Wednesday, September 2
Informatics East, Room 130
Indiana University Bloomington
PROFITS VS. PRIVACY?
STUDYING THE FAILURE OF THE WEB 2.0 INDUSTRY TO DEPLOY PRIVACY ENHANCING TECHNOLOGIES
It is now more than 30 years since the invention of public key cryptography. Yet, now, in 2009, the vast majority of Internet users still transmit their own personal information over networks without any form of encryption. When consumers check their Google Mail, Facebook or MySpace accounts using the increasingly ubiquitous free wireless networks in public places, they face a very real risk of theft and hijacking of their online accounts. While skilled technical experts and corporations have easy access to effective security technologies, most consumers still lack basic privacy online. The question we must ask is why?
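As an added illustration of the risk described above (example code written for this page, not part of the talk or the thesis it announces), the following Python script audits a web service's response the way a defender would: it checks whether the page was served over TLS, whether a session cookie carries the Secure attribute (without it, the browser resends the cookie in cleartext on any http:// request, which is exactly what an eavesdropper on an open wireless network needs to hijack the account), and whether the server sets Strict-Transport-Security (a standard that postdates the 2009 talk but is today's "secure by default" mechanism). The URLs and response headers are constructed samples; the cookie-name heuristics are an assumption used only to pick out session cookies.

```python
"""Audit constructed HTTP responses for the protections that keep a web
session from being read off an open wireless network. Example code added
for this page; the sample URLs and headers below are constructed, not
captured from any real service."""

# Constructed sample: a webmail service in the 2009 style, served over plain
# HTTP and handing out a session cookie with no Secure attribute.
WEAK_URL = "http://mail.example.test/inbox"
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same service with the mitigations in place.
HARDENED_URL = "https://mail.example.test/inbox"
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Assumed heuristic: substrings that mark a cookie as carrying login state.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_response_headers(raw):
    """Return (status_line, [(lowercased_name, value), ...]) from a raw
    HTTP response; repeated headers such as Set-Cookie are all kept."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip blank or malformed lines
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie_name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True  # flag attributes: Secure, HttpOnly
    return name, attrs


def audit_session_protection(url, raw_response):
    """Return a list of (code, detail) findings; an empty list means the
    response shows the confidentiality protections this check looks for."""
    findings = []
    if not url.lower().startswith("https://"):
        findings.append(("no-tls",
                         "page served over plain HTTP: credentials and cookies "
                         "cross the network in cleartext"))
    _, headers = parse_response_headers(raw_response)
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append(("no-hsts",
                         "no Strict-Transport-Security header: a browser can "
                         "still be steered onto http:// for this host"))
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not any(hint in cookie.lower() for hint in SESSION_COOKIE_HINTS):
            continue  # not a session cookie under the assumed heuristic
        if "secure" not in attrs:
            findings.append(("cookie-not-secure",
                             "cookie %r lacks Secure: the browser will resend "
                             "it on any http:// request to the domain" % cookie))
    return findings


if __name__ == "__main__":
    for label, url, resp in (("weak", WEAK_URL, WEAK_RESPONSE),
                             ("hardened", HARDENED_URL, HARDENED_RESPONSE)):
        print(label, audit_session_protection(url, resp) or "no findings")
```

Run against the constructed samples, the weak response yields three findings (no TLS, no HSTS, session cookie without Secure) and the hardened response yields none; the `lang` cookie is ignored in both because it carries no login state. Pointing the same function at real captured headers is a quick way to check whether a service you depend on has moved past the 2009 default the talk describes.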
Effective cryptography is no longer restricted by US export laws or locked up by patents, nor does it demand so much computing power that it is impractical for anything but state secrets. Yet the market has still failed to deliver products that provide strong authentication and confidentiality by default. The problem is not restricted to cryptography and data security: the market has failed to deliver in other areas too, such as curbing the increasing amounts of personally identifiable information that are quietly collected by online advertisers, search engines and government agencies.
This thesis will argue that the failure of the market to provide services that are safe and secure by default is not a failure of the computer science research community, but the result of complex and skewed incentives that play out in the policy, legal and business spheres. As a result, those wishing to improve the state of basic security and privacy for end-users must look beyond the search for new algorithms and cryptographic techniques. They must instead work to solve the policy problems which have thus far frustrated the deployment of basic privacy enhancing technologies. This thesis will weave together technical, legal and policy perspectives, reaching a depth of analysis that would be impossible if the problem were approached from a single angle.
This thesis will consist of a taxonomy detailing numerous market failures, followed by several in-depth case studies and proposed solutions.
I will first survey several ways in which privacy enhancing technologies can fail to reach consumers, such as the skewed incentives of dominant service providers, patent thickets, usability problems, and outright government prohibitions on the use and export of particular technologies.
I will then present several case studies: an analysis of the key privacy risks associated with log retention by search engines, and the failure of the market to protect consumers from this threat; a look at the industry-wide failure to provide effective cryptographic data confidentiality and authentication to users of “cloud” and other Web 2.0 services; the legal and policy issues surrounding the government’s ability to compel service providers to insert privacy-invading back doors into their own products; and an analysis of the behavioral advertising industry and its decade-long failure to provide easy-to-use and effective opt-out mechanisms for end-users.
Finally, I will propose specific legal and policy solutions to the privacy issues highlighted in the case studies, as well as several policy solutions for the general failures highlighted in the initial survey.