Theory and Practice
added: 05.01.2014, by Mike Spinney
“In theory, theory and practice are the same. In practice, they are not.” – Albert Einstein
Spent yesterday afternoon on the campus of Worcester Polytechnic Institute. That’s not unusual for me since my daughter attends the school (you’ll indulge a proud dad, won’t you?) and I live close enough to visit often. But yesterday I was there to attend an IAPP KnowledgeNet meeting.
Besides affording me the chance to visit Woo Town and drop in on my daughter on a weekday (it’s finals time, though, so just briefly), there were some interesting items on the agenda. In particular, two members of the WPI faculty presented on privacy-related projects. Our faculty host, Prof. Craig Wills, has done groundbreaking research on how personal information is leaked to third parties while in the process of engaging web sites and social media (well before this was a major concern for most).
To open the afternoon, Prof. Craig Shue talked about research conducted on behalf of law enforcement that could help agencies geolocate cybercriminals within one hour without having to go through the time-consuming (up to a month or more) and notoriously unreliable process of obtaining a warrant and requesting user information from an ISP. Known as the Marco Polo Project, Dr. Shue’s efforts to date seem to show that the process, while itself imperfect, holds a great deal of promise.
Shue described (in simple terms, thankfully for my limited cognitive ability) how, when using a wireless router (as is often the case), a cybercriminal’s IP address can be pinged by packets of varying and unusual sizes and the responding transmissions can then be detected by a patrol car outfitted with a listening device. Through a process of triangulation, it is possible to home in on the offender. Shue said that, having proven the concept, the technology could be adapted for use by drones, which could more quickly and efficiently navigate and sniff out their target.
Prof. Wills went last and talked about some of his work in identifying the “longitudinal privacy footprint” of online properties and how—whether disclosed or not—data collection and “leakage” take place without an individual’s knowledge.
Both Shue and Wills seemed bemused at the questions, patiently explaining that their research is focused on understanding what’s possible and on actual behavior.
For me, it was more support for my position that the privacy profession needs to do a much better job at understanding and operating within the boundaries of actual consumer behavior rather than cling to the futile hope that they will pay attention to more rules and warnings and behave the way someone else thinks they should.