I attended a panel discussion yesterday on identity management and privacy. One of the pundits made the observation, in a rather ostentatious manner, that he had been asked for his address when he tried to buy windshield washer fluid at a store. “Kragen shall remain nameless…they had no business reason for this information,” he thundered.
Unfortunately, this is the kind of uninformed position that is all too common in information security. People get their shorts up in a bunch about privacy, which is all fine and good, but then they seem to think that everything must be an invasion of their personal rights even though they do not take even the most basic step to confirm/review the risks in their entirety.
Call it the uninformed consumer, if you will, but this guy had all the hallmarks of an American cultural tradition of shoot first, ask questions later. Not the sort of thing I would have expected from a panel at RSA. In fact, the presenter said he was forced to exit the store without his washer fluid — the business was plain wrong and they lost his business. Good for him, but did he try to find out why a business might be forced by the authorities to treat windshield washer fluid as a controlled substance (as opposed to just a random opportunity for marketing data)?
Anyone familiar with engine tuning or meth lab investigations knows the market dynamics of windshield washer fluid (about 30% methanol), not to mention the market for the bottles themselves. Moreover, anyone familiar with the properties of methanol knows the environmental and health impact of its widespread use for illegal purposes.
This raises the question of how effective the control might be (e.g. compared to removing the methanol from the fluid, since even in normal/legal use it’s a toxic substance that is being sprayed into the air and all over the roads that people live on). In this instance, though, I just wanted to point out that a store is unlikely to let its employees know why they have to ask for the address/information, while at the same time consumers might be happy to know that the police are trying to cut down on highly toxic uses of meth in their neighborhood.
This reminds me of Cory Doctorow’s explosive reaction to an American Airlines screener (for now I’ll skip the more well-known example of the hunt for WMD). Profiling is a critical component of our everyday lives and people need to learn to seek and sufficiently understand an “other” perspective before they rush into action and demand reform/justice. There are few things more counterproductive in security than reacting to the symptoms and causing widespread outages. In fact, if more people just did a little bit of “root cause” analysis, we might find a more informed and democratic path of resolution for real and present dangers to their livelihood. This would actually help law enforcement by taking the burden of ad hoc policy creation away so they can get back to their proper focus on enforcement.