BlackBerry Blog

Privacy: The Killer App

FEATURE / 10.02.18 / Pete Herzog

This article starts with a story. It’s a story you may have heard before, but bear with me because I tweaked it a bit. I basically killed off all the characters at the end to make it a surprise. Or maybe I didn’t. The suspense must be killing you.

In my update of The Gift of the Magi (pdf), Della sells her identity so she can freely use social networks and post about what an awesome husband Jim is. Then a lot of people will ‘like’ it and all 1,023 of her closest friends will know she’s in an amazing, stable relationship and not just being instructed by a marriage counselor to show more appreciation to each other.

Meanwhile, Jim spends all his time away as an entrepreneur at a start-up coding the next killer app for privacy to ensure that Della and everyone else is safer online. Identity theft will actually totally screw up your life if it happens to you. That’s not a joke, and Jim knows that. It happened to his uncle and involved smuggling wild mushrooms - not a euphemism. But that’s just back story stuff.

Well, if you know the original story, then you know how it goes. Basically, Jim never sees Della’s post because he avoids social media for privacy reasons. But it doesn’t matter because Della’s identity was already stolen, and the post was actually made by some guy in Oklahoma phishing for access to Jim’s work account to defraud his company.

Kinda like in the original story, but with less trying to impress your husband by cutting your hair to look “wonderfully like a schoolboy.” The story literally says that about looking “wonderfully like a schoolboy.” Apparently that kind of stuff sparked a lot of fan fiction, if you’re into that.

Anyway, fast forward five years and Della is killed by someone stalking people through social media, and Jim dies penniless from starvation because it was a killer app for privacy. Privacy. Who the hell expects to make money from a killer app for privacy?!

What, Exactly, Is Privacy?

Now I just made exactly three people on the planet angry when I made fun of privacy being a killer app. I know who they are too, and one I consider a good friend. The other two I don’t know so well because they don’t post jack on Instagram. Go figure.

Now we do know that identity theft is a real and brutal thing. We know that so much of our lives is online now that it doesn’t take much to roll us. And while my method of cranking Twilight videos up at work to drown out my personal noise is good, it’s not the best kind of privacy one can have.

The best kind of privacy is the one that we can find in Fairytopia, Neverland, Raccoonworld, and between the pages of that mythical story of an impossible place called GDPR. There’s where we’ll actually find the privacy we need, the privacy that a killer app would be good for. Unfortunately, nobody would buy it.

Privacy is one of those things we ask the government for help with, as if it’s not our fault:

“Please make us legislation so corporations leave us alone! Please oh somewhat democratically elected body who wants to know everything about me to keep me safe just in case I’m the reason we’re not safe. Please let me sign up to whatever I want and then take it back in a way that you need to permanently and irrevocably forget that I did that. I want to walk on the street and have someone ask my permission before they can publish any evidence that I was on that street.”

And then they try to. At least some try to. But it’s not going to happen. Because privacy doesn’t work like that.

The Problem of Privacy

I think the problem with privacy is that the masses don’t understand what the word actually means. As an operational control (à la OSSTMM):

Privacy is a control for assuring the means of how an asset is accessed, displayed, or exchanged between parties that cannot be known outside of those parties.

To apply privacy for people you need to prevent third parties from knowing how something happens and not just censor some of it out. So how does that work? Well, it’s the means. So, for instance, we know that you take off your clothes because you go in your house in one outfit and come out in another the next day. But we don’t know how you did it. There’s no record of the means of how that happened.

We don’t know if, like me, you threw your clothes on the floor the moment you went inside and didn’t put any on again until you came out again. We don’t know if you ate mashed potatoes and gravy like that. That’s because the house walls provide that privacy control.

Therefore, when I vacation in Biscarosse and take my bathing suit off on the public beach I can’t expect to have privacy since there’s nothing to hide the means of anything I do on that beach.

So how does this apply to our data? That’s actually relatively straightforward. Any data on us that can be used to know how we do what we do is protected.

So, credit card data saying where we shop? Protected. What we bought? Protected. GPS data of where we went? Protected. Pictures of us walking down the street or videos of us shaking our booties at a nightclub? Also protected, unless of course we’re not identifiable. And any collection or correlation of data, even metadata, that can say something about how we do what we do is also protected.

Now “protected” is a weird concept in the legislation-making world. You see, there’s no actual barrier protecting any of that stuff. The only real privacy we can expect is the one we make ourselves with shutters and blinds. But we live in a world where how we do what we do to be part of a civilized society requires us to mingle, even if we don’t leave our homes. Yes, social networks, groups, chats, meetings, and everywhere else where we have to do civil society stuff.

Societal Controls vs. the Right to Be Forgotten

Ah, yes, society. Sometimes I think the raccoons are right. Society is really just a lot of interconnected dumpsters we subsist upon, and it’s tolerable as long as we just wash our hands a whole lot. Society says it wants you to let others know what you’re doing and how you’re doing it so you can fit in and others can feel safe when you’re around.

Recently I had a class reunion. There were classmates not findable online to contact. You should see how some of the people acted around them. It was like the fact that they were alive yet had no online presence made them something ranging from Amish to Theodore Kaczynski. Society and individual privacy are not exactly compatible.

Society wants you to give your private information away. It builds more and more means for you to not be private, to the satisfaction and entertainment of other members of society. Oh, and to make money too. Whether it’s taking advantage of you being around to see ads or to sell you something, the opportunity is only there if you can be identified. That’s the exact opposite of privacy.

So that leaves us with this problem that falls right in the lap of the legislators: How do you draft a right to privacy for people you don’t want to be private? I think that’s where the right to be forgotten comes in.

Most people think it’s about the long memory of the Internet. As it is now, every dumb thing you do can be recorded and remembered forever. Wear a dumb hat and be a meme. But that’s not what the right to be forgotten is really for. You see, they know you can’t undo yourself from memehood. Legislators know that.

It’s really about finding a way to balance identifying you for societal and monetary reasons with the fact that you shouldn’t have to be identified for societal and monetary reasons. So, they say, okay, we can invade your privacy but then we’ll forget we did it. Like the company computer support personnel who develop this incredible ability to forget people’s passwords mere seconds after you tell them. The only difference is the support people don’t want to remember. They’ve got enough to remember with all those characters in the Game of Thrones books and all.

So, once you have an idea of what privacy is as a control, as a thing that you can use to be protected, you realize that it’s just not something anyone can give you. Not in a law. Not in a social network. And certainly not anywhere outside your own four walls. So, you’re on your own to take care of it. Only you.

Learn the lesson from Della and Jim. In my version, privacy is a real issue and it could be the death of you if you’re not careful. Meanwhile, I’m going back to my Gift of the Magi fan fiction with Bella and Edward.

Pete Herzog

About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.