The Role of Deliberate Obfuscation for Overall Data Security and Privacy

A new book by two New York University professors offers a fresh perspective on how individuals and corporations can hide their more private information in plain sight. The book, “Obfuscation: A User’s Guide for Privacy and Protest,” surveys the more interesting historical examples of the notion and provides some interesting context for practical use.

About the Book and Its Message

The authors, Finn Brunton and Helen Nissenbaum, first take us on a tour of the more notable obfuscation techniques, including World War II bombers releasing bits of chaff to evade early radar scans and more modern inventions such as CacheCloak and TrackMeNot. The latter program is a browser extension developed by one of the authors to help protect Web searchers from surveillance and data profiling by search engines. It does so by generating a series of false leads in the browser’s search history, thereby hiding the real terms typed by the user. This makes matters difficult for a profiling service.

These obfuscation notions aren’t new; honeypots and other decoy technologies have long been used to try to keep cybercriminals at bay. And there are products, such as one from Arxan, that can be used to defend applications against compromises by adding obfuscation code to your programs, making them more difficult to analyze and reverse engineer. Several vendors offer this technique, which can be used to successfully defend chip designs against reverse engineering.

The book provides a very complete view of these and numerous other strategies, such as swapping loyalty cards among consumers to avoid tracking purchase behaviors, using tools to confuse browser cookies, hiding important messages in speech recordings, using various phone SIM cards to confound trackers and other methods of avoiding ad-tracking technologies.

The book presents them in a way that will make it easier for people who are paranoid or just want to cover their digital tracks to protect themselves. While security by obscurity isn’t usually a recommended practice, there are steps you can take to make obfuscation a better fit. Even if you don’t think you have anything to hide, this book also informs readers how to be more careful about how you conduct your digital life.

Life After Reading ‘Obfuscation’

Perhaps after reading this book, you might find the inspiration to design a better opt-out policy when you are asking your customers for their information so you can provide more granular control over what they send you and how you use it. You might also have a better understanding of what kind of adversaries your company is up against, or how to more precisely target your obfuscation activities and determine what kinds of specific benefits would work to your advantage.

Finally, the right strategy will help you understand the difference between personal obfuscation, where the impersonation by a potential attacker is more difficult because you have included faked answers to a set of knowledge-based questions, and outright fraud, such as specifying an incorrect Social Security number to your bank to avoid taxation. This distinction is important for individuals who want to successfully deploy, implement and maintain obfuscation techniques as part of their personal security solutions. Certainly, enterprise IT managers and CISOs should be more aware of these techniques, too.

David Strom

Security Evangelist

David is an award-winning writer, speaker, editor, video blogger, and online communications professional who also...