Saturday, May 17, 2008

Risk

I, like many people these days, keep my important information on the internet. In this day and age, the big companies I entrust my privacy to are all as secure as I could ask for, and keep getting better. For example, Google (who is going to be my example for the brunt of this article) has never been hacked or lost any user information (as far as I know). But security doesn't lie entirely in the cloud; a key challenge is getting information in and out, and the security on that really hasn't changed.

So how do we protect our online identities? With passwords, of course. Now, there have been a few advances in password security – such as guidelines on what kind of passwords to use – but for 40 years of innovation, that really doesn't feel like much. Of course, that could mean that passwords are Good Enough™, but considering that someone could just watch you type one in, I don't think that's true. It's like building a walled garden with a moat, barbed wire, and lasers: if someone steals the key, they can just walk in the front gate.

To be fair, we've had this same problem for years. But recently I've noticed a trend: more and more information is ending up on the internet, and quite a lot of it is going to the same places. To see why this is a problem, let's take a look at the engineering definition of Risk:

Risk = (probability of an accident) x (losses per accident)

The probability of an accident is equivalent to someone getting my password, and doesn't really change. But the losses per accident are going up and up and up. Take a look at my Google account right now: I use a fair number of services – probably more than most – but the trend is the same for everyone. Hypothetically, someone could get access to

  • Every email I have sent or received (Gmail)
  • Where and when I will be (Calendar)
  • My address and credit information (Google Checkout)
  • Pictures of me and my friends (Picasa)
  • Everything I have searched for or clicked on on Google (Web History)
  • My health information

Wait, health information? Yep! Coming soon to a Google near you, personal health information1. All the time we are moving more information into the digital world, and for the most part, that's a good thing. But the risk to us is increasing at the same rate, and that makes me a tad nervous. I have to ask, what would it take for stealing passwords to become a lucrative business? I'm not the only one who has noticed the problem; some research is going into building a better lock, using technologies like fingerprint or iris scanning, and there are other approaches too. One possibility being thrown around is using usage patterns to detect when someone malicious is in the account, and cut them off from any information until they confirm their identity2. Another idea I had was partitioning the information within the account, to mitigate the risk of someone getting access. For example, I'd use a different password for Gmail and Google Reader than the rest of my services, since those are the most likely to be compromised. But regardless of what, if anything, gets implemented, a word of advice: keep your passwords safe!

Footnotes

  1. It's not just Google – Microsoft has a product of its own in development for storing health information.
  2. The parallel is credit card companies. If you start to purchase more than usual, or in different locations than usual, you may find your credit card cut off until you make a phone call.

No comments

Post a Comment