Return to perspective: The iPhone, privacy and parenting

A reflection on a fiery response to my 4th of July posting about the dangers of defaulting one's way through the iPhone activation process.

Michael Tiemann
Michael Tiemann is president of the Open Source Initiative and vice president of open source affairs at Red Hat. Disclosure.
Michael Tiemann
7 min read

Wow! I come back home after attending some 4th of July parties in Chapel Hill, and I find there are more flames on my recent blog posting than in any fireworks show I've seen. How did this happen? And what does it mean? And what am I going to do about it?

How did this happen?

The answer is pretty simple. I wrote a long and convoluted blog posting about identity theft, its epidemic proportions, and the challenges of raising children in such a hostile environment. I then explained how the unthinking act of supplying one's Social Security number (SSN) to any agency not directly connected with Social Security is a violation of the original design of the SSN, a violation of instructions printed on the card (until 1972), a violation of consumer protection and privacy laws passed as recently as 1974, a violation of expert testimony presented to Congress in 1992, 2000, and as recently as last month. Based on these facts, I argued that the reason identity theft is epidemic in this country is precisely because people have either ignored these facts or have been simply unaware of them. I then finished with a twist, noting that the iPhone activation procedure asks customers to do precisely what the security experts agree you should never do, which is to supply a Social Security number as personal identification information. And if you have been following the blog, you know that my wife Amy is going to be getting an iPhone, so I was using the blog to share with her (and all the other parents reading along) some friendly family advice informed from my 20+ years as a computer scientist.

Well, when she picked her jaw back up, she said "You buried the lead!" I turned my article upside down, putting the most important stuff up front; CNET then (re)published the blog in their big news section, and the fireworks began!

That is how it happened.

What does it mean?

One day after the blog went live, it received over 90 comments, most of them berating my intelligence, integrity, and fitness as a journalist (which, as a blogger, I do not claim to be). Many of them contradicted facts of my own personal experience by saying that "the author has obviously never activated a cell phone before" (which is not true--I have done so many times, as recently as last year). Many more argued that my post was idiotic because "it is standard operating procedure to demand SSNs to pass a credit check." It may be true that it is standard operating procedure, but (1) that doesn't make it sensible operating procedure, and (2) that doesn't make me an idiot for pointing out the dangers of following a broken procedure.

And to prove I'm not the only guy who thinks this is wrong, consider this video of CNET's own Rich DeMuro, where, at time marker 1:05, his generally upbeat demeanor turns a bit uncomfortable as he admits that giving one's SSN is "a little weird for some people." Alas, by 1:25, he has acquiesced to "standard operating procedure," but I do give him some credit for at least acknowledging something is wrong with this picture, even if he does not see fit to explore alternatives. Other bloggers are also hip:

After a day's reflection I realized I could have made an even stronger argument by comparing the U.S. incident rate of identity theft with the rate of another large, technology-rich economy that actually respects and protects personal privacy. The European community does this by forbidding companies to collect and/or or retain personal information. The differences in approach reveal a significant difference in outcomes: the U.S.:EU identity theft rate is 20:1. Would that number have changed people's responses? I don't know, but I am inclined to think not, since they seemed unwilling to accept virtually all other facts I presented.

But I'm not writing to ask for your sympathy, I am writing to fit the motto of the (parent.thesis) blog, which is:

"We aren't raising our children for the world we live in, we're raising them for the world they'll live in."

What the numbers show today (both the explosive growth of identity theft and the explosive comments against any information explaining why it is such a problem in the U.S.) is that the trends of the world in which we live today define a world of the future in which I cannot imagine living. The movie Brazil creates a fairly vivid picture of what life is like when one's credit score is more important than anything else, a world in which identity is more a function of computers and corruption than authentic action and personal relationships. As a very, very dark comedy, I loved the movie. As a world in which to live, it would be a total nightmare. I'm writing in the hopes that as parents we can look at the ways in which technology trends affect the status quo and say "yep--that's good enough for my daughter," or "nope, that's not going to stand for my son."

A number of people took me to task for picking on Apple for something that is industry standard (demanding somebody's SSN to perform a credit check). I can assure you that had Amy seen a phone she liked better than the iPhone, and had that phone required a SSN for activation, I'd have written about that instead. But the more I got thinking about the question "Why pick on Apple?" the more clear the answer became.

I left Silicon Valley for North Carolina just as Apple launched its new Think Different campaign. It was an impressive campaign, and it spoke to the aspirations of a company in the middle of a much-needed renaissance. I believe that the campaign worked, in that people at Apple started thinking differently. They created the iPod, a device that was different in small but important ways, and which revolutionized both the music industry and the consumer's experience of music. They were thinking differently when they decided to sell single songs for 99 cents, an idea that the music industry rejected outright at first. But Apple prevailed, and as far as I can tell, it's been a huge success (though not with me--I rip my own CDs for higher quality on playback). They were thinking differently when they proclaimed that DRM was hurting sales, and the numbers again suggest that Apple was right and that the RIAA was dead wrong about what protects music best. So I now expect Apple to innovate, not just in electronics, but in business models as well.

With that perspective, does Apple need to propagate (perpetrate) a continued abuse of personal privacy just to do business with AT&T? The typical wireless carrier offers customers a $200 cell phone for $10 in order to lock them into a two-year contract. In that scenario, a credit check is essential because the carrier is extending $200 of credit for a $10 down payment! Another way to look at it is a customer:carrier risk is 10:200, or 1:20. The iPhone costs $600 to the consumer, and without a wireless carrier, they get little more than a WiFi-enabled iPod--not exactly worth the $600 price. Thus, the iPhone customer is 60 times more committed to his or her phone than the budget cell phone client, or in customer:carrier risk ratios, it's the customer who's carrying the 3:1 ratio. If Apple were thinking, they'd have convinced AT&T that the iPhone itself is the credit check. The same Apple that could see the stupidity of DRM on music tracks cannot see the recklessness of exposing their customers to a bogus and superfluous credit check process. So, upon reflection, I think that Apple did fail that aspect of the iPhone. And I am astounded that so many people flamed me for talking about information security in a technology blog. Information security is a technology-related subject!

What am I going to do about it?

I do see it as my responsibility, as a parent and as a blogger, to identify technology trends, good and bad, and to educate both my family and my readers as to what I see. I see my writing as generational, meaning that I cover topics that are relevant today, but have implications 20 years into the future. I don't believe we do our children any favors by limiting our frame of reference to a 90-day product refresh cycle, nor do we empower them by living the assumption that neither we, nor they, can change the world. And maybe Apple will change its activation procedure to one that is more customer-friendly and privacy-conscious. Stranger things have happened.

My next post will be an optimistic one, not that this one isn't--it reflects a deep optimism, and a sunny one too. Stay tuned...