To get people thinking about the related issues, Marshall Kirkpatrick has put together a list of questions well worth asking, and discussing. It is indeed timely.

Online social networking is already on fire, but there is a price to be paid as well - mashups galore are making it ever easier to get the data you want, as well as enable people to acquire data on you. I find it amusing that users scream when their Facebook accounts are disabled because they tried to mine some of the data within, but in the Scoble case and many others just face the facts - all those people you think are your friends aren’t really your friends. The majority of the people on that “friends list” won’t ever ask you out for a drink, help you move, or read your business plan, and they certainly don’t want you taking their email address to another site so that service can spam them with invitations to join the next best thing. I’m no particular fan of Facebook, but I can’t help but give them a thumbs up here. The myriad of user privacy settings they offer are there for a reason, to prevent pseudo-friends from taking users’ data while they are attempting to grab their own.

It’s a quandary for many internet users. The fact that some join and befriend in the first place makes them particularly vulnerable. It won’t be long before the type of intrusion exemplified by Robert Scoble/Facebook is going on undetected - its centralization makes it low hanging fruit. Meanwhile we’ve moved beyond the average person’s grasp of privacy - it no longer exists - the best one can hope is that the information available about them isn’t ultimately damaging.

No fire truck is going to arrive to help you if it is.

UPDATE: If the risk of all that social networking data floating around isn’t bad enough already, you can always worry about your ISP doing the mining.

UPDATE 2: Regarding the Scoble/Facebook drama, Paul Buchheit wonders: Why aren’t Gmail, Yahoo! Mail, and Hotmail blocking Facebook? Another good question, and with TOS excerpts to boot!

Interesting concept - Union Square Ventures proposes that while material goods have decreasing marginal utility, the value of data increases for each new byte added.

It’s a stretch that presumes the human user has potentially infinite interests. And to capitalize indefinitely on the data store, the human user would also need infinite desires, wouldn’t they? Neither is the case (at least after adulthood), and I suspect that beyond a point (closer to the y-axis that most think) the data is nothing but noise. While the marginal cost of the data storage is immeasurably close to zero, the computational costs (including CPU cycles and smart people creating new algorithms) to extract revenue from each additional bit should continue to rise.

And socialization leverages existing data stores, but only to a point - afterwards there are likely diminishing returns as well.

I received a note this morning suggesting that while the actual effect the “teaser freezer” program may have on the foreclosure problem is still up in the air, at least now there’s some data coming out to work with. The numbers are preliminary, and highlights are as follows:

• There are 80 million homes, and approximately 49.6 million mortgages. The average mortgage size is roughly $202,000.
• Roughly 63% of mortgages are fixed “prime” loans, and 14.5% are adjustable rate “prime” loans. “Below prime,” 6.3% are fixed rate, 6.8% are adjustable rate, and around 9.3% are FHA/VA loans.
• Of the roughly 6.5 million “below prime” loans, over half have some kind of teaser rate. Of that amount, roughly 1.8 million are adjustable rate loans with resets beginning in 2008 and 2009. 2/3’s of that amount may qualify for help - the remainder, or around 600k, will have to fend for themselves.
• Help is equally divided between rate freezes and streamlined refinancing assistance, and data suggests that around half of the refis may qualify for some FHA or VA loan.
• Of mortgagees, roughly 2.6 million are delinquent today - how many of them have missed only one payment in the last year and/or are adjustable rate borrowers with resets within the Hope Now “window” is unclear. And there are just under one million borrowers in some level of foreclosure as we speak.

ADDITIONAL NOTE: I’ve never made hay about the subprime borrowers, seeing them simply as the high yield tranche that always rears its head when money is easy to come by. As the data above suggests, they are only a small part of the overall mortgage picture, and credit risk was already built in. It’s the 7.2 million prime ARMs, many beginning their resets the first of next year, that people should be worried about.

UPDATE: More “facts” - compliments of the White House. I’d rather see facts coming from the GAO than the Office of the Press Secretary.

Bruce Schneier comments on data theft disclosure law, stating emphatically that the Data Accountability and Theft Act is too “watered down” to do much good.

I guess my intuition engine is still running.

The Data Accountability and Trust Act could be going to a House vote soon.

Somehow, someway, I smell “CAN-SPAM 2,” only much more serious. The legislation provides for consumer notice in the event of a breach, but only if there is “reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other lawful conduct.”

First, who the hell determines what a “reasonable risk” is? The FTC, after a breach? Second, consumers would be allowed access to their data, and a chance to correct inaccurate information. Isn’t that issue covered by the Fair Credit Reporting Act already?

The problem with notice is the speed in which it is executed. If data brokers had statutory liability for each breach, say tied to actual damages their breach caused, plus mitigation costs, they would spend a lot more money on internal security procedures, and be a lot more likely to notify affected consumers with speed and efficiency.

Right now, it sounds like they are being given incentives to cooperated with some governmental body, which thereby covers their own butts. And not much more.

***UPDATE***

Slashdot readers chime in on The Data Accountability and Trust Act.

Its on the laptop, and unencrypted, and now it has been stolen.

In much the same flavor, I say keeping unencrypted data on a laptop is downright stupid. And as long as IT departments, including but not limited to senior management, allows their employees to carry extremely sensitive (and liability prone) data around in their backpacks, this will continue to be a ridiculous issue.

Jon Oltsik of Enterprise Strategy Group reported on the state of security as large organizations, and the news is not good. You know the stories of data thefts at Choicepoint, Bank of America, and Siesint - large amounts of personal data stolen, and not necessarily via an IT hack. It seems they are the tip of the iceberg.

In the survey Oltsik’s firm conducted, roughly one-quarter of large firms (those with more than 1,000 employees) polled experienced a security breach in the last year. Can the news get worse? Well of course, or I wouldn’t have asked you that question.

It is one thing to be victim of data theft; it is quite another to not know whether you have been. And approximately 27% of those surveyed by ESG were unaware of whether they might have been breached. This is a much more dangerous situation. A firm that admits to a security breach reflects the fact that there are specific security protocols in place, and metrics for determining their effectiveness. A firm that has no clue if they have been breached is missing these policies and procedures, and/or any effective feedback mechanism.

You can read Jon’s full report in Want to prevent ID theft? Get back to basics, where he outlines more details from the ESG survey, and well as some simple suggestions to shore up data security.

Spamroll was officially taken out of not-so-secret, partially working, but still password protected development on Monday, March 7, 2005 at roughly 5pm MST.

Over the next few weeks, entries will be added to the archive for previously incomplete posts, including many which date back several months, while the site was under development. Meanwhile, new entries and data will be added daily, while any remaining kinks are ironed out.

Hope the site helps with your spam and phishing issues. Enjoy!

Regards,

The Management

An interesting note was posted by Russell Beattie, entitled Mobile Security Thoughts. Getting some scoop on the Paris Hilton “My Phone Was Hacked Craze,” I think everyone will get the hint about mobile security after the read.

Unfortunately, CNN, in the tradition of mass media skewing the picture in a wide ranging attempt to scare the daylights out of everyone, posted their own version of how to protect yourself in: You and Paris Hilton can prevent identity theft. Sort of. - Feb. 22, 2005.

Sorry folks, but it isn’t going to work on its own.

While quoting some obscure security expert, CNN notes you should do things like shred your receipts before throwing them away. Hey, maybe we should stuff them in old mattresses until they fade!

The last check of my credit receipts showed a bunch of XXXX’s where the credit card number should be. And AMEX is happy to send me a new card every year, with a new account number, each time I “lose” it to kitchen scissors.

Yes, there are simpler (and some more complicated) ways you can protect your address book, your credit information, and your identity as a whole. And it doesn’t take a genius, as thieves are usually (I say USUALLY) pretty dumb to begin with.

Simple stuff:

1) Don’t put outgoing mail in the mailbox by the street, and stick up the stupid little flag. Scumbags know there will be checks for bill payment in there. Drop it off at the post office or in a USPS mailbox.

2) Check your credit once a year, minimum. MyFICO.com is a good place for comprehensive, if paid for, reporting.

3) Get a post office box. Having inbound bills going to a different address than your home is a easy way to spoof thieves who think they know your mailing address from the numbers on the side of the house, when they call asking for a new credit account. Click here to find the most convenient one.

4) Don’t use internet services to keep your “rolodex” accessible. You put the onus of security in the service provider’s hands. If a thief is smart (most aren’t but good hackers are very), they will target the aggregators before they try and pickpocket your individual day planner.

More complicated stuff:

1) Keep important documents in a safe deposit box. Easy. Scan the middle of the road stuff, and shred. Not so easy. Using a combination of Adobe Acrobat and Pretty Good Privacy can keep your important documents safe and sound on your hard drive. But don’t forget to make periodic backups.

2) Purchase products only from reputable internet vendors. I say this, because such vendors are usually a little bigger, therefore they have more money invested in security measures.

3) Put a fraud alert on your credit report. MyFICO is still a good place to start for information on making that happen (as it takes a little time to do). I keep one on all mine reports, and it works, because I tested it!

I recently entered a T-Mobile store to check on how easy it was to open up an account. I like my existing service - this was purely investigatory, and, not so easy. Even with two forms of picture identification, T-Mobile quickly turned it down, citing the fraud alert, and suggesting I contact my credit reporting agency. Great!

Funny that the dummies over at T-Mobile are exactly the ones that kept fine Paris’s address book for her.

4) Now number 3 might suggest getting financial service (or other) is difficult. It isn’t, if you have a face to deal with. The meaning - use a local bank or branch, and get to know them by walking in for transactions. Also, don’t trade securities online only, while simultaneously buying your insurance online, and doing all your banking and shopping online. It isn’t the online part that is troublesome, but the aggregation of it that is. You need a face or two that know you well.

Despite their sometimes cheesy reputations, insurance agents and stock brokers are a great human connection to have in our virtual world. Your portfolio and insurance are important - keep their administration with someone you know and trust (and can actually have a cup of coffee with). If you are ever a victim, they can be EXTREMELY helpful.

5) When all else fails, hold the information aggregators responsible. I am surprised that more folks aren’t suing the daylights out of these folks (maybe they are, but I don’t hear much about it). Maybe that is because of cost, or maybe the powers that be don’t want you to know how much information is really floating around, but you get the hint - they (Choicepoint and others) have a lot!

If they screw up, it is their fault, plain and simple. Get a good lawyer. I am not one to going around causing trouble (I have never sued anyone), but the way these credit reporting and other information brokers operate is beyond sleazy and stinky. They won’t release information they have about you without charging a bundle, but they don’t think twice about selling the information, in bulk, to some bucket shop around the corner.

It is about the money, guys and gals. They need to be made an example of. Since Mr. Bush has tightened the screws on class actions, I believe it is everyone’s responsibility to make sure these folks pay for their arrogance.

Yes, this post ended with a call to order. And I meant it as such. No, I am not bitter, as I have never been a victim. But I feel sorry for those who have, as it is not always stupidity on the part of the consumer, but on the part of the information bureaucrats, the internet social networks, and your friendly phone company, that is causing so many innocent folks so much trouble.