEVE: …because, yeah, exactly, they know. And as we know, unfortunately, anything that any company knows can be forced from them by subpoena.
LEO: By government.
STEVE: Exactly. So again, clearly they're producing aggregate, anonymized summaries, which is all that anyone would want in general anyway. And I can't imagine why it represents a specific privacy threat to me for Uncle Sam to know specifically what shows I'm watching. And you can argue I guess maybe that, I don't know, do terrorists watch different shows than regular people?
LEO: I think in the case of your TiVo, it probably isn't a huge loss. But think about your library card or what movies you rent. In fact, the Patriot Act allows the government to find out from grocery stores what food you buy. And they've asked in the past, who's buying hummus? And…
STEVE: Well, yes. And in fact I posted to our newsgroups that I was going to - I wanted to discuss this topic, and asked people sort of in general, are there any pet peeves that they have. And there was a report from one of our posters who mentioned that his wife needed to do something, I don't remember exactly what the details were, but she was able to look up on the website everything they had ever purchased at the grocery store. So, I mean, you know, that sort of data exists. And I'm sure it's useful for improving the quality of their service at some level. But it is there, and it's being aggregated.
LEO: Do you have a grocery store club card? There you go. Every time you use it…
STEVE: Yeah, it's funny, I spoke to some security conference years ago, and I don't remember now, I don't remember which one it was. But I was followed on my talk by another privacy guy. And, I mean, this was sort of at the rabid end of privacy, sort of an EFF sort of person, who literally told the audience and recommended that they do what he does, which is when he's in line at the supermarket, he turns to the person behind him and invites them to swap supermarket cards. And he said, and I suggest you do this, and pass the idea along. The idea being it's just…
LEO: Screw with them.
STEVE: It's completely, yes, it's completely scrambling up their database. And certainly, if this thing were - if that were to become viral, and everyone were swapping cards with someone else, you can argue, okay, well, some of the same data is still being collected. But there's certainly no longer any value to the idea that this person is buying this because there is no sense anymore of a certain individual there.
LEO: Right. Somebody told me that club cards, you can ask for the house club card, an anonymous - you can either get an anonymous club card, which you can always do, or ask for the house club card and swipe that one. And apparently there's some sort of, because of privacy issues…
STEVE: Oh, so there's a law that they have to…
LEO: I think in some cases. You should ask about that, yeah.
STEVE: That does make sense.
LEO: Now, an interesting point that many privacy, maybe kind of more equitable privacy advocates would say is, well, here's the deal. If it's explicit, in other words, if a company says we're going to aggregate and sell your data, and the company offers compensation to you, something of value - in the case of a grocery store club card you get big, big discounts. There's a real incentive to use them. And as long as they're upfront with this is what we're doing, this is who's getting the data, and this is the, you know, we know you're giving us valuable information, so here's your compensation, what's wrong with that?
STEVE: Right, I know, I completely agree with you. I think there are a number of things, a number of perspectives into this. There's the issue of the benefit tradeoff, disclosure, transparency, and control.
LEO: Perfect, perfect.
STEVE: And so for example you want to, for example, transparency is - I want access to the data that you have about me. I want you to be transparent about what you're collecting, what you have collected. And then the control issue is, and I want to be able to delete some of it that I don't…
LEO: I love that.
STEVE: …that I don't want you to have. I want to be able to make you either selectively or in whole forget what you know about me.
LEO: And that's - I like that. And of course, you know, also not only what you collect and give me control of it, but what you might be doing with it, as well, who you might be giving this to.
STEVE: Ah, indeed. And yes, repurposing of collected data is a real danger because you could argue that Company A is in a certain business, and its users, its customers have agreed to, you know, the general benignness of what Company A would do with the data that they collect. But when Company B purchases Company A, who has a whole 'nother agenda, I mean, I think it's one of the reasons that people are very uncomfortable about the idea of Google purchasing DoubleClick. It's like, okay, DoubleClick was sort of bad enough by themselves. Google, I mean, search is another perfect example of knowledge-based aggregation because we know that Google is a rabid cookie planter. They're planting cookies everywhere they can. And they know about everything I search on.
LEO: Boy, and we also know that even if they don't collect personal information, those searches in aggregate say a lot about you, as we found out when a reporter got that AOL search information and was able to track down the person based on the search information alone.
LEO: Because it tells you so much about you in aggregate.
STEVE: Yeah, I think that the other issue is what I call the “benefit tradeoff.” And, for example, I would argue that we TiVo users probably get very little benefit from the fact that TiVo is getting tremendous benefit from selling our data, except maybe that it's keeping TiVo from going out of business, and we'd like TiVo not to go…
LEO: It's part of the business model, yeah. But no, you make a point. We don't get - otherwise we don't get anything out of it.
STEVE: Right. And as you were saying, the club cards give you a substantial discount. So there's a substantial benefit being returned for our willingness to recognize that what we're getting in trade for that benefit is a discount, and that we're providing a benefit to the club. Similarly, I find myself more and more using the fact that Amazon knows a lot about me. The fact that TiVo knows a lot about me doesn't help me. But using that networking model now, Amazon knowing a lot about me often is suggesting things that I find interesting. It's like, oh, I mean, the whole idea of people who bought this book also bought these books. And it's like, oh, look at that. Well, that might be a book that I'm interested in also, or a service or whatever. So, I mean, there I could see - it seems more transparent to me. I'm acknowledging, I guess I'm implicitly assuming, because Amazon is being very transparent, if they say that people that bought or looked at these things that I'm looking at also looked at these, well, they're telling me that that data was aggregated about those people. So it's obvious that it's being aggregated about me.
LEO: Right. Well, that's what they say. You bought this, you might like this, as a result.
STEVE: And the other thing, some - and I know that, Leo, you and I are about the same age. Sometimes I'll go to get some, like, especially DVDs because I've sort of lost track of them all now, I mean, I have so many movies. I'll go, I'll see something about a DVD, I go, oh, I've got to get that.
LEO: And you already have it.
STEVE: Yes. Yes. And it's so nice now because Amazon warns me, says, oh, by the way, did you realize that six weeks ago…
LEO: You bought that?
STEVE: You already bought this? It's like, oh, gosh.
LEO: That's nice.
STEVE: You know, it's got to be around here somewhere.
LEO: They have a new feature which allows you to publish publicly everything you've bought or some things that you've bought on Amazon. And there's a social networking aspect of that. And they give you the, you know, you have to opt in. You have to explicitly say it. I actually did it just the other day. The thing is, Amazon also gives you a reward. They encourage you, and this is a very smart move on their part, with this Amazon Associates. In fact, many book authors make more money by selling their book through Amazon with the associates fee than they get from their publisher. It's several bucks sometimes from Amazon when people click a link on your web page to buy a book.
LEO: So Amazon is smart that way.
STEVE: Well, another example of a concern that people may not be aware of is, for example, there is a third-party DNS facility. We've talked about OpenDNS…
LEO: I use it, yeah.
STEVE: …a couple times. Unfortunately, their privacy statement has raised concerns among people. Basically they're saying, if anyone asks us to let people know who's performed what lookups, we're going to provide that information.
LEO: Anyone, or any government agency?
STEVE: Oh, I'm sure government agency. You know, someone gives them reason to compel them to turn over their logs, they'll do that. Well…
LEO: I'm sure your Internet service provide would do exactly the same thing.
STEVE: Right, although our ISP would have to be filtering and explicitly logging our DNS lookups in order to do that. OpenDNS is saying, yes, we're keeping logs. And we're making them available if we need to. So again it's - by aiming your PCs at a single DNS service, you're essentially telling them, based on your IP - and there is no cookie transaction, thank goodness, in DNS. So it is purely IP based; although, again, by subpoenaing records from your ISP, all the IPs you've had and when you've had them can be known. So again, it would be possible for a government entity to determine all of the websites that you have, you or your computer, has gone to during the window through which these logs are valid.
STEVE: So again, it's something that's happening to an increasing degree as we become more and more reliant on technology.
LEO: And you know, this example of me releasing my Amazon information, I think some of us are just kind of accepting of the fact that everybody knows what we do, and aren't too shy about what we do. But it's probably good to be aware of it. Another thing that's concerning is that the Patriot Act allows government to ask for any of this information and prohibits the person they're asking from telling you, or anybody else, or going public in any way with it.
STEVE: Well, and in fact I think that's one of the reasons - oh, relative to the issue of concern, what I have found in spending a lot of time over many years talking to people is there is really a spectrum of concern.
LEO: Yeah, yeah.
STEVE: There are people who just - who have given up.
LEO: Well, I'm a public figure, so it doesn't - I have no privacy.
STEVE: Well, exactly. Or there are people who have just said, look, you know, I have no illusions about the fact that we're being tracked and watched and aggregated, and I have nothing to hide, so it's no concern for me, you know, that sort of person. And on the other - there is, however, another end of the spectrum, which are people who, just for their own reasons, are really concerned. I mean, they want the knowledge of what's going on. They want the control. And I think more on principle than anything else. It's not that they're doing anything wrong. They're just sort of, on principle they object to the idea that entities they don't know are profiting from the information being gathered, might do so, might be compelled to release it, I mean, they just don't like the idea, just sort of on principle as opposed to for some specific reason.
LEO: Well, I liken them to you because, for instance, you will tell us about not using scripting, the absolute most secure way to be. And many of us are not willing to trade the convenience. I'm going to continue to run scripts because it's so convenient. But I'm glad that people like you exist, and I'm glad that these hardcore privacy advocates exist, so that at least we are given the choice. And that's the point, right?
STEVE: Well, I think that's exactly right. And relative to the Patriot Act, one of the concerns about technology and this database aggregation is that the Patriot Act, as an example, represents a dramatic change in policy that does affect, exactly as you said, Leo, it affects the nature of what can be done with the data, which is to say, five years ago when these things were going on pre-Patriot Act in the U.S., the bar was much higher for what a third-party entity like the government had to do in order to obtain that information. But by a change in legislation, suddenly the laws have changed, yet the same kind of data aggregation that was going on then is going on now, yet it's far more accessible to entities that wish it, under terms that are much easier. And as you said, under disclosure laws that prevent them from even acknowledging that they've been asked for this.
LEO: Yeah, the secrecy scares me a little bit. And frankly, that's the other side of it. It's one thing if DoubleClick knows what I'm up to. You know, I'm more worried about the government doing this. I think that's the first step towards repressive government.
STEVE: Well, and I have to say, I mean, yes. I hate the idea that we're being, for example, spied on; that I might send an innocent piece of email that uses some hot keywords in an innocent context, and it's just going to set off some alarm bell somewhere and bring my email to someone's attention. It's like, wait a minute, I'm doing nothing wrong, just I object to the idea that something innocent could come under scrutiny. To me that seems to cross a line. I'm not exactly sure how to describe the line that it crosses. But it just - that bugs me.
LEO: Well, you expect that. If you live in China, you expect your government to be watching on you. It's part and parcel of what the government does in repressive nations. We live in a free nation where we believe that we have the right to certain privileges, including privacy. Privacy may not be specifically in the Constitution, but I think it's accepted that it is one of our fundamental rights.
STEVE: One week ago, or I guess it was last week, I'm sure you heard in the news that some wacko strapped a bunch of flares onto himself and went into one of Hillary Clinton's campaign offices. And as I was listening to the news, I noted that they very quickly determined that he had purchased flares earlier that day. And I was thinking, running through my mind as a security guy, it's like, okay, interesting.
LEO: How did they know that?
STEVE: They figured out, yeah, they figured out who he was. And then was there an immediate pull of his credit card charges to determine what he had been doing in the recent past? And it's like, okay, well, I don't know that that's the technique that was used. But here we've got a guy, and it's really important to know whether this is really a bomb, if he just needs roadside assistance, you know, in a critical way. And I guess I feel of two ways about that. It's like, well, I mean, I'm glad that they were able to determine with some level of confidence that these were automobile flares, automotive flares, and not TNT that he had stuck to himself. But you hope that some due process was in place that protects all of us from that kind of scrutiny. And again, that the bar is high enough for the obtaining of that kind of information.
LEO: Well, the CEO of Sun, Scott McNealy, very famously said, and it was some years ago, “Get over it, privacy is dead.” And I don't think he was talking about government privacy. But it certainly has deteriorated even then, even since he said that. And I think it's true that computers in many ways pose the greatest threat, computers and widespread Internet databases pose the greatest threat to privacy in our history.
STEVE: Well, and even email. Back in the old days, when you would type out a letter or even print it on your Series 1 HP laser printer, which predated the Internet, and you'd fold it up and stick it in an envelope, lick it, and off it would go, lick the stamp and so forth, I mean, your paper mail was probably private. It wasn't guaranteed to be private, but…
LEO: Well, it was by law, that doesn't mean somebody couldn't have read it.
STEVE: Exactly, I mean, steaming open the letter is a standard mechanism.
LEO: But that's a onesie-twosie, and that's what's changed in the computer era of they can scan this stuff en masse, they can scan it, as you said, for keywords. They can watch us much more effectively than they ever could before computers.
STEVE: Yes. I think that's exactly the thing that has changed is that, as our lives have moved more into an electronic mode, I mean, what isn't online, Leo? Frankly, I use my Visa card as cash. I don't use cash, counting out change in my wallet any longer. It just, you know, it's not as convenient. Which means that there is a record of every single thing I purchase available from the people that I have my cards with.
LEO: This is sometimes called your “data smog,” or your “data trail.” And we all have one. Unless you fall off, drop off the grid entirely, I don't know how you avoid that. And I think, you know, this is a security show, but it really does - security and privacy are tightly linked. I mean, one of the reasons you want to be secure is to preserve your privacy, one of the most important reasons.
STEVE: Yes. Well, I do know people, we've talked about this before, who routinely delete their cookies. They understand about cookies, they delete them just as part of their process because they would just like to shed, even though the expectation is that this is anonymous, they just - they're people out on that end of the spectrum who just say I'm going to do what I can to shed this kind of surveillance. I mean, they're probably people - another example is the electronic highway toll systems. I have a little EZ Pass puck in my glove compartment. And when I'm going to go on a toll road down here in Southern California, I'll stick it up underneath my window. And it goes beep-beep when I drive through. And so somewhere someone knows that I've just driven down the freeway at that point. So again, there's an increasing level of this kind of surveillance, passive and active, just in our lives. And even cell phones. My cell phone is on all the time. I carry it with me when I go out. And presumably, based on which cell tower I'm nearest, it's pretty much possible to figure out where I am at any given point.
LEO: Yeah, in fact the point I guess some people make is that it's not only the toll plaza that you go through, but in theory government could hide these receivers all over the place and track you in much more detail. Not only do they know you went through the bridge at the toll booth, but they could know where you are every moment of the day.
STEVE: So yes, so I'm sure there are people who don't carry cell phones because they're aware that it allows them to be located. They will not take toll roads when there are alternatives…
LEO: It's getting harder and harder.
STEVE: …because they would rather not feed that information. They don't use TiVo because they don't want their television-watching habits…
LEO: They don't use the credit cards. They don't use the Internet. They don't fly anywhere.
STEVE: Yeah. Yeah, you're right, Leo.
LEO: Pretty soon you're living in a log cabin in Idaho.
LEO: You're Ted Kaczynski.
STEVE: I think that, in conclusion, it's the case that no modern lifestyle today can conveniently, as you say, be off the grid. And the best people can do is to be aware of what's going on and decide where they fall in the spectrum of concern. And that for people who are concerned, I would really hope that there is transparency and control that gives them control over this kind of aggregation.
LEO: But again, maybe Scott McNealy wasn't so far off when he said privacy is dead. But we certainly will do our best on this show to help you do what you can, at least in a reasonable, sensible way, to protect your privacy. I don't think it's time to give up yet.
STEVE: No. And I don't want, I mean, I want the convenience of my Visa card. I want the convenience of not having to stop for the toll booth when I go - and there's the alternative, too. I mean, even though I've got the little electronic puck that bings when I go through, if I were that concerned, I could go through the manual side and throw coins into the fountain and have the arm go up. So…
LEO: Or put it in the Mylar bag when you're not going through the toll booth. I'm sure people do that.
STEVE: Oh, that's interesting, yeah.
LEO: They give you that little Mylar bag to block it if you don't want to use it.
STEVE: To block RF, yeah.
LEO: Right, right. Well, Steve, I hope we haven't brought people down with this discussion. But I think it's important to talk about.
STEVE: I think the goal was just to raise awareness. I mean, again, we've said there's nothing we can do to really be functional in a contemporary, technological, connected society and avoid this kind of surveillance. But again, it's a matter of the knowledge, you know, let people know what's going on. They can decide where they fall in the spectrum. And as you said, we'll give people tools to help them give them some control.
LEO: A lot of security really is about privacy, after all. If you want to know more, for instance, if you want transcripts, if you want 16KB versions for the bandwidth impaired, please go to Steve's site, GRC.com/securitynow. GRC.com/securitynow. GRC's a great place to go, though, for other things. Steve has a whole array now, a complete toolkit of free security utilities, everything from ShieldsUP to Unplug N' Pray, Shoot The Messenger, DCOMbobulator, his new Perfect Paper Passwords, it's all at GRC.com. And that's also where you'll find SpinRite, which is the best, bar none, hard drive maintenance and recovery utility, GRC.com. Next week, questions and answers - your questions, Steve's answers. Steve, is it too late - I guess it's too late for next week because we're going to tape that one ahead. But if people want to ask questions for future shows, and I know you can't answer them individually, but where should they go?
STEVE: Absolutely, I want to encourage people, I really have a good time reading through these things, and I get ideas for future show topics. And of course that's where we get the content for our Q&As. It's GRC.com/feedback. So just anytime, GRC.com/feedback. That takes you to a page with a form where you can anonymously or non-anonymously send me a note that I will receive.
STEVE: Yeah, I did look this morning because I pulled from the server the accumulated updates since the last time. Just to give some people a sense for why they may not hear from us, or we may not read their question, I had 18,000.
LEO: From what? From just…
STEVE: Just accumulated, 18,000 submissions. Which is not to say I don't want more because, I mean, I really do want people to keep them coming as our shows raise questions in their minds, or life raises questions in their minds.
LEO: Yeah, yeah. But we, you know, and I say the same thing about my own email, I try to answer as much as I can. And I have help, I've hired somebody to answer some. But you can't always get a response from me, certainly not a substantive response, because I just get too much email.
STEVE: Well, and one of the nice things is that there are many questions which come up again and again and again. And so…
LEO: We can answer those, absolutely, yeah.
STEVE: Well, I'm able to see sort of a trend in questions, and then choose a good representative one for the Q&A. So even though I'm not answering a specific individual's question, I've answered a question that has been asked ten times when I've been scanning them.
LEO: Right. Want to pass along a little holiday gift from us to you our listeners. The folks at ScotteVest, and I know you know Scott Jordan, and you - do you wear any ScotteVest stuff?
STEVE: I don't because it's so hot down here. All I can think of is like the hoodies and things. And…
LEO: They have polo shirts. You should look at the polo shirts. They have stuff for men and women. They do have great hoodies. I wear their pants. They have shorts, they have vests, they have jackets, hoodies, everything you could want, and it's all for geeks because it's got pockets galore. Their patented PAN, Personal Area Network, that allows you to run the cords from your iPod or MP3 player or your phone through special channels in your jacket or your hoodie. They even have hats that have a space for an iPod. I'll tell you, this is a really great place, ScotteVest.com. And our gift to you - thanks to Scott, by the way, for doing this - is 20 percent off anything on the website if you use my name, Leo, when you check out. That's the coupon code, LEO. So thank you, Scott, for doing that. Some part of the proceeds goes to TWiT, but it's also a gift to you guys. 20 percent off anything on the ScotteVest site. Does not include TWiT merchandise sold from ThinkGeek. That's a separate deal. But anything sold on the ScotteVest site. ScotteVest.com, use my name, LEO, for 20 percent off. Kind of a little way of saying Happy Holidays from TWiT and ScotteVest.
STEVE: Very cool.
LEO: Now, we're going to take a break, come back next week. We're getting closer and closer to the holidays. I should say Happy Hanukah to you. It began this week.
STEVE: Merry Christmas.
LEO: Yeah, Merry Christmas is coming up. I'm going to be in Egypt for Christmas. But guess what? We are not going to miss an episode.
STEVE: That's right.
LEO: I don't know how.
STEVE: Actually I was just going to say, we're doing double episodes for the next two weeks and then cramming one fifth one in, just so that we can maintain our record of never having missed a week.
LEO: Ah. Never having missed a week. That means we're going to tape five in the next two weeks. But that's okay, we're going to do it. Thank you, Steve. Have a great day. Have a great week. We'll talk again next week on Security Now!.
Copyright © 2007 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/