Two years ago, that sentence would have sounded like paranoid fiction. It does not sound like that right now.
I want to be clear upfront: I’m not here to argue politics. I genuinely do not care which side of the DOGE debate you’re on. What I do care about is that the data situation quietly unfolding within the Social Security Administration has real consequences for your business, your employees, and your clients, and most people are not paying attention.
Let me explain what happened, and more importantly, what it means for you specifically.
What Actually Happened
The Department of Government Efficiency, working inside the Social Security Administration, allegedly copied the entire NUMIDENT database to a cloud environment that bypassed the agency’s standard security protocols. According to a whistleblower complaint filed by the SSA’s former chief data officer, Charles Borges, this was done despite court orders limiting DOGE’s access to the agency’s systems.
The NUMIDENT is not just Social Security numbers. It is every record ever submitted in an application for a Social Security card: names, dates of birth, citizenship status, race and ethnicity, phone numbers, home addresses, and parents’ names and Social Security numbers. For more than 300 million Americans.
Court filings later revealed that DOGE employees used a third-party Cloudflare server not approved for SSA data, sent a password-protected file containing private records to outside affiliates, and that the SSA still cannot fully account for what was left in its systems or where it went. The Department of Justice has acknowledged in court filings that earlier statements about the scope of access were inaccurate.
Borges, per his complaint, warned his superiors that the agency might one day be forced to reissue every Social Security number in the country. A Senate investigation put the risk of a catastrophic breach at 65 percent.
Why This Is Different from Every Other Breach
Most data incidents involve something replaceable. Credit card compromised? You get a new one. Password exposed? Reset it. Account hacked? Recover it.
A Social Security number does not work that way. It is the root credential for your credit history, your tax filings, your employment verifications, your professional licenses, your Medicare records, and your background check history. Getting a new one, in the rare cases the SSA permits it, creates nearly as many problems as it solves, because nothing else in your financial life knows about the change.
If this data ends up in the wrong hands, the damage will not look like a fraud alert next week. It looks like a suspicious loan application two years from now or a tax return filed in your employee’s name before they can file their own. It could look like a wire transfer request that sounds exactly like your CFO, because someone has enough personal details to make it convincing.
The Three Business Risks Worth Taking Seriously
Your employees are now higher-value social engineering targets. If bad actors have an employee’s SSN, home address, employer, and parents’ names, they can construct pretexts that are genuinely hard to detect. Not a generic phishing email. A targeted call that opens with information that sounds like insider knowledge. Professional services firms, where staff regularly handle client funds and sensitive documents, are exactly the kind of target that makes this worthwhile for a criminal.
Your clients are downstream of whatever happens to your team. Accounting firms, law offices, and property management companies hold sensitive financial and personal data on behalf of other people. If an employee identity compromise creates an intrusion into your systems, your clients have a problem too. The liability runs in both directions and it runs fast.
The verification systems your business relies on may become unreliable. If large-scale SSN fraud materializes from this exposure, financial institutions will respond by tightening verification processes. Credit applications, employment checks, and background verifications may get slower, more expensive, or more complicated across the board. That is an operational headache even for firms that do not experience a direct breach.
What You Can Actually Do
None of this requires an expensive platform purchase or a consultant’s SOW. It mostly requires an afternoon and some attention.
Tell your team what happened in plain language. Informed employees are harder to manipulate. A staff that knows their personal data is out there is less likely to be fooled by a pretext that uses it.
Encourage everyone to freeze their credit at all three bureaus. It is free, it is reversible when needed, and it is still the most effective individual defense against identity fraud available. Experian, Equifax, and TransUnion all allow you to do it online.
Set up an alert through ssa.gov so you receive notification if anyone attempts to access Social Security benefits using your number.
Review your cybersecurity insurance policy for social engineering coverage specifically. Many policies cover breaches of company systems but have lower limits, or outright exclusions, for employee identity compromise that creates a business loss. Find out before you need to know.
If your firm does not have a written process for what to do when an employee reports identity theft, write one. It does not have to be long. It just has to exist before you need it.
The Bigger Picture
I have written before about the way cybersecurity threats have become environmental. They are not targeted at you specifically. They are more like pollution: pervasive, ongoing, not always visible, and best managed through preparation rather than reaction.
What makes this particular situation harder is that the exposure did not come from a criminal enterprise. It came from inside the institutions we were told to trust with our most sensitive information. That is a more uncomfortable conversation. But avoiding it does not change the exposure.
The firms that handle this well are not the ones with the most sophisticated tools. They are the ones that thought through what they would do before something went wrong, rather than figuring it out in the middle of it.
If you want to talk through what your firm’s actual risk picture looks like right now, reach out. That conversation is always free.
Quick and Easy: DOGE allegedly copied the Social Security Administration’s entire national database to an unauthorized cloud server, and the agency’s own cybersecurity officials raised the possibility of having to reissue every SSN in the country as a worst-case outcome. For professional services firms, the real risks are targeted social engineering of your employees, downstream exposure of your clients, and potential disruption to financial verification processes. The practical responses are mostly free and can be put in place this week.
You just don’t know it yet.
I had a conversation recently with a client that stopped me cold. One of their employees had been using a paid AI chatbot to help with administrative work. She was saving herself hours a day. She was sharp, resourceful, and genuinely proud of what she figured out on her own. Unfortunately, she had absolutely no idea she had been feeding client data into a third-party system that her company had never reviewed, approved, or consented to on behalf of the people whose information she was sharing.
When I asked her point blank, “Are you putting client data in there?” she said yes. Then, when I explained what that actually meant, she was horrified. Not because she did something malicious. Because she had no idea there was anything to be horrified about.
That’s the conversation I keep having right now, and I think a lot of business owners need to hear it.
The Part Nobody Explains
What most people do not understand about AI tools is that when you type something into a chatbot, that information does not necessarily stay with you. Depending on the platform, the service’s terms of use, and whatever privacy settings exist in your account, that data may be used to train the model. It may be retained. It may be stored on servers you have no visibility into.
Now, I am not here to tell you that every AI company is doing something sinister. Some are genuinely more careful than others. However, even the most responsible provider operates under a simple truth: unless the platform explicitly states it will not use your data for training purposes, and unless your clients have given you consent to share their information with that platform, you are operating in a gray area.
In professional services, gray areas often become very expensive problems.
The Real Risk for Accounting Firms, Law Offices, and Property Managers
Think about what your employees handle: client financials, legal correspondence, lease agreements, Social Security numbers, medical expense records, and attorney-client communications. This is not generic business information. This is sensitive, regulated, and in many cases privileged data.
Sharing that information with an AI tool, even to do something as mundane as drafting a summary or cleaning up a spreadsheet, is a data-sharing event. The fact that it feels like a productivity shortcut does not change what it actually is.
Cyber insurance carriers are already paying attention to this. Compliance frameworks are catching up. When something goes wrong, the fact that the employee “didn’t know” is not going to satisfy the client whose information ended up somewhere it was never supposed to be.
What I Tell My Clients to Do Right Now
You do not need to ban AI tools. I am not suggesting that. Some of them are genuinely useful and, in the right context, safe. However, you do need to stop pretending this is not happening in your office.
Start with a basic policy. It does not have to be long. It does not have to be complicated. It should answer three questions: which AI tools are approved for use, what categories of data can and cannot be entered into those tools, and who is responsible for reviewing and updating that guidance as things change. Because they will change, probably faster than any of us would like.
Then you need to have the conversation. Not a scary, disciplinary conversation, but a practical one. Most employees using these tools are doing so to do their jobs better. They deserve to understand the actual risks so they can make informed decisions, not get caught off guard as my client’s employee did.
A Word on the AI Companies Themselves
I get asked a lot about which AI providers are the most trustworthy. Honestly, that question is harder to answer than it sounds. This space is constantly shifting, and companies that have solid policies today often quietly revise them later.
What I tell people is this: do not base your data-handling decisions on trust alone. Base them on what the agreement actually says, what your compliance requirements demand, and whether you have any business reason to take on the risk. Copilot, for example, operates within Microsoft’s walled environment, which at least limits where your data can go. Even that is not a blank check to input anything and everything without thinking.
The honest answer is that we are all figuring this out as we go. Even me. The responsible thing is to proceed carefully, ask questions, and not assume that a productivity gain justifies a compliance violation.
Quick and Easy
Employees at professional services firms routinely enter client data into AI tools without understanding the associated privacy and compliance risks. A simple internal policy covering approved tools and prohibited data categories is not a luxury at this point. It is a basic part of running a responsible business.
Ever since they were hacked in 2023, genetics and ancestry website 23andMe has been more or less moribund, going from a high of $16 per share to $0.29 today and the resignation of their entire board of directors last month. When we last wrote about them in December of last year, the beleaguered DNA testing company had to revise their initial statement about only getting a “little” hacked (1.4M records) to admitting that they got majorly hacked (6.9M records). As you can imagine, this didn’t bode well for their marketability.
Why are we talking about them again?
It’s been nearly a year since the initial data breach, and judging by the lack of faith the recently departed board of directors had in the company’s founder, they aren’t likely to return to full potential any time soon, if ever. If you were one of the millions of people that sent them your DNA to analyze, you’ve probably already reaped whatever benefits (positive and negative) you will likely get from 23andMe, but they may not be done making money from your data. While they claim that much scientific good has been generated if you were one of the many who consented to allow your de-personalized data to be used by researchers, you may want to consider the consequences of letting a company who’s security practices led to their current downfall continue to have access to your data. Because you do have the option of asking them to delete your data. And seeing as you paid them for the privilege of providing your data, it seems rather mercenary for them to then take your data and continue to sell it without compensating you. Rather, they got hacked, exposed your confidential information, and then continued to (somewhat) operate. If you’d like to see some consequences, you can do your part by asking them to delete your data which can be done merely by logging into your account on their website and submitting that request. Do it. If a majority of their customers were to do this, perhaps it will send a warning to competitors to do a better job with your precious data, and a message to our government about doing a better job protecting our privacy.
Image courtesy of geralt at Pixabay
California is one of 7 states participating in a pilot program that allows drivers to store their license on their phone in their Apple or Google wallet. California’s rollout is part of a larger project called “Digital ID Framework” which lays the groundwork for a much broader implementation of identification that is intended to supplement and eventually replace physical ID’s like Passports, government badges, and Driver’s Licenses. Their vision is to link the various State-certified credentials, government programs with day-to-day practicalities like checking in at an airport, purchasing groceries through EBT, or proving to local agencies that you are a licensed cosmetologist. But don’t throw your Driver’s License in a drawer just yet.
What this means for you
First off, California’s pilot program is limited to 1.5 million participants at the moment, and obviously you will need to have an Android or late model Apple smartphone with a functioning digital wallet. Additionally, using Apple or Google’s wallet mobile Driver’s License only grants you the ability to use it to verify your ID at airports, so unless you are a frequent traveler, adding your license to your digital wallet is really more of a novelty at this point. The DMV also has a wallet app that adds a little more functionality: in addition to using it at Airports, the DMV wallet app allows you to verify your age at a select few stores in San Francisco and Los Angeles, and the reader function of the app allows you to verify identification of other DMV wallet users. Not exactly the bold new world you might have originally envisioned.
More importantly, your California mobile Driver’s License cannot currently be used for things like traffic stops or other law enforcement verifications. Some states like Louisiana and Colorado have begun adoption at this level, and as I mentioned above, California intends to expand capabilities of their Digital ID Framework to eventually make your phone a valid ID for this exact purpose. Until this comes to pass, and even when it does arrive, privacy advocates are recommending that you never voluntarily surrender your phone to law enforcement for any reason without a proper search warrant and legal representation. Even the Supreme Court has ruled in this matter. Even if you’ve done nothing wrong and are confident that there is nothing incriminating on your phone, it does not mean the person requesting your phone won’t abuse your privacy or their authority. For now, even if it seems like a very convenient feature, keep your phones in your pocket and your Driver’s License handy.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Back in October of this year, we wrote about DNA testing company 23andMe’s reported data breach. Initially thought to “only” impact 1.4 million people, 23andMe has revised that estimate to a whopping 6.9 million impacted users that had data exposed including names, birthdays, locations, pictures, addresses, related family members, but not, as the company has strenuously emphasized, actual genetic data. I’m fairly certain that little nugget is not providing the relief they might hope.
Why this should matter to you
Even if you nor any immediate family is a 23andMe customer, it’s important to understand why this data breach is particularly noteworthy. 23andMe wasn’t hacked in a manner that is more commonplace for large companies – hacked or stolen credentials for someone inside the company that had privileged access, but rather through a mass breach of 14,000 customer accounts that were secured by passwords found in dark web databases, ie. these stepping-stone customers were using the same passwords that were exposed in other breaches and leaks. The hackers used those compromised accounts to essentially automate a mass cross-referencing data harvest that in the end, exposed data on nearly 7 million 23andMe customers. This last data exposure is on 23andMe – it would seem they didn’t anticipate the built-in cross-referencing services that the genetics testing company offers would be turned against itself. Also, there was the minor omission of not enforcing multi-factor authentication to secure everyone’s accounts, which might have compensated for the poor password discipline of its customers. The two take-aways? Unique passwords and multi-factor authentication should be the minimum security requirements you should expect from any service that contains your valuable data.
Image courtesy of geralt at Pixabay
(Edited 12MAR2025 – Grammar and readability)
I’d hazard a guess that this could be more broadly stated that people world-wide don’t understand how their data is being used by companies and governments, but the basis for this generalization comes from a study published by the US by the Annenberg School for Communication entitled “Americans Can’t Consent to Companies’ Use of Their Data.” A bold statement for a country for whom a large part of their economy is derived from monetizing digital ones and zeroes, but the subtitle tells us the rest of the story: “They Admit They Don’t Understand It, Say They’re Helpless To Control It, and Believe They’re Harmed When Firms Use Their Data – Making What Companies Do Illegitimate.”
Doesn’t exactly roll off the tongue
The survey asked 2000 Americans 17 true-false questions about how companies gather and use data for digital marketing purposes, and if participants were to be graded on the traditional academic scale, most of the class failed, and only 1 person out of the 2000 got an “A”. An example of the type of knowledge tested:
FACT: The Federal Health Insurance and Portability Act (HIPAA) does not stop apps that provide information about health – such as exercise and fertility apps – from selling data collected about the app users to marketers. 82% of Americans don’t know; 45% admit they don’t know.
“Americans Can’t Consent to Companies’ Use of Their Data: They Admit They Don’t Understand It, Say They’re Helpless To Control It, and Believe They’re Harmed When Firms Use Their Data – Making What Companies Do Illegitimate.” Turow, Lelkes, Draper, Waldman, 2023.
You should read this paper (or at least the summary), but I understand it if you don’t. Even though it reads easier than your typical academic paper, the topic is uncomfortable for those who have an inkling of what’s at stake, and for most of us, we’ve already resigned ourselves to not being able to do anything about it because we feel powerless to do otherwise. And this is their point – this paper wasn’t written merely as an academic exercise. The authors are basically claiming that because very few of us can understand the variety and extent to which companies collect and use our data, there is no possible way we can give genuine informed consent for them to do so. But unless there are laws that protect us in this regard, American companies can do as they please, and they will do so because their responsibility is not people but to stakeholders, and in this current market, minding everyone’s privacy is not nearly as profitable as ignoring it.
This report now provides evidence that notice-and-consent may be beyond repair—and could even be harmful to individuals and society. Companies may argue they offer ways for people to stop such tracking. But as we have seen, a great percentage of the US population has no understanding of how the basics of the commercial internet work. Expecting Americans to learn how to continually keep track of how and when to opt out, opt in, and expunge their data is folly.
ibid, Page 18 (emphasis mine)
As is often the case with academic papers, rarely do the authors take on the monumental task of attempting to solve the issue, but they at least acknowledge that our lawmakers must acknowledge this enormous elephant on the internet before anything can be done to address it.
We hope the findings of this study will further encourage all policymakers to flip the script so that the burden of protection from commercial surveillance is not mostly on us. The social goal must be to move us away from the emptiness of consent.
ibid, Page 19 (emphasis mine)
Perhaps a letter to your elected representatives asking them if they’ve read this article and have any interest in doing something about it?
Image courtesy of TAW4 at FreeDigitalPhotos.net
Traditionally I like my year-end messages to be hopeful, but as I am someone who does not mince words when it comes to your technology, I don’t come to you at the close of 2022 with a message of optimism. If anything, I want to congratulate you for surviving this year with your sanity and health intact, if not your technology security. Accomplishing all three is something to be commended, and I am sad to report that not all of our clients were as successful, including a client and good friend who passed unexpectedly this year. This post is dedicated to him, and to everyone who fought the good fight this year, either against cyberattacks, Covid and everything between.
“Don’t take security for granted.”
This is my year-end message for you: If there is one trend I can clearly point to in this past year (and in years previous), is that you are the first and last line of defense in the war for your technology security. You are the first and last line of defense in maintaining your privacy. We here at C2 Technology are willing and able to throw ourselves in front of as many attacks as we can, but we can’t be with you in every moment, everywhere you touch technology, nor should you want us there. In almost nearly all cases of hacks that we have worked through this year, and numerous others I have read about, breaches and compromises have occurred because attackers are very successful at exploiting human, not technology, weaknesses.
One thing that I know for sure is that you can count on even more cybersecurity attacks in every aspect of your personal and business technology. There is big money in compromising your security – organized crime has moved, full-scale, into funding, staffing and managing highly effective fraud call centers and hit-squads whose primary objective is to trick you into giving them access to your stuff and then cleaning house. On top of this, there is no singular magic bullet, app, governing body nor enforcement agency that can protect you. Let me reiterate – there is no perfect, monolithic solution C2 or any other organization can provide to you to keep you perfectly safe. As with cold weather, layers are better than just a single, bulky jacket. Your best defense will be a collection of services, software and best practices. Your configuration of those layers will vary based on personal or organizational need, but everyone should at minimum be considering the following:
- Constant vigilance is the key. You should assume that you are under constant cyberthreat and act accordingly. As much as it feels distasteful say this given the current political climate, you should consider yourself on cyber-wartime footing with no armistice or ceasefire in your near future. You may have heard me jokingly compare this vigilance with paranoia, but my gallows humor may have done you a disservice in making light of this situation. Make no mistake, this is very serious, and I do not see anyone being able to let down their guard anytime soon. As I mentioned above, C2 can’t always be there for a magical, “Get down, Mr. President!” moment. All we can do is attempt to train you to spot the peril. If you have employees, you should bolster their vigilance with actual, formal training – not everyone will have the same level of urgency on technology security as the principals of the organization, but training and testing will help them understand the importance and impress upon them that this is a part of their job responsibilities, regardless of their role in the organization.
- If you aren’t using unique passwords and multi-factor authentication for your critical online accounts, you are doing the cyber equivalent of leaving the keys in your running car in a dangerous neighborhood. You should check your most-used passwords here, and if any of them show up on the list, immediately change that password everywhere you used it. Right. Now. If you can turn on multi-factor authentication for your banking and other critical service accounts and haven’t already done so, do so. Right. Now.
- Back up your files to a cloud provider on a daily basis. You can get a very reliable, easy to use service for as little as $7/month, and you might already have access to a form of cloud backups through Apple or Microsoft by virtue of other services for which you are already paying. Keep in mind, services like OneDrive and iCloud are a form of short-term backup, but do not normally provide long-term recovery of files deleted more than 30 days ago, nor can they fully protect against certain forms of ransomware attacks, so make sure you consult with your friendly neighborhood technology professional about what would be appropriate for your use case.
- Keep work and personal separate. This may be difficult to do especially if you work from home on your own technology, but the more you intermingle, the more risk you take from one side or the other. This also goes for using your home network if you have family that aren’t as security conscious as you, especially seniors and young children, both of whom are particularly vulnerable to scams that most of us spot in a heartbeat. Your technology professional will have ways to segment your work and home life, but it will result in additional expense and inconvenience.
- At the business level, antivirus and malware protection has evolved into what is now known as “endpoint protection.” The free software that comes with your new PC is NOT endpoint protection, nor is the product they are trying to upsell you. The primary difference between the two is that last generation products relied heavily on definition tables and scheduled scans of your files, which is not nearly as effective against modern malware tactics that sometimes don’t even involve something being installed in your hard drive, or software that literally changes by the hour. Endpoint protection relies on algorithms that are able to analyze the behavior of softwares and services to determine if they might be harmful, and more importantly, are designed not only to protect the device on which it’s installed, but also to protect the network to which it is connected, something that previous gen antivirus software could not do.
- If you deal with any kind of PII (personally-identifiable information) where that information is stored on your computer – even if only in transit – your hard drive should be encrypted, especially if the device housing it is easily stolen, such as a laptop. Fortunately, both Windows and Mac OS do include encryption, but it isn’t always enabled, and in the case of Windows, it is only readily available in the “Professional” (more expensive) variant of their OS.
- You should be making sure your operating system and main software apps are kept up to date. Microsoft releases updates on a weekly basis, and about half of them require a reboot to full apply. Windows 10 (and to a certain degree 11) is so stable that it can go weeks without rebooting but waiting that long can cause other problems that will be a lot more inconvenient than restarting your PC. We recommend clients restart their PCs as frequently as every 3 days – this accomplishes needed housekeeping tasks as well as clearing the “virtual crud” that all PCs accumulate through daily use, especially if you like having lots of windows and apps open.
Technology security requires a holistic approach, and I don’t mean tuning your chakras and making sure your gut biome is balanced. Every aspect of your technology, from internet provider to software services, every device used in the work process, all users, and even your clients’ and customers’ technology should be reviewed and considered when formulating your security approach. The days of “set and forget” are long gone. Protecting your technology is something that will require effort and, dare I say, constant vigilance.
While it shouldn’t come as a surprise to any of our long-time readers, millions of less savvy taxpayers might be shocked to discover their online tax filing software has been caught red-handed leaking sensitive information. As discovered and reported on by non-profit news organization called The Markup, several popular online tax-filing websites including TaxAct, TaxSlayer, and HR Block have been collecting and passing user information to Facebook, including names, income, refund amounts, filing status and even dependent names and scholarship amounts.
What does this mean for you?
Most people are unaware that just about every app and website out there that isn’t strictly not-for-profit (and even some of those as well!) has a side hustle they don’t overtly share with their users/visitors/customers: data collection and selling. If you dig into their “Terms of Service” or various other fine-print agreements normal people don’t read before clicking “Accept”, you will likely find some generic or vague language that essentially says you agree to share data with their “partners” in exchange for using their services. In the case of the tax filing services, you might have even paid for that “privilege.” Don’t you feel special? In their meagre defense, the data that was gathered was done so by a very widely used data-gathering tool called Pixel developed by the #1 data-glutton, Meta née Facebook, and in a couple cases, seems to have been inadvertent or perhaps careless implementation of the data collection tool. On top of this, when asked to comment on whether Facebook was soliciting this type of data (which is illegal to share without your explicit consent!), they of course responded that partners were expressly forbidden to send Meta that data, and that Meta has filtering in place to prevent the collection of this type of data, regardless of who was sending it. It’s also been reported earlier this year that Facebook collects so much data it doesn’t fully understand how it’s used, or where it goes within Facebook’s various systems and algorithms. Should you trust a company that doesn’t even have a handle on its own data to properly filter data it’s not supposed to collect? How would they even be able to report accurately on that?
Shortly after reporting on their findings, The Markup was contacted by the named tax websites who shared that the data collection pixel had been removed from their services. Is it safe to use these services now? Probably, at least going forward. If you’ve used these services in the past few years, the damage is already done – data collection has been done on your returns and the data leaked to Facebook, regardless of whether you have a Facebook account. Unfortunately, as before, there is not much you can do about the leaks except to let your congressperson know that you expect them to take better care of your privacy. You can also contribute to organizations like the ACLU who have been fighting this fight longer than most of us realize.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
As someone who is beyond jaded by social media and the mega-corporations behind them, this news isn’t surprising, and I actually expected to see it long before now, but it gives me no pleasure in seeing our worst fears play out. Motherboard has published a story today about a Nebraska teenager and her mother being charged with several felonies and misdemeanors surrounding the teen’s self-induced abortion after their Facebook DM chat logs were turned over to Nebraska law enforcement by Meta. Despite the divisive act at the root of this incident and the current political storm raging around the overturning of Roe V. Wade, I’m hoping it highlights rather than distracts from the point of this week’s blog.
Social media is the exact opposite of privacy and confidentiality
Social media and its daily use have become so pervasive that for most people it’s just a de-facto part of how they live their lives, to the point where many can’t conceive of life without it. Regardless of whether or not the women from the above story acted illegally or immorally, there should be no equivocation about whether or not a social media platform will turn over your data to law enforcement. The answer is, “Yes, they will.” In this particular instance, Meta (aka Facebook) was abiding by a court-ordered search warrant. This doesn’t excuse them morally, but also falls well within expectations we have called out, over and over again. Following the overturning of Roe V. Wade, Motherboard reached out to all the major social media platforms asking them how they would handle just these types of requests in relation to women’s health and pregnancy rights, and none of them were prepared to go on record saying they wouldn’t do exactly what Facebook did in the above case. Unfortunately, abortion simultaneously highlights and distracts from the issue – it shouldn’t matter what is being kept private – only that it is private. In case it wasn’t clear: don’t expect anything you share on social media to remain private, regardless of how that platform professes to honor that privacy. The only commitment they are required to honor is to their shareholders or the equity firm backing the company, possibly even over the laws of the land.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
If there is one thing that is certain, if there is a useful technology invented that is supposed to benefit us, there is a corresponding negative usage that can and will be exploited. After the initial dopamine rush had worn off around Apple’s AirTags, people started waking up to the negative implications of a small, easy-to-conceal, wireless tracking device that utilizes one of the largest global networks in the world. Apple’s “Find My…” network is too useful to not be exploited, and the less ethical are already doing so.
What this means for you
Apple’s AirTags were initially created to track items that could be easily lost or stolen and ostensibly were made inconspicuous so that they weren’t unsightly and so thieves couldn’t easily find and discard the trackers. Once reports started flowing in of the “less orthodox” usage of AirTags, Apple immediately tried to get out in front of the problem by letting everyone know that AirTags themselves have unique, embedded serial numbers and their usage is tied to an Apple account – information they will surrender to law enforcement in a criminal investigation. But they glossed over something that more inventive hackers latched onto – what’s to stop someone from creating a “cloned” AirTag that simply bypasses Apple’s security measures? At the moment, nothing. Someone has already done so, and you can assume that Pandora’s box is not going to be closed any time soon without significant intervention from Apple.
Until that happens, you should get caught up on Apple’s lengthy advice on detecting and finding unwanted trackers. The article goes into great detail for Apple device users, so if you are an iPhone user, finding an unwanted Apple-made AirTag should be pretty straightforward (if not a wee bit unsettling). For the rest of us using Android devices, Apple has released an app called Tracker Detect (watch out for copy-cat apps!) that has to be activated manually. Not nearly as useful as its iOS counterpart, but at least they tried. If you’d like something a bit more robust and not funded by Apple, you can try AirGuard which was developed by a research team out of German university TU Darmstadt. I’ve tried both apps and while they appear to do no harm (other than possibly drain my battery faster), I can’t really verify that they work, as I apparently don’t have any unwanted trackers near me. Yay? Either way, if you suspect you are being digitally stalked, make sure you share your suspicions with your loved ones and authorities and get familiar with this site and its resources immediately!
Image by Thomas Wolter from Pixabay