
Postgraduate symposium abstract – Stranded Deviations

I’ve just submitted a finalised abstract for a twenty minute paper I’ll be giving at the UNSW postgraduate symposium on Monday September 3. (Specific time and location TBA.)

The symposium theme is ‘Making Tracks’ so, naturally, I’ll be using plenty of dinosaurs in my presentation.

Title and abstract are copied below.

I might actually blog about some of this stuff one day, though the rest of the year sees me quite busy writing other things so it may take a while =/

====================

Stranded deviations: Big Data and the contextually marginalised

Knowingly and otherwise, we all leave traces when we use digital technologies. As social and practical interactions moved to the digital realm, facilitated by technological breakthroughs and social pressures, many have become understandably concerned about user privacy. With the increased scale and complexity of stored information, commonly referred to as ‘Big Data’, the potential for another person to scrutinise our personal information in a way that makes us uncomfortable increases.

However, it can also be argued that because there is so much personal data stored in various digital systems our privacy is retained ‒ we all become lost in the noise. Attention is a finite resource so it becomes unlikely that we will experience a privacy breach by a real person. In practice our traces are most often treated as data, computationally analysed, rather than content, scrutinised by biological eyes.

‘Security through obscurity’ may appear to be an inadequate concept here because privacy breaches occur regularly. However, ‘cyber attacks’ are directed at targets who stand out from the noise, chosen based on some form of profiling. Therefore, within any context, certain individuals become disproportionately targeted. Those regularly contextually marginalised have the most to lose from participating in a culture of Big Data, raising issues of equal access.

In this paper I bring these ideas together to argue that the privacy discourse should not only focus on the potential for scrutiny of personal data, but also the systems in place, both social and technological, that facilitate an environment where some users are more safe than others.

A few quick notes on passwords and security

I recently read through Thomas Baekdal’s ‘The Usability of Passwords’, a great piece on the relative strength of passwords under various methods of hacking attacks. (Also check out the updated FAQ!) Rather than seeing mixed case passwords with random symbols as the epitome of secure, we find that, in fact, passwords “can be made both highly secure and user-friendly”.

The 3 common word password ‘this is fun’ can last 2537 years under a common word attack. In contrast, the 6 random character, mixed case, symbol and number password ‘J4fS<2’ only lasts up to 219 years under a brute force attack. Obviously, the difference between them is negligible in practice – how long can such attempts realistically proceed before being noticed and stopped? – but the point is that being forced to use the latter within various IT services is partially unjustified. (I say ‘partially’ because some people would still use ‘god’, one of the top-five most common passwords according to Hackers, if given the opportunity.)

So, really, there’s not too much need for an ‘Ultra High Security Password Generator’. Yeah, it’s a secure password, but it’s probably more secure in practice to have a random set of words you remember than to require a written down (or typed!) string of 63/64 characters you need to have constantly accessible (read: actually not secure).

Relevant side note: incorporating complex rules for passwords (at least one vowel, up to three digits, two consonants in the second half of the alphabet, two letters that rhyme with but don’t appear within eight places of ‘J’ in the alphabet, &c) actually makes a password less secure because there exist (publicised) rules to limit the iterations needed for cracking. This is why I felt smugly but probably irrationally secure using my original 6-character password for my old Hotmail account years after they revised the password requirements to 8-characters minimum – if it was a password that did not comply with the rules, then it would probably not be attempted. Yeah, I was probably naive, but the account is closed now so w’evs.
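An added worked example (not from Baekdal’s article or from the original post) of the arithmetic behind the figures above, and of how much a published composition rule shrinks the set of passwords that can exist. The 94-character alphabet, 20,000-word list and 100 guesses per second are assumed values, picked because they reproduce the 219-year and 2537-year figures quoted above; the function names are my own.

```python
from itertools import combinations

SECONDS_PER_YEAR = 365 * 24 * 3600
GUESSES_PER_SECOND = 100   # assumed guessing rate
WORDLIST_SIZE = 20_000     # assumed size of a common-word list
# Assumed character classes: the 94 printable, non-space ASCII characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def years_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case years needed to try every candidate at `rate` guesses/second."""
    return keyspace / rate / SECONDS_PER_YEAR


def brute_force_keyspace(length, classes=CLASSES):
    """Number of strings of `length` over the whole alphabet."""
    return sum(classes.values()) ** length


def word_keyspace(words, wordlist_size=WORDLIST_SIZE):
    """Number of phrases made of `words` entries drawn from the word list."""
    return wordlist_size ** words


def compliant_keyspace(length, required, classes=CLASSES):
    """Strings of `length` with at least one character from every class in
    `required`, counted by inclusion-exclusion over the classes left out."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def rule_reduction(length, required, classes=CLASSES):
    """Fraction of the unrestricted keyspace that the composition rule forbids."""
    allowed = compliant_keyspace(length, required, classes)
    return 1 - allowed / brute_force_keyspace(length, classes)


if __name__ == "__main__":
    print(round(years_to_exhaust(brute_force_keyspace(6))))   # 'J4fS<2'
    print(round(years_to_exhaust(word_keyspace(3))))          # 'this is fun'
    # Share of all 8-character strings forbidden by "one of each class":
    print(f"{rule_reduction(8, list(CLASSES)):.1%}")
```

Under these assumptions, a rule demanding one character from each of the four classes forbids a little over half of all 8-character strings, so anyone who knows the rule has that much less to search.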

A few days ago I was also linked to a PC World article that talked about Google’s new(ish), optional two-step login process. I don’t know why I wasn’t aware of this earlier! The standard authentication model relies on “something you know–and that something is often easily guess[ed], cracked, or otherwise compromised”. Google’s two-step login, however, requires two pieces of information, “both something you know–your username and password–and something that only you should have–your phone”. Every time I go to a new computer and log into Google I have to type my password and also include content from a text message they send to my mobile. On my work and home computers I just need to go through this process again every 30 days – an added security measure just in case I accidentally leave myself logged on at another computer.

A bonus side-effect of this added step is that I can change my Google password to something more fun – like ‘fluffy bunnies’ – and not concern myself with the associated, potential security risks! (Of course, I probably shouldn’t now that I’ve said it publicly. Damn you, blog readers!)

If anyone out there is interested in setting this up, you can find instructions on the gmail blog.

Anyone have annoying password anecdotes to share?