Thinking back to a recent day in November when I crisscrossed Manhattan as I often do—from a morning meeting to a midday lunch to my daughter’s school pickup—I pictured myself as a small dot on a map of the city grid. I might blink red for a moment here, then there, over the course of the day. Taken together, and cross-referenced with the other data I produce like phone calls, credit card transactions, etc., these points could easily be connected by lines tracking my movements to become a visual representation of my day’s activities.
I wasn’t thinking of some far-fetched science-fiction scenario. This exact kind of interactive graphic was used in the New York Times’ recent investigation into the way location apps collect user data from millions of Americans. The startling images show users being tracked in schools, hospitals, police stations, and homes, all without proper mechanisms for consent or oversight. The article has generated widespread debate, a vital first step in bringing about needed reform and regulation, but we cannot wait for well-timed exposés to drive our approach to privacy. Something this important demands we take a more proactive approach.
I’d like to first flag a key point in the report that I have written about here before: that we as individuals must be proactive in protecting ourselves online. We should not take the language offered up front by developers at face value. Often, the messages that ask for our consent when enabling location tracking omit crucial information about how the data will be used. Apple, for instance, only requires developers to stipulate a relevant use for the information, such as traffic monitoring or receiving local weather information. The fact that location data is then sold to third parties, from advertisers to hedge funds, is omitted from the text most consumers see. Instead, it is buried deep in highly technical privacy policies, where the average person cannot make sense of it—even if anyone bothered to read that far before clicking “Okay”. As a result, everyone should assume the worst when choosing to share data with developers; likely, it is going to be passed along, stored, and, no matter their intentions, potentially subject to hacking.
Another concern that I mentioned here earlier, one that perhaps gets less attention than it deserves, is the problem of security and accountability in smaller companies. Of course, we should continue to be wary of the familiar tech giants having access to troves of consumer data, but their lesser-known counterparts can often present even greater risks. Because they get less publicity, they may be more inclined to use data in questionable ways. They may also have fewer resources in place to apply strong security and privacy practices across their operations. These factors conspire to make putting sensitive data into the hands of smaller players a potentially greater danger than handing it over to a Google or Facebook.
Apple and Google, in particular, wield tremendous power as gatekeepers of their respective app stores, and, as the saying goes, with great power comes great responsibility. Should they ban apps or entire companies when they violate privacy standards? After how many offenses? It’s easy to keep passing the buck and hope the public forgets before the next breach or story. There is a glaring lack of common standards and regulations to enforce them.
Another worry I have, which has not yet gained traction in the conversation, is the way in which artificial intelligence will intensify and accelerate these threats. Today’s algorithms are already powerful when it comes to triangulating common denominators from disparate data points. They will only get smarter and faster over time, and if we continue feeding them more and more data, the consequences can become dystopian rather quickly. I’m always quick to point out that there will also be much good produced by AI finding hidden connections and causations, especially in health data, but the dark side cannot be ignored. Algorithms that know more about us and our behavior than we do ourselves are too powerful to go without oversight. At the very least, there must be accountability for abuse.
The measures companies are taking now to protect consumers from privacy breaches are inadequate in the face of AI’s capabilities today, let alone in the foreseeable future. Companies might say they protect their users by avoiding collecting data such as names, emails, and addresses; obfuscating data to make it less precise; or deleting it after a period of time (often after passing it along to advertisers). These are all piecemeal methods that still leave users highly vulnerable. Much of the missing data can be easily reconstructed to become personally identifiable and a major security risk. We need to develop better solutions, while also being mindful that the technologies at our disposal are simultaneously being used to develop better ways of breaching those solutions. We’ve already seen 3D printed heads get around facial recognition locking systems, and AI-generated fingerprints fool biometric scanners.
Clearly, the answer is not solely in upgrading to the newest, most advanced security protocols. In fact, the latest cool security device is often the most vulnerable because it is relatively untested in the real world. The most important thing is restoring the simplicity of settings and clarity of choices, as untrendy as that sounds. I recently discussed how defaults matter more than anything. The best security measures are completely irrelevant if they are not turned on. Companies must explain up-front, in language that the average person can understand, what he is signing up for when he enables location services, or any setting for that matter.
The tech companies that provide platforms for developers should mandate the use of such straightforward disclaimers, rather than allowing for vague or misleading disclosures. And legislators must do their part, too, not simply put on a display of outrage when the private sector falls short of expectations. If we faced an epidemic of violent bank robberies, the public would demand that law enforcement step in instead of just blaming the banks. In the same way, legislative bodies and the Federal Communications Commission should be held at least partly responsible for failing to defend consumer data.
As always, individual security does not exist in a vacuum. We are simultaneously part of larger systems that can be monitored, hacked, manipulated. We have seen this clearly as the investigation into 2016 election interference continues. The latest Senate report provides unprecedented detail in explaining how Russian actors exploited U.S. social media platforms. From the oft-mentioned Facebook, Twitter, and Instagram to the smaller Tumblr, Vine, and Reddit, the effort was comprehensive and sophisticated, carefully targeting groups such as African-Americans and with messages designed to influence their voting behavior.
In these revelations, it has become clear that any indifference on the part of tech companies is seen as an opportunity by hackers and propagandists. The arena of social media has become the latest battlefield between democracy and authoritarianism, and its architects can no longer feign ignorance or helplessness when it comes to solving the problem. Meanwhile, the latest revelations about Facebook selling access to private messages makes me wonder how much worse hackers are than the company’s own business model. Mechanisms for proper use, that protect the individual and promote the values of society more broadly, must be built into the structure of the system. And yet, as we rightly demand these actions from the corporate sector and the regulators, we must demand the same of ourselves—by being thoughtful, informed consumers of the products that shape our digital world.
*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/who-is-responsible-for-data-security