Narrative: Declining Privacy & Security
Each narrative page (like this) has a page describing and evaluating the narrative, followed by all the posts on the site tagged with that narrative. Scroll down beyond the introduction to see the posts.
Narrative: Declining Privacy and Security (Jan 24, 2017)
Written: January 24, 2017
In the online era, privacy and security, which were previously safeguarded in physical ways (shutters and blinds, locks and keys), can no longer be so protected. Instead, so much of what we’d like to keep private or secure doesn’t even exist physically, but only digitally, and access to it can take place without anyone ever entering our homes or approaching our person. In addition, business models for many of the products and services we use daily rely on us giving away a portion of our privacy.
Is it inevitable that both our privacy and security will be eroded in the online era? Yes, in a number of different ways, not least that much information which was previously held discretely in separate locations or databases can now be far more easily aggregated for a much more complete picture of who we are. But also because no digital system is foolproof, and highly motivated actors will always be trying to breach security and obtain information that either has inherent value or can be leveraged to deliver that value elsewhere.
None of this means we have to simply resign ourselves to our fates – we still have decisions to make about which services we will and won’t use based on both their attitudes towards and effectiveness in protecting our privacy and security. We can decide which information we willingly yield up, opt out of tracking and targeting, and vote with our feet and wallets when companies and their services let us down. We can choose products and services which choose not to track us, or which do such tracking at a local rather than global level, while protecting that local data effectively.
At the same time, many of us – especially in the younger generations – are much less concerned about privacy than others, and accept as a fact of life that some measure of privacy must be yielded up as a trade for free or cheap content or communication services. Some make those tradeoffs consciously, and some make them blissfully unaware that that’s what they’re doing, but we all make decisions about those tradeoffs one way or another.
I’ll refer readers back to last week’s comment on this topic, even though the news has moved on a little. That item was about telcos lobbying for a change in laws regarding user data, whereas today’s news is about the Senate pushing through a bill that would enact the change, but the issues are the same. At root, the telcos have argued that they shouldn’t be regulated more tightly than the internet companies that already gather and sell lots of data on users, and that therefore regulations introduced last year should be overturned. Of course, both web companies and other entities like data brokers already gather, aggregate, and sell masses of user data, so there’s some merit to the argument that telcos shouldn’t be the only ones singled out here. ISPs have also argued that they’ve voluntarily agreed to codes of conduct which would bind them in similar ways without this regulation. Regardless, the optics of a move such as this bill are terrible both for the ISPs and for the (mostly Republican) senators who have backed it.
Google Maps will let you share your location with friends and family for a specific period of time – TechCrunch (Mar 22, 2017)
Location sharing is one of those really thorny privacy issues, and Google has gone back and forth on it over time precisely for this reason. In this case, it’s opening the feature back up, though this time in the Google Maps mobile app, and with some sensible limits, such as time- and person-based sharing. I can see a lot of utility in sharing my location with someone temporarily if we’re planning to meet up or if I’m on my way home and want to share an ETA. On the other hand, sharing that information with friends or family members means sharing it with Google too, and presumably also means your Google Maps app has to be running and tracking your location in the background, which has battery implications. For some people, those will be non-issues, but for others they make it less palatable to use these features. And of course the more openly you share your location (and the more companies track it) the more ways there are for hackers (and law enforcement) to access it too.
CTIA, which is the industry association that represents the largest US wireless carriers, is arguing before the FCC that it shouldn’t be subjected to new rules on sharing data it collects on its users. The carriers have argued that Google and other online service providers aren’t subject to the same rules (those companies are regulated primarily by the FTC rather than the FCC) and so for consistency’s sake the carriers should be treated the same way. This is really about a technical definition of the word “sensitive” – clearly the kind of data being talked about here is indeed enormously sensitive, but the real question is how disclosure of that data is regulated. This matters because, for example, AT&T as a fiber broadband carrier in certain parts of the country has offered a service discount for customers who consent to tracking of their web browsing history and so on, something which it argues Google does all the time without explicitly asking for users’ permission to do. What the carriers are arguing here is that they should be allowed to continue to do this kind of thing without having to ask users to opt in first. The carriers look likely to win given the current hands-off policy stance of the FCC, which means more erosion of user privacy, but the proper approach would be for the FTC and FCC to work together to craft a set of consistent rules that would apply to all players that get access to similar data, rather than each regulating in a vacuum.
via Ars Technica
US Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts (Mar 15, 2017)
The stories that broke immediately before this press conference and announcement from the US DoJ suggested only that Russian nationals were involved, but the formal announcement makes clear that these were Russian agents and not just citizen hackers. That’s a good reminder that state-sponsored attacks are among the biggest things all online service companies have to worry about in our day and age, whether the state behind the hacking is Russia, China, North Korea, or some other country. Yes, ordinary hackers will still try and occasionally succeed in breaching these systems, but state sponsorship can put massively more resources behind a hack like this and often has more success. That, in turn, raises the bar for companies vulnerable to this kind of hacking in terms of their security defenses, but should also make users think about what information they’re entrusting to these systems.
Apple Joins Group of Companies Supporting Google in Foreign Email Privacy Case – Mac Rumors (Mar 14, 2017)
Given the way other big tech companies had weighed in on the related Microsoft case over the past few years, it was a little odd that more hadn’t sprung to Google’s defense in this one, but it’s good to see that they are now doing so. These cases have far-reaching consequences not just for user privacy but for the ability of US companies to do business in overseas markets, and those companies need to defend themselves vigorously. The final outcome of both cases is therefore worth watching closely.
via Mac Rumors
Now that I’ve finally got around to writing this up, it appears Google has patched the specific issue highlighted in this piece, but it’s still worth talking about for a couple of different reasons. For one, anytime you bring a virtual assistant into an existing conversation between two or more human beings, there’s a tension between the bot knowing as much as possible about each participant and using that to be helpful on the one hand, and avoiding exposing personal information about the participants on the other. Google appears to have screwed that up here in a way that could have been damaging or embarrassing for users, though it has now been patched. Secondly, this kind of thing can only happen when you collect and keep enormous amounts of data on your users in the first place – a company that neither collects nor retains such data in a profile could never expose it. It’s clear that Google didn’t intentionally do so here, but it was able to do so anyway because of its business model. Competitors such as Apple might argue that not collecting such data, or keeping it secured on a device rather than in the cloud, would make it impossible for a cloud service to share it with others. We’re going to have to work through lots more of these scenarios in the years to come, and the competition between companies that strictly preserve privacy and those that use personal data to improve services will be a critical facet of that evolution.
If ever there were a terrible week for the FBI to restate its case against encryption, this would have to be it, given the Wikileaks CIA leak, which demonstrated that the CIA regularly engages in hacking of electronic devices, and Wikileaks’ claim to have the code for the tools themselves. Any backdoor for the government would be subject to the same sort of breach that has clearly affected the CIA and its hacking tools, so there is no reason to believe that the FBI would be able to protect these tools adequately if they existed. And the broader statement which is in the BuzzFeed headline here about privacy is chilling too. The reality is that there have always been aspects of citizens’ lives which have been inaccessible to law enforcement, not least their private conversations which happen outside earshot of bugs and wiretaps, and protections against self-incrimination, which should logically extend to things like smartphones too. And any tools created for or by the government to bypass such protections are inevitably going to fall into the wrong hands eventually.
Though the CIA leaks from Wikileaks earlier this week are worrisome in their scope and bad news for the vendors whose devices and platforms have been compromised, there’s some comfort in the knowledge that these tools have at least theoretically been subject to due process in the past. However, Wikileaks claims that it has the code for the hacking tools themselves and is debating releasing that code, which would make it available to any hacker who wanted to use it, dramatically increasing the potential for misuse for hacking regular individuals. Again, Apple has said (and Google also finally confirmed this evening) that most of the vulnerabilities have already been patched in recent versions of their respective software, so that should be some defense. But as I’ve said already this week, what a vindication of Apple’s refusal to cooperate with the FBI a year ago over hacking an iPhone.
via USA Today
I suggested this was the case in my coverage of the leak yesterday, but Apple has now issued an official statement to that effect as well. I would guess Apple is still digesting all the information leaked – there’s a lot of it – but it has said that most of the vulnerabilities outlined have already been patched in the latest versions of its software, and fixes for the rest should be coming soon. Samsung has also issued a statement on its TV vulnerabilities, but it’s far less reassuring – it only says it’s aware of and is looking into these hacks. In fairness, though, the Samsung hack appears to require a USB stick plugged into the TV to install it, which means that if you’re a victim you likely have far bigger things to worry about than your TV listening to you – this isn’t a large-scale remote hack that would affect the population as a whole.
via USA Today