Vie Privée, Internet Et Peur du Loup!

Comme une trainée de poudre, la semaine passée, s’est propagée l’idée qu’Internet est un monde dangereux où il ne fait pas bon mettre une souris dehors. Partout, une information, assez nébuleuse, s’est dissiminée faisant état d’études décrivant l’horreur du décor: La Presse, La Gazette, Globe and Mail, Toronto Star, CTV, juste pour identifier les coupures que j’ai eu l’occasion de lire.

Michel Leblanc, un de mes anciens étudiants, mais je pense qu’il est plus juste de l’identifier comme un des gourous de la blogosphère québécoise, a eut un coup de sang pour ce qu’il considère comme un mythe; plus posément, il explique (sur Canal Argent) que ce n’est sans doute pas plus dangereux que le monde réel.

Mais ce texte dont tout le monde parle, sans citer, quel est-il? Après quelques recherches, (notamment sur le site de Michael Geist), j’ai l’impression qu’il s’agit plutôt de deux textes: l’un, selon le papier de La Presse, viendrait d’Industrie Canada (obtenu par ledit journal grâce à la Loi sur l’accès à l’information); l’autre, drôle de hasard, est sorti avant-hier et s’intitule «7 Laws of Identity – The Case for Privacy-Embedded Laws of Identity in the Digital Age», signé par Ann Cavoukian, commissaire au Information and Privacy Commissioner of Ontario.

Relativement à ce dernier document, la dangerosité est affirmée mais aucunement démontrée. 2 paragraphes, sur 24 pages, sont utilisés pour décrire cet état de fait:

«But as the value of what people do online has increased, the Internet itself has become more complex, vulnerable, and dangerous. Online identity theft, fraud, and privacy concerns are on the rise, stemming from increasingly sophisticated practices such as “phishing,” “spear-phishing,” and pharming. Keeping track of multiple accounts, passwords and authentication methods is difficult and frustrating for users. “Password fatigue” results in insecure practices such as re-using the same account names and passwords at many sites.»

Plus loin on peut lire:

«The consequences of these problems are severe and growing. The number of “phishing” attacks and sites has skyrocketed. There are reports that online banking activity is declining. Recent regulatory guidance on authentication in online banking reports that “Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation.” (référant ici au Federal Financial Institutions Examination Council, Authentication in an Internet Banking Environment, October 2005) Consumer trust of the Internet is low and ever-dropping (référant cette fois au National Consumers League, A Call for Action: Report from the NCL Anti-Phishing Retreat, March 2006) Clearly, the status quo is no longer a viable option.»

Deux documents américains donc, dont l’existence d’études chiffrées sur l’ampleur du phénomène de l’hameçonnage semble encore une fois absente. Peut être plus surprenant encore, la présence d’une étude de Microsoft dans le rapport du NCL (page 43) où l’on explique à l’annexe 4 «Internet Fraud “Battlefield” – The Big Picture» que «the potential harms are serious and range from bank fraud to cyberterrorism».

Microsoft: le mot est lancé. La connexion semble très marquée avec l’organisme gouvernemental et cela dérange manifestement certains commentateurs. Michael, toujours à la fin pointe de l’information, est de ceux-là et son propos est sans équivoque:

«More troubling is the close connection with Microsoft as the release and accompanying press coverage at times feels like an infomercial for the software giant. The Ontario Privacy Commissioner’s Office has worked with Microsoft in the past, however, this intiative goes to great lengths to extoll not only the Seven Laws, but also the company itself. The White Paper devotes nearly three pages to Microsoft’s much-criticized Passport program and its CardSpace identity management feature that will be included in Vista, its forthcoming operating system upgrade.

The Office’s seemingly unqualified embrace of Microsoft strikes me as a mistake for several reasons. First, there are other companies developing similar solutions and they should be granted equal airtime. Second, the CardSpace feature includes a significant DRM component. When combined with the Vista licensing terms that prohibit circumvention, users are entrusting both their privacy and total computer experience to Microsoft (see Wendy Seltzer’s review of the implications of the Vista terms and how that trust is being repaid). Third, while it is good to see privacy commissioner offices in Canada working with the business community, they must take care to maintain sufficient distance to be advocates for privacy, not for particular companies and their products. There is a fine line between co-operating and becoming co-opted and there is reason to believe that this initiative falls on the wrong side of the line.»

Même si je ne suis pas un fanatique de la «neutralité technologique», ce choix délibéré pour UNE technologie en particulier provenant d’UNE seule compagnie semble effectivement troublant. À la première ligne du document, il est donc annoncé «This paper recognizes and is inspired by the “7 Laws of Identity” formulated on an open blog by a global community of experts through the leadership of Kim Cameron, Chief Identity Architect at Microsoft.» Outre le doute que l’on peut avoir sur le plan méthodologique, l’a priori positif donné à l’entreprise est effectivement non équivoque.

Quant au contenu, les 7 «Lois», quelques (trop) brefs commentaires (J’y reviendrai lorsque j’aurai le temps de plus approfondir).

1) Personal control and consent

Consentement (ou liberté): que de crimes commis en ton nom!

2) Minimal disclosure for limited use: data minimization

Pas mal!

3) Justifiable parties: “need to know” access

Vraiment bien. Face à la difficulté de savoir réellement qui dispose des informations personnelles, on semble privilégier ici une plus grande transparence des utilisations par les personnes (commerçants) qui en ont besoin.

4) Directed identity: Protection and accountability

RAS.

5) Pluralism of operators and technologies: minimize surveillance

Comme pour le point 3, c’est un peu le constat que la surveillance est une fausse sécurité dans un contexte électronique, ouvert de surcroît.

6) The human face: Understanding is key

Super, sauf que j’ai bien peur que l’on reproduise les pratiques rédactionnelles habituelles avec des contrats illisibles et infinis faisant de ce souhait un voeux pieux.

7) Consistent experience across contexts: Enhanced user empowerment and control

Nul peut être contre la vertu! mais a priori, beaucoup de doute sur la capacité ou plutôt l’intérêt d’un consommateur à monitorer ainsi ses données.

Enfin, il me semble que si des solutions doivent être trouvées, elles ne sont assurément pas 1)} uniques et 2) uniquement technologiques.

Sur la multiplicité des voies possibles, il y a notamment l’information des consommateurs. Le rapport du NCL précité (voir l’annexe 1) semble d’ailleurs le mettre en première position. Et puis, pourquoi avoir laissé tombé les recommandations proposées par Industrie Canada en juin 2005 (sous un ancien gouvernement) «Working Together to Prevent Identity Theft», où l’on demandait notamment de s’assurer que les banques et autres organismes détenteurs de renseignements personnels sensibles soient plus transparents quant à leurs mesures de sécurité.

Sur le fait que la sécurité n’est pas principalement technologique (mais davantage organisationnelle et éventuellement juridique), ce n’est pas de moi, mais de Bruce Schneier dans, notamment, «Secret and Lies» qui a prétendu:

«If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology»

Je ne remets pas en cause l’existence de dangers: mais attention aux «vendeurs de peurs».

Comments

  1. Vincent,

    I urge you to read my description of what this about at:
    http://www.identityblog.com/?page_id=354

    I appreciate you tackling these problems in such depth. But I urge you to think a bit more deeply about what I’m proposing. Establishing the principle that there must be pluralism, and that the user needs to be in control, and understand what is happening with respect to their identity and information, are really key.

    Please spend some time contemplating some of the alternate futures, and who might support them.

    Go through my web site over the last couple of years as a body of work and I hope I can garner your support.

    Best regards,

    Kim Cameron
    Architect of Identity
    Microsoft

  2. Thanks Kim for your answer; it’s always a pleasure to generate interaction with a post, particularly when the answer come from the person directly in charge with the project.

    I of course read The 7 laws paper before writing my post and the notion of pluralism you mentioned in your answer is not particularly obvious to identify in it. The principle 5 needs (for an external person as me) some precision and the fact that MSFT seems to be the only company involved in this project is quite dubious.

    Concerning the 7 laws, I gave very quick comment on each of them in my post. To make a link with your comment, it’s not because consent of people is required that their rights and consideration would be safe. In fact, usual will (contract) is very often a poor solution considering the length of clauses, lack of plain english, illegibility, etc. (see The Colour of eConsent)

    At least, I’m always surprise by the fact that a serious study as this one is not based on solid statistics on identity theft and others pleas. I’m interested by cyberspace for 15 years now and we had several opportunities to appreciate “fake fears” (EDI or Die, Y2K, etc.) and “fake hopes” (B2B in 2001). So, sorry for suspicion.

    The good news is I’m pretty sure we want the same thing: more security and more trust in eBusiness (even if I’m not the sure lack of trust is so obvious: ecompanies never do so much business). But the solutions I mentioned are not the same: «Working Together to Prevent Identity Theft», proposed several of them; education is an other too. With respect, both of them seem to me more urgent as an universal technical tool you propose. One more time, it’s a external perspective on a pending project and I hope to be wrong.

    Thanks again Kim for your comments.

    Vincent Gautrais.
    http://www.gautrais.com
    http://www.gautrais.com

  3. Kim,
    I have to say, notwithstanding the excellent job you have done, I share VG’s comments. I would add that we are in an age where the security paranoia seems to be a reason for numerous infrigements on fundamental rights and an ever better reason, for some peoples/corporations to make a bucks.