Tag Archives: Internet security

Swapping privacy for (real) cookies

Brownie Cookies. Photo by Robert S. Donovan, Creative Commons

by Lois Beckett, ProPublica
October 1, 2014

In a highly unscientific but delicious experiment last weekend, 380 New Yorkers gave up sensitive personal information — from fingerprints to partial Social Security numbers — for a cookie.

“It is crazy what people were willing to give me,” said artist Risa Puno, who conducted the experiment, which she called “Please Enable Cookies,” at a Brooklyn arts festival. The cookies — actual cookies — came in flavors such as “Chocolate Chili Fleur de Sel” and “Pink Peppercorn Pistachio.”

Interactive installation/sculpture artist Risa Puno (right) swapped cookies — a Pink Peppercorn Pistachio cookie for your driver’s licence, anyone? — for people’s data and even their fingerprints, at the Dumbo Arts Festival in New York. The cookie escapade was part of Heather Hart’s Barter Town project in New York. Photo courtesy of Risa Puno

To get a cookie, people had to turn over personal data that could include their address, driver’s license number, phone number and mother’s maiden name.

More than half of the people allowed Puno to take their photographs. Just under half — or 162 people — gave what they said were the last four digits of their Social Security numbers. And about one-third — 117 people — allowed her to take their fingerprints. She examined people’s driver’s licenses to verify some of the information they provided.

When people asked Puno what she was going to do with their information, she refused to say. Instead, she referred them to her terms of service, a full page of legal boilerplate displayed in tiny print, which gives her the right to display the information and share it with others.

Puno’s performance art experiment highlights what privacy experts already know: Many Americans are not sure how much their personal data is worth, and consumer judgments about what price to put on privacy can be swayed by all kinds of factors.

While most people will say they value privacy, there’s a clear dichotomy between “what we say about privacy and what we do,” said Alessandro Acquisti, a Carnegie Mellon privacy expert.

A study published last year by Acquisti and other researchers found that people’s willingness to pay for privacy depended on whether they perceived that their data was already protected. In one experiment, one group of people were given a free $10 Visa gift card and told their spending would be anonymous. Another group was given a $12 gift card and told their purchases would be tracked. The groups were then given an opportunity to trade gift cards. It turned out that the vast majority of people with the higher-value but tracked card were not willing to give up $2 for privacy. But about half of the people who started out with the higher-privacy, lower-value cards wanted to keep them.

“The answers to questions such as ‘What is privacy worth?’ and ‘Do people really care for privacy?’ depend not just on whom but how you ask,” the authors wrote.

Because the Brooklyn data giveaway was part of a performance art piece, Acquisti said, participants may have felt that “it was very low-risk to provide information.”  The giveaway was part of a game: it would seem fun to play along, and also seem unlikely that the data would be abused.

“Traded all my personal data for a social media cookie,” one participant tweeted, along with a photo of a cookie frosted with the Facebook logo.

Puno said some participants did not even eat their cookies — they just wanted to take pictures of them. Cookies decorated with the Instagram logo were so popular among photographers that Puno required “purchasers” to give their fingerprints, the last four digits of their Social Security numbers and their driver’s license information. Many still agreed. “They wanted to hold it against the sky with the bridge in the background,” she said.

While she’s happy with the response to her project, the 33-year-old artist was shocked that people seemed very comfortable giving away the kind of data that’s often used in security questions: pet’s name, mother’s maiden name, place of birth, the name of your first teacher.

People called those questions “easy points,” she said. “They didn’t recognize them as security questions, or they didn’t care, but that’s how people ‘hack’ into celebrity iClouds, by guessing their security questions.”

She was also surprised to find that people would give her more data than they actually needed to earn a given cookie. “That to me was baffling,” she said. “If I were thinking about giving away my information, I wasn’t giving away more than I had to.”

Puno still won’t say what she’s going to do with the data. She says she’s considered destroying it. On the other hand, she said, the disclosure forms are also “precious artifacts of what people are willing to do. I kind of want to hold onto them forever.”


This story was co-published with Mashable.


Build a better password; the world won’t beat a path through your door

 

In the course of writing her book, Dragnet Nation, ProPublica reporter Julia Angwin tried various strategies to protect her privacy. In a series of blog posts, she distills the lessons from her privacy experiments into useful tips for readers.

by Julia Angwin, ProPublica

Passwords are the first line of defense between your private data and an attacker – whether it is a criminal hacker or a spy agency.

But most of the conventional wisdom about building passwords is terrible. People are often told they should change their passwords every three months; that their passwords should be made strong with multiple symbols and letters; and the passwords should not be written down anywhere.

Computer scientist Ross Anderson has summed up this terrible advice as “Choose a password you can’t remember, and don’t write it down.” Faced with that impossible task, most people use passwords that are easy to remember – the most popular password is still 123456 – and use it for every single account.

It’s actually better advice to choose a more secure password and write it down somewhere in a safe place. After all, it’s much less likely that someone will break into your house and steal your master password list than it is that someone will hack into your account from afar through a weak password.

However, even if you write down your passwords, you still face the difficult task of dreaming up the dozens of passwords that seem to be required for modern life. At first, I tried to make up my own passwords, but after I stumbled on this password-strength estimator, I realized that many of my homegrown passwords were still easy to crack. So, after much searching for a perfect password strategy, I came up with a two-tiered solution for building strong passwords:

  • For less important passwords – such as for my frequent flier and online shopping accounts – I used password management software called 1Password to generate and store passwords. Like its competitors, LastPass and KeePass, 1Password generates strong passwords from strings of letters, numbers and symbols and stores them on my machine in an encrypted file.
  • For more important passwords – such as the password to my 1Password vault, my e-mail and online bank accounts – I used a simple, low-tech passphrase-generating system called Diceware. It works like this: roll a six-sided die five times, then take the numbers you roll and match them up to the Diceware word list, which contains 7,776 short words. This will give you a five-word passphrase that is hard for attackers to crack, but easy to remember.
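
The Diceware procedure above, as an added Python example that is not part of the original article: each group of five rolls selects one of the 6^5 = 7,776 list entries, so a five-word passphrase takes 25 rolls. The word list here is a constructed placeholder (`word0000` to `word7775`) keyed the same way as the dice rolls, and all function names are illustrative.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                 # five rolls of a six-sided die pick one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7,776 entries, one per possible roll sequence


def build_placeholder_list():
    """Constructed stand-in for the word list, keyed '11111' .. '66666'.
    A real list maps the same keys to short words."""
    keys = ("".join(p) for p in itertools.product("123456", repeat=DICE_PER_WORD))
    return {key: f"word{n:04d}" for n, key in enumerate(keys)}


def roll_die():
    """One fair roll drawn from the OS CSPRNG, standing in for a physical die."""
    return secrets.randbelow(6) + 1


def rolls_to_key(rolls):
    """Turn five rolls such as [1, 2, 3, 4, 5] into the lookup key '12345'."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    return "".join(str(r) for r in rolls)


def passphrase(wordlist, words=5, roll=roll_die):
    """Pick `words` entries, using five fresh rolls for each one."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("word list must have 7,776 entries")
    picked = []
    for _ in range(words):
        key = rolls_to_key([roll() for _ in range(DICE_PER_WORD)])
        picked.append(wordlist[key])
    return " ".join(picked)


def entropy_bits(words=5):
    """Guessing cost in bits when the attacker knows the list and the method."""
    return words * math.log2(LIST_SIZE)


if __name__ == "__main__":
    print(passphrase(build_placeholder_list()))
    print(f"{entropy_bits():.1f} bits for five words")
```

The strength comes only from the randomness of the rolls: about 12.9 bits per word, or roughly 64.6 bits for five words, even if the attacker has the full list.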

Re-published by F&O under Creative Commons licence

Further reading:
Privacy tools: how to safely browse the web, by Julia Angwin

 
