LifeLock proves social security numbers can not be defanged

“I’m Todd Davis, CEO of LifeLock. And ..-…-…. is my real social security number.”

This was the full-page advertisement in the New York Times Sunday magazine. Except the SSN was not blanked out, and this was no careless redaction error: LifeLock had developed an identity theft protection service so reliable that the CEO was willing to disclose his own social security number to prove it. Brave indeed: an SSN is far more dangerous than a credit card number, for several reasons. The card networks have already accepted the risk of payment card fraud and absorb the losses (at least in the US; your mileage may vary by jurisdiction), cards can be revoked, and the damage is bounded by the card's spending limit. An SSN, on the other hand, enables so-called “new account fraud” because it is used as an authenticator: knowing a person's SSN counts as proof of being that person. Lenders are happy to extend credit based on this ludicrous authentication protocol, and there is no Visa/Mastercard to underwrite that risk by refunding consumers for losses. (Full disclosure: more on this distinction appears in a chapter this blogger contributed to an upcoming book by Stanford press.)

This distinction matters for a breach. Having a credit card number made public is easily recoverable, often with minimal damage: in the 2006 FTC survey on identity theft, the median loss from existing-card fraud was exactly $0. It would not have been nearly as impressive if the LifeLock CEO had published his credit card number in the newspaper, except that it might run afoul of the cardholder agreement if that agreement imposes any “due diligence” requirements on security. But the social security number is an identifier US residents are stuck with for life. It cannot be revoked or easily changed. If any protection service could control the risk to the point that an individual can publish their SSN in a newspaper, that would be a major breakthrough.

Today a Wired article shows it is too early for celebration. LifeLock is being sued on behalf of three customers who claim that the service does not work. The attorney filing the suit points out that there have been 87 attempts to fraudulently use the CEO's identity, including one that succeeded: the perpetrator took out a payday loan in Texas. In addition the article concedes:

“Davis said it’s possible driver’s licenses have been issued to other people in his name because of the widespread availability of his personal information – and because of what he described as the flimsy mechanisms in place to report that kind of fraud.”

This is not completely surprising: virtually all identity theft protection services depend on the triumvirate of credit bureaus for detection. Any new loan application will be reported to these companies (in fact even the credit check that precedes granting the loan is recorded) and can be periodically queried. But a new driver's license will not appear on that radar. The root cause is that the SSN is used in an open, distributed ecosystem without a centralized clearing point. Payment card networks have complete visibility into every transaction involving a card. Actions involving an SSN can only be reconstructed by piecing together fragments of records from data brokers such as the credit reporting bureaus, Acxiom, ChoicePoint and Seisint (now owned by LexisNexis). The case against LifeLock suggests that this patchwork is far from a reliable identity theft defense.

cemp

Website monitoring: canary in the mine for traffic shaping?

Website monitoring is an established business. Perhaps the best known example is Keynote, whose statistics carry weight akin to Nielsen ratings, minus the subjective element of user preference. These systems measure the performance of websites as perceived by customers. Typically they have an array of sensors distributed across the globe (the more dispersed, the better the picture that emerges) that periodically ping a website to check how quickly the pages load, whether any errors are returned, or whether key services such as authentication are experiencing an outage.

So far none of them has stepped up to the plate and offered to detect traffic shaping. Considering that network neutrality is under attack from all directions, this could be the next application. Suppose an ISP in North America decides to put the brakes on downloads from Netflix while prioritizing streaming video traffic from a competing website. (It is not a stretch to imagine that a kickback, a revenue sharing model or even a past grudge against Netflix could motivate this behavior.) An extensive sensor array would reveal the anomaly, provided there is at least one sensor inside that ISP's boundary. The measurements might show unexpected latency for that one destination compared to other network locations in the same region, or strange bandwidth caps in effect over time. The necessary control is the same sensor's measurements to unaffected destinations: an ISP that is simply slow to everything should not be mistaken for one that singles out a competitor.
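As an added illustration of the comparison described above (example code written for this page, not Keynote's or any monitoring vendor's method), the following script normalizes each vantage point's throughput to a target by that same vantage point's throughput to a neutral control destination, then compares the result against peers in the same region. A target-specific slowdown then stands out, while a vantage point that is slow to everything scores normally. The measurement records, the ISP labels and the hostnames are constructed placeholders; the 50% threshold and the minimum of three peers are assumptions to tune against real data.

```python
"""Added example: separate target-specific throttling from a generally slow
vantage point by normalizing against a control destination. All records,
ISP labels and hostnames below are constructed, not real measurements."""
from collections import defaultdict
from statistics import median

# Constructed samples: (region, isp, target, observed_mbps).
# "isp-a" throttles only "video-x.example"; "isp-d" is slow to everything.
SAMPLES = [
    ("na-east", "isp-a", "video-x.example", 5.0),
    ("na-east", "isp-a", "video-x.example", 5.2),
    ("na-east", "isp-a", "video-x.example", 4.8),
    ("na-east", "isp-a", "video-y.example", 24.0),
    ("na-east", "isp-a", "video-y.example", 25.0),
    ("na-east", "isp-a", "control.example", 22.0),
    ("na-east", "isp-a", "control.example", 23.0),
    ("na-east", "isp-b", "video-x.example", 23.0),
    ("na-east", "isp-b", "video-x.example", 24.0),
    ("na-east", "isp-b", "video-y.example", 24.0),
    ("na-east", "isp-b", "video-y.example", 25.0),
    ("na-east", "isp-b", "control.example", 22.0),
    ("na-east", "isp-b", "control.example", 23.0),
    ("na-east", "isp-c", "video-x.example", 22.0),
    ("na-east", "isp-c", "video-x.example", 22.5),
    ("na-east", "isp-c", "video-y.example", 23.5),
    ("na-east", "isp-c", "video-y.example", 24.5),
    ("na-east", "isp-c", "control.example", 21.0),
    ("na-east", "isp-c", "control.example", 22.0),
    ("na-east", "isp-d", "video-x.example", 6.0),
    ("na-east", "isp-d", "video-x.example", 6.5),
    ("na-east", "isp-d", "video-y.example", 6.2),
    ("na-east", "isp-d", "video-y.example", 6.8),
    ("na-east", "isp-d", "control.example", 6.0),
    ("na-east", "isp-d", "control.example", 6.3),
]

CONTROL = "control.example"  # assumed neutral destination nobody has reason to shape


def median_throughput(samples):
    """Median observed Mbps per (region, isp, target)."""
    buckets = defaultdict(list)
    for region, isp, target, mbps in samples:
        buckets[(region, isp, target)].append(mbps)
    return {key: median(vals) for key, vals in buckets.items()}


def normalized_throughput(samples, control=CONTROL):
    """Throughput to each target divided by the same ISP's throughput to the
    control target. A uniformly slow ISP scores about 1.0 everywhere; a
    shaping ISP scores low only on the target it throttles.
    Returns {(region, target): {isp: ratio}}."""
    med = median_throughput(samples)
    out = defaultdict(dict)
    for (region, isp, target), mbps in med.items():
        if target == control:
            continue
        cap = med.get((region, isp, control))
        if not cap:
            continue  # no control measurement from this vantage point: skip it
        out[(region, target)][isp] = mbps / cap
    return out


def flag_shaping(samples, threshold=0.5, control=CONTROL):
    """Flag (region, isp, target, fraction_of_peer_normal) when an ISP's
    normalized throughput to a target is below threshold * the median of its
    regional peers for that target. At least three peers are required so a
    single vantage point cannot define the baseline."""
    flags = []
    for (region, target), by_isp in normalized_throughput(samples, control).items():
        if len(by_isp) < 3:
            continue
        peer = median(by_isp.values())
        for isp, ratio in by_isp.items():
            if ratio < threshold * peer:
                flags.append((region, isp, target, round(ratio / peer, 2)))
    return sorted(flags)


if __name__ == "__main__":
    for region, isp, target, rel in flag_shaping(SAMPLES):
        print(f"{region}: {isp} delivers {rel:.0%} of peer-normal throughput to {target}")
```

On the constructed data only isp-a is flagged, for video-x.example, at roughly a fifth of what its peers deliver; isp-d, although slower than everyone, is not flagged because its control measurements are equally slow. A real deployment would also want time-series per vantage point, since the "bandwidth cap over time" pattern shows up as a throughput plateau that this single snapshot does not capture.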

That still leaves open one question: whether the web service provider could have any legal recourse once they discover their traffic was being discriminated against.

cemp

Next version of MSFT office to support open document format

The times they are a-changing for MSFT. The recent announcement that the next version of the Office suite will support the Open Document Format, an open standard rather than a proprietary one, may be the most revealing example.

Interoperability is a complex strategic game but can be summarized this way: interop always helps the smaller competitors against a large established player. This is a standard consequence of network effects. Before Word had significant market share, when it was the small, scrappy upstart trying to gain a beachhead against WordPerfect, it was imperative to read and write WP documents. This allowed customers to switch to Word but still continue to interoperate with the majority of people using the more ubiquitous application. The developers of WordPerfect, on the other hand, had no incentive to accelerate this switch, so their application would not recognize the new format. Here is a divergence from the golden rule of getting along in a networked world (Postel's robustness principle): “be conservative in what you send out and generous in what you accept.” If interoperability were the only objective, every application would be able to open documents published in any other format while itself emitting a very narrowly scoped format that would be easy for those other applications to understand.

The same pressure applied to Excel when it was competing for market share against Lotus 1-2-3. As MSFT Office became the de facto standard in the enterprise and eventually for consumers, this pressure gradually eased, even though the import/export capability for the “legacy” formats remained. At some point the scales tipped and the burden shifted to the competing applications with smaller market share to work with the leading formats.

Open source software follows the same path: it was imperative for OpenOffice to be able to open Word documents, as well as save new documents in Word format. This meant that every new release of Office required a catch-up effort from the community to add the necessary interop functionality. (It did not help that the Office formats were largely undocumented and had to be reverse engineered until the XML-based Office Open XML specification, which itself fueled another line of controversy during its push for standardization.) The same goes for cloud services: it is no coincidence that Word documents, Excel spreadsheets and PowerPoint presentations can be uploaded to them.

The announcement that MSFT Office will support the open standard format is not due to a tipping point in market share. Its current position remains virtually unassailable. Even the Apple commercials that mock the PC platform as a square, clueless fellow are forced to pay a backhanded compliment by emphasizing that the latest generation of Macs can run Office. Is this a sign that demand for interoperability has arrived? Is the golden rule a more compelling option than trying to create lock-in by using proprietary formats and making breaking changes on every release that force open source alternatives to play catch-up? At least the European Union is not convinced and has announced its intention to verify this:

“The Commission will investigate whether the announced support of Open Document Format in Office leads to better interoperability and allows consumers to process and exchange their documents with the software product of their choice.”

Between competition from the free OpenOffice, the disruptive Google Apps for the enterprise, Adobe trying to unify the presentation layer with PDF, and now additional regulatory scrutiny, the future of desktop productivity software is getting interesting.

cemp