Increasingly common these days are the worms and virii that find prospective hosts by scanning
an infected host's Outlook address book for e-mail addresses. The most recent, of course, is SoBig.F,
the current worm du jour that's causing many a headache throughout the IT industry. SoBig
will not only scan an address book for its intended victims, but it goes one step further
to forge its own from: address to appear as though it's coming from someone you know.
In essence, this helps conceal the worm's angle of attack by making it appear to come from somewhere
that it has not.
While sifting through the hundreds of return e-mails I have been receiving from mail servers
across the globe, saying that I am infected and that my computer has been sending out copies of
the worm, I realized that since I'm not really infected this means that these people/servers sending me
warnings are one degree separated from me in the social network: they are in the address book of someone
who also has my address in their book. Essentially, they could be thought of as friends of friends.
My imagination took off. What if the worm was controlled, or at least monitored, by an overseeing intelligence
of some kind. If each copy reported its activities back to a central machine, for instance, that machine
could build an immense database which maps a huge portion of the social network that's layered on top of the
Internet (something that's being attempted, albeit in an above-the-board way, by Friendster).
Social Profiling
Imagine, just imagine, what could happen if such a database existed. For the sake of argument, we'll say you're
searching an online book merchant for the latest from Stephen Hawking. In the midst of your results,
the site mentions in a sidebar: "Books that your friends have been reading" along with a few suggestions. Scary stuff.
That's just one of the more benign ideas I've pondered. How about out-and-out social marketing. Prospective
customer X has received your mailer, and countless e-mail offers, and never responded. Well how about e-mailing
some of her buddies and associates: "Receive 10% off selected merchandise when _your friend_ places an order".
And of course, no discussion of social profiling could possibly be complete (though this one remains far from
complete anyway) without mentioning DARPA's Total Information Awareness, where your credit card purchases
could be linked with other consumer data to decide whether or not you're an unsavory character worthy of
surveilance. As far as I know, their plan stopped way short of its potential. With proper data, they could track
who is in your local social network, and link what THEY are buying as a group, which could be useful
in ferreting out terrorist cells who divide responsibilities instead of relying on the idea that one
individual would be the "purchasing agent" for the cell.
Are these possibilities all bad? You might be surprised to find that I'm not sure. While I advocate
and treasure my privacy, I recognize that public vs. private life is a tough distinction to make sometimes.
Maybe people are "leaking" data -- and rather than asking nicely for observers to stop observing and correlating,
we should instead be watching the watchers, and also making sure to prevent "data leakage" from the private
sphere into the public. How could I be irritated at a computer tracking where I shop for clothes, when
anybody I ever meet face-to-face can easily recognize the Express/Gap/whatever logo on my jeans? On the other hand,
there's only so much that one person could do with that bit of information, but large corporations have greater
ability to use and abuse simple facts.
