Tag Archives: data security

Losing The Lottery

We’re all bugged. If you carry a smartphone, you may rest assured that it’s possible to identify that device as it moves through the world and interacts with various services. How difficult do you think it is, once someone has a device ID, to associate it with a phone number’s owner?

I think none of that is a surprise to you, nor is it to me. I try to keep the list of organizations tracking me to a minimum and to a list of companies I trust. Unfortunately, that takes more effort than most people are willing to exert, but it can affect you in more ways than you might know.

I uninstalled a lottery app this morning. It was doing a number of things that caused me concern. First, it alone was responsible for 65% of the data traffic from my phone when the phone was idle. The app was idle too, or so I thought. In fact, it was busy sending my phone number, my device ID, and several other very personal pieces of data (Facebook and Twitter IDs among them) to…someplace. Who knows what happened to the data from there.

I installed this app a few months ago when the Powerball prize pool was ridiculously large. It seemed like a convenient way to input my tickets and get notified if I won anything. What I won, apparently, was the ability to be tracked as an individual and have my battery drained unnecessarily. Buh bye.

What’s the point today? I guess it’s a message for you whether you’re on either side of the desk. As marketers, we can’t violate our customers’ trust by using the permissions they give us to collect usage data and then selling or sharing that data with companies with which the customer has no relationship. More than 70 percent of smartphone apps are reporting personal data to third-party tracking companies like Google Analytics, the Facebook Graph API or Crashlytics. Generally, those companies are there to improve the user experience. The problem is that in many cases, app developers take that permission as carte blanche to send the data anywhere. I’ve seen how that data can be used for profiling and targeting and believe me, it’s frightening.

As consumers, we need to pay more attention to privacy and where our data goes. It’s not just to keep your battery from running down. Given the role that our smart devices play in our daily lives, it’s quite possible that a bad actor could know way more about you than you’d care to share. I don’t just mean by monitoring your texts or any unencrypted data you send. It’s also tracking your movements. As a positive, location-based services can help us (you get an alert for a sale at a store you frequent as you pass within a quarter mile) but the possibility of an unscrupulous third party misusing that data is exceptionally high. Check your app permissions. Why would a game need to know your location or have access to your camera, for example? Turn off the permissions that don’t make sense.

I’ll be looking up the results of the money I risked on Powerball some other way since trying to make my life a little easier made it a lot more risky in other ways. It was a good reminder to let my devices work for me and not for people who want to spy on me. You with me?

It’s Not Just Data

There is an interesting case that was argued before the Supreme Court the other day and it just might have an impact on your business.  There was also a lawsuit filed in an unrelated matter that could have the same effect.  A third item is a study that’s kind of scary. Let’s have a quick look at them and think about what they might mean to anyone who gathers information about their customers. 

First, the case before The Supremes.  It involves Spokeo, one of the large data aggregators.  Spokeo’s information about a consumer was almost 100% wrong.  As Justice Kagan said, “They basically got everything wrong about him. They got his marital status wrong. They got his income wrong. They got his education wrong. They basically portrayed a different person.”  The plaintiff was seeking a job when he filed suit, and worried that the errors in the report would affect his job search.  The other suit involves Ashley Madison.  They were sued for allegedly misleading users by inflating the number of women who belonged to the service.  As we have found out from the data hack, only a small percentage of the profiles belonged to actual women who used the site.  The company hired employees whose jobs were to create thousands of fake female profiles.

I suspect that a third form of data abuse will be in the courts shortly, as a recent study found that the average Android app sends potentially sensitive data to 3.1 third-party domains, and the average iOS app connects to 2.6 third-party domains.  None of the apps notify users that their information is being shared with third parties.  Data that’s wrong, data that’s fake, and data that’s shared without permission.  I suppose if we could get the fake guys to populate the wrong guys, sharing it without permission wouldn’t be a big deal.  Since it’s your personal information, it is.

If you gather data (and who doesn’t), you have a responsibility to keep it secure and not to use it for purposes beyond what the owner of the data (that would be you and me) reasonably expects you’ll be doing with it.  If you’re disseminating data, especially data that could impact someone’s life and not just your own business, you need to be sure it’s accurate.  And if you’re making stuff up, please just go away.

They’re not just data points, folks.  They’re people.  Maybe they’re lawsuits in waiting, or maybe they’re your spouse, kids, or parents.  Let’s be careful out there, ok?

It’s Not Just Big Brother

Another day, another horrible bit of news on the privacy front.  I’ll take it as a sign that another post on data collection and privacy is called for.  I think that by now we all know that everything we do in a digital world is collected and that nothing collected in a digital world is private.  Oh sure, maybe your Aunt Sally can’t see your phone records, but someone can, and it’s probably not someone who needs to know that you called a suicide prevention hotline 4 times last month.  As one writer put it:

Collection means access, period. Someone who wants information can always find a way to get it, and yet we’re only expanding methods of information collection: trackers, cameras, beacons, glass, drones. This puts all of us in a very public place, constantly.

Amen, and it’s a thought each of us needs to keep more forward in our minds.  The Pew Internet folks have been doing an ongoing survey with respect to privacy and the latest report (which you can read here) contains the following quote:

An executive at an Internet top-level domain name operator who preferred to remain anonymous replied, “Big data equals big business. Those special interests will continue to block any effective public policy work to ensure security, liberty, and privacy online.”

I’m not really aware of any recent business model that isn’t centered around data collection and monetization at least in part.  Retail, health care, entertainment and media, finance, and insurance are sliding their models to revolve more around robust data collection and usage.  We as consumers can say “fine, I will gladly give up data in return for convenience, better pricing, or an improved product”, but that’s a choice WE make, not the provider.  It implies informed consent.

The latest fiasco to which I referred earlier comes from Lenovo, which, as Ars Technica reported:

…found itself in hot water last week when researchers discovered that pre-installed adware from a company called Superfish was making users vulnerable to man-in-the-middle attacks. The adware installed self-signed root HTTPS certificates that made it easy for Superfish (as well as low-skilled hackers) to intercept users’ encrypted Web traffic.

In other words, by buying a Lenovo computer you made data which you thought was secure and private very much not so.  That’s the sort of corporate bad behavior which is intolerable.  But in order to respond, we have to be aware, and I suspect that this is only one example of this behavior.

OK.  Rant over.  The takeaway is this – if you’re a business, act responsibly and transparently.  If you’re a netizen, pay attention.  It’s not just Big Brother who is watching.

Thoughts?

An Extra Serving Of Data

I hope everyone had a lovely Thanksgiving. While you were cooking or trying to fight the traffic and weather to get to Aunt Sally’s, Twitter was busy deciding to help themselves to your data. I kid you not. This was how they put it:

To help build a more personal Twitter experience for you, we are collecting and occasionally updating the list of apps installed on your mobile device so we can deliver tailored content that you might be interested in. If you’re not interested in a tailored experience you can adjust your preferences at any time (read below). Additionally, if you have previously opted out of interest-based ads by turning on “Limit Ad Tracking” on your iOS device or by adjusting your Android device settings to “Opt out of interest-based ads,” we will not collect your apps unless you adjust your device settings.

Generally, Twitter has been pretty good about explaining how they invade your privacy.  When you think about it you probably realize that Twitter analyzes your tweets, retweets, location, and the people you follow to figure out which “Promoted Tweets” (a.k.a. ads) to show you.  Hopefully you know that all those little “tweet this” buttons around the web gather information about you as well.  OK, maybe it’s not exactly personally identifiable information, but I think we all know it’s not critically important for ad targeting to have your name.  Knowing that you are you (a unique identifier) across devices and services means someone knows a hell of a lot more about you than you might want them to know.  Adding one more bit of data – your name – is not difficult.

For example: do you want Twitter knowing you installed a dating app?  Do you want them serving ads on your timeline based on the dating app?  How about ads on your phone or computer outside of the Twitter environment?  It’s coming.  Facebook, which gathers the same data (oh, you didn’t know?), is getting to the same place.

To Twitter’s credit, the page I linked above explains how to opt out of this data theft.  But why not make it opt-in?  I realize that a personalized web and mobile ad experience can be better for some folks and delivers much better results for the marketer, but someone needs to take a step back before they help themselves to another serving of my personal data.  It makes me sad and uncomfortable that we’re still having this discussion.  You?

Let’s Go Phishing!

Google put out a fascinating white paper on phishing attacks. No, it has nothing to do with a great jam band. If a title like Handcrafted Fraud and Extortion: Manual Account Hijacking In The Wild doesn’t get your attention, you’re not curious enough! It’s an interesting study on how online accounts are hijacked, usually leading to financial losses, stolen identities, and lots of other bad stuff.

The short version is that it’s basically human engineering – no fancy software involved. Taking advantage of people’s good natures, thieves mislead the recipients of their emails to give up details such as account login credentials or bank card information. Yes, there may be fake web pages involved (you DO know how to spot a fake, malformed URL, right?) but most of how these thieves hack in is based on ignorance, laziness, or both.

What can you do about this? Google recommends that you report suspicious-looking messages and that you type in URLs to visit websites directly to log in, rather than clicking through a link in your email program. As it turns out, there is also a pretty effective method for combatting phishing attacks called 2-step authentication.  Most platforms – Google, Facebook, Twitter, and others – offer it and you should activate it for your accounts.  It means you’ll get a code texted to you which you must input to log in.  Does it add 15 seconds to a login?  Yes, but it makes it extremely difficult for someone to hack your account unless they steal your phone too.  As the study shows, device theft is not at all a prevalent issue for hacking and this method has allowed Google to stop 99% of hijackings in the last few years.

It’s a good business lesson too.  We should spend more time thinking about systems that will prevent issues.  I suspect many of us think a lot about backups to repair damage but not enough about how to prevent it in the first place.  It may not be technology or software we need.  As with phishing, a bit of training and a heightened awareness of potential threats to the business can prevent a lot of fixing later on.

You agree?

Canada Gets It Right

I’m not a lawyer and I don’t even try to play one on TV.

That said, the screed today is one citizen’s view of something that happened with our neighbors to the North and why I think it should serve as an example for us.  As has been happening here, the Canadian government is trying to expand the scope of warrantless, voluntary disclosure of personal information via digital.  There are bills before the legislature which would permit many of the same activities that have been occurring here for years to go on in Canada.  These include the warrantless disclosure of data to law enforcement as well as immunity from any criminal or civil liability for companies that do so.  The Canadians are also considering allowing organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law.  Read that carefully – ANY organization – including non-governmental.

The other day things changed:

The Supreme Court of Canada issued its long-awaited R. v. Spencer decision, which examined the legality of voluntary warrantless disclosure of basic subscriber information to law enforcement. In a unanimous decision, the court issued a strong endorsement of Internet privacy, emphasizing the privacy importance of subscriber information, the right to anonymity, and the need for police to obtain a warrant for subscriber information except in exigent circumstances or under a reasonable law.

Revolutionary?  One might think so, except we’ve had a similar law on our books for hundreds of years.  It’s called the Fourth Amendment and it protects each of us from unreasonable searches and seizures.  It also states the government must have warrants which are specific as to what the search is about.  No fishing trips permitted.  I’ll wait while the lawyers tell me I’m missing nuance and maybe I am.  That said, I’m outraged and sickened by what has been occurring with much regularity over the last 13 years and the fact that companies are complicit in allowing fishing trips by government.  It’s just as bad in my book that businesses grab data from users without explicit permission and don’t disclose what data is taken, how it is to be used, and when it is sold to third parties.

Today isn’t meant to do anything except call your attention to the issue.  If you’ve not been paying attention to it you should.  No one can enter your home without permission or a warrant.  Why would you allow them into your digital home without either?

Change the Game

I read this article from the WashPo with great interest:

Businesses, governments and universities reported a 69 percent increase in data breaches in the first half of 2008 compared with a similar period in 2007, according to a study by a nonprofit group that works to prevent fraud.

As long as hundreds of thousands of sites have data that they need to secure, this issue isn’t going away.  Unless, of course, we change the game.

Why not store all data in one place, much the way we store much of our own data in “the cloud”?  Then when you or I start up a business, only give us access to the portions of that data we need and DO NOT let us store it ourselves – we tap the central repository to get what we need – no more, no less, and even then we don’t actually get it (it’s all read-only).

Think this won’t work?  Where does your Facebook data live?  Not on your PC.  When all those apps tap it, think they’re hitting you up?  Nope.  They get what they need, keep what’s truly theirs, and only use a key of some sort to associate the two.

Sometimes the way to solve the problem is to change the way the game is played.  It HAS to be easier to monitor and secure a single database than hundreds of thousands (and I’m sure all the coders will tell me why I’m wrong).  Yes, a breach of the sole repository would be…um…bad but it will, IMHO, be far less likely.

And I guess a business guy writing about tech is changing the game as well!
