AskTog: Interaction Design Solutions for the Real World
Interaction Design Section   Living Section   About Bruce Tognazzini
NN/g Home > AskTog > Columns > Security & Privacy Ask Tog, November, 1999

On Walls and Mouse Holes: Security and privacy

In the next decade, we could complete the transition from one person-one computer to the concept of a personal network, enabling people to tap into their personal cyberspace from any point on the globe.

The most fundamental requirement of such a personal network is that an individual be able to maintain the most private of information without worry. Before that can occur, we will have to build a multiplicity of new walls, as well as stuff closed the mouse hole permeating those few walls we have now. When this process is complete, we shall have achieved security. Privacy is another matter....


Start a conversation with a computer person about privacy and, within perhaps 30 seconds, you will discover that the subject has been subtly, but permanently, changed into a discussion of security. The problem is that privacy and security are not only quite different, they often appear almost unrelated.

The phone company has excellent security over landlines. Typically, the only effective way to listen in on such conversations is to tap directly into the line either at the subscriber's house or the central office switching equipment. Few Americans, as a result, have their phones tapped, and those that do invariably have someone really interested in what they are up to. Radio Shack scanners will not reveal landline phone calls.

Traditional phone service, therefore, is (relatively) secure, but is it private? A judge in the USA has recently ruled that phone companies have a First Amendment right to sell information about your private calls to whomever they wish.

This reveals the true benefit of security: With a secure system, you may rest assured that someone other than you, probably a well-established corporation, will be making a whole bunch of money off of your private information. No amateurs will be destroying your privacy for free.

Even though privacy may be the goal-a potentially elusive one at that-security is, nonetheless, an important prerequisite. Achieving security over a personal network that you may tap into anywhere in the world will require significant barriers.


For a personal network to reach acceptance, we will need more than a personal firewall. Rather, a whole series of secure, concentric walls must surround the user and his or her information.

The Castle Keep

The "castle keep" of medieval times was the private realm of castle owner and only the castle owner. This small tower in the center of the castle grounds formed the last bastion should the castle be overrun.

Each individual's private network should mimic the castle keep, offering refuge from all assaults by an increasingly dangerous and aggressive cyber world.

This is a particularly difficult wall to construct when supporting a personal network, for the owner must be given free and easy access to his or her personal cyberspace from an airplane seat, a cell phone, or a hotel room in Nairobi while, at the same time, every other human being and machine on the planet must be absolutely locked out.

We have systems that allow free and easy access; we have systems that provide high levels of security. To date, we don't have many systems that do both, unless you think typing in 30-character one-time passwords fits the definition of "free and easy access." Technologies in the form of cards or wristwatches or rings carrying one-time passwords, coupled with an easily-remembered personal code or fingerprint/voiceprint/retinaprint can and will be built. However, expect at least five to ten years for this to reach the masses.

(Macintosh System 9 software has some of this easy-access technology, including voiceprint recognition. Unfortunately, any idiot with a bootable CD can breach the resulting security in less than one minute.)

Beyond the Castle Keep

When people first think of a private network, personal cyberspace, whatever terminology they might want to use, they tend to think of only two spaces: the personal space and everything else. Such a construct, as in real life, would be far too limited. Instead, people need a growing series of walls that offer increasingly more restricted access to themselves and their spaces.

The Ramparts

The next wall surrounding the Castle Keep is the Ramparts, that outer defensive barrier (just before the crocodile-infested moat) shaping the extent of the castle grounds. A person's home is his or her castle, as the old saying goes nowadays; this wall defines the border of the space shared with close friends and family. Within this wall, the user may establish reasonably liberal connections between the user's private network and the private networks of intimates.

In my case, such a wall might be punctuated with gaping holes during the majority of the year. However, in October, the wall would close into an impenetrable barrier until Christmas morning, when the full extent of my botched attempts to buy Christmas gifts is again revealed and the returns begin.

This default separation of self from innermost circle is just as important in cyberspace as in "real life," if we expect people to embrace a personal network. Likewise, people should must be able to adjust the porousness of this wall without raising the ire of those being further restricted, something that will be a good trick.

The Town Wall

The area between the moat and the Town Wall offers a sharply limited connection between the individual's private network and trusted businesses, from employers to e-commerce outlets to healthcare resources.

Many people will elect to divide their town down the middle, separating work life from leisure life. Others may encourage both to flow together, viewing work and private life as a continuum, rather than as two distinct activities. What will be important is to offer people the ability and the tools to make these choices themselves, simply and fluidly.

Beyond the Town Wall

Finally, we have the connection between the private network and the "outside world." No one lacking specific permission to enter either town or castle property must be able to even begin to breach these walls. They might send entreaties, in the form of email messages (preferably not spam email messages), but they cannot get in. No way, no how.

As the next section will reveal, we have a long way to go in actually building such walls.


"Mouse holes" represent the breaches in our secure walls. Many holes are already in place today with many more awaiting new walls to puncture.

Today's Mouse Holes

Here are just a few recent ones:

Microsoft Word, until the latest releases, captured random blocks of text from user's RAM and encouraged its transmission to the world. Millions of people who have not updated their copies of Word continue to share, unaware, their innermost private thoughts with business associates, competitors, and employers.

Adobe products wander around home networks, entering our children's bedrooms, secretly pawing through their hard drives.

Browsers, upon every release, offer new inadvertent security holes that enable strangers to catalog and capture contents of users' hard disks, etc.

Data are left lying around all over the place in "recent files/documents" menus, etc. These subtle clues can enable the gifted snoop to reconstruct exactly what a user has been up to.

It turns out that Macintosh computers connected to cable modems can be accessed by any other Mac user in the neighborhood. Imagine waking one morning to find a 500 page print-out on your printer with a cover sheet that says, "Hey, Fred, mind dropping this off on your way to work? And, wow, how about those pictures you took of Joan! -Joe."


Such leaks could be amplified 1000-fold in tomorrow's personal networks. Imagine if anyone on the planet could use your printer and look at those "digital Polaroids" of your wife. DSL, with its lack of any semblance of firewall protection, offers that possibility.

One major privacy leak in a lifetime can destroy a person, but constant small leaks-the death of a thousand cuts-can do the job just as well, eroding users' trust in the system, leading to a new class of network-shy hermits.


A report from an Institute of Medicine committee identified 34 different groups that will either want or need to access your patient record. They ranged from physicians and nurses to chaplains, the patient's family, insurers, and such loosely defined individuals as "government policy makers" and lawyers. Only one person needs to take it upon themselves to share that information in order for it to propagate rapidly throughout the outside world.

Paradoxically, many people may not care. The USA has seen a severe erosion of privacy over the last fifty years with scarcely a murmur of protest except from those "crazies" who value privacy over commerce.

As one particularly astounding example of people offering up their most private information in a particularly self-destructive act, consider the "free" on-line Health Risk Assessments offered on the Internet by insurance companies today. Users are offering information on their driving habits, their smoking habits, and their use of legal and illegal drugs to the one group of people most likely to turn that information against them. Users seemingly don't mind: "It's fun!"

Brave New World vs. 1984

We all had to read "1984" in school, when it was Brave New World that was really apropos. In "1984," freedom had been stolen from the people by a tyrannical government; In Brave New Word, as in our world, the population welcomed the loss of privacy/freedom, all in the name of security. This trend shows no sign of letting up, even as communities prepare, with the financial aid of the federal government, to launch drone aircraft that can stay up for days at a time, armed with cameras capable of detail down to less than 1 centimeter, better than today's best military satellites.

Likely landscape of tomorrow's cyberspace

We can expect to see limited federal and state legislation on privacy, with emphasis on the privacy of healthcare information, rather than financial information, which is already well-established as "fair game." However, it is unclear at this writing exactly how secure medical information will be. For example, under current White House proposals, medical information absolutely, positively would not be handed over to the police unless, and I am not making this up, they requested it on official stationery. They may not need a warrant, but, by golly, they got to have a pretty letterhead.

At the same time, the White House does threaten to eliminate some of the more egregious practices of today, such as large corporations routinely screening new employees' health records, or drug prescription plans sharing with employees who among their ranks is HIV positive, etc.

We will see consumers connecting to trusted health resources: their own doctor or clinic, Dr. Koop, WebMD, etc. They will do so over highly secure networks, with published privacy policies.

Advertisers will make connections with potentially sensitive users indirectly, rather than directly. For example, should you join an asthma support group, you might "opt in" to receive advertising from pharmaceutical companies. However, your name would not then be peddled to the pharmaceutical company. Instead, they would supply your support group host with the ad, and the host would serve the ad to you, all without the drug company ever learning about you or your condition.

Depending on legislation, huge masses of both individual and aggregate information will likely become available, usable in both marketing and research. Like most aggregate information, clever individuals, through cross-comparison, will be able to derive significant personal information from it.

Consider this copy from a recent “ad” (spam) sent out to a few million USA householders:

Unlock incredible hidden secrets and more!
Investigate anyone and everyone from the privacy
of your own home. This program allows you to tap
into the very same information sources that are
used by Professional Private Investigators!
Track, Locate, or conduct a Complete
Background Check on ANYONE, at ANY TIME!
Quick, Easy, and Private.

Thank heavens it’s private. Wouldn’t want anyone spying on us while we’re spying on them.

Designers’ Responsibility

The solution to proliferating mouse holes is a "holistic" approach to privacy and security. Instead of companies employing a single security guy, typically a system-software programmer, everyone involved in software production and deployment should consider it an important part of their job to ensure that, at every turn, privacy and security are being enhanced, rather than degraded.

How can you enhance privacy without stifling innovation? After all, increased efficiency and productivity can only come at the expense of personal privacy and freedom. Not true: While this may have been a trend for the last 100 years or so, it is not some immutable rule. In fact, for every new approach that destroys privacy, you will usually be able to devise an alternative than will not only retain it, but enhance it.

Let us take a single example: the problem of increasing the availability of employees on the job. One of the earliest technologies to be deployed in this effort was a smart card that reported to a central computer several times a minute the current location of each and every employee, so that they could always be contacted.

It seemed only natural to make better use of this flood of data, so it was not long before bosses were receiving print-outs of how much time employees were spending at the water cooler, the lunch room, and even the bathroom. In the rush to pry, the original goal of the technology was all but forgotten.

Another technology offers the same ability to keep employees in contact, while at the same time actually enhancing the employee's privacy: Portable telephones. Whether they be cell phones, microcell phones, or local wireless phones, they offer the employee the ability to wander freely while still maintaining contact, and they do so without (necessarily) ratting out the employee's location. They thus enhance privacy, since before, should you ring the employee's phone in their office, you could ascertain whether he or she was in the office or not. With a portable phone, the caller has no idea where the employee is, while at the same time they can make easier contact with them than with the smart card approach.

For employers who judge their workers by how busy they look, such a scheme might well send chills down their back. For employers who, instead, judge employees by the quality of their results, such a system solves the employer's problem without shredding the last vestiges of the employee's privacy.

When faced with developing new solutions, look for the privacy-enhancing solution. It is there if you will only search. The privacy you save could be your own.


Institute of Medicine (U.S.) Committee on Improving the Patient Record. The Computer-based patient record: an essential technology for health care / Committee on Improving the Patient Record, Division of Health Care Services, Institute of Medicine; Richard S. Dick and Elaine B. Steen, editors. National Academy of Sciences, 1991

Don't miss the next action-packed column!
Receive a brief notice when new columns are posted by sending a blank email to

return to top

Contact Us:  Bruce Tognazzini
Copyright Bruce Tognazzini.  All Rights Reserved