% fortune -ae paul murphy

Really odd internet usage risks

Here's a bit from a real story - from a a TV station site in Orlando:

DAYTONA BEACH, Fla. -- Police officers in Daytona Beach are swabbing the mouths of persons of interest during traffic stops with special DNA kits in the hunt for an elusive serial killer, sources close to the investigation told Local 6.

And if you think the police will ever delete the DNA records of the "persons of interest" (i.e. males) who're proven to be uninvolved -then you've never worked with police.

Now, imagine, please, that the police in a city of about a million confront a scenario in which someone finds the body of a brutally murdered young girl about every three months - and there are more missing girls than bodies. As time passes more bodies are found, public pressures mount, schools and parents outdo each other in paranoia - but the police haven't got a suspect.

Search engines and ISPs can help identify people for the police to look at in this kind of situation because profilers say that the perpetrator can be expected to have both an unusual interest in news stories pertaining to the crimes and a drive to access certain kinds of pornography sites.

Outside the U.S., police would take informal access to related ISP and search records as a given, but in the U.S. this would be a foreground activity requiring court approvals - and it would therefore need something like the horrific situation suggested above to establish the necessary precedents for this kind of access to become common.

The typical city in the million people range serves a larger hinterland and retrieving five years worth of nominally deleted user access records from the backups made by search providers and ISPs will take some time. Eventually, however, the police would have on the order of perhaps 20 to 30 billion page read records to sort through.

That sounds like a lot, but the police are really looking only for the intersection for each of something like 60 monthly periods for two groups of page views - nothing a simple Perl script couldn't handle as a first cut reducing the number of account holders of interest to something in the hundreds or low thousands.

To illustrate one of the worst but less obvious risks (while cheerfully grinding a personal axe against wireless services) let me suggest that one of the accounts identified as of interest belongs to a typical suburban family whose make-up, history, PCs, and behavior all pass the police sniff test - but who use a wireless router to connect their PCs to each other and the internet.

Thus while police are making life miserable for a few hundred or more other account holders judged of possible interest - exposing to their families, for example, the existence and nature of their personal porn viewing habits - account monitoring brings the focus back to that suburban family; and, from them, to someone living four blocks away who does fit the profile - and has a seventh floor apartment with a balcony featuring a direct line of sight connection to the family's home.

Neither his current PC nor the old one they find in his closet has any porn on it - and his internet use via his own account is limited.

To the police this is a dog that doesn't bark: he's single, early thirties, doesn't have many friends, and seems quite smug about letting them search his PC.. and eventually (since the story needs a happy ending) they discover his hidden laptop and blah blah blah.

But here's the unhappy moral in the story: most home wireless users don't know who else is using their accounts and therefore don't know what risks the unknown usage may be exposing them to.

And a commensurate, paranoia inducing, thought: to look normal to an investigator, you have to have the age-and-sex appropriate amount of age and sex appropriate porn on your computer.

And, of course, there's the really scary corollary: I don't believe the precedent setting events required for this type of privacy invasion to become common have happened yet, but it seems almost inevitable that they will.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.