I Want a New Drug

Slightly over 20 years ago, I co-founded the first anti-spam company, called MAPS. It was 'spam' spelled backwards, and also the Mail Abuse Prevention System. My co-founder was Dave Rand, and we were quite sure that the low cost of sending e-mail would cause an explosion of network abuse, where unethical advertisers would cheerfully externalize their costs onto the overall economy, and equally sure that spam would be like a noxious weed that overruns its ecosystem, because nothing eats it. We were, sadly, correct. Even more sadly, lawsuits against us by unethical advertisers cost millions of dollars, such that we ultimately had to sell the company just to pay our own lawyers. Lessons learned? First, no good deed goes unpunished. Second, check the water temperature before diving in.

Somewhere along the line we started to joke that spam was like a drug, and spammers were addicts, and they would do anything, up to and including selling their own children to sex traffickers, if it meant they could spam for one more day. This may seem overly severe if you weren't in the security business at the time and you didn't see the depths of depravity to which unethical advertisers swam in order to bypass any and all controls against their work. With two decades of perspective, I can certainly see it as “gallows humor” and maybe not as darkly funny today as it seemed at the time. I share this story with you to give you a glimpse into the minds of a couple of perennial do-gooders as we lost the Internet's first culture war. But also to familiarize you with the meme, ‘X is like a drug.’

Because data is like a drug. It's not, as some say, ‘the new oil,’ because while oil moves nations, it won't pivot an entire economy from top to bottom. Only a handful of megacorporations and their supply chains thrive or die on changes in the market for oil. Data, by comparison, affects everybody. Like a drug, it can reform and pervert what were stable systems of morality, literally making good people do bad things, which they somehow justify. Also, there is no escape for the non-addicts; we are at constant risk in every zone of our personal and professional lives due to the insatiable need for more data by addicts and their enablers. They will take our data no matter what depths of depravity they must swim to, and their justification for it will sound like cheap equivocations to the non-addicts who are their victims.

In the new virtual economy, value chains are not anchored by physical assets, and what a company can deliver is quite a bit more diverse than what they can get paid for. When I first heard that if I wasn't paying for a product, then I was the product, I knew it was so. I've tried to find some friend at Google who can charge me money to remember everything they know about me and use it to provide me services but never share that data with anyone else. Unfortunately, there is no amount of money I could pay to Google that would be worth as much to them as the many uses they can make of my personal information. There won't be a Private Google for me or for any of us, any more than the online news and other services I pay subscription fees for can offer me an ad-free experience or keep my personal information entirely private.

However, unopposed trends accelerate, and right now the General Data Protection Regulation (GDPR) is the only thing slowing the world's sell-off of whatever actual privacy any of us still have left, and I am not at all sanguine about Ireland's slow-rolling protection of the American technical industry's anti-privacy practices. We must, every person, every family, every company, every state and every nation, diligently notice and defend against every data predator and every privacy abuse no matter how benign it may seem. If you're shredding your junk mail to defend your family against identity theft but then playing Pokemon Go during idle times as you go about your daily business, then you're hugging a tree without noticing the fire engulfing the forest around you. Many of the companies who can observe your activities will leverage your data to constrain your future choices in small ways which add up to a form of ‘digital serfdom’ for you in the aggregate.

Closer to home and immediately to hand, I am dumping my company's online expense reporting platform, after warning them several times, and getting only lame and misleading answers each time. They've turned on what they call ‘Smart Scan’ for all our employees, and have removed any control for turning it off again, and this has been called a ‘policy change.’ What this means is that the personally identifiable information of our employees as they travel the world was simply too valuable for them to leave in our hands – they can't compete in the global data marketplace if they don't extract every possible one or zero from any information that comes into their orbit. Note that this is a paid commercial service, and I would pay more to keep our employees' privacy safe, but that option has not been and will not be offered to us. For the moment, this means we'll go back to e-mailed spreadsheets, while we audit the privacy policies of potential new online expense reporting services.

Sadly, the last time we did a search with such audits, every single provider we evaluated failed, usually for more than one cause. This may help explain why I've lost my capability to be astonished by the findings in this year's Verizon Data Breach Investigations Report (DBIR). It's a stunning piece of work and should be compelling in its own right. However, the data we're losing piecemeal due to surveillance capitalism is of gargantuanly greater magnitude than the data we're losing due to criminal breaches of our online infrastructure, and should concern all of us far more. I fear that we are all numb, and if we ponder the circumstances of our privacy it's to wonder where it will end or how it can end. Perhaps a motorcycling holiday in Scotland will restore my capacity for outrage. I'll try that and get back to you.