The Death of Privacy: A Tale of Collusion and Corruption

In our technically advancing world, our personal privacy expectations must be reconsidered, re-conceived and redefined. We all expose ourselves through swipes, transactions, likes and tweets. Through handsets, television sets and mindsets, we voluntarily add our behavioral attributes to the associated handlers of our digital DNA almost entirely without consideration for personal privacy. We will review together the corrupt forces that collude and conspire against us, as well as the corruption itself and what, if anything, can be done about it.


It is certainly not my intention to send you away feeling depressed or full of despair. Quite the contrary! It is my intention to enlighten and empower you and with a little luck, even entertain you about matters of personal privacy and information security.

I think it is safe to say, and also a sad reality, that every day some form of personal information is improperly accessed, absconded with and abused. From a big-picture perspective, we are essentially looking at four breach-of-privacy opportunities: Company Use, Company to Entity Use, Government Use and Private Person Use.

  • Company Use will be defined by the internal practices a company or business entity employs when managing your personal information. For example, a company like SpiderOak may employ one-way cryptographic hashing of your account information, making it inaccessible to anyone but the owner. At the opposite end of the spectrum would be a company like Facebook that sifts through your personal data, including private messages, in an attempt to psychologically and financially manipulate you.
  • Company to Entity Use will be defined as a Company to Third Party sharing relationship, either voluntary or involuntary. For example, Google voluntarily shares browsing metrics it has collected on you with another analytics company for marketing purposes, with or without your permission. Another example might be where a Third Party entity acquires your data from a Company, with or without its permission, such as when the NSA hacks into the infrastructure of your email provider, like Google, and siphons personal data, again without a warrant.
  • Government Use will be defined as information the Government collects about you with or without your permission. For example, when the Internal Revenue Service collects your financial data for taxation purposes. Another example would be when unnamed clandestine government agencies deploy cellular towers designed to intercept your cellular communications in real time to eavesdrop on everyone within range without a warrant.
  • Private Person Use will be defined as information a stranger collects about you, again with or without your permission. The interesting thing about this category is that this information has most likely been made available to them by you. For example, you put your birth date and contact information into your Facebook, Google+ or LinkedIn profile. Pieces of information like this can help those who would steal your identity or conduct some malicious activity. To be fair, a large part of this category is dependent upon your carelessness and personal appetite for risk.

Here are some recent headlines:

  1. F.T.C. Fines Google $22.5 Million for Safari Privacy Violations: The Federal Trade Commission fined Google $22.5 million on Thursday to settle charges that it had bypassed privacy settings in Apple’s Safari browser to be able to track users of the browser and show them advertisements, and violated an earlier privacy settlement with the agency.
  2. Verizon has been slapped with a $7.4 million fine by the U.S. Federal Communications Commission for failing to give 2 million customers the choice of opting out of the company’s marketing campaigns. It is the largest fine the FCC has ever imposed for a privacy violation of phone customers’ personal information.

There are many more! What I find amusing about these cases is that while these same companies fuss about the Government eavesdropping on them, they are at the same time quick to do the same to their customers. Speaking of Government agencies, let’s not overlook the recent and much larger revelation:

  1. The NSA is Spying on Millions of Americans: The Guardian newspaper confirmed what EFF (and many others) have long claimed: the NSA is conducting widespread, untargeted, domestic surveillance on millions of Americans. This revelation should end, once and for all, the government’s long-discredited secrecy claims about its dragnet domestic surveillance programs. It should spur Congress and the American people to make the President finally tell the truth about the government’s spying on innocent Americans.

    Do you think this is just an Edward Snowden era issue? This timeline actually begins back in 1952. Source: https://www.eff.org/nsa-spying/timeline

Privacy is the number one concern of Internet users; it is also the top reason why non-users still avoid the Internet. Survey after survey indicates mounting concern. (Source: The Center for Democracy and Technology) As individuals we become more and more accepting of that singular point where humans merge with their technology. Even if you decide to isolate yourself from the world around you shunning all forms and permeation of human technology, you would fail in an isolated illusion as technology is still capable of finding you. I propose we declare the death of privacy and embrace our new handlers with the collective force only technological consumers can wield.

The volume and characteristics of cross-border data flows have been evolving, elevating privacy risks and raising cross-border enforcement challenges. This has resulted in the need for a more global and systematic approach to cross-border privacy law enforcement co-operation. (Source: Organization for Economic Co-operation and Development, OECD)

The force of accountability, of audit-ability and of a legal duty to protect our digital identities entrusted to them by us, the consumers. Those who have the power to peruse and use our personally identifying information should now have an undisputed legal duty to use this information without doing the individual or class of individuals harm. Those who have the power to intrude have a duty to be discreet, observing the fact that human emotions are frail, volatile and subject to wide subjective interpretation.

It is our personal responsibility to use technology wisely and our handlers’ responsibility to reinforce this personal responsibility. It is our responsibility to enforce, mandate, monitor and to magistrate over the corporate, the government and the individual handlers we knowingly entrust our privacy to. All others should face the full force of a globally unified common law.

Until there is truly a global standard, we will have a patchwork quilt of standards. Specifically in the United States, the Fourth Amendment of the Constitution provides, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Ultimately, these words endeavor to protect two fundamental liberty interests – the right to privacy and freedom from arbitrary invasions.

The interplay between the Fourth Amendment and electronic searches and seizures has received much attention from the courts in recent years. With the advent of the internet and increased popularity of computers, law enforcement has witnessed a continually increasing amount of crime occurring electronically. Consequently, evidence of such crime can often be found on computers, hard drives, or other electronic devices. Yet, the parameters of the Fourth Amendment do not cease in the realm of searching electronic devices. Many electronic search cases have involved whether law enforcement can search the company-owned computer that an employee uses to conduct business. Although the case law is split, the majority holds that employees do not have legitimate expectations of privacy with regard to information stored on company-owned computers.

Electronic surveillance and wiretapping have also caused a significant amount of Fourth Amendment litigation lately, particularly following the Snowden revelations. The real paradigm shift against a citizen’s privacy occurred following 9/11, when the USA Patriot Act was passed. The legislation’s provisions aimed to increase the ability of law enforcement to search email and telephonic communications in addition to medical, financial, and library records. One provision permitted law enforcement to obtain access to stored voicemails by obtaining a basic search warrant rather than a surveillance warrant. Obtaining the former requires a much lower evidentiary showing. A highly controversial provision of the Act included permission for law enforcement to use sneak-and-peek warrants. A sneak-and-peek warrant is a warrant in which law enforcement can delay notifying the property owner about the warrant’s issuance. It is widely held that this provision especially is violative of the Fourth Amendment.

The Patriot Act also expanded the practice of using National Security Letters (NSLs). An NSL is an administrative subpoena that requires certain persons, groups, organizations, or companies to provide documents about certain persons. These documents typically involve telephone, email, and financial records. NSLs also carry a gag order, meaning the person or persons responsible for complying cannot mention the existence of the NSL. Under Patriot Act provisions, law enforcement can use NSLs when investigating U.S. citizens, even when law enforcement does not think the individual under investigation has committed a crime. The Department of Homeland Security has used NSLs frequently since its inception. By using an NSL, an agency has no responsibility to first obtain a warrant or court order before conducting its search of records.

At this point I imagine you are probably saying, “Geez Michael, do you have anything positive for us?” Are you ready now for some good news?

Security is now a game changer in business. For the first time that I can think of, a security breach brought down the CEO of a company. I’m referring to Target Corporation. In one respect it is a dangerous game to hold the CEO responsible for a security breach, which would imply that everyone in a company is now subject to termination for a security breach. The differentiator here is that Target did not have a CISO, which is a management decision. I’ll wager more CEOs will be hiring CISOs, if for no other reason than to protect their own skin. As a career CISO, your career just got much more hazardous! Keep in mind that documentation is your friend, that single party recordings are legal almost anywhere, and that you should back up evidence to a location you would always have access to no matter what happens. For consumers and security practitioners everywhere, this is a significant event that will raise the bar for everyone, and that is a very good change. Not only will it bolster the security practitioner career space, it will also help to raise standards for consumers who depend on corporate data custodians.

When it comes to an invasion of privacy and security, there are fortunately some common denominators we can easily identify. Fundamentally we really have two risk vectors to be concerned with: information under our control and information that is not in our control.

  • Information under our control is straightforward; all information we choose to expose is on our terms and we are responsible exclusively for it.
  • Information outside of our control amounts to any external party – good or bad – that possesses information about you of any kind.

Securing your information is a real challenge for both the individual and the corporation. A recent IT security and privacy study of corporations indicated that:

  • Fully 75% say their organizations are as or more vulnerable to malicious code attacks and security breaches compared with a year ago. And in the face of a crushing skills shortage, 40% subsist on no more than 5% of the IT budget. [With the mass proliferation of technology and the Internet of Things, this should be no surprise and will not be trending downward any time soon.]
  • “Managing the complexity of security” reclaimed the No. 1 spot among 10 challenges facing the respondents to our security survey, all from organizations with 100 or more employees.
  • 58% see an infected personal device connecting to the corporate network as a top endpoint security concern, making it the No. 1 response, ahead of phishing and lost devices. [This is reason number one to implement a REAL BYOD program.]
  • 56% say cyber-criminals pose the greatest threat to their organizations this year, the top answer, ahead of authorized users and employees at 49%. [The big breaches reported this year all involved outsiders taking advantage of insiders. For starters, I’d really recommend companies reconsider what technology employees actually need as opposed to want.]
  • 23% have experienced a security breach or espionage in the past year. [Additional data suggests that only about 33% of all breaches are even reported to law enforcement. It’s safe to assume that of all entities out there, 67% are unaware, negligent, incompetent and/or willful; take your pick!]

    (Source) InformationWeek 2014 Strategic Security Survey

Clearly there is responsibility everywhere to go around. As corporate leaders, we are concerned about protecting our business and our customers. Your employees, partners and customers all pose risks to your business. As individuals we are concerned with what companies do with our data and we are concerned that that trust will be mishandled. We all have a part to play. What are some things the individual can do? When it comes to concern about your personal privacy, a balanced approach is the most appropriate. Anyone can tell you that the best way to protect your personal privacy and data is simply to turn the power off, lock the doors and avoid the world around you, living in your protective bubble. But this is not a very useful strategy, especially since the event horizon of the Internet of Things is upon us and we have long passed by our ability to fully exist in a world without technology.

Our smartphones, tablets and mobile devices are increasingly becoming repositories of our personal information. It’s a gold mine of data that could be used to build a frighteningly complete picture of you as a person. It’s more than just your contacts, calendar, memos, and photos; it’s your Internet history, the calls you participate in and a multitude of communication messages, your banking data and social network logins. People say “my whole life is on my phone”, and while that hopefully isn’t entirely true, an increasingly large portion of our lives translated into our digital DNA is finding residence on these devices. So just how are we going about keeping it all secure? How do we deal with the threat of the less-than-thoughtful people around us, let alone the government’s intrusions and of course cyber criminals? How do we keep our devices and the accounts on them secured? And how do we train our children, the ones that are growing up in a world where ubiquitous internet is a fact of life, to understand the real threats that exist on the internet and how to protect themselves?

You need to decide what you are willing to live with. If you live on your smart phone, in email, on social media and are less concerned about privacy, then consider these recommendations:

  • Use encryption!
  • Don’t reveal personal details to strangers or just-met “friends”.
  • Beware sites that offer some sort of reward or prize in exchange for your contact information or other personal details.
  • Remember that YOU decide what information about yourself to reveal, when, why, and to whom.
  • Use a password manager.
  • Read the access privileges for apps carefully, and make good choices.
  • Keep your work and personal presences separate.
  • Be an activist!

If you are more concerned and prefer more anonymity, then consider the much bigger list of recommendations:

  • Use encryption!
  • Don’t reveal personal details to strangers or just-met “friends”.
  • Beware sites that offer some sort of reward or prize in exchange for your contact information or other personal details.
  • Remember that YOU decide what information about yourself to reveal, when, why, and to whom.
  • Use a password manager.
  • Read the access privileges for apps carefully, and make good choices.
  • Keep your work and personal presences separate.
  • Keep a “clean” e-mail address.
  • Realize you may be monitored at work, avoid sending highly personal e-mail to mailing lists, and keep sensitive files on your home computer.
  • Do not reply to spammers, for any reason.
  • Examine privacy policies and seals.
  • Disable GPS and Wi-Fi on your mobile device until you need them.
  • Guard your date of birth and telephone number.
  • Make yourself more difficult to find on social media.
  • Be an activist!

If I had more time, I’d get into the things any great CISO should do to eliminate about 96% of all security risks to their organization encompassing Governance, Technology and Vigilance collectively called The Security Trifecta but we can always talk about that offline.

What’s on the horizon?

  • Data Security and Breach Notification Act of 2014: Requires the Federal Trade Commission (FTC) to promulgate regulations requiring each covered entity (proprietorships, partnerships, estates, trusts, cooperatives, and nonprofit and for-profit corporations) that owns or possesses data containing personal information to implement policies and procedures regarding information security practices for the treatment and protection of such information. Source: https://beta.congress.gov/bill/113th-congress/senate-bill/1976
  • Safe and Secure Federal Websites Act of 2013: Prohibits a federal agency from deploying or making available to the public a new Federal PII website until a certification is submitted to Congress that the website is fully functional and secure, as defined by this Act. Source: https://beta.congress.gov/bill/113th-congress/house-bill/3635
  • The United States has about 20 sector specific or medium specific national privacy or data security laws and hundreds of such laws among its 50 states. (California alone has more than 25 state privacy and data security laws). These laws address particular problems or industries. They are too diverse to summarize fully in this presentation. In addition, and this would be my personal favorite, the large range of companies regulated by the Federal Trade Commission (‘FTC’) are subject to enforcement if they engage in materially unfair or deceptive trade practices. The FTC has used this authority to pursue companies that fail to implement minimal data security measures or fail to live up to promises in privacy policies.
  • The Florida Information Protection Act of 2014: The Act requires notice to be given to affected customers and the Department of Legal Affairs (DLA) when a breach of security of personal information occurs. The act requires such notice to be given within 30 days of the discovery of the breach or belief that a breach occurred, unless delayed at the request of law enforcement for investigative purposes or for other good cause shown. The act provides enforcement authority to the DLA under the Florida Deceptive and Unfair Trade Practices Act to civilly prosecute violations. A violator of the bill’s provisions may also be subject to civil penalties, similar to current law, if breach notification is not provided timely. Make no mistake, this is the trend and you can expect most states to ratify similar laws but my bet would be that Florida’s stringent new breach notification law will encourage lawmakers to finally enact a federal standard which is long overdue.
  • PCI DSS V3 has some significant revisions especially along the lines of vulnerability and penetration testing as well as risk assessments. These begin to take effect in January.
  • Safe Harbor is a cooperative effort for the US to comply with EU countries’ more robust data privacy and data security requirements. The reality is that right now the US laws are less restrictive, in part to allow the government to operate more freely with less oversight.

I know this has been a whirlwind tour of a few current privacy concerns for both the individual and the corporation. I’ve only shared a fraction of what is a much larger issue. As always, being passionate about all things security and privacy, I’m here to continue the conversation and help you take action, so let me know what you think. If you need assistance, I’m over at Lazarus Alliance.