TechCrunch Argues Location Tracking Harmless

I see the FUD (Fear, Uncertainty, Doubt) acronym thrown around a lot these days. If you disagree with someone you throw a FUD card at them, as if it is sufficient on its own to discredit an argument. TechCrunch gives a good example of this as they defend Apple.

They give their perspective on the controversy surrounding mobile location data and conclude there’s no need to worry just because Apple made three mistakes; the critics of Apple are accused of spreading FUD. What’s the opposite of FUD, rose-colored glasses?

It’s a long article but here’s the meat of it. The attack requires someone to already have access to your phone and that must mean they have access to all your other information. TechCrunch concludes that the failure to prevent access negates any further worry because you probably already are screwed.

Theoretically, someone could steal your phone, hack it, and get access to this data. This could potentially show them where you were up until the point they stole your phone. (Of course, given that they stole/found your phone, they would probably already know that.)

But wait. If they stole/found your phone, couldn’t they also have access to information like your address, the addresses of friends/family, all your phone numbers, perhaps some passwords, maybe monetary information? Yes, but that’s not as sexy of a story.

Here are four simple reasons why they are wrong:

1) Six months is a long time. TechCrunch says “given that they stole/found your phone, they would probably already know [where you were]”. Not so, not at all. As anyone who has worked in digital forensics knows, you can take data from a device without knowing anything about the individual who owns it. I have even engineered a distraction, then imaged a device, and left before the owner returned. It is easier today than ever with remote apps and hidden services. The controversy is not about the hours or even days of movement on a stolen phone — knowing where you are when your phone is stolen — it’s about the months and even years of movement as the lawsuit in Germany proved in 2009.

2) Asset value may be related to surveillance. Addresses and phone numbers are sensitive, but everyone knows they tend to be in the public domain (e.g. phone books) and are easily changed. While a list of your addresses and phone numbers (static data) may be worth protecting, it has a much lower surveillance value than a database that shows where you have been every minute of the day for the past six months (active log). You should be able to specify that sharing a phone number does not mean you also want to expose more valuable location data.

3) Opt-in rather than opt-out. You might be able to guess a little about someone from the records they keep for themselves, but a tracking system they do not know about is invaluable for investigators and surveillance. Someone may choose to only keep a few phone numbers, no addresses, no passwords…but how do they choose to reduce the amount of location data stored on their iPhone? Even more to the point, a user may select how long they want to store call and message records. They may have a habit of regularly deleting the records on their phone. But if they want to reduce the location data…?

4) *Someone* could hack your phone? No need to hack the phone with so many remote vectors open. What about someone who hacks third-party marketing firms or engineers an app to aid the theft of location data? Who trusts Apple to protect the information from exposure through non-hack channels, since they say in their TOS that they may share the information on a phone with whomever? They clearly leave the door open to the old infamous ChoicePoint attack vector.

Let me recap how that breach unfolded in 2004. An attacker used stolen identities to set up businesses that looked legitimate to ChoicePoint. The attacker then opened 50 ChoicePoint accounts over twelve months in order to avoid suspicion as they stole identity information. The District Attorney on the case told me that someone at ChoicePoint only grew suspicious when a Nigerian in Los Angeles named Olatunji Oluwatosin called and said he had a common American name but he could not pronounce it. He then was arrested with five phones and three credit cards that he had registered with stolen identity information. As an aside, Oluwatosin’s attack was not the first major breach of this kind. An almost identical one happened two years before, leading to nearly $1 million in fraud. The difference in 2004 was that it happened after the 2003 California breach notification law (SB1386).

I would wager that many inside ChoicePoint before 2004 had a big stack of FUD cards they would throw at anyone who dared to say information was at risk. After 2004, due to California law, they could no longer use a FUD card to avoid dealing with the security of information — too much was available to too many people without the consent of the owners.

I hope that helps clarify why the controversy surrounding the iPhone tracking data reveals something much more serious than just an Apple oops moment. If consumers have to use laws or an online fuss to affect the privacy settings in an Apple device, it means Apple’s privacy advocate and security team inside their organization lack the necessary influence to represent consumer concerns.

A privacy screw-up like this probably happens at Apple because no one was vested with the authority or presence to put their foot down and say “location info is too valuable to collect and store for a long time — we have no justification for the risk — no more than 7 days” or “users must have an opt-out”. Perhaps even that is being too kind. Maybe no one calculated the risk of collecting location data at all, which would be an even more disappointing possibility. Hopefully they are looking at the root cause for the failure and increasing the scrutiny of products before launch, but so far their public explanations have not been encouraging.

There are many issues in the TechCrunch analysis, and I could go on about how wrong they are (e.g. even anonymous data can be abused and needs privacy protection), but I want to end with a brief favorite. Compare and contrast these two statements:

I’ve been sitting on panels about location issues for a few years now. The discussion always falls to the same place: privacy and security.

[…]

Let’s be honest: no one is going to be talking about this issue in a few weeks.

It seems that they predict no one will talk about this location issue of privacy and security because the discussion always comes back to this location issue of…privacy and security. Got that?

NM Rep Falsifies Info in Fight Against Oil Regulation

A Representative for New Mexico, Republican Steve Pearce, says the oil industry is at risk of a shut down if forced to avoid killing a species of lizard.

Pearce has received over $1.2 million in campaign contributions from the industry he is trying to protect. He recently explained to a public gathering that protection of a nearly extinct lizard would interfere with the availability of funds for his next campaign, as well as possibly affect the economy of southeastern New Mexico and west Texas.

Pearce, focusing on the reptile this week in town meetings throughout his congressional district, said people would be put in peril if the federal government classifies the dunes sagebrush lizard as “endangered.”

“Most of the oil and gas jobs in southeast New Mexico are at risk,” he said. “In the ’70s, they listed the spotted owl as endangered and it killed the entire timber industry.”

I spot a problem. The spotted owl was not listed as an endangered species until 1990, as clearly stated in a US Fish and Wildlife Service record of review. Pearce is off by 20 years!

April 30, 1990. The status review team recommended that the northern spotted owl be listed as threatened throughout its range. This review resulted in the final listing on June 26, 1990.

Moreover, the timber industry actually saw profits boom in the 1990s, after the owl was listed as endangered.

Despite predictions of disaster for the industry after federal logging was reduced in Oregon to protect endangered species, profits of the 12 largest publicly traded forest products companies in the Northwest were up 43 percent in 1994 compared to 1993, the Oregonian reported.

So Pearce is spreading false information about the risks and the effects of regulation.

What he should explain is how his financial backers have enjoyed uncontrolled oil and gas drilling. They simply don’t like following the rules. Don’t make me bring up the BP disaster. Their disdain for the health of residents in Pearce’s district, combined with herbicide spraying by the ranching industry, has forced a rare lizard to the brink of extinction.

Saying that an oil company is at risk in this scenario is like saying the coal industry is at risk of failure if it has to protect its canaries in the mines.

The oil industry is very hardy and resilient. It not only can survive the protections required to save a desert lizard but it actually can generate jobs when required to find solutions to prevent and detect environmental damage (reducing overall cost burdens by removing the need for high-cost cleanup). Protection of the lizard should be thought of in terms of overall risk reduction to residents and as a potential test for creation of long-term employment opportunities.

CA to Consider Ban on Copper-based Anti-fouling Paint

Several European countries have banned copper-based paint and several more are monitoring it for toxicity. California’s Senate Committee on Environmental Quality will now consider whether to follow their lead when they hear SB 623 [Kehoe] on Monday, May 2.

SB 623 prohibits the use of copper-based anti-fouling paints on recreational boat hulls. The bill would impose a January 1, 2015 ban on the sale of new boats with copper-based paint, and a January 1, 2019 ban on the use or application of copper-based paint.

Proponents of the bill say the recreational industry hurts itself by relying on a toxicity model. Copper-based paint is considered effective because it kills marine life, which is not only harmful in an obvious way but it encourages resistant strains of fouling that can further degrade marine life. They propose the industry switch to a non-toxic model. The money spent could stimulate innovation in technology and therefore significantly reduce long-term costs to boat owners by preserving the health of marine life for the recreational water industry.

Opponents of the bill argue that they are unable to find alternatives as inexpensive, effective and convenient as the toxic paint they are familiar with. These same opponents do not offer to bear the cost of the cleanup from toxic paints, so from the start they do not offer a balanced view of total expenses. The toxic paints are thus considered by them as inexpensive and convenient because they do not account for cleanup costs — testing, monitoring and preserving marine health.

The University of California Cooperative Extension Coastal Resources offered the following documentary in 2003 with an overview of the issues including the numerous non-toxic alternatives that have been available for more than five years:

[Video: Time For A Change (English / Español)]

As I wrote in 2007, nature already has many examples of innovation around anti-fouling in the water. Dolphin-skin paint was introduced to the International A-Class Catamaran fleet, for example. This bill offers an interesting look at the reasons to move away from primitive toxicity as a control/countermeasure and towards a more holistic risk management model.

Illinois Court Reinstates Suit Against Persistent Social Engineer

The Chicago Tribune reports that a plaintiff named Bonhomme alleges she has been the victim of an elaborate hoax run by a woman in the suburbs of Chicago who pretended to be a man.

James, his young son and about 20 other friends and family members Bonhomme had been communicating with for months were characters allegedly created by a woman in Chicago’s west suburbs.

The depth of the alleged deception stunned Bonhomme. Janna St. James, who lives in Batavia, had allegedly used a voice-altering device to pose as Jesse James on the phone, coordinated numerous storylines with her characters that advanced in emails and instant messages, and sent and received mail — including children’s drawings — from all over the world.

The attacker courted the victim online for years. The victim has filed suit for damages and apparently also hopes to force the attacker to explain her motivations for social engineering.

At first the suit was dismissed, but an appeal has been successful; this could set a precedent for those who falsely present their identity in the context of social engineering. The court ruled that the persistence of the attack helped justify allowing a claim normally used for businesses: fraudulent misrepresentation.

Hoping to find some answers, Bonhomme filed a lawsuit that was eventually moved to Kane County, where in December 2009 a judge dismissed her complaint. But last month, a divided Illinois appeals court reinstated the case, rejecting St. James’ argument that she was creating fiction and therefore wasn’t liable.

“The concepts of falsity and material fact do not apply in the context of fiction,” her attorney had written, “because fiction does not purport to represent reality.”

The court allowed Bonhomme’s fraudulent misrepresentation claim, which typically applies only in a business situation, to move forward, in part due to St. James’ “almost-two-year masquerade of false statements.”