with No Comments

Post No.: 0936security

 

Furrywisepuppy says:

 

Privacy isn’t a solo concern since we’re deeply enmeshed in other people’s networks. You can be careful with your own data but your friends, family, work colleagues and anyone you accept into your social networks or send a message containing sensitive information to may be lackadaisical. So be careful with the personal data you allow them to know but don’t want others beyond them to know. Visitors to people who have always-on smart speaker devices in their homes may also not know that these devices are listening to everything they’re saying too. So the invasion or violation of privacy occurs between friends, family and acquaintances as well, not just governments and corporations, whether intentionally or accidentally.

 

Indeed, more consumers voluntarily own car cameras, doorbell cameras, smart speakers, smartphones and other recording devices – we’re recording ourselves, and others; often without their consent. Sometimes it’s in the name of ‘personal or home security’. People freely upload a lot of information, images and videos of themselves in the public domain. They love, even crave, being watched. We can assume someone must’ve snooped on us but we had actually posted a piece of information publicly online ourselves. Some even post their own crimes online (e.g. their public road speeding antics for that 15 seconds of fame!)

 

Surveillance is now a major part of capitalism – data fuels commerce. Many in the business regard data as the new oil – Post No.: 0929 chewed over the value of our personal data. It’s about connectivity and liberal data-sharing versus privacy and the custody of your own data. Demanding privacy at the same time as demanding ‘free’ and convenient services appears incompatible.

 

The nature of the Internet and our modern networked working lives and lifestyles may mean that we’ll need to accept a greater loss of privacy. Many services need our data to work, and this data also needs to be stored somewhere. And unlike physical assets, anyone with an Internet connection could potentially access and appropriate it from anywhere in the world too. We moreover mightn’t even know they have because copying data leaves the original copy intact.

 

Amazon uses the enormous amount of data collected from third-party sellers on its e-commerce platform to improve the sales of its own branded products. That’s an incredible amount of detailed information on its competitors to its own individual advantage, and that’s bad for competition in the marketplace as a whole i.e. it’s anti-competitive behaviour.

 

In reality, via services like Facebook and Google is precisely how national intelligence agencies like the NSA and GCHQ acquire much of people’s private data. Apple even helped develop a special iPod that spied on people for the US government. We take Google Earth and Maps for granted even though they’re essentially spy tools.

 

So we could argue that private corporations, particularly the tech giants, are the ones advancing the mass surveillance dystopia. Their product ecosystems aim to infiltrate every facet and moment of our lives to ultimately get us to serve their interests and maximise their profits. They’d send adverts to our dreams if they could figure out a way to! They’re also the main information gatekeepers for many today, and disinformation shared on their platforms shape political outcomes.

 

Google once intercepted data on open Wi-Fi signals when travelling around recording Street View images. (We should all be securing our routers though – yet, analogously, just because someone lets their child play in the park, it doesn’t mean it’s a free-for-all for child abductors!) It wasn’t like people were choosing to use their services at the time so that they could ‘opt out’ of being data-mined in this way. And the company didn’t beforehand openly declare they were doing this so what else do organisations do without telling us? They only admitted to tracking Android users’ locations even though location services were disabled eventually.

 

Amazon got fined for keeping voice recordings for years that parents thought they’d deleted from their Alexa devices, and for allowing their employees unrestricted access to footage from customers’ Ring doorbells.

 

Even if we accept our data being collected and stored, we worry about organisations keeping our data secure (and accurate). We could be held to ransom by criminals who’ve stolen our data, our identities themselves could get stolen, financial data tampered with, we could be targeted with even more spam, and this could all cause disruption to our lives. Both public and private organisations (including large ones like Yahoo!) have experienced major data leaks or hacks. Private corporation data breaches are so commonplace they seldom make the headlines anymore. Facebook even tried to deflect blame for a huge data leak of 533 million accounts by rationalising it as a normal industry occurrence!

 

You can check whether your email addresses have been compromised via the website haveibeenpwned. Check that the URL of this link is legit by hovering your mouse over it. Woof.

 

Things are only as strong as their weakest links, and this is most true regarding security – large businesses frequently use subcontractors and any of these could use your data in malign ways or accidentally leak it. You can do your own best to ensure the privacy and security settings you want on your social media accounts are set – but third-party developers could still access your data via your social connections. Security flaws are constantly found that need patching (Google G Suite apparently stored some client login data in unencrypted plain text for 14 years!) New threats are continually being discovered and they can affect any operating system.

 

Laws in some jurisdictions state that any serious data breaches must be reported to the information commissioner. But how many data breaches have been kept internally shush about to protect a business’s reputation? Uber paid a large ransom to hackers, covered that expense as ‘bug bounty’ and pretended that no customer data was stolen. (They even employed a ‘kill switch’ to prevent law enforcement from investigating their data!) Once it’s out there, it’s practically impossible to undo. Users have to basically change their passwords, and perhaps numbers, move house or so forth.

 

A single external hacker with a laptop and an Internet connection can potentially cause so much devastation to so many people’s lives from anywhere in the world. It only potentially requires just one insider to leak, or one hacker to access, so much of our private or consumer data and cause so much havoc.

 

It’s not just deliberate leaks of personal or government data but also corporate data, like leaks of game development or movie scripts.

 

Accidental leaks are also a risk. Privacy and measures against data leaks are becoming progressively difficult in this modern world of cloud computing, mobile phones, fast data transfer speeds, the expanding range of ‘Internet of things’ (e.g. internet-connected/smart TVs, home security systems and children’s toys), smart cities and the ever-increasing connectivity in ever-growing areas of our lives.

 

Whistleblowers like Edward Snowden, Julian Assange (WikiLeaks) and Chelsea Manning deliberately leaked sensitive data (but usually after redacting the private data of innocent parties and highly sensitive information that could harm individuals if disclosed first) to expose corruption or other questionable acts that they believed were in the public’s interest. ‘Noble cause corruptions’, where the greater good justifies the means, are rationalised by both sides – keeping secrets for national security versus leaking secrets for the public interest.

 

So those who whistleblow against the State will be accused of treason, not hailed as heroes, by some quarters for revealing national strategic secrets or simply information that gives opposing nations fuel even if what was leaked was a nationally shameful act. (It’s not just non-democratic countries – the US government will try to silence or harass those who oppose them too. And war crimes will be kept classified, as if the government thinks it’s okay to commit crimes as long as one doesn’t get caught.) Yet such leaks have somewhat improved the oversight mechanisms regarding mass surveillance practices, procedures and government secrecy (introducing the USA Freedom Act, while reforming a section of the Patriot Act).

 

However, many cyber security breaches aren’t the result of technical failures, leaks or hacks. Attackers commonly exploit the trust and goodwill of users in order to gain access to systems – examples of ‘social engineering’ include crafting phishing emails or pretending to be tech support personnel and simply asking for people’s usernames and passwords. Fraudulent emails and websites are by far how most reported security incidents grab a foothold. Seemingly legitimate messages are often tied to everyday events or recent news events, such as when people are expecting to be contacted because of a parcel delivery or a vaccination appointment. They’re then asked to click on a link to give their bank details to confirm their identity or something else.

 

Users are the biggest threats to their own security when they use predictable passwords, fail to hide their own passcodes, post on social media that they’re about to embark on a trip and when they’ll be back (so burglars will know when to break into their homes), fail to keep software updates up to date, don’t check if there’s a secure connection on websites before sending data, open infected emails, click on malicious links, install unverified software, not make regular backups, and so forth.

 

Ransomware can be the most destructive for its victims – this is when (claims that) critical data has been stolen and locked from the owner and the only way for them to (ostensibly) re-access it is to pay a ransom otherwise it’ll be permanently deleted. For an organisation, it’s not just one’s own staff who could make a mistake – an information security breach into a company can come indirectly via a contractor with weak cyber security measures too. We’re only as strong as our weakest links again, whether it’s from the service provider’s side or the end user’s side, or their friends, or their friends’ friends, etc. if we share sensitive stuff with them.

 

But when multiple actors are culpable along a sequence of events that lead to an error – where if any segment in that sequence were absent then the error would’ve been averted – responsibilities tend to be passed onto others in that sequence, unless the law compels one party to primarily take the responsibility.

 

We cannot just be wary of foreign products. Products from western companies constantly have security flaws that need patching up too. TikTok collects just as much data as other major social media platforms. Its company also allows underage users to sign up or use its app as much as any other. Suddenly banning foreign products merely out of suspicion or caution is typically at least partly, if not mostly, about economic protectionism. (What happened to the democratic principle of ‘innocent until proven guilty’ too?) Then again, this behaviour is mutual!

 

Even mere metadata can be useful to criminals because with enough of it, it can be traced to an individual. Perfectly pseudonymising or anonymising our personal data is extremely difficult when datasets are comprehensive (such as on social media platforms) or can be cross-combined – your own unique individual identity can be nailed down via the data that firms gather about you. Some experts claim that knowing just 4 data points of the times and/or places when and/or where your credit card has been used can be enough to narrow the user down to uniquely you. And once you’re identified, a thief could work out your home address from where you’re most frequently located when you make tweets, and therefore when you’re not at home (e.g. when you tweet about your holiday when abroad). A de-identified dataset can be linked with an identified dataset to re-identify individuals in the first dataset.

 

Woof. We want our information to be read by only the people we want (confidentiality), to be changed by only the people and processes we authorise (integrity), and to be available to read and use whenever we personally want (availability).

 

Comment on this post by replying to this tweet:

 

Share this post