Site icon

The Death of Privacy: A Tale of Collusion and Corruption

In our technically advancing world, our personal privacy expectations must be reconsidered, re-conceived and redefined. We all expose ourselves through swipes, transactions, likes and tweets. Through handsets, television sets and mindsets, we voluntarily add our behavioral attributes to the associated handlers of our digital DNA almost entirely without consideration for personal privacy. We will review together the corrupt forces that colluded and conspire against us as well as the corruption and what, if anything can be done about it.

It is certainly not my intention to send you away feeling depressed or full of despair. Quite the contrary! It is my intention to enlighten and empower you and with a little luck, even entertain you about matters of personal privacy and information security.

I think it is safe to say and also a sad reality that it is a daily event where some form of personal information has been improperly accessed, absconded and abused. When you take a big picture perspective, we are essentially looking at four breach of privacy opportunities which are Company Use, Company to Entity Use, Government Use and Private Person Use.

Here are some recent headlines:

  1. F.T.C. Fines Google $22.5 Million for Safari Privacy Violations: The Federal Trade Commission fined Google $22.5 million on Thursday to settle charges that it had bypassed privacy settings in Apple’s Safari browser to be able to track users of the browser and show them advertisements, and violated an earlier privacy settlement with the agency.
  2. Verizon has been slapped with a $7.4 million fine by the U.S. Federal Communications Commission for failing to give 2 million customers the choice of opting out of the company’s marketing campaigns. It is the largest fine the FCC has ever imposed for a privacy violation of phone customers’ personal information.

There are many more! What I find amusing about this is these cases is that while these same companies fuss about the Government eavesdropping on them, they are at the same time quick to do the same to their customers. Speaking of Government agencies, let’s not overlook the recent and much larger revelation:

  1. The NSA is Spying on Millions of Americans: The Guardian newspaper confirmed what EFF (and many others) have long claimed: the NSA is conducting widespread, untargeted, domestic surveillance on millions of Americans. This revelation should end, once and for all, the government’s long-discredited secrecy claims about its dragnet domestic surveillance programs. It should spur Congress and the American people to make the President finally tell the truth about the government’s spying on innocent Americans.

    Do you think this is just an Edward Snowden era issue? This timeline actually begins back in 1952. Source: https://www.eff.org/nsa-spying/timeline

Privacy is the number one concern of Internet users; it is also the top reason why non-users still avoid the Internet. Survey after survey indicates mounting concern. (Source: The Center for Democracy and Technology) As individuals we become more and more accepting of that singular point where humans merge with their technology. Even if you decide to isolate yourself from the world around you shunning all forms and permeation of human technology, you would fail in an isolated illusion as technology is still capable of finding you. I propose we declare the death of privacy and embrace our new handlers with the collective force only technological consumers can wield.

As the volume and characteristics of cross-border data flows have been evolving, elevating privacy risks, and raising cross-border enforcement challenges. This has resulted in the need for a more global and systematic approaches to cross-border privacy law enforcement co-operation. (Source: Organization for Economic Co-Operation and Development OECD)

The force of accountability, of audit-ability and of a legal duty to protect our digital identities entrusted to them by us, the consumers. Those who have the power to peruse and use our personally identifying information should now have an undisputed legal duty to use this information without doing the individual or class of individuals harm. Those who have the power to intrude have a duty to be discreet, observing the fact that human emotions are frail, volatile and subject to wide subjective interpretation.

It is our personal responsibility to use technology wisely and our handlers’ responsibility to reinforce this personal responsibility. It is our responsibility to enforce, mandate, monitor and to magistrate over the corporate, the government and the individual handlers we knowingly entrust our privacy to. All others should face the full force of a globally unified common law.

Until there is truly a global standard, we will have a patch quilt of standards. Specifically in the United States, the Fourth Amendment of the Constitution provides, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Ultimately, these words endeavor to protect two fundamental liberty interests – the right to privacy and freedom from arbitrary invasions.

The interplay between the Fourth Amendment and electronic searches and seizures has received much attention from the courts in recent years. With the advent of the internet and increased popularity of computers, law enforcement has witnessed a continually increasing amount of crime occurring electronically. Consequently, evidence of such crime can often be found on computers, hard drives, or other electronic devices. Yet, the parameters of the Fourth Amendment do not cease in the realm of searching electronic devices. Many electronic search cases have involved whether law enforcement can search the company-owned computer that an employee uses to conduct business. Although the case law is split, the majority holds that employees do not have legitimate expectations of privacy with regard to information stored on company-owned computers.

Electronic surveillance and wiretapping has also caused a significant amount of Fourth Amendment litigation lately particularly in the post Snowden revelations. The real paradigm shift against a citizen’s privacy occurred following 911 when the USA Patriot Act was passed. The legislation’s provisions aimed to increase the ability of law enforcement to search email and telephonic communications in addition to medical, financial, and library records. One provision permitted law enforcement to obtain access to tapping stored voicemails by obtaining a basic search warrant rather than a surveillance warrant. Obtaining the former requires a much lower evidentiary showing. A highly-controversial provision of the Act included permission for law enforcement to use sneak-and-peak warrants. A sneak-and-peak warrant is a warrant in which law enforcement can delay notifying the property owner about the warrant’s issuance. It is widely held that this provision especially is violative of the Fourth Amendment.

The Patriot Act also expanded the practice of using National Security Letters (NSL) which is an administrative subpoena that requires certain persons, groups, organizations, or companies to provide documents about certain persons. These documents typically involve telephone, email, and financial records. NSLs also carry a gag order, meaning the person or persons responsible for complying cannot mention the existence of the NSL. Under Patriot Act provisions, law enforcement can use NSLs when investigating U.S. citizens, even when law enforcement does not think the individual under investigation has committed a crime. The Department of Homeland security has used NSLs frequently since its inception. By using an NSL, an agency has no responsibility to first obtain a warrant or court order before conducting its search of records.

At this point I imagine you are probably saying “Geez Michael, do you have anything positive for us? Are you ready now for some good news?

Security is now a game changer in business. For the first time that I can think of, a security breach brought down the CEO of a company. I’m referring to Target Corporation. In one respect it is a dangerous game to hold the CEO responsible for a security breach which would imply that everyone in a company now is subject to termination for a security breach. The differentiator here is that Target did not have a CISO which is a management decision. I’ll wager more CEO’s will be hiring CISOs if for any other reason than to protect their own skin. As a career CISO your career just got much more hazardous! Keep in mind that documentation is your friend, that single party recordings are legal almost anywhere and backup evidence to a location you would always have access to no matter what happens. For consumers and security practitioners everywhere, this is a significant event that will raise the bar for everyone and that is a very good change. Not only will it bolster the security practitioner career space but also help to raise standards for consumers who depend on corporate data custodians.

When it comes to an invasion of privacy and security, there are fortunately some easily identifiable common denominators we can indentify. Fundamentally we really have two risk vectors to be concerned with. The first being information under our control and information that is not in our control.

Securing your information is a real challenge for both the individual and the corporation. A recent IT security and privacy study of corporations indicated that:

Clearly there is responsibility everywhere to go around. As corporate leaders, we are concerned about protecting our business and our customers. Your employees, partners and our customers all pose risks to your business. As individuals we are concerned with what companies do with our data and we are concerned that that trust will be mishandled. We all have a part to play. What are some things the individual can do? When it comes to concern about your personal privacy, a balanced approach is the most appropriate. Anyone can tell you that the best way to protect your personal privacy and data is simply to turn the power off, lock the doors and avoid the world around you living in your protective bubble. But this is not a very useful strategy especially since the event horizon of the Internet of things is upon us and we have long passed by our ability to fully exist in a world without technology.

Our smartphones, tablets and mobile devices are increasingly becoming repositories of our personal information. It’s a gold mine of data that could be used to build a frighteningly complete picture of you as a person. It’s more than just your contacts, calendar, memos, and photos; it’s your Internet history, the calls you participate in and a multitude of communication messages, your banking data and social network logins. People say “my whole life is on my phone”, and while that hopefully isn’t entirely true, an increasingly large portion of our lives translated into our digital DNA is finding residence on these devices. So just how are we going about keeping it all secure? How do we deal with the threat of the less-than-thoughtful people around us, let alone the government’s intrusions and of course cyber criminals? How do we keep our devices and the accounts on them secured? And how do we train our children, the ones that are growing up in a world where ubiquitous internet is a fact of life, to understand the real threats that exist on the internet and how to protect themselves?

You need to decide what you are willing to live with. If you live on your smart phone, in email, on social media and are less concerned about privacy, then consider these recommendations:

If you are more concerned and prefer more anonymity, then consider the much bigger list of recommendations:

If I had more time, I’d get into the things any great CISO should do to eliminate about 96% of all security risks to their organization encompassing Governance, Technology and Vigilance collectively called The Security Trifecta but we can always talk about that offline.

What’s on the horizon?

I know this has been a whirlwind tour of a few current privacy concerns for both the individual and the corporation. I’ve only shared a fraction of what is a much larger issue. As always, being passionate about all things security and privacy, I’m here to continue the conversation and helping you take action so let me know what you think. If you need assistance, I’m over at Lazarus Alliance.

Exit mobile version