Workshop on Economics and Information Security — WEIS 2009
by Iain Parris
Last week, I attended the eighth Workshop on Economics and Information Security — WEIS 2009 — hosted this year by UCL. From the PVNets project, Angela Sasse (UCL) co-chaired the conference; Sacha Brostoff and Miguel Malheiros (UCL) volunteered their time to help “on the floor”; and Dave Houghton (Bath) was attending as a delegate alongside me. A large amount was covered in only two days: 22 new papers presented, as well as four keynote speeches. Ross Anderson from the University of Cambridge has liveblogged the whole event. Papers were presented ranging from theorising a lemon market to explain apparently-nonsensical transactions in the underground stolen credit card details market, to the description of the “tragedy of the commons” in internet multi-homing; from delving through the privacy jungle of social networks to a novel economic model of how security under-investment may often be rational. Unfortunately, two of the papers that I found most interesting are currently “under embargo”, but should be fully public soon. The general theme of WEIS is well-expressed by Schneier (a keynote speaker of this year’s WEIS) in a blog post from 2006:
[WEIS is] the only workshop where technologists get together with economists and lawyers and try to understand the problems of computer security. And economics has a lot to teach computer security. We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: The people who could protect a system are not the ones who suffer the costs of failure. … [In numerous real-world examples] the economic considerations of security are more important than the technical considerations.
As a privacy researcher particularly interested in both people’s perceptions of privacy and in social networking sites, perhaps the most interesting theory to me was presented by Joseph Bonneau and Sören Preibusch (Cambridge) in their paper The Privacy Jungle: On the Market for Data Protection in Social Networks. Bonneau and Preibusch evaluated 45 large social network sites (over 1M users each) for privacy, and from this formed a counter-intuitive theory: a rational approach for a social network operator is to “be good” when it comes to privacy, but not to flaunt this information. For instance, going to the trouble of obtaining privacy verification — which costs significant time and money in itself — but then hiding this away only for those who seek it out, rather than putting it up in lights on their front page. Making privacy salient, they suggest, will scare the pragmatic privacy majority off. But actually being good about privacy will keep (some) bad press at bay, and appease the privacy fundamentalists. The authors term this a privacy communication game. From the abstract:
Our empirical findings motivate us to introduce the novel model of a privacy communication game, where the economically rational choice for a site operator is to make privacy control available to evade criticism from privacy fundamentalists, while hiding the privacy control interface and privacy policy to maximise sign-up numbers and encourage data sharing from the pragmatic majority of users.
In questions, Rainer Boehme asked whether the survey would be repeated later, to observe changes. The answer was that they hope to repeat it in a year, and perhaps again after that. I will be keeping an eye out for such a follow-up paper. For an overview of the whole of WEIS 2009, Ross Anderson’s liveblog is the best summary available. I hope to be able to attend WEIS again in future years.