I am Spartacus! (And You Can Be Too!) Ensuring Privacy through Obfuscation – Mike Kiser
The Third Servile War was over. The slave army has been defeated, and the survivors are offered a pardon by their Roman captors. The only requirement was that they identify Spartacus, their leader (Kirk Douglas). Rather than give away his identity, however, they all begin to yell out “I’m Spartacus!”—thus preserving his anonymity by overwhelming the Romans with possibilities. (Spoiler alert: they all die as a result.) What lesson can we learn from them about preserving privacy through obscurity? The right to be forgotten has been held as fundamental human right by various governments. The recent Facebook scandal and a series of large scale breaches has centered the discussion on the privacy implications of this right. Most people agree that the right to be forgotten should allow users to remove accounts and material that they have created in the past — but how easy is it to disappear from online social media and networks in an effort to preserve one’s privacy? To find out, I created a fake identity and gave it accounts across 24+ sites, including the “usual suspects” (gmail, twitter, facebook) and some not so “usual” (Ashley Madison and MySpace). The privacy agreements and the experience with these sites demonstrated how difficult deletion is for end users. Governments have not mandated these privacy protections for users systematically—and even if they had, enforcement would be problematic; there is little incentive for businesses to prune existing user data. Since users cannot rely on governments to ensure privacy, a different method of privacy assurance is proposed: privacy through obfuscation. Existing accounts and personal data may be protected through obfuscation techniques, common in other research such as location cloaking. An open-source proof-of-concept (“Spartacus as a Service”) is presented that allows for these techniques to be employed on several well-known online applications. This prototype seeks to ensure that privacy is maintained without relying on organizations removing all data from their systems—effectively yelling “I’m Spartacus!” on behalf of the user.
Mike Kiser is insecure. He has been this way since birth, despite playing a number of roles over the past 20 years—from the Office of the CTO to Security Strategist to Security Analyst to Security Architect—that might imply otherwise. In spite of this, he has designed, directed, and advised on large-scale security deployments for a global clientele. He is currently in a long-term relationship with fine haberdashery, is a chronic chronoptimist (look it up), and delights in needlessly convoluted verbiage. He has been a speaker on topics ranging from identity governance to security analytics, network security, and various related privacy issues, and is the co-host of a podcast illuminating all things identity. In a past life, he developed mathematical models to simulate collisions between galaxies.