19 June 2015 – We always seem to be awash with stories of egregious data breaches. A constant barrage.
I just returned home after two weeks in the U.S., which included a FireEye cyber workshop, my trip having been preceded by an IBM Analytics/Cyber Security conference. I’ve been doing a lot of research into major privacy stories covered in the news over the last few years, most especially on the recent Chinese attack on the U.S. Office of Personnel Management, in preparation for an eTERA White Paper on the subject.
Jan Dawson (founder, Chief Analyst at Jackdaw, a technology research and consulting firm) has done even more research. During his thirteen years as a technology analyst, Jan has covered everything from DSL to LTE, and from policy and regulation to smartphones and tablets.
Even more impressive is Dana Tamir, Director of Enterprise Security at Trusteer, an IBM Company. She leads activities related to enterprise advanced threat protection solutions. She has written scores of blogs, articles, white papers and led multiple webcasts. At the IBM conference I had the opportunity to attend a series of sessions that Dana led, which took us through a “real-world” threat and attack and security-related solutions. We went through detailed and intricate data discovery, assessment and classification. I will have a more detailed post shortly specifically on the IBM conference.
But one thing they both noted is that we have an overall perspective, and both Jan and Dana have provided, by way of background, a useful walk-through classification of the major privacy concerns we as consumers … and businesses … seem to have, and how each of these is (or isn’t) relevant to the different companies that compete in this industry. It is not always about “attacks”.
No doubt there are other facets of privacy concerns that aren’t completely captured here, and it goes beyond the “attack” motif in the daily press. But the vast majority of concerns we have, and the headlines about privacy issues, tend to revolve around one or more of those outlined here.
And the reality is we’re all different – each of us has a different tolerance for these different categories of privacy risk.
So a short overview:
Description: One of the greatest fears people have is information they consider particularly personal or sensitive being shared with people they don’t want it shared with.
Examples:
- I’m a school teacher who also has an active personal life. But I don’t want pictures of me drinking or partying exposed to the students, their parents, or perhaps even the other staff at the school where I teach
- I’m gay but, for the time being, have chosen only to share this information with certain people and definitely do not want this information shared with others – whether family members, colleagues at work, or neighbors
- I’m divorced and have recently started dating again and I don’t want my ex to know anything about my new life
The list could go on, but you get the picture – this fear is about personal information being shared with other individuals (not corporations or advertisers) beyond those I’ve chosen to share it with, especially in situations where I have chosen to share some of this information with specific groups or individuals but not others.
Companies most likely to cause this concern: In general, the companies most likely to commit breaches of this particular facet of privacy are those through whom and with whom users proactively share certain information with other groups, which for the most part limits it to social networks such as Facebook, Google+, and the like. Facebook has certainly had several periods when its users were exposed in this way, often because default privacy policies were set too open or when policies or settings changed without due notice to users.
The vast majority of the privacy stories concerning Facebook over the last several years have been in this category, with relatively few other companies affected in quite the same way, at least not frequently.
Description: We fear our personal information is being “seen” or “read”, not by other human beings, but by computers used by companies to personalize services, to serve advertising, and so on.
Examples:
- My email provider has computers which view the contents of my emails to filter them into appropriate categories
- My search provider sees all the searches I enter, and which results I click on, and slowly builds a profile of which search results are likely to be most relevant to me
- My photo service performs machine analysis of my pictures to make them searchable.
In this case, the fear isn’t that human beings are seeing the personal information we’re sharing (though sometimes misunderstandings do occur on this point, or there may be skepticism that human beings really can’t see this information if they want to), but a vague sense of creepiness that machines are delving into some very personal information.
Companies most likely to cause this concern: On this point, it’s hard even to come up with examples that don’t sound like they’re talking about Google, which feels like the ultimate symbol of this kind of computer snooping. There’s no true breach of privacy here from a human perspective, but these types of services can create a vague sense of unease among at least some users.
Description: We fear that, even though many services may collect personal information about us, more and more of this information seems to be consolidating with just one or two companies, which are coming to “know” an awful lot about us.
Examples:
- My email, calendar, contacts, photos, search history, and so on are all hosted by a single online service provider
- My call records, email, calendar, contacts, phone search history, text messages, music, and books are all on my phone
- The vast majority of my news and video consumption, most of my social connections, my interests, and my political views are all known by the social network I use.
In this case, some users may be genuinely uncomfortable about this enormous amount of knowledge held by a single company – a worry in its own right – which fits to some extent in the same category of vague unease as the previous concern on this list. However, in other cases, it may be a factor in other worries listed below.
Companies most likely to cause this concern: As a broad concern, this issue could affect any one of a number of companies, from Google to Apple to Facebook to Microsoft to Samsung. Any company which either provides a very broad range of services or provides smartphones and other devices is at least potentially in a position to “know” an enormous amount about its users. However, much depends on how data is collected, stored, and used.
Companies which gather and store this data for the explicit purpose of building profiles of their users for purposes other than personalizing their services may also foster some of the other concerns listed. Google, in particular, has seen a number of stories about this aspect of its business, and especially about its decision a couple of years ago to unify its logins and data across all its services, over which several European jurisdictions are still pursuing legal action.
Description: We fear that not only do the companies whose services we use collect lots of data about us (see 2 and 3 above), but they sell this data in some form to advertisers.
Examples:
- My search provider uses information from previous searches to allow advertisers to reach me when I make future searches
- My smartphone vendor uses broad profile information about me to provide targeted advertising from companies who want to reach people like me
- My social network uses information about my interests which I have provided explicitly and information gathered through my other actions on the service to serve up ads which seek to reach people with my demographics and interests
The reality is few of the companies we’re talking about here really do “sell” data to advertisers. What they do sell to advertisers is the ability to target their advertising to users based on their interests (whether explicit or implicit), and/or their demographics. The data itself is not shared with the advertisers except perhaps in an aggregated form as an indication of the size of target markets, for example. There are companies that do sell this kind of information, but they exist outside the world of consumer technology providers.
Companies most likely to cause this concern: This is a tricky one to define, because these companies don’t technically sell the information to advertisers. However, the very act of allowing advertisers to target users causes the same unease among some users as some of the other items I’ve described. There’s no breach of personal information per se, just as with 2 and 3, and unlike number 1 on our list.
But there’s a sense our privacy is being invaded because advertisers are being allowed to reach us based on the profiles our providers have built up about us. This is obviously particularly true for companies which are heavily dependent on advertising business models, such as Google and Facebook, but it also applies, in a narrower way, to companies like Apple which have advertising products like iAd that allow for targeted advertising.
Examples:
- My social network provider is hacked, exposing my personal information
- There is a bug in the privacy settings on the online service I use which allows people I have no connection with to see personal information I store in the service
- My device collects information about me which should be private but can be exposed through a loophole in the security settings
In none of these cases did the provider deliberately share information with anyone else but, in some cases, the argument can be made the provider should have done more to protect sensitive data, either to ensure its software was bug free in the most important security aspects or to protect it against malicious attacks.
Companies most likely to cause this concern: All companies are to some extent vulnerable to these issues, but those that collect the most data (even if for entirely legitimate purposes) have the most at risk if there is a breach. Google, Facebook, Apple, and others have all been the subject of stories along these lines over the last few years, whether as a result of bugs, hacking or other factors (such as rogue employees). These stories often say more about the desire of malefactors to access valued information than they do about security policies but, in some cases, they reveal shortcomings in company security that can build into a narrative over time (Apple has seemed at risk of this outcome at various times).
I’ll have a longer post next week, but right now I am a bit blasé about the Office of Personnel Management hack, even if it is the Chinese government behind it. It is not … by any stretch … the most dastardly thing they have done in cyberspace. It’s just the most recent one that we know about. It’s getting a lot of press because personally identifiable information (PII) was compromised. That information includes names, social security numbers, date and place of birth, and current and former addresses according to the OPM FAQ. It may also include job assignments, training records and benefit information.
This breach has crossed streams with a breach a year ago that did involve investigative files. David Sanger and Julie Hirschfeld Davis at the New York Times do a good job of untangling these two incidents in their recent article. It takes some close reading to understand that the headline, “Hackers May Have Obtained Names of Chinese With Ties to U.S. Government”, isn’t about this incident but the hack of an OPM contractor a year ago.
Right before I headed home I managed to attend a Center for Strategic and International Studies briefing on the China hack and, to put all of this in perspective, here are five Chinese hacks that are worse than the breach at OPM:
Why it’s worse: This incident gets closer to the line North Korea crossed: interfering with our right to free speech. We haven’t quite articulated a norm in this area, but the International Strategy for Cyberspace comes close. In this case, China targeted GitHub because it was hosting pages for organizations that circumvent its Great Firewall. It may be time we put out a Monroe Doctrine for cyberspace, which would make clear that trying to stifle freedom of speech in this country crosses a red line. We could go further and make it official policy to bring dissidents from other countries under this veil of protection. Taking a page from the Kennedy doctrine, the United States could declare that it will pay any price, bear any burden, host any website and defeat any denial of service attack in the cause of Internet freedom.
Why it’s worse: This campaign was carried out on a massive scale. It’s information that’s of direct value and it crosses the line from espionage to downright theft by targeting intellectual property.