SMALL cyber tuesday

I stood high upon a mountaintop

Naked to the world

In front of

Every kind of girl


From Spill the Wine

Eric Burdon


My favorite Eric Burdon song is “The House of the Rising Sun,” done when The Animals were a leading part of the British Invasion  headlined by The Beatles, and featuring the Rolling Stones, the Dave Clark Five, the Kinks, and the Who, among other notable British bands.  When The Animals broke up, Burdon joined War, and Spill the Wine was their first big hit. While the song lacks the power and emotion of The House of the Rising Son, the lyrics offer vivid imagery.  Imagine standing high on a mountaintop, naked to the world. Now set your sites a little lower. You might not be on a mountaintop, but you could, increasingly, be naked to the world.

Sean Owen, director of data science at Cloudera, recently contributed a piece to CrunchNetwork that explores just how much we may be inadvertently revealing of ourselves as our personally identifiable information (PII) is accessed and used. Owen poses the question: “What sharing (of PII) is permitted and who decides where to draw the line on our behalf?”  He then points out “There is a new threat to our ability to control the answer to this question, with which data scientists must now also contend. Surprisingly, this emerging villain is also the hero of the big data age: machine learning.”

Machine learning gives computers the ability to learn without being specifically programmed. It uses algorithms to identify insights in data that is not readily apparent at first blush. It has enormous application to guiding decision-making in an age characterized by an exploding volume of data. However, every upside has a downside.

As Owen notes, even enterprises that carefully share PII may be sharing more than they realize. He cites, as an example, Netflix sharing its viewing data as part of a contest. Owen writes “The data contained no explicit personal information… However, it was quickly cross-referenced with other public data to reliably discover the identity of many people in the data set. Certainly, more was shared than was obvious to anyone, and, in this case, it resulted in a lawsuit.”

There are abundant examples of how intuitive the data mining process gets. A favorite, the story about how Target managed to break the news to a father that his teenaged daughter was pregnant by looking at her purchases. How does that happen? Writing in the New York Times magazine, Charles Duhigg reveals Target assigns a unique code named a “Guest ID” to customers to track everything they buy.  And then, “Also linked to your Guest ID is demographic information like your age, whether you are married and have kids, which part of town you live in, how long it takes you to drive to the store, your estimated salary, whether you’ve moved recently, what credit cards you carry in your wallet and what Web sites you visit. Target can buy data about your ethnicity, job history, the magazines you read, if you’ve ever declared bankruptcy or got divorced, the year you bought (or lost) your house, where you went to college, what kinds of topics you talk about online, whether you prefer certain brands of coffee, paper towels, cereal or applesauce, your political leanings, reading habits, charitable giving and the number of cars you own.”  Target’s research revealed the buying habits of women in their second trimester, and when the teenaged daughter met the profile Target sent her coupons for baby clothes and cribs. Surprise dad.

At the moment there is relatively little a consumer can do to affect the burgeoning PII exchange. But it is useful to a least be aware that it exists. The knowledge gives us a fig leaf of control.

By Tom Davis, SDI Cyber Risk Practice

May 17, 2016