While it shouldn’t come as a surprise to any of our long-time readers, millions of less savvy taxpayers might be shocked to discover their online tax filing software has been caught red-handed leaking sensitive information. As discovered and reported on by non-profit news organization called The Markup, several popular online tax-filing websites including TaxAct, TaxSlayer, and HR Block have been collecting and passing user information to Facebook, including names, income, refund amounts, filing status and even dependent names and scholarship amounts.
What does this mean for you?
Most people are unaware that just about every app and website out there that isn’t strictly not-for-profit (and even some of those as well!) has a side hustle they don’t overtly share with their users/visitors/customers: data collection and selling. If you dig into their “Terms of Service” or various other fine-print agreements normal people don’t read before clicking “Accept”, you will likely find some generic or vague language that essentially says you agree to share data with their “partners” in exchange for using their services. In the case of the tax filing services, you might have even paid for that “privilege.” Don’t you feel special? In their meagre defense, the data that was gathered was done so by a very widely used data-gathering tool called Pixel developed by the #1 data-glutton, Meta née Facebook, and in a couple cases, seems to have been inadvertent or perhaps careless implementation of the data collection tool. On top of this, when asked to comment on whether Facebook was soliciting this type of data (which is illegal to share without your explicit consent!), they of course responded that partners were expressly forbidden to send Meta that data, and that Meta has filtering in place to prevent the collection of this type of data, regardless of who was sending it. It’s also been reported earlier this year that Facebook collects so much data it doesn’t fully understand how it’s used, or where it goes within Facebook’s various systems and algorithms. Should you trust a company that doesn’t even have a handle on its own data to properly filter data it’s not supposed to collect? How would they even be able to report accurately on that?
Shortly after reporting on their findings, The Markup was contacted by the named tax websites who shared that the data collection pixel had been removed from their services. Is it safe to use these services now? Probably, at least going forward. If you’ve used these services in the past few years, the damage is already done – data collection has been done on your returns and the data leaked to Facebook, regardless of whether you have a Facebook account. Unfortunately, as before, there is not much you can do about the leaks except to let your congressperson know that you expect them to take better care of your privacy. You can also contribute to organizations like the ACLU who have been fighting this fight longer than most of us realize.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
As someone who is beyond jaded by social media and the mega-corporations behind them, this news isn’t surprising, and I actually expected to see it long before now, but it gives me no pleasure in seeing our worst fears play out. Motherboard has published a story today about a Nebraska teenager and her mother being charged with several felonies and misdemeanors surrounding the teen’s self-induced abortion after their Facebook DM chat logs were turned over to Nebraska law enforcement by Meta. Despite the divisive act at the root of this incident and the current political storm raging around the overturning of Roe V. Wade, I’m hoping it highlights rather than distracts from the point of this week’s blog.
Social media is the exact opposite of privacy and confidentiality
Social media and its daily use have become so pervasive that for most people it’s just a de-facto part of how they live their lives, to the point where many can’t conceive of life without it. Regardless of whether or not the women from the above story acted illegally or immorally, there should be no equivocation about whether or not a social media platform will turn over your data to law enforcement. The answer is, “Yes, they will.” In this particular instance, Meta (aka Facebook) was abiding by a court-ordered search warrant. This doesn’t excuse them morally, but also falls well within expectations we have called out, over and over again. Following the overturning of Roe V. Wade, Motherboard reached out to all the major social media platforms asking them how they would handle just these types of requests in relation to women’s health and pregnancy rights, and none of them were prepared to go on record saying they wouldn’t do exactly what Facebook did in the above case. Unfortunately, abortion simultaneously highlights and distracts from the issue – it shouldn’t matter what is being kept private – only that it is private. In case it wasn’t clear: don’t expect anything you share on social media to remain private, regardless of how that platform professes to honor that privacy. The only commitment they are required to honor is to their shareholders or the equity firm backing the company, possibly even over the laws of the land.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Last year was not a good year for Facebook. Starting with the Cambridge Analytica, the social media giant seemed to stumble through a series of gaffes that literally erased billions from Mark Zuckerberg’s net worth. Yet, here we are again with the social media giant continuing to act with cavalier indifference towards its users’ privacy, and at this point, are you really surprised? We’re all adults here – I’m in no position to tell you what you should be keeping private or not, but I feel it’s my duty to make sure you are aware with whom you are sharing data, and that they are NOT here to serve you, but vice versa. And let’s put one big, stinging fact on the table – despite all of this, Facebook’s stock bounced back easily from last year’s drubbing, and is now poised to surge ahead thanks to better-than-expected fourth quarter earnings.
The latest proof that Facebook doesn’t care about your privacy
A few years back, Facebook instituted two-factor authentication for its login process, asking user’s for a phone number as the second factor. At this point, 2FA is the new security hotness, and millions are already smarting from a variety of virus infections, identity theft and account hacks to agree that 2FA was the best way to secure their accounts. While they weren’t (and still aren’t) wrong, could they have guessed that Facebook would start using that phone number as a means for other people to search for you, even if the searcher wasn’t someone you actually knew? How about doing this without even asking if its OK? This setting can be changed, but by default it’s set to allow “Public” access to use the 2FA phone number to help others find you. I don’t know about you, but that feels like the opposite of what everyone thought sharing this number with Facebook would do.
Strike two this month comes in the form of Facebook openly admitting that it receives data from many apps, including ones that help users track menstrual cycles, heart rates and website viewing habits, even if the user didn’t have a Facebook account. If this looks eerily similar to a recent article I wrote about a certain cell provider who was not being a good steward of your data, it is because it is yet another iteration of the same questionable practice.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
Seagate recently announced a new hard drive that can store up to 10TB of data on a standard 3.5″ hard drive designed for consumer-class devices, raising the bar by two terabytes from their previous models. If you are having trouble visualizing how much data that is, think of it in these terms: A single terabyte (1000 gigabytes) is equivalent to 1400 CD-ROMs of data, 2000 hours of CD-quality audio, 27,000 36mb photos (super high-res), or 85 million Word documents. And that’s just a tenth of this hard drive’s capacity. For large companies, 10 terabytes might be a number that was surpassed a few years ago (depending on the nature of their work), but the average home computer user rarely amassed more than 1-2 terabytes of data, even with lots of photos, music and backups.
What this means for you:
Unfortunately, hard drives are like closets, attics and rental storage: they will fill up with stuff, and at some point, it becomes nigh impossible to find the thing you are looking for without digging through a ton of old, mostly useless stuff. Unlike physical storage, hard drive storage is becoming increasingly easy (and cheap!) to expand. You don’t even need to buy hard drives if you don’t mind storing stuff “in the cloud” (which is just a bunch of hard drives somewhere else). Software is improving constantly to help us sort through this mountain of data, but the one technology that is still struggling to keep up with exploding data sizes are internet speeds, and accordingly, offsite backups are affected. On an average consumer broadband connection whose upstream maxes out at 5 megabits/second, backing up a single terabyte of data would take over 500 hours, and that’s at optimum speeds! If you happen to be one of the lucky few that have something like Google fiber, you could theoretically backup that same amount of data in 2 hours, but only if your backup service could even sustain that transfer rate (insider tip: it can’t). Long story short: just because space is available, don’t fill it up without some solid planning. Determine what data needs backing up and what you could easily replace. Examples of the latter include downloaded music, videos or audiobooks, applications and local copies of photos that are stored in the cloud.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Three major companies and a popular crowdfunding website joined the illustrious ranks of the hacked last week. At the forefront of media attention was mobile service provider T-Mobile who had to explain to nearly 15 million of its customers that anyone who had their credit checked while in the process of applying for T-Mobile service would now be enjoying the “benefits” a near perfect (for identity thieves) exposure of their data, including name, date of birth, social security number, addresses, phone numbers and even government-issued ID numbers. Online brokerage Scottstrade suffered a breach exposing nearly 5 million customers over a year ago that they didn’t even know about until informed by authorities investigating the matter. Rounding out the list of big names is everyone’s favorite business bad-boy, Donald Trump and his Trump Hotels business, of which seven luxury hotels appeared to have suffered a year-long breach in security that allowed thieves to siphon off guest credit and debit card data. And if that wasn’t enough, data thieves also managed to penetrate Patreon, a website used primarily by independent artists and entrepreneurs for fundraising, and exposed over 2 million users emails, passwords as well as their specific site activity.
What this means for you:
By this point, if you haven’t at least racked up two years or more of “free” identity theft protection from the numerous data breaches, you have been living the life of a true luddite and should share the secrets of your success (just not online, right?). What I’ve found among many of my clients, friends and family is that most have just furrowed their brows, shaken a symbolic fist at the faceless enemy/internet/corporation and more or less accepted this as a new fact of life. Many of them haven’t even taken advantage of the credit protection services offered as compensation for being a victim of one or more data breaches. As I’ve mentioned in the past, most Americans are now suffering a near textbook-perfect example of bad news fatigue, primarily because it seems like nothing can be done. But there are things you can do:
- Have a look at Have I Been Pwned to see if any of your email addresses show up. If they do, you should change your passwords, especially if the account that was “pwned” was associated with a password you use elsewhere.
- Sign up for any identity/credit protection services offered to you if they are still available. While they may not be able to prevent an attempt to use your identity, you are much more likely to catch it happening, and these companies can help recover from damage caused by the theft.
- Most critical online services such as banking and email offer two-factor authentication which can provide a much higher degree of security. Even though a hacker may have a password for your account, they won’t be able to access accounts protected by two-factor authentication.
- Understand what data you or your company is responsible for, and if you use vendors to process any of that data, make sure they are exercising proper diligence in securing their perimeter and your data. In the case of T-Mobile’s breach, credit-check vendor Experian was the source of the breach that will likely result in significant financial and reputation distress.
Though the average consumer is still many years away from seeing or using one, quantum computers are moving steadily from theory to reality, and seems to be following the same accelerated curve most other technologies follow. First theorized in the 1960’s, the field of quantum computing was formally established in the early 1980’s, but actual systems using quantum computing only appeared in this decade. Lockheed Martin purchased in 2011 what appears to be the first physical implementation of a quantum computer: the D-Wave One. Google launched its own quantum computing initiative in 2013 in joint effort with NASA, and Edward Snowden revealed in 2014 alleged plans by the NSA to build a quantum computer expressly for cracking encrypted data.
[Skip this section unless you really want a brain twister!] Quantum mechanics on its own is an incredibly dense and complex field of science, and even though quantum computing concerns itself with a specific application of quantum mechanics, it is just as inscrutable as modern computers are now to most people. In a nutshell, where modern computers process data by boiling down everything to zeros and ones (bits), quantum computers process data using qubits, which can exist as either a zero or one, or any number of infinite states in between. While you are trying to wrap your head around that one, consider this next mind-blowing fact: where traditional CPU’s solve problems by switching between one or zero (albeit very, very quickly) and testing a condition (is it 0 or 1), a quantum CPU can simulaneously solve for one and zero at the same time. Because of this capability, a quantum CPU would be vast leap forward both in speed and complexity as compared to a “traditional” CPU.
What this means for you:
Scientists and security experts are justifiably concerned that quantum computers could easily crack the toughest encryption methods in use today. Encrpytion that would normally take today’s computers thousands of years to crack could, in theory, be broken within hours on a quantum computer. It’s not a long jump to suppose that the first organizations to implement quantum computers will be nation-states and large corporations, and then the race will be on to safeguard data with even stronger cryptographic algorithms. Echoing an arms race not unlike the nuclear one in decades past, modern technology is advancing at a pace that most humans will never stay ahead of, and we are relying on a small number of people in power who continually demonstrate an alarming lack of understanding of technology in general. Its important for all of us to step up our game and to focus on, at minimum, learning more about the technology we use everyday, and when we hit our limit, making sure we are protected and led by more knowledgeable people we can trust.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Lest you think the tech giant missed having a finger in this particular pie, Google surprised no one by debuting their own wireless carrier service earlier this week. Though the service is invite-only at the moment and only offered on Google’s own Nexus 6, they’ve negotiated a deal with both Sprint and T-Mobile to piggy back on their existing, nation-wide infrastructure to create a coverage area without having to build it. According to Google, the limited launch of this service is more of an experiment as opposed to a direct challenge of reigning champs ATT and Verizon. The major differentiator to their service? A low-cost, pay as you use it, data plan with data tethering, wi-fi calling that can also be used from other mobile devices such as tablets and laptops.
What this means for you:
Unless you have an invite in hand, you can’t jump onto the Google Wireless bandwagon yet, and if Google stays true to the “we’re just testing the waters” mantra, maybe not ever. But if Google can deliver a solid service for a fraction of the price that the big 4 carriers are charging now, it’s going to have repercussions on the entire mobile landscape. As they’ve done with Google Fiber, this particular foray into the bloody wireless markets is an exercise in forcing a change in the status quo where major carriers are squabbling over how to charge consumers more for less service. However, Google surely has an agenda that includes profit (they are publicy held), and you musn’t forget that the largest revenue stream for them is advertising and data mining. The mad scramble for dominance in the mobile data market is about as close as we’ll ever get to seeing a modern gold rush, and you can bet Google has been preparing to stake a claim since before you and I even knew there was “gold in them thar hills!”
In the ever-escalating cloud services arms race, Microsoft just trotted out a whopper of a one-up over just about everyone in competition: Microsoft’s OneDrive VP just announced on the OneDrive blog that all Personal, Home and Education Office365 subscribers will have access to unlimited cloud storage for no additional cost. Lest you feel left out in the cold, business subscribers, Microsoft has plans to extend your storage in a similar fashion in 2015. All a part of its master plan, Microsoft envisions a future where everything is done in the cloud, and they want to make sure you are firmly rooted in their ecosystem.
What this means for you:
Before you rush off to move all your files to the cloud as Microsoft suggests, you should consider the implications. Cloud storage of any type is a double-edged sword: on the one hand, once you get your data uploaded, you can (supposedly) stop worrying about mechanical failures, such as hard drive crashes and sending your USB thumb drives through the wash. Another great benefit is your data is essentially accessible from anywhere on the internet. Setting up technology to provide this type of of service is not trivial. Even when you are as big as JP Morgan, it’s still possible to misconfigure your servers, so having a provider who is (probably) an expert at this is better than trying to do it yourself, especially if your company can’t afford a full-time IT professional.
On the other hand, your data is now stored on hardware (and a service) over which you have very little control, and which requires an internet connection. There is also the possibility that your data could be accessed without authorization, either by hackers who manage to penetrate the services security, or by the provider itself, who may be subject to government subpeona, or even by a provider employee with malicious intent.
Given the two sides of this very sharp sword, one must make a reasoned decision about whether to employ cloud storage as part of your technology profile. The most important factor will be the type of data you are planning to store: if any of the alphabet-soup laws apply (HIPPA for example), you may be severely limited in what you can legally store on a cloud-based service. Even if the laws don’t seem to directly apply, consider the consequences if any of your data were to be exposed on the internet for anyone to see: would it be damaging to your business or your clients? If so, you may want to rethink whether the cloud is ready for you.
Matt Honan, the Wired writer who had his digital identity stolen in a harrowing cyberattack last year, is back with another chilling article about yet another technology failing to protect us: this time it’s our beloved smartphones. More specifically, it’s the ones we’ve left behind, donated or possibly even sold via eBay, when we upgraded to a newer mobile device. The problem? Even though we may “wipe” the phones, the process may still leave enough information behind for the wiped phone to reveal sensitive information about their owners, including where the phone has been (geographically), what websites have been visited, and even phone numbers, addresses and other confidential data we thought erased.
What this means for you:
Depending on the type of phone you are discarding, and how it is wiped, this may or may not be an issue for you. For example, iPhones after the 3G mentioned in the article are encrypted by default, and if “reset” properly, the encryption key is destroyed, rendering any data on the phone unreadable, even if it is recovered. Most large organizations with a savvy IT department will only allow smartphones to access corporate email and files after your phone has been configured with proper security settings, up to and including an encrypted partition to store your email and any files you might access from the corporate network. Most Android phones should be able to encrypt all data (check “Settings -> Security”) depending on version of Android your phone is running, providing the same type of protection that Apple has on its late-model iPhones.
I can hear you saying, “I don’t have any data on my phone that is sensitive,” and unless you are 100% sure of this, always assume there is something on your phone you don’t want untrustworthy eyes seeing. Even older flip-phones have phone numbers, addresses and other data you might not want to share with a stranger. If you are at all in doubt, hold on to that phone until you can talk to a professional about wiping it securely. If you don’t plan on letting the phone have a second life through eBay or donation, take it to an eWaste facility or event that offers secure destruction. This process renders the phone (and any electronic device, like a hard drive) down to its basic metallic components, completely destroying any data stored in any component. Don’t have access to such a process? Drop your phone into a bowl of water for a day or, as the Wired article suggests, take a hammer to it (wear proper safety equipment please!) before disposing of it through a proper eWaste avenue. This isn’t a guaranteed method, but it will take a dedicated effort that most data scavengers will bypass in favor of the next discarded smartphone that will be an easier mark.