veryard projects - innovation for demanding change

internet risk

on this page

> risks
> how is internet different?
> technical mechanisms

on this site

> risk management
> trust
> authenticity
> information leakage
> e-commerce
> what's new about the internet?

web links

> risk digest

home page contact us

splitting into two camps

The supposed risks of the internet seem to drive people into two opposite camps.

In the one camp, there are those who see danger everywhere. In the other camp, there are those who argue that there is absolutely no crime, mischief or other evil perpetrated via the internet, that wasn't already possible before, so what's the big problem?

One camp is perceived as paranoid luddites, while the other camp is perceived as naive technophiles.

On this page, we identify some of the risks, and ask how seriously they should be taken.

risks

e-burglary

One of the popular worries about e-commerce is the possible (and probably exaggerated) abuse of credit card numbers. But if you book a holiday over the Internet, shouldn't you also worry about a hacker getting hold of your home address and the dates of your holiday, and connecting it with your recent purchase and insurance of expensive jewellery?

(I'm sure all the large insurance houses have excellent data security, but is this also true of all the agents and brokers?)

Even if you merely browse a site selling expensive antiques, this might be enough to trigger interest from a gang specializing in stealing antiques.

Many people would dismiss this as an irrational fear, because it would be unlikely that the hacker would also be a local burglar, and in any case the hacker wouldn't be certain that you were leaving your house empty, with the expensive jewellery in it.

This is bad logic. You shouldn't ask for the probability of a given hacker being a local burglar, but for the probability that any local burglar might also be a hacker - or have friends who are hackers.

In any case, like a good salesman, a professional burglar doesn't expect information to provide a guaranteed outcome - merely to identify hot prospects, where there is a better than average chance of a good haul. Imagine you were a burglar - ask yourself how you would use easily available information to enhance your success.

e-strangers

A friend from the US has forwarded me a warning to Internet-age parents. You teach your children to be wary of giving personal information to strangers - but then they go online and chat freely. Impersonation is rife - you think you are talking to a teenage girl in Michigan, but you may actually be revealing snippets of your identity and habits to a middle-aged man in your own town.

Computer studies are very popular on the school curriculum, but I wonder how much children are taught about the use and abuse of information. Or for that matter, the use and abuse of deductive logic.

(Of course, most adults are equally naive about the use and abuse of information. Even people working with computers often fail to appreciate how much information can be deduced from the personal data collected by banks, airlines, supermarkets and others, and to what uses this could be put. Or they take false comfort from the fact that the organizations they work with are incapable of making effective use of the information already available.)

Inference

e-cruitment

Some companies now advertise job vacancies on their website. Applicants are invited to submit a CV electronically.

There is rarely any authentication, so it is easy to submit spoof CVs. This would include maliciously compiled CVs on behalf of real people.

Having compiled a spoof CV, it is then possible to write a program that submits this CV (or variants of it) to thousands of companies.

trolling

A troll is a spoof message introduced into a list or chat room for the purpose of evoking maximum response. It is the web equivalent of those books of replies to silly letters written to famous people. Its author is masked, it has no restrictions on scope - often they are copied to other forums - it is designed to arouse an emotional response and ultimately poke fun at belief and trust. [source: Aidan Ward]

how is internet different?

dialectic - quantity becomes quality

Internet amplifies the power of a sad person by several orders of magnitude. Instead of writing a few anonymous letters in spidery handwriting, you can send thousands of copies.

And because it's so quick and easy, the message can be broadcast around the world before you've had second thoughts about sending it.

We are not good at judging probability at the best of time, but this increase in scale makes our intuitive judgements about probability even worse. When you are tempted to dismiss something as unlikely, remember that in very large systems, with very large volumes and densities of interaction, extremely unlikely things happen every day.

novelty and unfamiliarity

There are some parallels with the arguments about soft drugs. Proponents of soft drugs claim that dope is less harmful (its use less risky) than alcohol and tobacco, and if these are legal, so dope should be too. But that argument, although attractive, is invalid. The argument isn't about what risks would we accept if we were starting again from scratch. If this were the case, we might all agree that dope, for all its dangers, was at least better than booze, and e-commerce better than traditional commerce. The argument is about what additional risks we are prepared to accept on top of the risks we already have.

Other things being equal, the unfamiliar is usually riskier than the familiar, simply because we don't yet know how to handle it safely. Of course, that isn't an argument against ever trying anything new, but it is a warning about the additional risks involved.

barriers to entry

The late adopters of a technology are typically risk-averse. Further adoption of internet will be inhibited by perceptions of risk, whether or not these are "objectively" valid. It is therefore in the interests of technology vendors to address these risks seriously, from the perspective of the late adopters.

Thus the acceptability of electronic banking depends on several factors, but a perception that it is riskier than traditional banking, whether or not this is fair, will slow down the adoption.

technical mechanisms

There is a growing industry of security experts, developing and selling technical solutions and products and devices to deal with the supposed dangers of e-commerce and e-business.

There are several base mechanisms in play, including various forms of encryption and e-signature.

Meanwhile, there is a growing army of people motivated to crack these mechanisms.

Technical solutions are important, but they must be combined with social solutions.

acknowledgements

Thanks to Aidan Ward (as always) for stimulating discussion.

top

home page