WP_000796

The three kinds of privacy threats

WP_000796We talk a lot about privacy on the net nowadays. Some claim that privacy is dead, and you just have to cope with it. Some are slightly less pessimistic. But all agree that our new cyber-society will redefine and reduce what we once knew as personal privacy.

The privacy threat is not monolithic. There are actually many different kinds of privacy threats and they are sometimes mixed up. So let’s set this straight and have a look at the three major classes of privacy.

Peer privacy

This is about controlling what data you share with your family, spouse, friends, colleagues etc. Tools for doing this are passwords on web accounts, computers and mobile devices, as well as your privacy settings in Facebook and other social media.

This is the fundamental level of privacy that most of us are aware of already. When this kind of privacy is discussed, it is usually about Facebook privacy settings and how to protect your on-line accounts against hackers. Yes, protection against hacking is actually a sort of privacy issue too.

Provider privacy

Who knows most about your life? You, your spouse or Facebook? Chances are that the service providers you use have the most comprehensive profile on you. At least if we only count data that is stored in an organized and searchable way. This profile may be a lot wider than what you have shared yourself. Google knows what you Google for and your surfing habits are tracked and blended into the profile. The big data companies also try to include as much as possible of your non-digital life. Credit card data, for example, is low-hanging fruit that tells a lot about us.

But what exactly are they doing with that data? It’s said that if you aren’t paying for the product, then you ARE the product. The multitude of free services on the net is made possible by business models that utilize the huge database. Marketing on the service provider’s own page is the first step. Then they sell data to other marketing companies or run embedded marketing. And it gets scary when they start to sell data to other companies too. Like someone who consider employing you or who need to figure out if you’re a high-risk insurance customer.

The main problem with provider privacy is that there aren’t any simple tools to guard you. The service provider can use data in their systems freely no matter what kind of password you use to keep outsiders out. The only way to master this is to control what data they get on you, and your own behavior is what matters here. But it is hard to live a normal cyber-life and fight the big-data companies. I have posted some advice about Facebook and plan to come back to other aspects of the issue in later posts.

Authority privacy

The security and privacy of Internet is to a large extent enforced by legislation and trust, not by technical methods like encryption. But don’t expect the law to protect you if you do a crime. Authorities can break your privacy if there is a justified need for it. This can be a good compromise that guards both our privacy and security, as long as the authorities are trustworthy.

But what happens if they aren’t? Transparency and control are after all things that make the work harder for authorities, so they don’t like it. And a big threat, like terrorism for example, can easily be misused to expand their powers far beyond what’s reasonable. Authority privacy really becomes an issue when the working mode changes from requesting data on selected targets to siphoning up a broad stream of data and storing it for future use. There has been plenty of revelations recently showing that this is exactly what has happened in the US.

There can be many problems because of this. It is, first of all, apparent that data collected by US is misused. The European Union and United Nations are probably not very dangerous terrorist organizations, but still they rank high on the target list. Data collected by authorities is also supposed to be guarded well and used for our own good only. But keep in mind that a single person, Edward Snowden, could walk out with gigabytes of top secret data. He did the right thing and spoke out when his own ethics couldn’t take it anymore, and that’s why we know about him. But how many secret Snowdens have there been before him? More selfish persons who have exchanged data for a luxury life in some other country without going public. Maybe your data? Are you sure China, Russia or Iran don’t have some of the data that the US authorities have collected about you?

And let’s finally play a little game to remind us about how volatile the world is. Imagine that today’s Internet and computer technology was available in 1920. The Weimar republic, also known as Germany, was blooming in the golden twenties. But Europe was not too steady. The authorities had Word War I in fresh memory and wanted to protect the citizens against external threats. They set up a petabyte-datacenter and stored all mails, Facebook updates, cloud files etc. This was widely accepted as some criminal cases had been solved using the data, and the police was proud to present the cases in media. The twenties passed and the thirties brought depression and new rulers. The datacenter proved to be very useful once again, as it was possible to track everybody who had been in contact with Jews and communists. It also brought a benefit in the war to come because many significant services were located in Germany and foreign companies and state persons had been careless enough to use them. The world map might look different today if this imaginary scenario really had happened.

No, something like that could never happen today, you might be thinking. Well, I can’t predict the future but I bet a lot of people were saying the same in the twenties. So never take the current situation for granted. The world will change, often to the better but sometimes to the worse.

So lack of authority privacy is not something that will hurt you right away in your daily life. Your spouse or friends will not learn embarrassing details about you this way, and it will not drown you in spam. But the long term effect of the stored data is hard to predict and there are plenty of plausible harmful scenarios. This really means that proper privacy legislation and trustworthy authorities is of paramount importance for the Internet. A primary set of personal data is of course needed by the authorities to run society’s daily business. But data exceeding that should only be collected based on a justified suspicion, and not be kept any longer than needed. There need to be transparency and control of this handling to ensure it follows regulations, and to keep up peoples’ trust in the authorities.

So what can I do while waiting for the world to get its act together on authority privacy? Not much, I’m afraid. You could stop using a computer but that’s not convenient. Starting to use encryption extensively is another path, but that’s almost as inconvenient. Technology is not the optimal solution because this isn’t a technical problem. It’s a political problem. Political problems are supposed to be solved in the voting booth. It also helps to support organizations like EFF.

Safe surfing,
Micke

More posts from this topic

Asian mother and daughter talking to family on digital tablet

Kids need better protection – An open letter to developers and decision makers

Tuesday February 9th is Safer Internet Day this year. An excellent time to sit down and reflect about what kind of Internet we offer to our kids. And what kind of electronic environment they will inherit from us. I have to be blunt here. Our children love their smartphones and the net. They have access to a lot of stuff that interest them. And it’s their new cool way to be in contact with each other. But the net is not designed for them and even younger children are getting connected smartphones. Technology does not support parents properly and they are often left with very poor visibility into what their kids are doing on-line. This manifests itself as a wide range of problems, from addiction to cyber bullying and grooming. The situation is not healthy! There are several factors that contribute to this huge problem: The future’s main connectivity devices, the handhelds, are not suitable for kids. Rudimentary features that help protect children are starting to appear, but the development is too slow. Social media turns a blind eye to children’s and parents’ needs. Most services only offer one single user experience for both children and adults, and do not recognize parent-child relationships. Legislation and controlling authorities are national while Internet is global. We will not achieve much without a globally harmonized framework that both device manufacturers and service providers adhere to. Let’s take a closer look at these three issues. Mobile devices based on iOS and Android have made significant security advances compared to our old-school desktop computers. The sandboxed app model, where applications only have limited permissions in the system, is good at keeping malware at bay. The downside is however that you can’t make traditional anti-malware products for these environments. These products used to carry an overall responsibility for what happens in the system and monitor activity at many levels. The new model helps fight malware, but there’s a wide range of other threats and unsuitable content that can’t be fought efficiently anymore. We at F-Secure have a lot of technology and knowledge that can keep devices safe. It’s frustrating that we can’t deploy that technology efficiently in the devices our kids love to use. We can make things like a safe browser that filters out unwanted content, but we can’t filter what the kids are accessing through other apps. And forcing the kids to use our safe browser exclusively requires tricky configuration. Device manufacturers should recognize the need for parental control at the mobile devices. They should provide functionality that enable us to enforce a managed and safe experience for the kids across all apps. Privacy is an issue of paramount importance in social media. Most platforms have implemented good tools enabling users to manage their privacy. This is great, but it has a downside just like the app model in mobile operating systems. Kids can sign up in social media and enjoy the same privacy protection as adults. Also against their parents. What we need is a special kind of child account that must be tied to one or more adult accounts. The adults would have some level of visibility into what the kid is doing. But full visibility is probably not the right way to implement this. Remember that children also have a certain right to privacy. A good start would be to show whom the kid is communicating with and how often. But without showing the message contents. That would already enable the parents to spot cyberbullying and grooming patterns in an early phase. But what if the kids sign up as adults with a false year of birth? There’s currently no reliable way to stop that without implementing strong identity checks for new users. And that is principally unfeasible. Device control could be the answer. If parents can lock the social media accounts used on the device, then they could at the same time ensure that the kid really is using a child account that is connected to the parents. The ideas presented here are all significant changes. The device manufacturers and social media companies may have limited motivation to drive them as they aren’t linked to their business models. It is therefore very important that there is an external, centralized driving force. The authorities. And that this force is globally harmonized. This is where it becomes really challenging. Many of the problems we face on Internet today are somehow related to the lack of global harmonization. This area is no exception. The tools we are left with today are pretty much talking to the kids, setting clear rules and threatening to take away the smartphone. Some of the problems can no doubt be solved this way. But there is still the risk that destructive on-line scenarios can develop for too long before the parents notice. So status quo is really not an acceptable state. I also really hope that parents don’t get scared and solve the problem by not buying the kids a smartphone at all. This is even worse than the apparent dangers posed by an uncontrolled net. The ability to use smart devices and social media will be a fundamental skill in the future society. They deserve to start practicing for that early. And mobile devices are also becoming tools that tie the group together. A kid without a smartphone is soon an outsider. So the no smartphone strategy is not really an alternative anymore. Yes, this is an epic issue. It’s clear that we can’t solve it overnight. But we must start working towards these goals ASAP. Mobile devices and Internet will be a cornerstone in tomorrow’s society. In our children’s society. We owe them a net that is better suited for the little ones. We will not achieve this during our kids’ childhood. But we must start working now to make this reality for our grandchildren.   Micke

February 8, 2016
BY 
403340472_5e736d8151_o

Want to Know how Adblocking Works?

Adblocking made waves last summer after Apple announced that it would bake content blocking capabilities into iOS 9. Content blocking lets users filter out content that they don’t want to load, and in this case, it worked with Apple’s Safari web browser. And there’s one kind of content that typically irritates people more than anything else – ads. So Apple’s content blocking capabilities swiftly lead to adblocking on iOS devices, with many companies developing these apps to help secure and improve people’s web browsing experience. This includes F-Secure, who released a free adblocking app last September. Now, F-Secure Labs has written up a brief whitepaper explaining, in detail, how F-Secure Adblocker works. Without getting into too much detail, F-Secure Adblocker basically checks for information about web traffic with F-Secure Security Cloud (a cloud-based service that powers many of F-Secure’s security products). If F-Secure Security Cloud is able to identify the source of web traffic as an advertising server, it lets Adblocker know, and Adblocker can filter out the advertising content, leaving you with the information about sports, news, business, or whatever else you’re browsing for. Using Adblocker also speeds up your browsing, protects you from malvertising, and saves bandwidth for those of you trying to save money on your data plans. Not bad for a free app. Plus, it all operates in accordance with F-Secure’s Privacy Principles. F-Secure can’t connect the information about your web traffic with anything else about you, so you don’t have to worry about sharing information with companies looking to exploit your personal data. The paper is a quick easy read and gives you a comprehensive breakdown about how Adblocker works, so it’s worth checking out if you’re interested in learning how products being ad free can improve your web browsing experience. [Image by Chris Schmich | Flickr]

February 5, 2016
BY 
Data Privacy Day

It’s Data Privacy Day, but What does that Mean to You?

Today is Data Privacy Day (or Data Protection Day as it’s known in Europe). Unfortunately, that doesn’t mean you get gifts, so it hasn’t caught on in the same way as holidays like Christmas. But what you do get is the chance to take part in the conversation about how you see the boundaries that separate your public life from your personal life. So what do you have to say about this? And why is this topic so important anyway? Well, F-Secure Security Advisor Sean Sullivan posed this question to just over 1,000 people in the US and UK in 2014. While about 83% of respondents said they don’t have anything to hide (slightly more in the UK than the US), 89% said “no” (again, slightly more in the UK than in the US) when asked “Would you want to share everything about your life with everyone everywhere, all the time, forever?” [polldaddy poll=9289730] The point being – people think about privacy in different ways, and a lot of what they think is shaped by the conversations about privacy that we have. A recent F-Secure survey posed a variety of security and privacy related questions to almost 9000 people in 11 different countries. You can see the breakdown of some of the results below. When asked about whether they were concerned about data privacy, and if they changed their Internet habits as a result, many people disagreed with the statement (more Americans seemed concerned compared to other nationalities). So people are either unconcerned about their data privacy, or at least not enough to change their behavior. However, other questions focused more on particular threats to online privacy, and these responses indicated considerably more people are concerned about these threats. The majority of respondents said they avoided using public Wi-Fi – a well-documented security and privacy risk. And an overwhelming majority of respondents said they avoid installing apps asking for unnecessary app permissions (which are critical for controlling what apps can access what data). Avoiding using certain apps or services strikes me as an indication that people are concerned about these things. And they’re right to be worried about these things, which becomes more apparent when confronted with questions that highlights how vulnerable their online privacy actually is. I asked Sean about this, who pointed out the way we talk about things like privacy on Data Privacy Day/Data Protection Day is more significant that people might think. “In North America, we say Data Privacy Day. In Europe, we say Data Protection Day. They refer to the same thing, but represent it in different ways,” says Sean. “I want to protect my data because privacy is important to me. I don’t want everyone to know my phone number or my credit cards number, so I try and use services that don’t collect this information.” “It’s not because I’m emotionally attached to my personal space, even though that’s important, but I feel like that information could be used in ways that may be harmful. And that aspect isn’t always clear when people talk about online privacy.” Just over a year ago, Sean wrote that he’d like to ask people “Are there things in your past that are best left forgotten?” Maybe today is a good day to start talking about that.

January 28, 2016
BY