There’s a current undertone in the IT industry that security is going to become a big problem in the future. The reality is that it already is, particularly in the area of data privacy. We worry about our data being safe when in a lot of cases we have already given permission to give it away, sell it, or make it so that it is no longer under our control.
Here I’m not talking about anything untoward happening; it would be legal, if perhaps in some cases ethically questionable. People sign up for some service and, let’s face it, who ever reads the terms and conditions of what they are signing up for? We trust the company, which has been proven to be a bad idea in several well-publicized events.
It started with search engines
Search engines, when the internet was still in its relatively early stages, used to have terms and conditions for you to sign up with. Not too bad though, right? I mean, what could anyone do with that data? I know a long time ago I saw search engines where you could watch the search queries in semi-real time, to see what people were searching for.
These days, search engines are a behemoth of advertising power, primarily because they get to know what people are interested in well in advance of any purchasing decision. That makes them very effective. That doesn’t matter to you though, does it? You get to search for free. It depends upon whether anything is tracking you in any other services that these companies have. By aggregating this data, they can know a whole lot about you, certainly your spending habits, and website surfing habits too. Still okay?
It moved to social media
Then there came social media, where you signed up for a login, and got to give away a whole bunch more data in exchange for using the site. What could go wrong there? You’re not doing anything wrong.
Well, that’s correct, but how would you know if that data was used in some way against you, to manipulate you into doing something that you wouldn’t normally do? You’re not that gullible, right? Wrong. Some sales and marketing tactics are able to influence you in such a way as to make it very unlikely that you will do anything other than what they want you to.
That would never happen either; nobody is allowed to do that with your data, are they? There are personally identifiable information laws that prevent this. Well, yes, there are, but identifying that it is happening is one big issue, and then proving it beyond reasonable doubt is another. A case in point here would be Cambridge Analytica.
Don’t mention governments
This isn’t meant to do anything other than identify that, given the right amount of power and influence, no data is truly secure. The point here is that governments have long had the ability to spy on their citizens – most likely indirectly – by joint agreement: you scratch my back, and I’ll scratch yours. This is done for the purposes of being able to detect and locate terrorists. Whether you agree with that sentiment is not up for debate here; the point is, someone is always watching you, always able to look at any of your data.
A government wouldn’t abuse your privacy though, right, if you’re a law-abiding citizen? Let me answer that first – ordinary citizens work for governments – they may be security vetted but are human after all. A breach of data might not even have been on purpose, but where there are ways into systems, there are ways for data to leak. The point I was going to make though, is that you’re missing the point. Because of this, no data is truly secure. You cannot prevent people from seeing the data, given enough money, resources and power – which governments have.
How safe is your information?
Now, if you’re getting here, you’d have to be thinking that your data is not safe at all. I know I think that. I have zero trust in most systems on which my data resides, laws or not. The reason is that technology has exploded, which has meant that legislation and laws have not been able to keep up in any meaningful manner. The government needs to be able to be connected to cutting edge technology and systems, to produce and amend laws with it, which would be very hard to do.
As I previously mentioned, there are laws in each country, region and state that dictate what can and cannot be done with respect to privacy. Therein lies the problem – you cannot guarantee that the laws in the country from which you are connecting to the website offer you the same level of protection as those where the webserver(s) reside.
You don’t easily know where those web servers reside – not without a bit of work. Then you’d have to work out the applicable laws. Not going to happen. And we won’t even get started on the legal case to prosecute if you could prove that a breach had occurred that was against the law.
In the security of IT systems, there is something called zero trust security, meaning that you do not implicitly trust anything until that entity has proven itself to be trustworthy. And in our case, I’m not sure how you would prove yourselves trustworthy, as everyone is trustworthy until they’re not.
So to answer my own questions, I would say don’t put data onto a system unless you don’t mind losing control over it, or it becoming public knowledge.
What data falls into a grey area?
On your cell phone, you have a bunch of gadgets – not least of which is a GPS receiver, which can track you. That might not seem to be a thing of concern, but what if hackers managed to infiltrate the government systems and look at your data, such as financial records, and use it in combination with your location to do bad things? I’m not saying that is going to happen – and if it did, it would cause a massive outcry – but it could.
What about your camera or phone? You’ve probably already given a large number of applications the permission to access these devices any time they want to. You know, when a screen appears saying “Application1 wants to use your Camera. Accept or Deny?” Once you accept, that choice is often made. So, if someone is using this technology to listen to or watch you, how could you tell? You probably couldn’t, because it would seem like the normal operation of an application, or you would need deep forensic technical skills to find out.
What about putting photographs onto social media platforms, and them having facial recognition, to know who you are, who you are with, where you were and when, and doing what? It seems like a lot less fun tagging people now and helping to train that AI engine to find and identify you.
I’m not saying that companies are doing this on a regular basis, but I do try to mention something random, and say it when I am close to the phone and see if my search results adjust. A few times I’ve been quite sure that it has dialed in too quickly to be just AI.
You must decide if applications that make use of your hardware have the potential to compromise your privacy, or whether you only provide them with information that if leaked could not cause any issues.
What can we do?
The only thing you can do is to assume that your data is not safe, that it is not protected at all, and act accordingly: put things in place to protect it by a different means, and be more purposeful with what data you share and how.
What I mean by this is that if, for example, you had documents that you wanted to put on cloud storage such as Dropbox (and I’m not suggesting they are leaking data in any way), you could encrypt them first, using a different service or on your own computer. It’s a pain, but it’s now much safer. It can still be hacked into, but that is much harder to do now.
The other thing you could do is find paid versions of these applications, where part of what you are paying for is that data privacy and security. You are paying so you can find a service that will not leak the data; otherwise, they would be in breach of your contract. In this way, you have only one place to go, and the data security should be very clear, which will make it at least a bit safer – then it comes down to how much the data that you’re storing is really worth to you, and whether you should even be storing it.