The New Web: Your Identity is Everywhere

One aspect of the so-called “new” web that isn’t being adequately addressed is the issue of privacy and data security. This matter was recently made apparent to me in spades.

Last summer, frustrated with the overwhelming noise of its cooling fan, I sold my XBox 360 to a kid from Toronto who was visiting his dad in Teslin. He got a great deal that included a subscription to XBox Live, Microsoft’s internet-gaming network.

Out of the blue the other day I received a call from Visa fraud services enquiring as to whether I’d just authorized a couple of charges from XBox Live. Clearly, I hadn’t.

It turned out that my credit card was somehow connected to my old XBox Live account, which this kid was using. He’d just charged $200 worth of stuff to my Visa.

I was lucky the kid exhibited such relative restraint with his purchasing. The total loss could have been a lot worse for me.

If nothing else, I learned a valuable lesson: in the modern web world, I’ve got to exercise more caution regarding where I store personal information and data. What’s more, I’ve got to be aware of how access can be gained to that data.

On the modern web, your information exists somewhere else. And all a third party needs to access it, typically, is a password.

Back in the day, you stored your data on your own hard drive and it was as secure as you wanted it to be. Just turn the machine off at night and you could rest assured that your data was safe. If you wanted to sell the thing, just delete all your files and, in general, you were good to go.

Now, as more and more of the computing experience takes place in a web browser, it’s not so much about what’s on your computer, but what you leave access to “out there.” As we begin to store more and more of our files on web sites like Google, Flickr, and MySpace – all hither and yon across the internet – we make them easier to access. It’s an opportunity that’s ripe for identity thieves.

How many sites like these do you use to store and manage important personal or business data? How secure do you feel knowing that access to that data by anyone is just a password away?

In a sense, it’s rather irrelevant how you feel about your password security.

After all, passwords were originally conceived of as a way to protect data. Today, however, with the widespread adoption of web services, passwords are proxies to personal identities and they offer insufficient protection.

What’s more, contemporary technology nearly defeats the purpose of password-based security.

Most modern web browsers, like Firefox, will remember your passwords for you. In theory, this sounds like a great idea. In practice, should your Mac or PC fall into the hands of another, it’s very bad for you.

Assume you sell your computer. Even if you delete all of your personal files from the computer, Firefox will retain knowledge of and access to all that is yours online. In a sense, you’re selling your internet identity with your PC.

Imagine that: the new owner has access to your PayPal, GMail, Flickr, Google, and MySpace accounts. You’ve forgotten the passwords. In a sense, the new buyer of your computer has become the new you.

On the other hand, assume you don’t sell your computer. Leave someone alone in a room with your computer for a moment and with just a few clicks of a mouse Firefox will gladly display your passwords for them.

And so, my point is this: our personal information world is growing beyond the scale of our physical control. We all have important personal and business data scattered about the web and, if you’re like me, you probably have forgotten about some of the stuff you placed elsewhere. What’s worse, you’ve probably forgotten how to access some of it.

This vast new universe of information management is governed and defended by a decrepit, faulty system of names and passwords which are just about as secure as a bathroom door lock.

I would suggest that, unless the new generation of online services comes up with a better system of security, 2007 will turn into a crisis year for them. This industry needs to stop thinking of new, funky things to do with the web and conceive of a more robust system of data protection and security management for its users.

The web represents a new era in computing but it still depends on aging, decrepit methods of data security. A new paradigm needs to be developed that’s based on the protection of the user him or herself rather than the data they are accessing.

In regards to my XBox problem, the kid was fortunately dumb enough to have left the account password unchanged. I logged in via the XBox Live web site and wreaked havoc on his identity. I even managed to cancel some of the services he’d used my money to purchase and generally maim his gaming experience. So there was some visceral compensation to me.

Unfortunately, Microsoft refused to remove my credit card from the account as it was being used by this kid. I was forced to cancel my Visa and there’s only a slim chance that I’ll be refunded those fraudulent charges.

I’ll chalk it all up to learning.

Originally published in the Yukon News on January 5, 2007.
©2007 Andrew Robulack