I finally got a chance to see I, Robot last week. Frankly, I had many qualms about going to see this film. For one thing, every movie with Will Smith seems to end up being a Will Smith love-fest rather than, you know, an actual story. My main objection, at least before seeing the movie was that they didn’t use Harlan Ellison’s scrieen play. But I’m a sucker for summer sci-fi action flick so I decided to go anyway. Little did I know I’d be professionally insulted as well as underwhelmed.

I’ll try not spoil the story too much, for those of you who might want to go see the show. A key location in the movie is the world headquarters of “U.S. Robotics” the makers of commercial domestic Robots. The entire building is secured by Artificial Intelligence system called Vicki. (I forget the cute acronym.) They make a Big Deal out of the fact that Vicki is constantly monitoring everything in the U.S. Robotics buildings for security. OK fine. I can suspend my disbelief in AI for the sake of a move. The sentient Artificial Intelligence is a time honored trope in the science fiction.

But as things start to get tense in the movie, Our Hero, Detective Dell Spooner (Will Smith) and his geek robot psychologist, Dr. Susan Calvin (Bridget Moynahan) find themselves desperately needing to get into the U.S. Robotics building. Unfortunately, it’s surrounded by thousands of NS5 Robots who have inexplicably turned into bad guys.

As Del and Susan hide just out side the reach of the Evil Robots, they ponder how the heck they are going to get into the building, past Vicki’s perimeter security. Finally, Dr. Calvin comes up with a brilliant plan. I don’t remember the exactl dialog, but it was something like, “I know, we’ll sneak in through the service tunnel. It’s not monitored by Vicki because it’s only used for service!!”. And that’s what they do, they pry open a conveniently located man hole, hop into the service tunnel and sneak into the building. So there ya go, a security hacker lesson from I, Robot.

Um, OK. In other words, the screen writer wrote himself into a corner he couldn’t get out of so he wrote a plot hole that violated the most fundamental tenet of security, which is that YOU PLAN YOUR SECURITY ON WHAT COULD HAPPEN, NOT WHAT USUALLY HAPPENS.

Any security consultant who would suggest that a service tunnel doesn’t need to be monitored because it isn’t usually used by humans to get into the building would be laughed out of business. It’s like a police officer saying that you don’t need locks on your doors because most of the time burglars don’t try to walk in your front door. It’s like telling a company they don’t need firewalls protecting their intranet because most people interact with the company’s web site.

So we can all get a chuckle at the screen writer’s sloppy plotting and feel smug about the mature computer security industry. Even the most technologically phobic executive understands the basic needs of physical and network security in their company’s environment. We’ve got a rich industry of firewalls, authentication systems, authorization systems, intrusion detection systems, etc. etc.

It occurs to me that IT industry hasn’t yet adopted the same rigor in our thinking about privacy management. Ask any IT professional in a company about the tools they use to protect the prvacy of the personal information they are entrusted with and they’re likely to mumble something about having a privacy notice on their web site. Maybe they’ll talk about using SSL when transferring data from a browser to a browser to a server. And the really forward thinking folks may be able to articulate a strategy for encrypting personal informations when it’s stored.

All of these things are good, and I’d not speak against any of them. But do they really protect the privacy of their customers. How do the stewards of personal information know that they aren’t using data in ways that directly violate the promises they make to their customers? As the good folks at Hooked On Phonics found out the hard way, the FTC is starting to crack down on companies that violate the privacy promises that they make.

It’s most likely that the folks at Hooked On Phonics were not deliberately being malicious. It was just a case where one department in a company used sensitive personal information without any prior knowledge about the promises made by other departments in the company. All to often, the only preventative measure the companies have in place is to circulate a memo reminding people of the company privacy policy. In other words the typical privacy management strategy in a company is based on what usually happens, not what could happen, which is just as big a hole in its IT infrastructure plans as the plot holes in I, Robot.

- Calvin Powers

This entry was posted by Calvin () on Tuesday, August 24th, 2004 at 1:58 pm and is filed under Computer Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Note: Blog posts are the opinions of their authors and do not reflect the official opinion of the National Science Foundation or North Carolina State University.