This blog is a bit of an oddity. ESET UK were approached by Dan Damon, a reporter putting together a piece about “the complications of a digital world when someone passes away”, asking if there was someone at ESET who would be interested in being interviewed for BBC1 radio on the subject. The request got passed back to me. While I wasn’t able to get to the studio at that point, as I was on the point of leaving for a conference in Japan, I thought that the topic was interesting, and put together a sort of interview mock-up for discussion. Dan seemed to like it, but we kept failing to synchronise.
Finally, he was ready to get me into the studio, but it was at very short notice and I simply couldn’t get there at the time it was needed, so the project is abandoned. However, it seemed a shame to waste the “interview”. Though since I take the part of the interviewer as well as my own part, I suppose it’s really more like an Alan Bennett2-ish monologue.
By the way, I’m not aware that there is any such thing as an Internet Book of the Dead. Consider it a tribute of sorts to “The North London Book of the Dead3”, a story by Will Self4 of which I happen to be rather fond. I presume that Self’s title is in itself a sort of parody of one of the religious texts associated with Egypt and Tibet (and, no doubt, other cultures) referred to as “The Book of the Dead.”5, 6
What has been the impact of the Internet on the availability of data?
Perhaps we should ask first, how old is the Internet, in comparison to the data it contains? The timelines and statistics for the protocols, and applications, and the take-up of pre-web, web 1.0 and web 2.0 sites and services are misleading, however good your resources. A carefully crafted Google search brings up information on relatives of mine who died when international networks were little more than hardwire connections between (physically) huge mainframes and the web wasn’t even a gleam in Tim Berners-Lee’s eye.
I was a comparative latecomer to computing, but even I predate many of the milestones that most Internet users regard as prehistoric. Even 25 or so years ago, when I first got dragged into what we then called the “new technology”, if you wanted to know what was known about you and your family, you had to go places, make phone-calls and write letters (and cheques).
What sort of data are you referring to?
You needed access to church registers, births and marriages data, census information, electoral rolls and so on, and that only gave you access to barebones genealogical data: juicier information needed a far wider sweep and privileged access to resources and shadowy clusters of microfiche readers.
But all that’s changed now, surely?
It has indeed, and I don’t mean the upsurge of for-fee online genealogical databases. Those deceased relatives of mine might also show up in on-line national and local governmental resources, back-issues of local newspapers, local and historical blogs and other web sites. They probably never thought about this particular prospect of immortality, and if they did, took it for granted that their data were what we might now call “sterile” data (information to which the holders were entitled), and didn’t think about the more sinister implications of its continuing to exist.
In fact, those sinister implications were always there. Think back, for instance, to the use of the identities of dead people for forged passports in thrillers like Day of the Jackal.
But it’s changed much, much more for the living and breathing Internet generation?
Sure. Everyone who uses the Internet leaves footprints, and the dirtier the footprints, the easier they are to find. Everything you share online can come back to haunt you, and that doesn’t necessarily change when you start to do some haunting yourself.
You might never touch a computer keyboard yourself (I hear there are still people like that) but there are still lots of data around that are unique to you and sometimes freely available on the Internet: directories, commercial transactions, governmental data, credit ratings, and lots of stuff you may never have thought about.
Organizations that keep that sort of information are often subject to strict legal conditions: here in UK the Data Protection Act7 (possibly the most misunderstood legislation ever…) requires the people who hold your data to do so only when necessary and appropriate, to process it fairly, to maintain it properly and look after it carefully. (Other European countries are subject to similar restrictions, based on the same EC Directive8.) I can almost see your cynicism, but that is at least the intention.
Specialized and sensitive data, such as banking data and medical data, are subject to other laws as well. So, in general, some of the most important data should reflect a post-mortem change in respiratory viability. And while we still hear horror stories, those major systems tend to work efficiently – if not compassionately – most of the time. For example, when my father died, the government asked for his last month’s pension payment back before we’d even had time to arrange the funeral, acting on information from the bank, which had already closed his account.
And no, that isn't another emotional sideswipe at the present UK government. This was decades before Gordon Brown.
What about all the stories about lost CDs and USB sticks?
I didn’t say the system always worked! In fact, having spent a lot of my working life in the NHS (National Health Service), I know very well it doesn’t, much of the time.
Can you tell us more about that?
Not if I ever want to feel safe walking down a hospital corridor.
Are you saying that there isn’t too much of a problem?
Not at all. The more data there are, the harder it is to keep track. Even thinking of something as apparently transient as an email, there are inevitably ways in which a message can be intercepted, or misdirected, or survive past its natural lifespan. And that’s assuming that it travels between two trusted and trustworthy individuals. I’ve seen a million examples of mail inappropriately shared because one of the parties involved didn’t regard it as confidential, or simply didn’t think about the consequences of sharing it.
To lapse into the first person again, I’ve done a lot of online writing: for example, internet FAQs, posts to specialist forums and newsgroups, mailing lists, blogs and so on. The extent to which they replicate, with or without the writer's knowledge, is astounding. There’s even an instance of an e-book I didn’t know I’d written until years afterwards.
How do you write a book without knowing about it?
Well, it's nothing to do with having a ghost writer.
I wrote a magazine article for a security organization. They subsequently reprinted it as an eBook. I found out years afterwards when I was googling for publisher info on books I did know I’d written.
There are other disadvantages to being online for an author. I actually got hold of an illicit electronic copy of a more recent book before my author’s copies had arrived. And an illicit copy of another book has been available for years on a virus exchange site. Let’s not talk about the fact that Google appears to think it owns the entire corpus of online literature, irrespective of copyright.
As Woody Guthrie once wrote10, “I ain’t dead yet.” But these are examples that aren’t likely to change when I am, unless there’s a nuclear or ecological catastrophe.
Is this a good moment to raise the issue of social networking?
In the security industry, we talk a lot about the dangers of social networking, sharing information that may be valuable to burglars and scammers, or even spies if you happen to be married to the head of MI some-number-or-other. But it isn’t just about what you do, or information that you give away. Other people can give away information that impacts on you, like that photo of you next to Niagara Falls that your mate posts to his Facebook page, giving clear notice that you aren’t at home right now.
It’s not just about information, either. There is probably more misinformation than information in the online world, whether it’s deliberate deception, propaganda, fraud, well-meant lack of comprehension, or just data that’s no longer current.
Unfortunately, if you’re the victim of that sort of flim-flam, it’s not likely to go away when you do.
Dedicated to the memory of my good friend Graham Bell, for reasons that have very little to do with the Internet.
3. “The North London Book of the Dead”, from The Quantity Theory of Insanity, by Will Self. Bloomsbury Publishing, London, 1991.
9. Directive 95/46/EC: http://en.wikipedia.org/wiki/Data_Protection_Directive
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/