An attempt to classify privacy concerns: lions and tigers and bears, oh my! And those pesky Chinese!


19 June 2015 – We always seem to be awash with stories of egregious data breaches. A constant barrage.

I just returned home after two weeks in the U.S., which included a FireEye cyber workshop, my trip having been preceded by an IBM Analytics/Cyber Security conference. I’ve been doing a lot of research into major privacy stories covered in the news over the last few years, most especially on the recent Chinese attack on the U.S. Office of Personnel Management, in preparation for an eTERA White Paper on the subject.

Jan Dawson (founder, Chief Analyst at Jackdaw, a technology research and consulting firm) has done even more research.  During his thirteen years as a technology analyst, Jan has covered everything from DSL to LTE, and from policy and regulation to smartphones and tablets.

 

Even more impressive is Dana Tamir, Director of Enterprise Security at Trusteer, an IBM Company. She leads activities related to enterprise advanced threat protection solutions. She has written scores of blogs, articles, and white papers, and led multiple webcasts. At the IBM conference I had the opportunity to attend a series of sessions that Dana led which took us through a “real-world” threat and attack and security-related solutions. We went through detailed and intricate data discovery, assessment and classification. I will have a more detailed post shortly specifically on the IBM conference.

But one thing they both noted is that we have an overall perspective, and both Jan and Dana have provided, by way of background, a useful walk-through classification of the major privacy concerns we as consumers … and businesses … seem to have, and how each of these is (or isn’t) relevant to the different companies that compete in this industry. It is not always about “attacks”.

 

No doubt there are other facets of privacy concerns that aren’t completely captured here, and it goes beyond the “attack” motif in the daily press.  But the vast majority of concerns we have, and the headlines about privacy issues, tend to revolve around one or more of those outlined here.

And the reality is we’re all different – each of us has a different tolerance for these different categories of privacy risk.

So a short overview:

1. Sensitive personal information being exposed to other people
 

Description: One of the greatest fears people have is information they consider particularly personal or sensitive being shared with people they don’t want it shared with.

Examples:

  • I’m a school teacher who also has an active personal life. But I don’t want pictures of me drinking or partying exposed to the students, their parents, or perhaps even the other staff at the school where I teach
  • I’m gay but, for the time being, have chosen only to share this information with certain people and definitely do not want this information shared with others – whether family members, colleagues at work, or neighbors
  • I’m divorced and have recently started dating again and I don’t want my ex to know anything about my new life

The list could go on, but you get the picture – this fear is about personal information being shared with other individuals (not corporations or advertisers) beyond those I’ve chosen to share it with, especially in situations where I have chosen to share some of this information with specific groups or individuals but not others.

Companies most likely to cause this concern: In general, the companies most likely to commit breaches of this particular facet of privacy are those through whom and with whom users proactively share certain information with other groups, which for the most part limits it to social networks such as Facebook, Google+, and the like. Facebook has certainly had several periods when its users were exposed in this way, often because default privacy policies were set too open or when policies or settings changed without due notice to users.

The vast majority of the privacy stories concerning Facebook over the last several years have been in this category, with relatively few other companies affected in quite the same way, at least not frequently.

2. Personal information being “read” by computers

Description: We fear our personal information is being “seen” or “read”, not by other human beings, but by computers used by companies to personalize services, to serve advertising, and so on.

Examples:

  • My email provider has computers which view the contents of my emails to filter them into appropriate categories
  • My search provider sees all the searches I enter, and which results I click on, and slowly builds a profile of which search results are likely to be most relevant to me
  • My photo service performs machine analysis of my pictures to make them searchable.

In this case, the fear isn’t that human beings are seeing the personal information we’re sharing (though sometimes misunderstandings do occur on this point, or there may be skepticism that human beings really can’t see this information if they want to), but a vague sense of creepiness that machines are delving into some very personal information.

Companies most likely to cause this concern: On this point, it’s hard even to come up with examples that don’t sound like they’re talking about Google, which feels like the ultimate symbol of this kind of computer snooping. There’s no true breach of privacy here from a human perspective, but these types of services can create a vague sense of unease among at least some users.

3. Fear of one company knowing too much about us

Description: We fear that, even though many services may collect personal information about us, more and more of this information seems to be consolidating with just one or two companies, which are coming to “know” an awful lot about us.

Examples:

  • My email, calendar, contacts, photos, search history, and so on are all hosted by a single online service provider
  • My call records, email, calendar, contacts, phone search history, text messages, music, and books are all on my phone
  • The vast majority of my news and video consumption, most of my social connections, my interests, and my political views are all known by the social network I use.

In this case, some users may be genuinely uncomfortable about this enormous amount of knowledge held by a single company – a worry in its own right – which fits to some extent in the same category of vague unease as the previous concern on this list. However, in other cases, it may be a factor in other worries listed below.

Companies most likely to cause this concern: As a broad concern, this issue could affect any one of a number of companies, from Google to Apple to Facebook to Microsoft to Samsung. Any company which either provides a very broad range of services or provides smartphones and other devices is at least potentially in a position to “know” an enormous amount about its users. However, much depends on how data is collected, stored, and used.

Companies which gather and store this data for the explicit purpose of building profiles of their users for purposes other than personalizing their services may also foster some of the other concerns listed. Google, in particular, has seen a number of stories about this aspect of its business, and especially about its decision a couple of years ago to unify its logins and data across all its services, over which several European jurisdictions are still pursuing legal action.

4. Fear of data being sold to advertisers

Description: We fear that not only do the companies whose services we use collect lots of data about us (see 2 and 3 above), but they sell this data in some form to advertisers.

Examples:

  • My search provider uses information from previous searches to allow advertisers to reach me when I make future searches
  • My smartphone vendor uses broad profile information about me to provide targeted advertising from companies who want to reach people like me
  • My social network uses information about my interests which I have provided explicitly and information gathered through my other actions on the service to serve up ads which seek to reach people with my demographics and interests

The reality is few of the companies we’re talking about here really do “sell” data to advertisers. What they do sell to advertisers is the ability to target their advertising to users based on their interests (whether explicit or implicit), and/or their demographics. The data itself is not shared with the advertisers except perhaps in an aggregated form as an indication of the size of target markets, for example. There are companies that do sell this kind of information, but they exist outside the world of consumer technology providers.

Companies most likely to cause this concern: This is a tricky one to define, because these companies don’t technically sell the information to advertisers. However, the very act of allowing advertisers to target users causes the same unease among some users as some of the other items I’ve described. There’s no breach of personal information per se, just as with 2 and 3, and unlike number 1 on our list.

But there’s a sense our privacy is being invaded because advertisers are being allowed to reach us based on the profiles our providers have built up about us. This is obviously particularly true for companies which are heavily dependent on advertising business models, such as Google and Facebook, but it also applies, in a narrower way, to companies like Apple which have advertising products like iAd that allow for targeted advertising.

5. Fear of an accidental breach of security

Description: We fear that, because service providers and device vendors collect the information described in the various points above, there is always the potential this information is shared with third parties through no deliberate action on our part or on the part of the provider or vendor.

Examples:

  • My social network provider is hacked, exposing my personal information
  • There is a bug in the privacy settings on the online service I use which allows people I have no connection with to see personal information I store in the service
  • My device collects information about me which should be private but can be exposed through a loophole in the security settings

In none of these cases did the provider deliberately share information with anyone else but, in some cases, the argument can be made the provider should have done more to protect sensitive data, either to ensure its software was bug free in the most important security aspects or to protect it against malicious attacks.

Companies most likely to cause this concern: All companies are to some extent vulnerable to these issues, but those that collect the most data (even if for entirely legitimate purposes) have the most at risk if there is a breach. Google, Facebook, Apple, and others have all been the subject of stories along these lines over the last few years, whether as a result of bugs, hacking or other factors (such as rogue employees). These stories often say more about the desire of malefactors to access valued information than they do about security policies but, in some cases, they reveal shortcomings in company security that can build into a narrative over time (Apple has seemed at risk of this outcome at various times).

POSTSCRIPT

I’ll have a longer post next week, but right now I am a bit blasé about the Office of Personnel Management hack, even if it is the Chinese government behind it. It is not … by any stretch … the most dastardly thing they have done in cyberspace. It’s just the most recent one that we know about. It’s getting a lot of press because personally identifiable information (PII) was compromised. That information includes names, social security numbers, date and place of birth, and current and former addresses according to the OPM FAQ. It may also include job assignments, training records and benefit information.

This breach has crossed streams with a breach a year ago that did involve investigative files. David Sanger and Julie Hirschfeld Davis at the New York Times do a good job of untangling these two incidents in their recent article. It takes some close reading to understand that the headline, “Hackers May Have Obtained Names of Chinese With Ties to U.S. Government”, isn’t about this incident but the hack of an OPM contractor a year ago.

Right before I headed home I managed to attend a Center for Strategic and International Studies briefing on the China hack, and to put all of this in perspective, here are five Chinese hacks that are worse than the breach at OPM:

1. February 2013. DHS says that between December 2011 and June 2012, cyber criminals targeted twenty-three gas pipeline companies and stole information that could be used for sabotage purposes. Forensic data suggests the probes originated in China.

Why it’s worse: Espionage is one thing, sabotage is another. This incident crosses into what might be called “preparation of the battlefield”, laying the groundwork for military operations. In this incident, the hackers targeted an entire sector. They weren’t going after business data or stealing designs. The worst you can do with PII? Gain account access. The worst you can do with this info? Blow up pipelines.

2. March 2015. Canadian researchers say Chinese hackers attacked U.S. hosting site GitHub. GitHub said the attack involved “a wide combination of attack vectors” and used new techniques to involve unsuspecting web users in the flood of traffic to the site. According to the researchers, the attack targeted pages for two GitHub users, GreatFire and the New York Times’ Chinese mirror site, both of which circumvent China’s firewall.

Why it’s worse: This incident gets closer to the line North Korea crossed: interfering with our right to free speech. We haven’t quite articulated a norm in this area, but the International Strategy for Cyberspace comes close. In this case, China targeted GitHub because it was hosting pages for organizations that circumvent its Great Firewall. It may be time we put out a Monroe Doctrine for cyberspace, which would make clear that trying to stifle freedom of speech in this country crosses a red line. We could go further and make it official policy to bring dissidents from other countries under this veil of protection. Taking a page from the Kennedy doctrine, the United States could declare that it will pay any price, bear any burden, host any website and defeat any denial of service attack in the cause of Internet freedom.

3. October 2011. Networks of forty-eight companies in the chemical, defense, and other industries were penetrated for at least six months by a hacker looking for intellectual property. Some of the attacks are attributed to computers in Hebei, China.

Why it’s worse: This campaign was carried out on a massive scale. It’s information that’s of direct value and it crosses the line from espionage to downright theft by targeting intellectual property.

4. January 2010. Google announced that a sophisticated attack had penetrated its networks, along with the networks of more than thirty other U.S. companies. The goal of the penetrations, which Google ascribed to China, was to collect technology, gain access to activist Gmail accounts and to Google’s Gaea password management system.

Why it’s worse: Like the October 2011 incident, this campaign was done at scale and sucked many of our technical giants dry. The hackers also appear to have targeted dissidents, crossing not one but two lines (though many believe the targeting of dissidents was a red herring).

5. February 2012. Media reports say that Chinese hackers stole classified information about the technologies onboard F-35 Joint Strike Fighters.

Why it’s worse: Under current norms, military technology is fair game but this one is devastating if true. The hack targeted classified information on one of our most advanced weapons platforms. The info could save the Chinese decades in research and development. Worse, it could be used to find vulnerabilities that could be exploited in combat (think the pilot episode of Battlestar Galactica).
