Pogue’s Poor Position on Privacy
New York Times journalist David Pogue recently posted about a cool service which is giving away free international phone calls. He then got a fair amount of comments from folks worried that this service might be giving away the calls for a more nefarious purpose such as data mining. I love Pogue’s posts and articles in The Times but I think his response to these comments was a bit short-sighted. He gets some things right when he talks about the privacy we’ve already sacrificed in our daily lives, but he gets it wrong when he describes the value of, for example, listening in on phone calls:
All of the much smaller potential abuses make a whopping assumption: that somebody actually *cares a whit* about you and your mundane daily communications. Yes, of course someone at the phone company could look over your phone records and figure out whom you call. But who would ever be so bored, and–forgive me–what could ever be so boring?
True enough for mundane communications. However, what’s a mundane checking of your bank balance to you is instant identity theft for an adversary. If network security taught us anything it is that an attack which is trivial to manually execute is usually trivial to automate. Imagine someone selectively tapping calls only to a bank’s customer service phone number? How many account numbers, mother’s maiden names, birth dates, and–at least portions of–social security numbers could be harvested? If you went without any voice analysis at all and just listened for the touch-tones you’d already have a wealth of information. Think dsniff for telcos.
Pogue is right however with respect to this specific service. There is nothing new to worry about. We’ve had plenty to worry about all along. Whether that worry is “neurotic” as Pogue describes, I’ll leave to my readers. I’d use voice encryption if it was an option, but until it is I’m not changing the way I live my life.