June 2009 Transcript: Daniel Downs

AJ: Welcome back to First Monday Podcast, I'm AJ Hannah.

Joy: And I'm Joy Austria. That was Daniel Downs, lead author of Internet Security: Who is leaving the 'virtual door' open and why?.

AJ: Joy, you've got a Macintosh, right?

Joy: Yes, I do.

AJ: And I'm a PC fan.

Joy: Yes, you are.

AJ: But Macintosh has been known for not having a lot of problems with Internet security.

Joy: Because the thought was most viruses were geared toward PCs and apparently that's not true any more.

AJ: Yeah, so what are you going to do about it? Who ya gonna call?

Joy: [laughs] That's a good question because I have no security on my computer, on my Mac, and it's starting to dawn on me that maybe I should (1).

AJ: Well I wouldn't worry about it because Internet crime happens to other people, right?

Joy: That's what most people think...but

AJ: But when we talked with Daniel Downs we found out that it seems like a lot of people don't know about protecting themselves from cyber crime.

Joy: Actually the results of his study are pretty surprising and it's not what you would think, so Daniel was kind enough to take some time out of his schedule to talk about his article with us.

AJ: Daniel, thanks for joining us.

Daniel: Sure, thank you for inviting me on.

AJ: Why don't you tell us a little about yourself.

Daniel: I am currently a doctoral student in criminology at the University of Illinois Chicago and I am finishing up my dissertation currently. I am also working as a teaching assistant and I've also taught stats and research methods in the past, but right now I'm just trying to focus most of my time just trying to get done.

Joy: What made you want to do this study?

Daniel: The computer and Internet changed the way we shop, bank, learn. And what people need to realize that with this new technology brings new crimes. So, with that said, last year Symantec Internet Security, they estimated over a million viruses, forms, trojans, malicious code on the Internet and that's up over 570% in just two years. So it's becoming a big deal and a lot of people aren't aware of the threats that, on the Internet, when they're on the Internet. And also, another really big thing are these Botnets, which Symantec also thinks that there's over four and a half million Botnet computers. Before computers used to crash and people would know something is wrong with their computer, now computers just get taken over and no one has any idea, so that's even a little bit more alarming.

But that said, previous research is limited in that they don't provide much information about who's knowledgeable about Internet security and why people choose to use prevention and detection tools. So the important question is how well do users really understand Internet security? This is the basic premise and purpose of this study. It's to advance the literature by examining knowledge about Internet security and utilization of prevention and detection tools. Our second purpose was to test the relationship between Internet security knowledge, and practice, and individual demographic factors, community composition characteristics, and factors found from three different theories.

Joy: Tell us a little more about your methodology.

Daniel: Okay so for the methodology of this study we used seven waves of web-based surveys and this was conducted between January of 2005 and November of 2005 and this was in Chicago. The way we selected respondents, where we used a complex sampling design. This involved first sampling Chicago police beats and then randomly sampling residents within each of those selected beats. And the sample, because it was web-based, obviously they had to have Internet access. The sample was limited to Chicago residents and you had to be over seventeen to partake in this study.

Now, with that said, there's a few limitations. First, the generalizability of the results are limited, because the research was conducted in one city and was based on responses from relatively, a relatively affluent sample, so it may not generalize as well. Second, all of the data are based on self reports and when we're talking about self reports they suffer from basically all the issues related to self reports - over and under reporting of Internet security knowledge and behavior. One last issue with the study and another limitation is we did not ask if they had actually been victims of cyber crime, which is obviously an important question, something for future research.

AJ: So you started off by quoting some numbers from Symantec, which is a company that is one of major providers of Internet security software. Do you feel that it's possibly a conflict of interest there, by using their numbers in your study? I mean can you trust it as a source?

Daniel: That's a good point. Yeah, that's true, they do have a conflict of interest and they're probably targeting those people or creating fear so that people are purchasing their technology and their software. I, I don't know if, how, how valid the source is, but I would, I would imagine based on some of the other research that I've seen and the amount of money that people used based on identity theft and fraud that there is a lot of malicious code and malicious programs on the Internet.

AJ: Okay, because I had compared it some of your other sources where there were joint studies. So I'm not questioning you, I'm just saying for our listeners out there that to kind of recognize that those numbers may be a little suspect.

Daniel: Yeah, they could be fabricated, I would definitely recommend doing some research to determine what other companies are saying. However, the important thing is that people are knowledgeable about Internet security and that they're using it.

Joy: Okay, well then based on your results describe for me the type of person who is knowledgeable about Internet security.

Daniel: Males, compared to females, they reported more knowledge about Internet security. They updated their anti-virus software more frequently and they were more likely to use a pop-up blocker. Based on ethnicity there were fewer racial differences than we had first expected. Compared to whites, African-Americans updated their anti-virus less frequently. However, there were no other differences between whites and African-Americans in terms of their security knowledge and their use of Internet security, like pop-up blockers, parental controls, so, that's a really interesting finding. However, compared to whites, Latinos were less knowledgeable in general about Internet security.

Based on community, poorer communities updated their anti-virus less frequently and older participants were less knowledgeable and less likely to use a pop-up blocker compared to younger participants. So that's pretty consistent with structural [social] inequality (2). We also based another part of the study on this idea of diffusion of innovations. What we found was that more Internet usage at home was associated with more knowledge, updating anti-virus protection software more frequently, and being more likely to use a pop-up blocker. And lastly people who had positive views about Internet security, or more positive views about information technology, so this is the utopian view, they reported more Internet security knowledge versus those people who had more dystopian views and they reported less Internet security knowledge.

Joy: Let's say that Mayor Daley appoints you as the Head of the Chicago Internet Security Task Force, what kind of policies or programs would you develop using the results of your study and what you know about this subject?

Daniel: Okay, good question. First and foremost raising people's awareness is important. Some type of an extensive awareness program, educational programs would be important especially targeting those groups that may be more vulnerable to cyber crime. Definitely developing a long-term strategy to address cyber security. Another important thing would be to develop some type of software solution that could be effectively deployed across multiple platforms both for business and personal. Another important thing would be making it easier for people to report cyber crime, so develop some type of web-based reporting system for cyber crime. Another thing that would be important is to increase the skills of people who work in the criminal justice system to catch and prosecute cyber criminals. That seems to be an area that definitely needs to be increased and worked on. New PCs could also be sold with security software installed, which this would help a lot of people as well as insure that Internet providers supply free Internet security. This may also help a lot of people that are vulnerable to cyber crime.

Joy: Okay, those all sound great but you know with government funding being stretched thin and government officials not wanting to incite public outrage at wasteful spending, what arguments would you give to persuade the American public that we need to provide government funds and dollars to create these sorts of programs, to improve citizen knowledge about Internet security?

Daniel: Right. The growing cyber crime threats are one of the single biggest things to affect our economy and in the long-term could be our physical security as well, so what we need to do is properly address it.

A few things the government could do in regards to Internet security is try and regulate the way banks and businesses protect their customers. I know there's a few things that groups are advocating for and they're talking about doing. One is developing a new modern identity management system that replaces the old social security system, which when it was originally created it was never intended for this broad usage. So when someone gets a hold of your social security number they can steal your identity, so they're trying to work on a way to develop a new system. Also, I know that they're trying to track ISPs and they're trying to recognize which ones are sending out spam and which ones are botnet computers sending out worms and they're trying to find a way that they can remove their access or just immunize them.

So I know these are new things they're working on but let me just talk a little bit about the money people are spending on identity theft and why it would be important for the government to start funding some of this education as well as some policies. In 2007 consumers lost about $240 million to Internet related fraud and identity theft and businesses in 2005 spent over $67 billion dealing with identity theft, malicious code, malware which includes viruses, worms, Trojans, rootkits, you know all these things so we're spending a lot of money. If the government could spend just a portion of that, we could all probably save a lot of money.

AJ: Okay, you talked about tracking ISPs to go after people who are using the net for spamming or other illegal activities, but don't they run the risk of stomping over people's privacy in the process of protecting them?

Daniel: Right, that's a good question because when the government's involved then you're faced with the idea of government snooping and looking at what you're doing and Big Brother.

AJ: So what would you recommend to help balance privacy with the need for increased security?

Daniel: So, one of the things that could be done is, the criminal justice system needs to find a way to criminalize the e-criminals. What the government can do to help protect is try and regulate the way people are losing their money through identity theft so regulate banks and regulate businesses like I had said might be a good thing as well as maybe mandating Internet security through Internet providers which may keep people safe.

AJ: Dan, can you talk about the relationship between Internet security and the digital divide?

Daniel: A lot of people have talked about this idea of the digital divide and one of the main reasons why this study was conducted is because what we're interested in, is because the digital divide is shrinking that that's no longer really a big issue, but the issue is a knowledge divide now. So, now that people have access and access is easier and it's cheaper, people are now on the Internet, but the divide now still follows those same structural inequalities but it's now with knowledge. So that's the basic idea of those people that are vulnerable, they have access they're just not gaining the knowledge to protect themselves.

You know one other thing is the idea of Internet security knowledge is important but what we found is getting them [people] to actually behave, getting them to actually use it, that might be a whole nother thing. So you make them knowledgeable but now you have to teach them how to use it and so that's another thing that, another policy implication is that you just can't make them knowledgeable you actually have to show them what to do and how to use it to protect themselves.

AJ: After talking with Daniel about Internet security, do you have any better on how to protect your Macintosh?

Joy: Well I definitely know the reasons why I should protect my Macintosh, but I'm still a little unclear about what I should do, what software I should get.

AJ: It's not as straightforward with a Macintosh as it is for a PC but a quick Internet search brings up several sites containing more in-depth information about the basics of Internet security for the average user or the beginning user or even for the experienced user. OnGuard Online, available at www [dot] onguardonline [dot] gov, is a great starter resource with definitions and how-to's covering basic computer security, email scams, identity theft, malware, online shopping, phishing, spyware, and wireless security.

Joy: And as always, Wikipedia has good background information and links to extra resources listed in their entry for Internet security (3). So thanks AJ for looking all that up.

Joy: And up next is Jennifer Kelley with another Podcast Review.

Jennifer: Welcome to First Monday Podcast Review, this is Jennifer Kelley.

Technology conferences, lectures, and presentations are premiere venues for professional development. You have the opportunity to hear experts and researchers, to learn about new and emerging technology, sit in on important, potentially world-changing discussions. Yet attendance has its literal and figurative costs. In addition to travel and registration expenses conference halls and meeting rooms can be crowded and under-ventilated forcing you to sit shoulder to shoulder with live-blogging strangers jostling each other for that one electrical outlet in the room. So if you could stay home and listen to these presentations from the comfort of your own home for free, you probably would.

IT Conversations, which bills itself as the "longest running podcast on the planet", brings you keynote speeches, conference presentations, discussions and debates without the hassle of actual conference attendance.

The conference itself is made up of twenty ongoing series including a half dozen O'Reilly Media conferences, Singularity Summit and Supernova Conference presentations, plus several stand-alone podcasts. Individual podcasts range in length from a short 15-minute argument about the inaccessibility of Internet data to an hour and a half-long panel discussion of blogging strategies.

As the topics range so does the sound quality, depending on the source. Conference presentations can be tinny and sound as if they were recorded from the audience, or they can play quite clearly. Moira Gunn's podcast, Tech Nation, has the production power of Public Radio, while another series, Technometria, often features poor quality call-in conversations.

Each IT Conversations episode begins with a brief introduction of the content, a musical interlude featuring the IT Conversations jazzy saxophone music, and often a brief comment from either the executive producer or executive director encouraging listeners to join the Conversations Network as a paid member.

Free registration for the Conversation Network allows users to rate episodes, create a personal playlist and receive a free email newsletter. Paid membership helps support the not-for-profit network and provides access to episodes without promos, introductions or music. Listeners can also subscribe to individual channels, the entire IT Conversations channel or play or download individual episodes from the website.

With such a diverse collection of content, IT Conversations is practically guaranteed to hold something of interest for everyone, whether you didn't make it to the Tools of Change Conference last year or just enjoy Interviews with Innovators, you can surely get your tech fix with any one of IT Conversations' hundreds of podcasts.

For First Monday Podcast this is Jennifer Kelley.

Joy: Thanks again to Daniel Downs for taking time out of his schedule to speak with us. If you'd like to read his article there's a link in the Extra Features on our website.

AJ: I'm AJ Hannah, thanks for listening.

Joy: And I'm Joy Austria, thanks for listening and we'll see you guys next month.

(1) Joy would like to note that she is still a technological neophyte. While she is slowly developing into quite a gear head, refining her web authoring abilities, and working on her programming skills, she realizes that her MacBook laptop has some sort of security system on it. She's not sure what or how it works, but thanks to her conversation with Daniel she's reading up on the topic.
(2) In the article, Daniel discusses three theories that explain users' knowledge and security practices: structured social inequality, diffusion of innovation theory, and utopic vs. dystopic perceptions of computers in society. To learn more about these ideas please refer to Daniel's article at http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2251/2067 (accessed 7 June 2009).
(3) The editors note, even though this particular Wikipedia entry has been marked for improvement, it still offers a decent, basic introduction to the topic of Internet security. Listeners knowledgeable about this subject are encouraged to help improve the Wikipedia entry and/or contact AJ and Joy with suggestions for resources on Internet security. We will post your recommendations on the website.