Data Insecurity and What We Can Do About It
Morten Rand-Hendriksen
Tech Educator | Keynote Speaker | Pragmatic Futurist | Critical Writer | Neurodivergent System Thinker | Dad
The schadenfreude was brimming over from news outlets and on social media when earlier this week it was revealed that online dating/cheating website AshleyMadison.com had been hacked. How fitting that the users of a site, whose stated purpose is to facilitate infidelity, now face the very real risk of having their proverbial undergarments displayed in public for the world to see.
Meanwhile, several major retail chains, including Costco, Walmart, Sam's Club, and Rite Aid, have all shut down their online photo services after a data breach at their service provider PNI Digital Media in Vancouver, Canada. No schadenfreude here. Just outrage, frustration, concern, and frantic calls to credit card providers.
Online Data and Inherent Insecurity
“What is the internet?” a student asked me a couple of years ago. The simple answer is it’s a network of interconnected computers; a network that has been designed to share information. No wonder then we’re having such a hard time keeping our information private: The internet is in many ways the literal manifestation of Stewart Brand’s famous statement that “Information wants to be free”.
Over the past few years we have been forced into a tidal change in our perception of data security. Whereas our primary concern used to be viruses and incursions on our personal devices, over which we have some semblance of control, today the concern lies with the vulnerability of our data stored on online services - in the “cloud” - over which we have no control or even say.
In 2014, large swaths of credit card data were stolen from several online and brick-and-mortar retailers, private celebrity photos were stolen from automatic cloud storage, a major entertainment company was brought to its knees over a major data breach, and popular publishing platforms like WordPress were under near constant attack. In 2015 the trend has continued with amplified strength. The breaches at AshleyMadison.com and PNI are only the latest and most public examples; government entities are also under attack and everything from tax information to medical records has been compromised in both the US and Canada.
These types of breaches are now so common we are beginning to treat them with a sort of resigned complacency. That may seem like a bad thing, but in my mind it may be the beginning of an evolution in our attitude towards online (in)security that will help us find a way forward.
Credit Cards and Facing Facts
"Mr. Rand-Hendriksen? Are you currently on vacation?"
"No, why?"
"So I can safely assume you did not just buy drinks at a bar in Fort Lauderdale, Florida?"
"Definitely not."
"All right. We just flagged a couple of questionable charges on your credit card. I'm going to cancel it. You will be refunded for these fraudulent charges and a new card will be issued in a day or so."
If you’ve held a credit card for any length of time there is a good chance you’ve either received a call like the one above or had your credit card cancelled and replaced over a breach or expected breach of security. Much of the value and efficiency of the credit card system lies in the security measures put in place to protect us, the consumers, from fraudulent charges. These in turn stem from the realization, by legislators and credit card providers, that the technology is inherently insecure. However many layers of security you place on a card, there will always be a way to bypass them. That said, in comparison to the alternatives - cash and cheques - the credit card is infinitely more secure, so we accept the risks. Or rather, the banks and credit card companies accept the risk.
I think the solution, or at least part of the solution, to the problem of online data security can be found in how credit card security is handled.
When you are granted a credit card, the onus of security is shared between you and the issuer: You are responsible for keeping your PIN code secret, using the card only in “safe” locations, and reporting back to the issuer if you lose the card or anything is amiss. The issuer in turn is responsible for ensuring fraudulent charges are detected and remedied and that if and when your credit card information is breached, the damage caused is remedied immediately.
Contrast this to online services today: You are responsible for keeping your password secret, using your account only in “safe” locations, and reporting to the service provider if someone breaches your account in any way. The service provider in turn is responsible for… nothing. If your data is breached, they will at best issue an apology. “Too bad your private photos are now plastered all over the internet. Maybe think twice about taking photos of yourself next time.”
What’s needed is for the online service providers to admit something they have so far worked hard to ignore: That when you give access to data through the internet, that data is inherently insecure. In the cloud or on any device connected to the internet, your data is only a lost password, a stolen laptop, a missed server update, a decades-old code error, or a disgruntled employee away from being breached. That is a fact, and no level of security layers will change it. More disturbing, this insecurity now reaches beyond the internet to intranets, and even well-shielded ones, as the story of the Stuxnet virus has taught us. Combine this with the revelations of the Snowden leaks, and you can be safely assured that any bit of data you choose to transmit through any network in the world can and will be intercepted either by a government, military, or private entity.
Which is to be expected seeing as the internet is an information distribution network.
Securing the Insecure
All this begs the obvious question: Can data be secure online? The simple answer is not really. The more complicated answer is it depends on what you mean by “secure”.
Reading between the lines of reports and conversations about all these data breaches and online attacks, it is clear we as a society still think of data in analog terms. In the past information could be printed on a sheet of paper, locked in a safe, and assumed to be pretty secure. The contents of folders with the words “Top Secret” or “Your Eyes Only” or “No Copy” could be expected to remain top secret, for your eyes only, and not copied, at least as long as those with access to those folders were properly vetted.
In our online world this is very much an anachronism. We need to move beyond the thinking of data as something that can be locked in a box and start thinking of data as something that wants to be free. If you can plug into the internet and gain access to a piece of information, whether that be your online dating profile, your bank info, your latest purchases from a bookstore, or your medical records, so can someone else.
So what do we do? How do we secure what is inherently insecure? A lot of work is being done in this field, both in how we limit access and how the data itself is secured. From my perspective the most promising work is being done in encryption - making the data unreadable if it is breached - but even here the only barrier keeping prying eyes away from your data is a passkey.
In the longer run I think the answer lies in realigning our thinking about data security itself. Rather than assuming we can lock people out and prevent them from accessing the content, maybe we need to start assuming they will be able to access the content in the same way that credit card companies assume card information will be abused. With this as a premise we can stipulate new rules and regulations for service providers to take responsibility to protect their users when a breach occurs. We can also imagine new ways of storing data, like splitting datasets into two or more separate entities that need to be merged for the data to be useable. There are lots of possibilities here, and new innovations will vastly improve the security level of our data. The common thread in all of this though, is the acceptance of our new reality of data insecurity.
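The idea of splitting a dataset into pieces that are useless until merged can be made concrete. The following is an added example, not part of the original article: an all-shares-required XOR split in which every piece on its own is random noise, plus a hash check so that a missing or wrong piece is detected on merge. The function names and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from functools import reduce

TAG_LEN = 32  # SHA-256 digest stored in front of the data before splitting


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(data: bytes, parts: int = 2) -> list:
    """Split data into `parts` shares; all of them are needed to rebuild it."""
    if parts < 2:
        raise ValueError("need at least two shares")
    payload = hashlib.sha256(data).digest() + data
    # parts-1 shares are fresh randomness, each as long as the payload
    shares = [secrets.token_bytes(len(payload)) for _ in range(parts - 1)]
    # the last share is the payload XORed with every random share
    shares.append(reduce(_xor, shares, payload))
    return shares


def merge(shares: list) -> bytes:
    """XOR all shares together and verify the embedded digest."""
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("shares missing or of different lengths")
    payload = reduce(_xor, shares)
    tag, data = payload[:TAG_LEN], payload[TAG_LEN:]
    if not hmac.compare_digest(hashlib.sha256(data).digest(), tag):
        raise ValueError("a share is missing, stale or has been altered")
    return data


if __name__ == "__main__":
    record = b'{"name": "A. Example", "photo_id": 1042}'  # constructed sample
    a, b, c = split(record, 3)          # store each share with a different service
    print(merge([a, b, c]) == record)   # all three shares rebuild the record
```

A breach at one storage location yields only a random-looking byte string; the trade-off is that losing any single share makes the data unrecoverable.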
What You Can Do to Take Control
The realignment outlined above is a long process that is currently in its infancy. In the meantime we have to deal with the very real threat of data breaches and online privacy incursions. So what can you do as an online citizen to better protect yourself? The answers are many:
Use a password manager
The number one vector of data breaches is still insecure or stray passwords. For all our amazing talents, our species is not skilled at creating and remembering strong passwords and keeping them secret. To remedy this we have password managers that not only create strong passwords for us but also remember them and even help us in the login process.
Many users hesitate to invest in a password manager - it seems like yet another frivolous expense that adds more complexity to already complex processes - but in reality a password manager can be both a time saver and a data saver. Even though data is inherently insecure, data with a strong password is less insecure because it’s harder to hack.
There are many password managers available, some device based, others cloud based. After extensive research I found myself choosing between 1Password (device based) and Dashlane (cloud based). In the end I went with Dashlane because I need to sync my passwords across multiple devices. That does introduce the risk of an online incursion into my password database, but that’s a risk I am aware of and feel I can take.
Enable two-factor authentication
To further mitigate the risk of a single password being hacked, many services now employ two-factor authentication, where in addition to your password you must be able to provide another key or action through a secondary device. Two-factor authentication is typically tied to an app on your smartphone and requires both your password and some interaction with the app to log in to services.
Enabling two-factor authentication on your services does make logging in more complex and usually requires you to have access to your mobile device at all times. However, this added layer of security makes an unauthorized incursion into your data orders of magnitude more complex and is likely to turn away all but the most determined online villain.
Many online services, like Facebook and Twitter, now have two-factor authentication available. In addition there are several free and for-pay third-party services available that can be added to your login process, including Google Authenticator.
Demand two-factor authentication from all your services
Two-factor authentication has only recently become a hot topic in the online space, and though services are adding this extra layer of security, it is often done retroactively after a major security breach. As a service user you have a voice, and you should use it to demand the services you use enable two-factor authentication to better protect you and your data.
Demand accountability from your service providers
Like credit card providers, online data services expose your data to inherent risk simply by storing that data in a way that is accessible online. It is our job as consumers to put pressure on the services and regulatory bodies to ensure the onus is put on the service providers to protect our data and protect us in the event of a data breach. Service users should not be left to handle the difficult task of fighting identity theft or rebuilding their public image after a breach caused by insecure data services. That responsibility should be placed squarely in the hands of the providers.
Spread your data over multiple services
Even though you’ll have a favored service for storing your data, it’s a good idea to diversify your portfolio; spread your eggs across multiple baskets if you will. By placing bits of data in different locations, a breach in one location will not impact all your data. This way you are also better protected from the risk of data loss in the case of a service having a major technical problem or being closed down for other reasons. Personally I have data stored across Dropbox, Box.com, OneDrive, Google Drive, and several other services. This might seem like a big spread, but because all these services provide convenient apps that connect and sync directly with my devices, the day-to-day management of data is no different from managing regular data on my devices.
Assume your data is insecure
Finally, and maybe hardest to implement, is the realization that any data you enter into a connected device, whether it be your computer, your tablet, your smartphone, your fitness tracker, or your smart watch, is inherently insecure. The simple answer here would be to say “don’t do anything you wouldn’t do in public online”, but that is neither realistic nor justifiable. We should be able to do whatever we want with our devices and our online storage. Our data is private, and any unauthorized incursion into that data is a crime.
Rather than limiting our behavior to account for the fact that there are people out there who will try to steal our data, assume your data is insecure and take all the necessary precautions to protect yourself before a breach occurs: Educate yourself about automatic cloud backups and storage on your mobile devices, learn how to control geolocation and other privacy data in photos and other files, and review the privacy settings on your online services on an ongoing basis. If you choose to store or share private photos or other content online, do so only through trusted services and make sure you have the ability to revoke sharing privileges to anyone you share them with. If you use online banking services, make sure you do so only on trusted networks and over your phone provider network when in public. If you make online purchases, opt for the service to not save your credit card data so it must be entered every time a new purchase is made. And if you set up an account at a website you wouldn’t want anyone to know you frequent, consider using a pseudonym, a post box, and a privacy-enabled credit card to avoid future exposure.
The internet has brought us many great things and connected our society in ways we never thought possible. With that newfound level of connectivity we have to rethink our attitudes toward information and privacy and draw new borders around our private and public spheres. On the internet our information has found the means to be free. Our job now is to figure out what this new freedom means and how to manage it responsibly.
Full-Stack Developer & Graphic Designer
5 years ago: Great article and suggestions! I agree that there is only so much that users and data holders can do to mitigate risk. And, although I am in no way excusing poor security practices on the part of data holders, I believe it is also important to keep a balance in order to prevent stifling innovation. GDPR compliance has been a very confusing issue to many who wish to do the right thing. Data regulation is not a bad thing, but it should be crystal clear.
Graphics and web design solutions using brand strategy to align with the success of your business.
9 years ago: Well-written and educational. A very worthwhile read!