"If Something is Free, You're the Product": Why Privacy Matters More Than Ever
The first installment in this series was similar to any sensational news report: there was scary but nebulous information, followed by good actionable information, but it closed with no long term actions.
Take the National Public Data data breach (see CNBC's article “‘Was my Social Security number stolen?’ Answers to common questions on the National Public Data breach” at https://www.cnbc.com/2024/08/23/was-my-social-security-number-stolen-national-public-data-breach-questions.html).
This story had a sensational headline and terrifying details about how everyone’s information was leaked. All of it – full birth name, date of birth, social security number, address history, email address, and phone number.
Some reports did include information about putting your credit in a security freeze, a very smart move regardless of the reason. Even fewer stories had information about securing a Social Security Number from misuse, another smart move. At best, only ~2% of the audience followed that advice.
Almost none of the reports covered the foundational problem, implications or long term strategies to protect your information.
Long Term Consequences
Most will never contemplate the long term consequences of the unyielding storm of cyber attacks. Sadly, most will become numb to the situation.
A day doesn’t go by without a story related to another cyber attack, a government or healthcare system held hostage by malware, negligence, or a misconfigured server/service causing another egregious invasion of privacy. The adoption of technology happened faster than the contemplation of the long term impacts.
In short, the loss of privacy has led to a growing security risk. Those risks may not be as straightforward as identity theft or other similar fraud. Most never consider how the information is leveraged for social engineering attacks.
The attacks may be as simple as account takeover, where the information is used to fraudulently gain access to an account. The attacks may be more egregious, where a scammer pretends to be a grandchild in need of bail money or an officer of the court trying to resolve, for a fee, a bench warrant for not showing up for jury duty.
Social engineering attacks can also be the opening salvo to sensationally take down companies. One famous incident was described by Kolide in “What Everyone Got Wrong About the MGM Hack” (https://www.kolide.com/blog/what-everyone-got-wrong-about-the-mgm-hack).
When we begin to fully understand the impacts of these intrusions we can better prepare our individual response. As consumers of technology in our daily lives, we can no longer abdicate the management of privacy and security to the institutions and governments we rely upon.
Zero-Knowledge Encryption Tools
Perhaps the best guidance is from Benjamin Franklin when he said, “Three can keep a secret, if two of them are dead.” Or as Sergeant Schultz from “Hogan's Heroes” would say, “I know nothing! NOTHING!!”
Simply put: privacy is the first key to mitigating security risk. When I gave the comparison of my wife and me going to dinner in 1994 versus today, it was demonstrative of how intrusive technology has eroded the privacy we once took for granted.
Let’s take an anniversary dinner in 1994. I may call a nice restaurant to make reservations, and my name would be written in pencil in a book. We would get dressed up and drive to dinner. We’d enjoy the evening, pay in cash, and return home. The only record of the event was the name in a book that wouldn’t last the balance of the year. In recent years, when we followed the same plan, we noticed so many more became aware of the evening out.
Today we’re invariably asked to make a reservation online. In that one task, an online service and my “free” email provider became aware of our plans. The email also put an appointment in my calendar. While driving to dinner, both of our mobile phones as well as the car recorded the journey in detail. Once seated at the table, I reviewed the reservation ticket left for the server, and it listed our dining history with the restaurant, from what we usually order to how much we usually spend. Finally, the evening was paid for with a credit card, letting the bank and all the card processing services know what we did and where. All those companies joined our celebration and none of them helped out with the bill!
The backlash to this digital exhaust trail has been the privacy accelerator movement. The movement has given rise to a wide range of zero-knowledge encrypted tools. Those tools work like their other counterparts but only the consumer has access to the data they hold.
For example, a free email service may offer some of the strongest security available to consumers. This security may include encryption of data in transit and at rest, strong passwords, and multi-factor authentication with authentication apps or hardware keys. However, the service also has a key to the data, allowing it to leverage the information in building a marketing profile of the account holder. As the saying goes, “If something is free, you’re the product”.
As long as there is another key to the vault, there is no real privacy or security. The zero-knowledge encrypted privacy tools allow consumers to manage access to their information without any extra effort required.
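The difference between "encrypted at rest" and zero-knowledge storage, as an added sketch that is not from the original article or from any product it names. The cipher is a standard-library HMAC-SHA256 keystream with encrypt-then-MAC, standing in for an AEAD such as AES-GCM so the code runs without third-party packages; all names, the password and the sample note are constructed.

```python
import hashlib, hmac, os

def derive_key(password: str, salt: bytes) -> bytes:
    """Client-side: stretch the password into 64 bytes (cipher key + MAC key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key[:32], nonce, len(plaintext))))
    return nonce + ct + hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:32], nonce, len(ct))))

def provider_can_read(provider_keys: list, blob: bytes) -> bool:
    """True if any key the provider holds opens the blob it stores."""
    for k in provider_keys:
        try:
            unseal(k, blob)
            return True
        except ValueError:
            pass
    return False

NOTE = b"Anniversary dinner, 7pm"            # constructed sample data

# Model 1, "encrypted at rest": the service generates and keeps the key.
service_key = os.urandom(64)
at_rest_blob = seal(service_key, NOTE)

# Model 2, zero-knowledge: the key is derived on the user's device and never uploaded.
salt = os.urandom(16)                        # stored beside the blob; not secret
user_key = derive_key("correct horse battery staple", salt)
zk_blob = seal(user_key, NOTE)

if __name__ == "__main__":
    print("provider reads model 1:", provider_can_read([service_key], at_rest_blob))
    print("provider reads model 2:", provider_can_read([service_key], zk_blob))
    print("user reads model 2:", unseal(user_key, zk_blob))
```

In both models the stored data is encrypted; what changes is who can produce the key, which is the "other key to the vault" in the paragraph above.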
Most never consider the gold mine of information that messaging tools hold. For example, SMS, the venerable standard of messaging, is an unencrypted protocol, and its design does not provide end-to-end encryption. That means it can be easily scanned and consumed by other systems. Similarly, the messaging functionality contained within social media platforms is not only not encrypted, it will be actively monitored by the platform for various reasons.
Missing the days when a conversation was between A and B (and everyone else can C their way out) has given rise to private messaging applications like Signal Messenger (https://www.signal.org). Signal, a free and encrypted messaging platform, works like any other messaging platform. That includes one-to-one messaging, group chats, and voice/video calls, all without ads or tracking.
It also has all the little features consumers have grown to expect, like message reactions, emojis, GIFs, typing indicators, sent/received/read indicators, and disappearing messages, and it has clients for all of the popular platforms (iOS, Android, Mac, Windows, Linux).
The information exchanged is only visible to the consumers and cannot be accessed by Signal itself. They’re proud enough to list some of the requests by government entities and the results of those inquiries at https://signal.org/bigbrother/
As an example, the “MLAT order from Luxembourg for Signal user data” (https://signal.org/bigbrother/northern-california-order/) demonstrates exactly what information they were able to reveal for a court request. In short, it was nothing.
Using such tools doesn’t mean you’re doing something wrong, nefarious, or have anything to hide. It simply means your business is just that: your business. As a consumer you may honestly value your privacy or no longer want to constantly feed surveillance capitalism. It really doesn't matter and the choice is yours.
For some, like those living under oppressive regimes or those who have alternative lifestyles, it’s a lifeline. Having the ability to have private thoughts and conversations without any extra effort is tremendous. The only requirement is that all participants have the application installed and an account created using only a phone number and backup password.
We’ll be covering more zero-knowledge encrypted tools and tactics that will reduce your digital exhaust, provide more privacy and security with no extra effort in the next installment. For now, I encourage you to join me and others in the privacy accelerator movement.