Over the past 2 weeks, all of you have probably been beset with numerous emails from the various websites and online services with whom you regularly (or even infrequently) interact, notifying you that their terms of service/use or privacy policies have changed. Depending on how closely you may be paying attention to the ceaseless flood of data we call our inboxes these days, this might have struck you as rather odd. You might have also noticed a common set of letters sprinkled throughout these emails, “GDPR”, an unfamiliar acronym that seems to have an inordinate amount of influence over all of these companies, including ones we all assumed determined what exactly we could view as private or public. In this case, this particular bit of alphabet soup stands for “General Data Protection Regulation” and it is a new set of rules that govern how EU citizen data should be handled globally, starting May 25, 2018.
For the most part, the GDPR only governs data protection and privacy for EU and EEA citizens, and is designed to provide better protection and control of their personal data to those individuals, as well as unify the regulatory environment for international organizations that collect and use that data. Without diving into the gory details, the core intent of the GDPR is to require any organization that handles data generated by EU/EEA individuals to clearly disclose what, how and why data is being collected, how long it will be retained and if it is being shared with third parties. These same users have a right to request a copy of the data collected, and in certain appropriate circumstances, request to have that data erased or removed.
What does this mean for Americans?
While you may think this should have zero impact on you as an American citizen, there are two things to consider. We all interact with businesses and organizations that operate globally. You could probably name 5 companies that have specifically changed their policies to comply with GDPR by scanning your inbox: Facebook, Google, Twitter, Instagram, and Microsoft are just a few of the ones in mine. The “side-effect” of these companies reshaping their operations to comply with GDPR means an improvement for users in terms of privacy and security for everyone, regardless of country. Though some companies may make changes to only their non-US operations and processes due to budgetary or resource constraints, it typically makes better long-term sense to streamline or consolidate operations around the most secure and compliant technologies. A rising tide of privacy protection raises all boats.
I’d like to say we actually went a few weeks without having to talk about Facebook because they weren’t in the news, but in reality, they were. I was just exhausted with the punishment they have been taking in the media ring, and rang the bell out of mercy rather than letting them continue to get pounded, at least on this blog. But break time is over and it’s time to lace up. Facebook did come out swinging earlier this week, publicizing their last quarter efforts to clean the place up: over half a billion fake accounts have been banned since the start of 2018, and they have removed nearly one billion posts that violated the social media giant’s guidelines. But the wind was snatched from their sails with news of yet another breach of user privacy, as researchers at New Scientist uncovered a leak of three million users’ extremely confidential data gathered by an app called My Personality. The app, designed by psychometric researchers affiliated with Cambridge University, gathered in-depth psychological data on over six million users, half of whom agreed to share their data anonymously with third parties for research purposes.
Pinky-swear to keep this data confidential?
While I’m sure they didn’t intend to out three million people to the internet, a class project uploaded to a popular code-sharing website by university students was found to contain a login and password to the protected database built by the My Personality team. Whoops. And that data was there, available for the public to access, for 4 years. Double-whoops. Here’s the thing: in order to gain access to this data originally, one had to register for access and was supposedly bound by a strict confidentiality clause. Two hundred and eighty people from 150 companies did register, but you can bet at least an equal number (and probably many more) did not, once they discovered the “backdoor” uploaded to GitHub. And the thing with data is that once it’s out of the barn, there is no telling where it went from there. There’s a hard lesson to be learned from all of this: it’s extremely difficult to control data once you relinquish any control over it, and this control all but vanishes literally one step from that first line of control, as the scope of managing the chain of custody expands exponentially. You can liken this to the old party game of “Telephone”, but instead of the message getting muddled with each person, the security and responsibility get hopelessly mangled literally in the next whispered exchange.
The concept of a virtual assistant isn’t new – the practice has been around for easily a decade, if not longer, and is traditionally taken to describe someone hired to work as a personal assistant who wasn’t physically located near the person they were assisting. Initially received very coolly, the practice has become fairly commonplace, though somewhat outmoded now by easier-to-use technology and the internet itself, both of which enabled the concept of a virtual assistant in the first place.
When Google and Apple introduced their voice-activated “assistants” there was a thought that our smart phones might actually be able to act as, well, real assistants. Heck, I was counting on it, given the amount of time I’m stuck in traffic. And sadly, we find that both platforms, as well as the many copy-cats and voice-enabled apps that followed were barely usable on a good day, and more often a source of amusement than anything else. Amazon’s Alexa is perhaps the closest we’ve come to having a useful, voice-activated device, maybe until now. Google’s CEO Sundar Pichai demonstrates Google Assistant scheduling an appointment via phone as part of the Google I/O Conference keynote, and it’s an exciting glimpse into the future some of us have always dreamed of.
Would you take a call from a truly virtual assistant? What if you didn’t know the person on the other end wasn’t human? More importantly, would you trust Google to set your calendar for you? I’m willing to give it a try!
While I know I should be grateful that it’s a slow news week for technology, it makes writing this blog a little challenging. However there are a few bits of news that may be of interest to at least some of you. Taken individually, each item is probably not worth more than a “Hmph” from the average reader. Together they form a lumpy potpourri of cautionary tales that only serve to highlight our favorite elephant on the internet.
No one should be surprised that if you put a Wi-Fi-enabled infotainment system in a new car, someone is going to try to hack it. Dutch researchers from Computest did just that, and succeeded in compromising the system significantly by gaining access to the root account of the in-vehicle infotainment system, which allowed them to view various telemetry data including current and previous locations, address books and even the car’s microphone. Additionally, the researchers hypothesized that they could have accessed the car’s acceleration and braking systems, but stopped short of doing so for fear of being sued by VW. To its credit, VW’s engineers took Computest’s findings under advisement and have supposedly plugged the exploits for certain models, but it’s unclear how they would handle the millions of cars on the road that do not have the means for an over-the-air update to patch the vulnerabilities. Researchers also concluded that Volkswagen, prior to Computest’s discovery, had not properly tested the infotainment system for these types of security issues. Volkswagen excuses this failing as part of their transition from automaker to “mobility provider”, which only serves to highlight how big companies, to this day, struggle to balance profit with security.
Surprising: The Internal Revenue Service online tax submission platform went down on April 17. I don’t remember this happening in recent years, and their track record may go as far back as when they first started taking digital submissions in 1986.
Not Surprising: The reason the IRS went down – a core computing platform reliant on technology built in the 1960s. That’s right, the IRS processes some of its data on technology that’s over 50 years old. I can’t even wrap my head around how they can actually keep that technology going when we struggle to keep two-year-old laptops functional. This is the organization that handles our tax dollars, at “work”. However, I do concede that replacing this ancient mainframe powering the IRS is probably akin to performing open-heart surgery on oneself while keeping pace in the Boston Marathon – not a casual undertaking, and something that can only be done once. You’d think they have enough money for this, but apparently the project to do just this is millions of dollars over budget and years behind schedule. Surprise, surprise.
Do you remember when a technology company in the media spotlight usually meant something exciting and shiny was being announced? Those days seem so distant now. Back then, Jobs was giving us “one more thing,” Google was actually trying to not be evil, Flash was still doing amazing things on the web, Facebook was connecting us with long-lost friends and relatives, and Yahoo was the darling search engine and homepage for millions. Unfortunately for all involved, their present-day state reads like a click-bait-y “Where are they now?” article, and it’s just as depressing as you might think, at least as far as Yahoo Mail is concerned.
So where is Yahoo now?
The former internet giant was divvied up in 2015 between Oath Inc (aka Verizon) and a new company called Altaba. Oath took over the ailing portal and email services, while the more profitable parts of the business, including Yahoo! Japan and their investments in Alibaba were consolidated under Altaba. While it may be hard to comprehend why anyone, let alone Verizon, would pay to take over Yahoo Mail, apparently the revenue potential of millions of eyeballs trying to read emails surrounded by advertising whetted someone’s appetite. Whatever tantalizing profit potential that might have existed, it’s considerably less thanks to a $35M fine handed down by the SEC for the company’s failure to inform its investors of the 2014 breach, which, keep in mind, was a paltry 500M accounts breached as compared to the 3 billion accounts breached in the previous year. Oh, and don’t forget, it’s also highly likely that the US government scanned your Ymail for terrorist activity as well. Would you think less of me if I started calling this service “Why-mail”? Or maybe “Y-R-U-still-using-this-mail”. Oh, how the might-Y have fallen. Alright, I’ll stop now, please don’t unsubscribe!
It used to be a simple topic to explain: if the hacking attempt to undermine or subvert a government entity was sponsored by another country, it was considered cyberwarfare, and if by a geo-political group, (but not a recognized nation) cyber-terrorism. Everything else fell into the lesser evil that was Spam used by desperate marketers, and viruses used by anarchists and pranksters to sow chaos and prove hacking prowess. Six or seven years ago, for most of us, malware was a nuisance, sometimes a business headache and relatively uncommon. Spam was a significant threat, but mostly in that it prevented us from reading important emails in a timely fashion.
Welcome to 2018
Malware and spam have become so prevalent that no device with a processing unit is safe, which translates to essentially anything that can connect to the internet. On top of this, both criminal and subversive political entities (nations, terrorists and even activists) have thoroughly integrated these tools within a larger internet-powered toolkit that also includes social media and big-data algorithms. The result? These shadowy groups have developed an eye-popping ability to coalesce disparate demographic niches or divide communities according to various agendas, most of which could be considered detrimental to the advancement of humanity. Hacking a nation to swing an election used to be science fiction, but now it seems way closer to home than we thought. Ransomware made criminals $24M in 2015, $1B in 2016, and is predicted to top $5B in 2017. This particular type of malware became the darling of online-organized crime and has held businesses, hospitals, churches and even an entire city hostage for crippling amounts of time. Personal information and identity theft has become so commonplace that even the massive Equifax breach has been essentially forgotten. You may not have realized it, but the real cyberwar isn’t being fought between nations. This is a war for the legitimacy and integrity of the internet, and we are all on the front line. What’s perhaps most terrifying is that it’s no longer clear who the bad guys are, and if there is anyone standing up for the average human just trying to make it through the day without being hacked, breached, phished, spammed or misled.
We might be setting a blog record as Facebook makes our front page for the fourth week in a row. Lest you think I’m resting on my laurels and taking easy swings at low hanging fruit (mixed metaphors for the win!), Facebook’s fall from grace might be the biggest tech story of the decade, and this is happening alongside Intel’s monstrous security flaw, the Equifax breach (remember that one?), and the dismantling of Net Neutrality. And those are just the ones I can recall off the top of my head! I’d love to be writing about other things, but due to its sheer size and global reach, this evolving disaster is something from which we cannot (and must not) look away. The Cambridge Analytica debacle is the gift that keeps on giving, but unfortunately it’s the mother of all white elephants as far as Zuckerberg et al. are concerned, and I’m sure a large helping of “do not want” is being served around the table at Chez Facebook.
It’s like watching a slow-motion derailment
Mark Zuckerberg may be one of the richest technocrats on Earth at the moment, but that didn’t stop Congress from skewering him in a multi-hour, publicly televised congressional hearing. On the whole, I’d say he’s lucky some of the Senators are in their 60’s and 70’s, and clearly did not have a solid grasp of Facebook’s technology, allowing him to sidestep some of the more naive or ill-informed questions. But several, more savvy Senators put him square into a glaring spotlight that he could not dodge: What is Facebook doing to combat hate speech? Is Facebook a Monopoly? Are Cambridge Analytica and Russian “troll farm” Internet Research Agency somehow connected? Was Facebook selectively biased towards left-leaning content? Perhaps most telling was Sen. Durbin’s (D-Ill.) line of questioning: “Would (Zuckerberg) share the name of the hotel he stayed in last night?” to which the CEO responded, “No, I would not choose to do that publicly here.” Audible laughter from the room rang that point home.
Given the attention focused on digital privacy, two US Senators have hitched a new bill to the hype train named the CONSENT (Customer Online Notification for Stopping Edge-provider Network Transgressions) Act, which calls for much stricter and better-defined consent from consumers, putting the onus on providers to secure a user’s affirmative consent, i.e., “opt in” as opposed to the current policy trend of requiring users to “opt out.”
And in case you need any more confirmation that Facebook might not have your best interests at heart, California’s own Senator Kamala Harris zeroed in on what I believe is a key takeaway from this current circus. When asked by Sen. Harris, point-blank, about the decision made at Facebook in 2015 to not notify users that their data had been inappropriately shared with Cambridge Analytica, Zuckerberg admitted, “in retrospect it was a mistake.” This was an important question, as Facebook’s failure to notify users of this breach is probably a direct violation of a deal the internet company reached with the SEC in 2011 that barred the company from making misrepresentations about the privacy or security of consumers’ personal information.
In case you are curious as to whether your information was shared with Cambridge Analytica in the breach mentioned above, you can click this Facebook link for an immediate look at what, if any, of your personal information was shared.
If the past few weeks haven’t opened your eyes to the Facebook monster, let me share a picture with you that will be worth way more words than I could possibly write.
Go ahead. Click on that picture and take a good look. That’s an actual screenshot of my Facebook account settings. And no, I did not set that particular label anywhere in my profile. Nor do I participate in the various Facebook personality quizzes (“What type of shoe are you?”), and as you might have guessed, my posts are usually for the business, especially in the last few years. I was most active when I first opened my account, and slowly tapered off when Facebook and I “grew apart,” to the point where my usage is purely mercenary and academic. Also, as any of you who socialize with me probably already know, that label isn’t inaccurate, but it is a gross over-generalization of my political viewpoints. Plural.
What the F…acebook?!
You can find this bit of data by going to your Facebook Settings, clicking the “Ads” icon on the left menu bar. Expand the “Your information” section, and then click the “Your categories” tab. If you are disturbed about the categories with which you’ve been labeled, you can click the faint “x” on the right side of each label to delete them. You can also tell Facebook that you don’t want advertising targeted based upon your profile information by turning off each category, but if you read carefully, they tell you (in small print), “We may still add you to categories related to these fields.” You can bet that whatever you remove in the categories section will probably be put back in the near future. And who knows what stuff they aren’t showing us.
Labels aside, even knowing what I know about Facebook and its recent flaying in the news, this particular thing struck me as a perfect, stark example of how Facebook (and the internet) has categorized everyone. Apparently the variations of this particular category are Very Liberal, Liberal, Moderate, Conservative, and Very Conservative. Does it make you wonder what advertisers are doing with that particular bit of data? Does it make you wonder how many of those “advertisers” were actually propaganda outfits using this data to drive a wedge between you and your friends and family, purely for political and financial gain? Perhaps you are smart enough to spot the fake news, but what about your Facebook “friends”? Or their friends?
It might seem hyperbolic to use this particular phrase when talking about Facebook, but it’s pretty clear from recent news that we are in fact in an abusive relationship with the world’s largest social media platform and we are the abused. What’s particularly gross about this is that we opted into this dysfunctional, lopsided relationship, a point that Facebook clearly makes in a recent blog post defending itself against the most recent allegations of poor behavior: Android users of the Facebook apps may have had their phone numbers, call data and text messages scraped for years, including time periods where the app wasn’t even installed on the device in question.
Did we really opt-in to being exploited?
Unfortunately, if there’s anything we continually re-learn (and fail to apply the lesson) it’s that we don’t read the fine print and instead trust that other humans aren’t going to screw us over in exchange for whatever convenience we trade our privacy for. The only ones who read these ridiculously obtuse service agreements are the lawyers and industry analysts (and then only some of the time) and only after the proverbial poop has hit the fan. Telling its user base that they opted in from the start does not excuse the fact that Facebook did this knowing full well that the majority would have no idea what exactly they were agreeing to, or if they did, they wouldn’t care or would forget over time, resulting in a digital version of Stockholm Syndrome. Whatever it is, it ain’t healthy.
If you use Facebook and are at all concerned about what Facebook knows about you (and your loved ones), you should take a moment to download your Facebook data and look through it. I reviewed mine and was relieved to find zero phone call, SMS or contact data, but this is only because when the Android Facebook app first started asking for access to my Contacts, I refused the permission and immediately removed the app from my phone. However, my data does include a variety of information I would consider sensitive including IP addresses, “Like” history and posts going back nine years, enough for an outfit like Cambridge Analytica (or any savvy advertiser) to build a reasonably accurate profile for marketing and propaganda purposes. I’m not upset about this – I knew this information would be publicly viewable and treated it as such. What was disconcerting was the list of advertisers that had my contact info: 280 companies, most of whom I have never heard of, and quite a few international firms, mostly European, judging from the names. And these were the ones that Facebook knows about. Very clearly, they haven’t been good stewards of our data given the recent unauthorized use by Cambridge Analytica. Considering how limited my use of Facebook has been over nearly 10 years, this is likely minuscule compared to more prolific users. Review your data – you can’t take it back, but at least you can get a glimpse of just how much of yourself you’ve been sharing with the world.
As you should be painfully aware by now, data is not only proving to be the currency of the information age, but also the key to political power, and when you are the world’s largest social media company (as well as one of the largest, period), you have a ton of data at your virtual fingertips. It should come as no surprise that Facebook plays a considerable role in shaping the values of millions of people. After a painful mea culpa about Russia’s exploitation of Facebook to stir up dissent prior to the 2016 elections, Facebook and its CEO are being called on the carpet by the UK government to answer allegations that the company shared data on 50 million Facebook users with a consulting firm tied to both the 2016 US Presidential Elections as well as the infamous Brexit vote earlier in that same year.
Was last week’s article strangely prophetic?
Though I didn’t know about the bombshell announced today concerning the improper (and possibly illegal) transfer of data that should have been protected by Facebook, the media has been circling the embattled company like wolves, and as I mentioned in last week’s article, plenty of everyday folks I talk to regularly have expressed a growing sentiment that I also seem to write about with growing frequency. While the reports surrounding this controversy are shocking to me because of the vulgar disregard these people seem to have for anything resembling a moral compass, they are not surprising to me. I’d like to say the icing on the cake was the revelation that Google (“Don’t be evil.” c. 2000) has admitted to providing technology to our government to aid with its military drone program. I’m also willing to admit that the Google of 2000 is nothing like today’s behemoth that holds the internet in the palm of its hand, but again, they are part of this problematic elephant on the internet. We have all built a monster that somewhere along the way got away from its handlers and is being used to do as much harm as good. The only one who is going to rescue us is, ironically, ourselves, but only if we wake up and take responsibility for important aspects of our lives (privacy and critical thinking) that we have ceded to the internet in exchange for entertainment and convenience. Should you delete your Facebook? At this point, the value of that act is almost entirely symbolic (and maybe financial if enough people make this choice), but your information is still out there, in the hands of people with very questionable moral fiber. The real question is now, “What do we do about it going forward?”