Full disclosure – I’ve long been a fan of many of Google’s services. I’ve used Gmail since the first beta, rely on Google search all day long, use a Pixel as my smartphone and listen to music all day long through their music service. It pains me when my favorite tech brands make poor choices, and unfortunately, Google’s leadership seems to have forgotten their founders’ original creed, “Don’t be evil,” in favor of behaving like any profit-driven, ethically-ambiguous megacorp. The latest scandal comes from one of Google’s recent tech acquisitions in the form of a failure to disclose the presence of microphones in the Nest Secure home devices. Now, the presence of microphones in security devices shouldn’t come as a surprise, but Google’s failure to mention it in any documentation is a glaring breach of trust on their part.
What this means for you
When I first heard this news, I thought to myself, “Well duh, of course these things have microphones. They are security monitoring devices,” and thought that, once again, naive consumers were purchasing and installing the devices without RTFM (“reading the fine manual” except substitute your own f-word). But no, Google (and Nest) didn’t actually document the presence of a microphone at all until it recently revealed that the Google Assistant technology could now be used on the Nest Secure device which, oh by the way, uses voice control…which, erm, requires a microphone…that is already on the device. According to Google, the microphone was disabled by default and can only be activated when the user specifically enables it. Which doesn’t make the whole failure to disclose any better, because how do we know it wasn’t enabled, and why should we trust them to be telling the truth now?
Unfortunately for you, even if you were being a careful consumer and reading the fine manual (or label, or reviews, etc.), the only way you would have known there was a microphone in the device would have been to dismantle it yourself, but why would you do that when the product documentation clearly lists the device’s specs, doesn’t it? Does this sound familiar? Like some other technology megacorp abusing its users’ trust? Is it going to take dragging these companies in front of Congress to get them to stop being so lackadaisical with our privacy? Well, before we do that, let’s make sure we elect Congress critters that know iPhones aren’t made by Google.
Remember a couple weeks ago when the adultery website Ashley Madison and assorted “sibling” sites were hacked? The alleged hackers were holding the data hostage and demanding (parent company) Avid Life Media be held accountable for what the hackers claimed was the fraudulent business practice of offering website “patrons” the opportunity to pay to have their data completely erased. The data has been released (including the supposedly erased data), it is now searchable thanks to websites like Have I Been Pwned, and it’s wrecking lives like, well, a proverbial home-wrecker. It doesn’t take much imagination to envision why this is happening – marriage as an institution in America has been on some fairly rough ground lately, but you don’t come to this blog for that kind of gossip…
So here’s my IT angle on the whole mess:
- Just one, simple piece of data in the wrong place at the wrong time can be a game changer. In the case of the above, finding someone’s email address in the database separate from any other context can utterly destroy trust. And this doesn’t have to be a spouse or a family member: it can be a congregant, constituent, employee, employer, customer, client, prospect, competitor, adversary or worse – a true enemy. Many have said that their accounts were created for research (I didn’t even put that in quotes), and many probably were and even have official documentation backing up that claim, but when data is released without context, the victims don’t have any control over how the data is viewed or used.
- Most agree that Avid Life Media’s IT team had more than adequate protections and data encryption in place, but like every other business, they were fighting a losing battle. As I’ve said repeatedly (as has most of the industry), the current battle against digital intrusion is a war of attrition, and the attackers have the upper hand. They only have to succeed once to win, but we, in defending our organizations, cannot stumble even once. In case you are having trouble envisioning why this is, imagine a game of soccer where you are the goalie and the hacker is the other team. It’s just you versus the entire team, and there are multiple balls in play. They only have to score once to win. You, on the other hand, can only hope to get one of the opposing team out on penalty to slow them down, but guess what? They have a rather deep bench. And there are no time outs.
- Do your employees or vendors have access to data or systems to which they shouldn’t? Some believe the hack was an inside job. Keep in mind that you have to trust someone at some point to manage your security. Though it may be difficult or even painful to examine your operations for disgruntled employees or customers, unethical or inhumane practices reap as they sow, as Avid Life Media is perhaps experiencing first hand.
- Things done on the internet can never be erased. Even if you pay someone to do so, and they make an honest attempt at it, the internet never forgets. Want to keep something secret? Keep it as far away from the internet as possible. Can’t (or won’t) do that? Count on it not being secret and at least you’ll be prepared for when it does become public. Also, there are very few levels of obscurity on the internet. In most cases, things are merely forgotten or overlooked, but they never truly disappear from view.
- Privacy and security are hard won, and increasingly so as time progresses. Expect the costs of maintaining these things to continue to rise.
With all the recent high-profile hacks, it’s hard to not be a “Debbie Downer” when it comes to the current state of security and privacy – but don’t fool yourself into thinking that things aren’t as bad as they might seem. Taking a realistic view on internet privacy and security is important in achieving a balanced perspective when making decisions on what to spend (both in dollars and energy) on defending yourself and your business. It’s not the end of the world. Not nearly. But it’s rough out there, and likely to get worse before it gets better. Be prepared, be realistic: plan for the worst and hope for the best.