Privacy

Paradox of Progress

Every five years the Director of National Intelligence releases a substantial report on emerging trends, and the latest one is called "The Paradox of Progress." It is a lengthy report with numerous implications for American geopolitical positioning, based on the assessments and assumptions made within it, and it is a report that most Americans will never consider reading. So I wanted to unpack it, key point by key point, and provide as much context as possible to help at least a handful of Americans slog through it.

Don't Dox the Dick

Last week, I put out a call to action to contact your Congressional Representative because of a bill, aimed at removing Obama-era consumer privacy protections, that had passed the Senate with little fanfare. While over 1,000 of you responded to this request, the measure unfortunately passed the House, and the 100 pages of FCC regulations aimed at protecting user privacy are now no more.

While the Internet was outraged by a now-redacted article posted by the Electronic Frontier Foundation (EFF) about a test program that users can opt out of, Internet Service Providers (ISPs) have not yet rapidly capitalized on the removal of these regulations. In fact, the first people to capitalize on this loosening of regulations have been the people who most opposed their loosening in the first place! Self-proclaimed privacy advocate Adam McElhaney has set up a viral GoFundMe page with the intent to crowdfund the money required to purchase the internet history of the Senators and Representatives who voted for these rollbacks.

This is dangerous.

Dog Whistle Politics Attack Consumer Privacy (Again)

In a quiet press release, lost among the battle to defeat the disastrous Affordable Care Act repeal, U.S. Senator Jeff Flake (R-Ariz) introduced a bill to gut the regulatory power of the Federal Communications Commission (FCC). The joint resolution is extremely short, stating that the Senate "disapproves the rule submitted by the Federal Communications Commission relating to 'Protecting the Privacy of Customers of Broadband and Other Telecommunication Services,' and such rule shall have no force or effect."

Senator Flake, a huge recipient of the extremely conservative Club for Growth PAC, is more concerned with repealing everything Obama touched than with understanding the personal journey that privacy necessitates, or the implications a repeal of these rules would have on technology and the economy.

Privacy As Currency

Arguments for and against the use of "Big Data" to tailor services and advertisements litter the blogosphere, but one thing is certain: without this data, many of the tools society depends on would be inconceivable. However, these revolutionary tools aren't without consequences. In one well-known example, captured by Charles Duhigg in his book The Power of Habit, the national retailer Target predicted the pregnancy of a teenage girl, and sent her relevant advertisements, at such an early stage of her pregnancy that her family, friends, and boyfriend had not yet been informed of the new development. The situation caused such an uproar among privacy advocates, and among those put off by the general 'creepiness' of the situation, that Target artificially diluted the accuracy of its algorithms in order to avoid alienating future customers.

While companies like Target grapple with the nuances of using this data, breakthrough technologies have emerged that enable us to turn our unused rooms into mini-hostels, prevent food shortages in Philadelphia, and create insanely popular TV shows like Luke Cage. Unfortunately, these technologies face the same privacy concerns that Target once grappled with, and the privacy debate continues to evolve. This evolution must be continuously refined as society and technology advance, or the political, legal, and ethical frameworks it helped create will no longer provide much protection. Unfortunately, while this debate has evolved around the safety of consumers and the protection of data, there has been little discussion about the economic security of consumers and their data.

Just as countless technological innovations were made possible throughout human history by capitalizing on previously wasted byproducts, data must one day cease to be treated as happenstance and be understood for the value it possesses. It's not enough for the government to protect only the physical safety of its citizens; it must enable its citizens to be educated and capable enough to fight for their economic security in light of a booming industry. It's only in doing so that consumers will be able to understand the true cost of their consumerism.

(Updated) Security Bulletin: The OPM Hack & You

By now you should have heard about the massive data breach at the Office of Personnel Management, the government agency responsible for managing the personal records of every federal employee and member of the intelligence community. The most damning record comes to us in the form of the SF-86, a record that contains enough personally identifiable information to steal the identity of not only the professional obtaining the security clearance, but literally everyone they love.

This revelation is particularly sobering when it comes in the wake of a similarly damning bit of data mining: Looking Glass. The unfortunate realization that our security managers were right (be careful what you put on the internet) comes a little too late. And, unfortunately, as both the OPM hack and the web crawler Looking Glass prove, you can be victimized even if you do everything right.

So, if you're a first cousin or a spouse of a veteran, then everything necessary to end up with your identity stolen (your last known address or two, your employer, your birthday, SSN, maiden names) is probably included in this data. However, the amount of data leaked here is so massive that, unless you're named by a filtering program (like Looking Glass, or you post photos of your Mercedes on Twitter), you're probably not going to show up on any criminal's (or foreign government's) radar.

For your average American, you might be included in this breach by name (e.g. "Airman Johnny has coffee with Dr. Snuffy regularly"), but beyond your name you're probably without worry.

Update: 16 June, 2015

From the CSID website: $1,000,000 in identity theft protection services will be offered to those affected; notifications will be sent by e-mail or postal service by 19 June, 2015. SF-86s were probably not compromised: "Your [family member] was not affected by this breach. The only data potentially exposed as a result of this incident is your personal data."

Furthermore, this incident did not affect military records; no contractors were affected unless they previously held Federal civilian positions. The incident affected current and former Federal civilian personnel, including Department of Defense civilian employees.

Unfortunately, there is a spear-phishing campaign going on that sends fictitious e-mails to DOD personnel. US Army CID states that a phishing email is being sent to DOD personnel asking them to click on hyperlinks and enter a personal PIN to verify their personal information.

The Office of Personnel Management has issued a warning to its users to avoid clicking on links in e-mails, giving out personal information over the internet, or communicating with individuals of an unverified nature.

The Onion Router, Router

There's been a lot of publicity about a new router, called the anonabox, that promises to make all of your anonymous browsing dreams come true through open-source software known as TOR. Given that I'm a lover of Kickstarter and an outspoken critic of a lot of the voyeurism on the Internet in the post-Snowden world, a lot of my colleagues have approached me to ask what the hell TOR is, and whether or not this router is worth the pledge.

TOR stands for The Onion Router, open-source software that has been keeping clandestine journalism safe for years. TOR is a vital tool for ensuring the security and integrity of The Open Internet, and it is something that helps ensure journalistic integrity and the freedom of protest and speech. This is absolutely a cause worth supporting, and the anonabox promises to be a way to exchange money ($48) for the convenience of not having to download and tweak the open-source TOR software on each of your computers. However, as backlash against the project has already proven, its largest enemy is going to be unmet expectations.

Defense In Depth

Security can be an overwhelming topic to get started with, and as a result a concept known as Defense in Depth has been making its way across the industry for the last couple of years. Defense in Depth is an organized and systematic way to ensure that your network is as unattractive to hackers as reasonably possible. Keep in mind that there is no such thing as "unhackable," so the object of security is to make the cost of attacking your network greater than the benefit of doing so, without incurring more cost in defense than your network's security is worth. Defense in Depth does this by breaking the security process down into eight distinct phases.

  • Security Through Obscurity
  • Establishing Identity
  • Encryption and Hashing
  • Hardening your Devices
  • Preventing Intrusion
  • Adhering to Laws
  • Routine Maintenance
  • User Education

These sections are only a snippet of the fifteen pages that I've dedicated to security and privacy in my 140-page book, Understanding IT: Decoding Business and Technology. I've posted this to introduce the concept of Defense in Depth as it relates to the Malware Business Model and as a precursor to Cutting The Cord, Episode Four: Securing Your Network [Episode One and Two]. The topics covered here may be broad strokes, but before a specific technical understanding can be reached, the frameworks have to be established.

Big Data and Privacy

Earlier this week, the President's Council of Advisors on Science and Technology (PCAST) released a seventy-two-page report on the intersection of Big Data and Privacy with the unoriginal title Big Data And Privacy: A Technological Perspective. It started by first establishing the groundwork for the traditional definition of privacy, as defined by Samuel Warren and Louis Brandeis in 1890. These individuals stipulated that privacy infractions can occur in one of four ways:

  1. Intrusion upon seclusion.  If a person intentionally intrudes upon the solitude of another person (or their affairs), and the intrusion is seen as "highly offensive," then an invasion of privacy has occurred.
  2. Public disclosure of private facts.  If a person publishes private facts, even if true, about someone's life, an invasion of privacy has occurred.
  3. Defamation, or the publication of untrue facts, is an invasion of privacy.
  4. Removing personal control of an individual's name and/or likeness for commercial gain is an invasion of privacy.

These infractions basically come down to a removal of the control that an individual has over various aspects of their life (being left alone, selective disclosure, and reputation), and PCAST tends to agree, as the report notes several times the need for selective sharing and anonymity. The report went on to address a few philosophical changes in our mindset about privacy that are needed in order to better enable the successful implementation of the five aforementioned recommendations:

  • We must first acknowledge that interception of private communication is easier than ever
  • We need to extend "Home as one's castle" to become "The Castle in the Clouds"
  • Inferred private facts are just as stolen as real data
  • The misuse of data and the loss of selective anonymity are the key issues

The report goes on to state that the majority of the concern is with the harm done by the use of personal data, and that the historic way of preventing misuse of personal data has been to control access to it, a measure that is no longer possible in today's nebulous world of data ownership.

Personal data may never be, or have been, within one's possession.

From public cameras and sensors to other people using social media, we simply have no control over who collects data from whom, and we likely never will again. This raises the question of who owns the data and who controls it.

And while the Electronic Frontier Foundation would complain (again) that the report failed to address metadata (in spite of it equating metadata with actual data in the first few pages), it comes on the eve of a unanimous vote in the House to rein in the National Security Agency, making this a big week for big data privacy advocates.