Even if you haven’t read the seminal novel 1984 in many decades, you will surely recall the omnipresent “Big Brother” and the even more haunting reminder/warning that “Big Brother is watching you.” Rather than actually representing a single person (or even celestial being) readers quickly come to realize Big Brother is the result of countless numbers of citizens informing on their family, friends and neighbors in service of the Party “groupthink“. Fast forward to the present, where, believe it or not, Big Brother is watching and listening, but maybe not quite in the way Orwell had originally imagined.
Most of you have come to accept that devices like Amazon’s smart speakers, Echo and it’s petite sibling, Dot, are always listening, ostensibly to be able to snap to action the second you shout, “Alexa!” But what you might not realize (or remember) is that Amazon is recording and keeping a copy of everything the device hears after you speak the trigger word. Depending on how cynical I’ve made you about technology over the years, this may or may not come as a surprise to you, and if you’ve been reading this blog for any length of time, I even wrote about this nearly three years ago. Despite very clearly dancing on knife-edge of child-protection laws in 2016, regulation has not halted or even slowed the proliferation of millions of eavesdropping, smart-devices.
If you are curious about what your own Alexa-powered smart speaker has recorded in your private home or office, have a look at http://www.amazon.com/alexaprivacy. Fortunately for our house, most of these recordings consist of teenagers ironically asking Alexa to play Despacito, our family belting out the lyrics to various Queen anthems, and desperate searches for recipes based on the contents of pantries ravaged by previously mentioned teenagers. More importantly, despite living with someone who is a staunch advocate of privacy and who has made no effort to hide that fact, our family has obviously agreed to give up some of that privacy for the (sometimes meager) convenience and amusement the device offers. We also have a Ring doorbell on our porch and have also opted into sharing some of that video footage (at our discretion) with our neighbors, again potentially sacrificing some privacy in trade for a technologically amplified neighborhood watch.
Each person and family must decide how much privacy they are willing to sacrifice in exchange for security, and keep a very watchful eye for the point at which the sacrifice escalates from privacy to the abrogation of personal freedoms. Though we aren’t explicitly told how Orwell’s Oceania transformed into the nightmarish surveillance state, it’s easy to see how they got there. The seductive lure of convenience and personal gratification is a sure-fire way to gradually erode personal privacy and security without raising an eyebrow, just as sure and slow as a stream carving a grand canyon.
Last year was not a good year for Facebook. Starting with the Cambridge Analytica, the social media giant seemed to stumble through a series of gaffes that literally erased billions from Mark Zuckerberg’s net worth. Yet, here we are again with the social media giant continuing to act with cavalier indifference towards its users’ privacy, and at this point, are you really surprised? We’re all adults here – I’m in no position to tell you what you should be keeping private or not, but I feel it’s my duty to make sure you are aware with whom you are sharing data, and that they are NOT here to serve you, but vice versa. And let’s put one big, stinging fact on the table – despite all of this, Facebook’s stock bounced back easily from last year’s drubbing, and is now poised to surge ahead thanks to better-than-expected fourth quarter earnings.
The latest proof that Facebook doesn’t care about your privacy
A few years back, Facebook instituted two-factor authentication for its login process, asking user’s for a phone number as the second factor. At this point, 2FA is the new security hotness, and millions are already smarting from a variety of virus infections, identity theft and account hacks to agree that 2FA was the best way to secure their accounts. While they weren’t (and still aren’t) wrong, could they have guessed that Facebook would start using that phone number as a means for other people to search for you, even if the searcher wasn’t someone you actually knew? How about doing this without even asking if its OK? This setting can be changed, but by default it’s set to allow “Public” access to use the 2FA phone number to help others find you. I don’t know about you, but that feels like the opposite of what everyone thought sharing this number with Facebook would do.
Strike two this month comes in the form of Facebook openly admitting that it receives data from many apps, including ones that help users track menstrual cycles, heart rates and website viewing habits, even if the user didn’t have a Facebook account. If this looks eerily similar to a recent article I wrote about a certain cell provider who was not being a good steward of your data, it is because it is yet another iteration of the same questionable practice.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
Full disclosure – I’ve long been a fan of many of Google’s services. I’ve used Gmail since the first beta, rely on Google search all day long, use a Pixel as my smartphone and listen to music all day long through their music service. It pains me when my favorite tech brands make poor choices, and unfortunately, Googles leadership seem to have forgotten their founders original scree, “Don’t be evil,” in favor of behaving like any profit-driven, ethically-ambiguous megacorp. The latest scandal comes from one of Google’s recent tech acquisitions in the form of a failure to disclose the presence of microphones in the Nest Secure home devices. Now, the presence of microphones in security devices shouldn’t come as a surprise, but Google’s failure to mention it in any documentation is a glaring breach of trust on their part.
What this means for you
When I first heard this news, I though to myself, “Well duh, of course these things have microphones. They are security monitoring devices,” and thought that, once again, naive consumers were purchasing and installing the devices without RTFM (“reading the fine manual” except substitute your own f-word). But no, Google (and Nest) didn’t actually document the presence of a microphone at all until it recently revealed that the Google Assistant technology could now be used on the Nest Secure device which, oh by the way, uses voice control…which, erm, requires a microphone…that is already on the device. According to Google, the microphone was disabled by default and can only be activated when the user specifically enables it. Which doesn’t make the whole failure to disclose any better, because how do we know it wasn’t enabled, and why should we trust them to be telling the truth now?
Unfortunately for you, even if you were being a careful consumer and reading the fine manual (or label, or reviews, etc.) the only way you would have known there was a microphone in the device would have been to dismantle it yourself, but why would you do that because the product documentation clearly lists the device’s specs, doesn’t it? Does this sound familiar? Like some other technology megacorp abusing its users’ trust? Is it going to take dragging these companies in front of Congress to get them stop being so lackadaisical with our privacy? Well, before we do that, let’s make sure we elect Congress critters that know iPhones aren’t made by Google.
Surprisingly, most people don’t realize that the popular idiom, “The Devil is in the detail” is actually derived from the more encouraging phrase, “God is in the detail,” i.e. pay attention to the small things as they are important. Both adages are more relevant now than ever, particularly because the average human is now daily agreeing to privacy policies with which, if they were to actually read the fine print, would probably not agree to at all. Such is the case with the numerous policies you are “accepting” when you install apps on your smartphone. What policy acceptance? The one hidden behind a small pop-up that says your data will be shared with other parties to improve your experience, or some other vaguely worded reminder that you are sharing data with a company in exchange for the free (or sometimes paid) use of an app.
What this means for you
“Yeah, yeah, I know, they are watching my every move,” my clients have said to me, “I’ve got nothing to hide.” Or, “It’s a small price to pay for this wonderful app/service/game.” Except most aren’t aware of how much data is being tracked, or what it can used for, aside from advertising. If you’d like a small taste of how this data is being assembled and the level of detail it can offer into everyone’s daily routines, read this article from the NY Times, “Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret” – it’s a very easy read and has some nice interactive visual aids to bring the point home. Despite its approachable tone, the content of the article should be unsettling for everyone. For example, when asked to explain why their prompt to grant access to very precise coordinate data and permission to share with 16 companies was instead presented as a way to “recommend local teams and players that are relevant to you,” a spokesperson for the app responded (emphasis ours):
Let’s be honest here: I’m in this business up to my neck, and even I don’t read those privacy policies, but only because I know exactly what I’m trading for the use of a “free” app. You have a much more relatable excuse: “Ain’t nobody got time for ‘dat.” You are not wrong, but in the pursuit of better deals, faster commutes, cheaper gas or just weather updates, we have traded a precious commodity: privacy. And lest you forget, privacy is not about hiding secrets, but about not wanting to share everything about your life with complete strangers who only view you as a profit center. This is yet another glimpse of the elephant on the internet around which everyone is still carefully tip-toeing. Make sure you are paying attention!
Image courtesy of TAW4 at FreeDigitalPhotos.net
Back when I first heard about Facebook I was working for a private university known for its “dry” campus. I was asked to consult on the case of a student who was being disciplined for violating the no-alcohol policy because a picture had been discovered of them buying booze at a nearby supermarket. It had been uploaded by the student’s friend to a hot new website called Facebook. I distinctly remember discussing this with staff and faculty at the time, predicting, “This is going to get a lot of kids in trouble.” There was discussion of banning access to the site, but filtering internet content back then wasn’t as straightforward as it is now, and the discussion was tabled with a promise to review the issue at a later time. Fast-forward to the present, where Facebook is still getting a lot of people in trouble, and themselves as well.
From the frying pan, to the fire, to…incinerator?
It might be hard to believe, but it was only June when we had to air out the latest load of dirty laundry from Facebook. Prior to that, they have been blog subjects seven times this year alone, and none of them were for something good! I’d say this month’s two-fer entry might be their pièce de résistance of colossal cock-ups, but there are still 90 days left in the year, and Facebook seems bent on setting some sort of record for destroying themselves.
First, they were caught red-handed letting advertisers use phone numbers provided by users for authentication purposes, something they had previously denied. To add insult to injury, it’s also come to light that they will also target individuals through contact information uploaded by their friends through the Facebook app, even if the individual never provided any sort of consent for such use.
If that isn’t enough to get your blood boiling, how about 50M Facebook users having their accounts compromised? Rather than the old-fashioned password hack, attackers exploited a bug in Facebook’s “View as” feature which allowed them to essentially steal the authentication token used to provide continued access after you’ve initially logged in. Think of this token as a VIP wristband you might wear at an event that also gets you access to the backstage. This token not only provides you a quick login to Facebook but to dozens of other connected services, such as Instagram and WhatsApp, that allow users to authenticate through Facebook instead of creating a unique login and password. Just like the wristband, Facebook only looks at the token and not the person using it, to determine what they are allowed to access, so you might get an inkling of why it being stolen is kind of a bad thing. The investigation is still ongoing, but according to Facebook, no passwords or credit cards were stolen, and it doesn’t look like the perpetrators of the September breach used their “wristbands” get into the various third-party platforms it could have granted access to, but I’d put even money on Facebook having yet another, “Wait, hold my beer,” moment, so don’t put the pitchforks too far out of reach.
Unfortunately for the two billion humans who are still trying to get some sort enjoyment (or livelihood) out of Facebook, there really isn’t any platform that comes close to being able to replace it. Your choices are “deal with it” or go cold turkey, the latter of which I don’t see any of my Facebook-hooked friends doing any time soon. If you’ve tied your various other online services to Facebook’s login in the pursuit of convenience, it only makes giving up Facebook that much harder and further illustrates just how dangerous this type of practice can be – Facebook login gave everyone a shovel, and quite a few people dug a hole that they have no idea how to get out of. Sadly, not climbing out of that hole and permanently putting the shovel aside essentially rewards Facebook for their negligent security practices, something that we should not do if we ever want the service to be something more than a way for advertisers and hackers (and Facebook!) to exploit for their own profit.
For the most part, everyone that I speak with has come to accept the possibility that the Internet knows much more about them than they might think. Their acceptance (which ranges from grudging to incredibly blasé) of a faceless, amorphous entity known as “the Internet” being more familiar with them than their neighbors is made acceptable exactly because the Internet has achieved that same omniscient and omnipresent position as “the Government” or “the CIA” or, dare we say, God him/her/itself. These entities are out there, both comforting and ominous, but not personal, not sitting right next to you.
Perhaps we’ve been doing this wrong.
People aren’t scared, upset or even bothered anymore when we tell them their privacy has been invaded by the “Internet”. In truth, that’s a kindness, because the specifics are much more disturbing. A security researcher just uncovered a veritable treasure trove of personal information on nearly 340 million Americans, i.e., all of us. This information was being hosted in an unsecured database by marketing firm Exactis, and it holds close to 2 terabytes of data. And unfortunately for all of us, it’s much worse than credit cards and social security numbers. Instead, it’s much more personal, such as home addresses and phone numbers, number of children in the family, interests, hobbies, habits, shopping preferences, up to 400 variables on each person in their database, including whether they are a smoker, how many pets and what type, and yes, religious affiliation.
If you ever question how online advertising could be so specific, wonder no more. The marketing firms know where their bread is buttered, and firms like Cambridge Analytica and Exactis are sacrificing your privacy on the altar of data aggregation for the almighty dollar. How does one fight back? Make sure you understand where your local congress critter stands on matters like privacy, encryption and regulatory enforcement on failures like the massive Equifax breach for which exactly zero justice or compensation was delivered.
Get out and vote.
A lot of my friends and colleagues are always surprised that I don’t have more gadgets around my house, especially items like Amazon’s Alexa or Google Home, seeing as I am a long-time customer of both mega-companies and utilize many of their services on a daily basis. Those of you who have been paying attention know that I’m pretty keen on privacy, and have also seen me write on the topic time and time again, mostly because companies like the aforementioned sometimes have trouble respecting our right to privacy. It’s not that I have something to hide, it’s that I am very specific about what I want to share, and that does not include sharing private family conversations with a work acquaintance, which seems to be what happened to a Seattle couple via their Amazon Echo device.
Entre nous becomes menage a trois
What many fail to truly understand is that in order for any voice-activated device to work, it must always be listening to everyone nearby, waiting for its moment to shine. In the case of the incident mentioned above, the Echo device thought it heard its vocal trigger, “Alexa” (or something phonetically similar) woke up, heard another trigger, “Send a message,” which caused to start recording what it thought was a legitimate message, which it then dutifully sent on to the unintended recipient. The couple had no idea their conversation was recorded and were only clued in when the unintentional eavesdropper called them to warn them about the incident.
How many times has your phone (iPhone or Android) self-activated because it thought it heard its vocal cue? Mine does this about 2-3 times a month, mainly because it hears (or thinks it hears) me saying “OK” and “Google” all the time, when in fact, I’m just having a conversation with someone nearby. It’s even self-activated because of audio from a podcast or song, which is really weird and creepy sometimes. Hackers have demonstrated the ability to completely compromise late model devices, and it’s a known intelligence exploit to compromise surveillance subject phones explicitly for the purposes of turning on the microphone as the ultimate audio bug. We carry these devices everywhere, and now they are in our most private spaces. It’s just you and me, and the internet now.
What scant regulation we have as a country that protects our personal privacy is mostly built around the concept of “Personally Identifiable Information” which, according to Wikipedia is, “…information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.” If you think of PII at all (most of don’t as a rule, which is part of the problem) you may enumerate bits like date of birth, social security number, mother’s maiden name, street address, phone number, etc. While those definitely qualify as PII, there is a ton of other information that falls into this category that the average person wouldn’t necessarily consider sensitive, such as a Twitter or Instagram account name, that without context, seems harmless. Thanks to the internet and data aggregation, everything can be connected, and now that pretty much all of our information is stored digitally, more readily stolen. A recent breach of DNA-testing firm MyHeritage put us one step closer to a dystopian future where the security and privacy of our own genetics will be at risk.
What this means for you
Fortunately for its 92 million customers, their DNA information wasn’t stolen, just encrypted emails and passwords. One could ask what sort of world we are living in that this constitutes (relatively) good news, but in the face of the massive Equifax debacle with zero consequences for any of the culpable, it seems that having your account and password stolen from yet another online service provider is now counting as the new normal. As horrifying as that is to consider, consider the nightmare scenario where not only are your DNA test results available somewhere on the internet, an insurance or mortgage company has bought this info and is using it in their underwriting process to evaluate your qualifications. It doesn’t matter that the information was originally acquired illegally or without your consent, there are no laws or regulations currently on the books that govern the use of genetic data, and judging from recent legislation coming out of Congress there is currently little interest in protecting the average citizen from anything, let alone an issue over which most Congress critters have an incomplete grasp. What’s to be done? Definitely don’t stop being outraged at yet another massive data breach that will largely go unnoticed by everyone. Make sure you understand where your government representatives stands on data privacy, and if it doesn’t match your standards, demonstrate your disapproval with you voting hand.
It’s been a solid three weeks since Facebook last graced our blog, but just like the proverbial bad penny, it just can’t stop turning up in the news for all the wrong reasons. There is a worn adage that claims there is no such thing as bad PR, but in Facebook’s case, I’m betting they’d rather stay out of the spotlight for a little longer. During CEO Mark Zuckerberg’s grueling congressional testimony earlier this year, Mr. Zuckerberg assured senators that Facebook users had complete control over who sees their data as well as how you share it. In a recent interview with the NY Times, Facebook has now owned up to previously undisclosed data-sharing relationships with four Chinese manufacturers, including Huawei who is viewed by American intelligence officials as a national security “threat” due to its close ties with the Chinese government.
What this means for you
According to an agreement Facebook entered into with the Federal Trade Commission in 2011, Facebook is not allowed to override a user’s privacy settings without first getting explicit consent. As part of the partnership agreement with these manufacturers – Huawei, Lenovo, Oppo and TC – Facebook granted privileged access to these partners to data collected through Facebook apps installed on their devices, even to the point of overriding the user’s explicit denial of access. Facebook executives have argued that they had adhered to the letter of the 2011 consent decree because the data in question (your data, your friends’ data, and your friends’ friends’ data) never actually leaves the device, and is only used “locally” to power applications and social media platforms. I’m no lawyer, but that sounds like splitting hairs, and as has been amply demonstrated by the Cambridge Analytica debacle (not even 2 months old, mind you!) relying on a partner company to adhere to Facebook’s privacy policies is not guaranteed, nor apparently something they can even enforce, once again demonstrating a clear gap in trustworthiness. Should you continue to use Facebook? As long as you keep your eyes open to the fact that Facebook might not be as transparent as they promise, even in the face of Congressional scrutiny, and more importantly, the watchful eye of journalistic rigor.
I’d like to say we actually went a few weeks without having to talk about Facebook because they weren’t in the news, but in reality, they were. I was just exhausted with the punishment they have been taking in the media ring, and rang the bell out of mercy rather than letting them continue to get pounded, at least on this blog. But break time is over and its time to lace up. Facebook did come out swinging earlier this week, publicizing their last quarter efforts to clean the place up: over half a billion fake accounts have been banned since the start of 2018, and they have removed nearly one billion posts that violated the social media giant’s guidelines. But the wind was snatched from their sails with news of a yet another breach of user privacy as researchers at New Scientist uncover a leak of three million users’ extremely confidential data gathered by an app called My Personality. The app, designed by psychometric researchers affiliated with Cambridge University, gathered in-depth psychological data on over six million users, half of whom agreed to share their data anonymously with 3rd-parties for research purposes.
Pinky-swear to keep this data confidential?
While I’m sure they didn’t intend to out three million people to the internet, a class project uploaded to a popular code-sharing website by university students was found to contain a login and password to the protected database built by the My Personality team. Whoops. And that data was there, available for the public to access, for 4 years. Double-whoops. Here’s the thing: in order to gain access to this data originally, one had to register for access, and were supposedly bound by a strict confidentiality clause. Two-hundred and eighty people from 150 companies did register, but you can bet at least an equal number (and probably many more) did not, once they discovered the “backdoor” uploaded to GitHub. And the thing with data, once it’s out of the barn, there is no telling where it went from there. There’s a hard lesson to be learned from all of this: it’s extremely difficult to control data once you relinquish any control on it, and this control all but vanishes literally one step from that first line of control, as managing the chain of custody scope expands exponentially. You can liken this to the old party game of “Telephone”, but instead of the message getting muddled with each person, the security and responsibility get hopelessly mangled literally in the next whispered exchange.