Security and Privacy - 2014 in Review

The year 2014 was a big year for security and privacy. Big in the sense that people around the world were exposed to the reality that our privacy and security are at risk each and every day. It was a great year for security and privacy awareness because there has never been a year in my memory when security and privacy took such a central role in our public debate. This is why I want to take a look back at the most important events in 2014 that highlighted the importance of security and privacy protection.
Data Breaches in Major Retailers
Less than a year after the Target data breach, two major US retailers fell victim to another attack. This time it was Home Depot and Staples. The Home Depot data breach saw the theft of 56 million email addresses, credit and debit card numbers. The attackers apparently gained access to the company's network using a vendor username and password - much the same way the Target attack began.
The Staples data breach was smaller in scope - it exposed just a little over 1 million customer credit cards. This attack was caused by malware infecting multiple point-of-sale machines in multiple locations - again very similar to the Target attack. This breach could have been worse had it not been caught early. Apparently Staples was alerted to a possible problem when multiple customers complained of fraudulent credit card transactions after making purchases in their store.
Although the Home Depot and Staples data breaches had similarities with the Target breach, there is no clear and proven link showing that the people responsible were the same. It did teach us a very important lesson - that most major retailers have the same security vulnerabilities, i.e. point-of-sale machines have weak security features. A lot of retailers also have the habit of providing their vendors with log-in credentials with no clear limits on network access. These vulnerabilities were magnified this year and most retailers have stepped up their security.
Privacy Invasion - Apple Data Dump and the Uber Scandal
In August 2014 the whole world woke up to a massive data dump of nude celebrity photos exposing celebrities like Jennifer Lawrence. The photos were taken from the celebrities' iCloud accounts after they fell victim to a very sophisticated and targeted phishing scam. Have you ever received an email claiming to be from Apple support telling you to confirm your iCloud account by clicking on a link and providing your email and password? Yeah, these celebrities fell for that or a variant of that. This caused a huge PR problem for Apple as rumours started circulating that the iCloud infrastructure was hacked. This allegation was never proven and Apple has continued to deny it. Apple however did put in place some improvements to its iCloud security. Now every time you log in to your iCloud account on a new device it will force a two-factor authentication process (i.e. sending a verification code to your iPhone). This is a good step forward but two-step verification should be the default on any log-in attempt. If you want to know how to activate two-step verification on your iPhone read this Apple Support page.
Uber, the world's fastest growing start-up and taxi hailing service, came under fire this year after reports of privacy invasion. It started when news broke that an Uber executive used the company's access to track the movement of a journalist. It then got worse when it was revealed that employees have access to "GodView", where they actively track VIP customers without their knowledge and consent. Uber's CEO had to issue a lengthy public apology and promised to strengthen its privacy policy. In the wake of these privacy violations came a Twitter movement to #deleteuber.
These two privacy breaches to me show how our personal information is protected by 3 important factors that need to work together. The first factor is the user. The user must be vigilant in protecting their log-in credentials. If you receive an email that asks you to click a link and asks for your password - don't give it. If you are worried that the email is authentic, call the customer service of the company asking for your credentials and validate the request. We should also start the habit of using strong passwords and two-step verification. The second factor is the security features provided by the company we do business with. Companies that collect and manage our personal information should also be vigilant in protecting our privacy. They should actively seek out weaknesses in their security procedures instead of waiting for nude celebrity photos to leak on the internet. The third and final factor is the culture of the company. If the company's culture does not punish privacy breaches - in the case of Uber it actually promoted them when its executive started tracking a journalist - then no amount of user vigilance and security measures will suffice. Companies that have access to our information should have a strong internal process to review and punish privacy breaches. They should have a clear guideline on when information is to be collected, stored and accessed. Each employee's access to information should only be up to the level where the employee is able to perform his/her specific task. Nobody in the company should have a "GodView". I hope that the Apple and Uber stories have taught all of us a very important lesson: that protecting our privacy requires everyone's cooperation.
The US Government flip-flops on surveillance reforms
On January 17, 2014 President Obama delivered a speech to the American people promising major reforms in the NSA. He promised sweeping reforms to limit the scope of NSA mass surveillance and ensure that the privacy of American citizens is protected. He also proposed some reforms in how the FISA Court works by supporting the presence of a public advocate that would give the court some adversarial element. Although his speech defended the NSA programs, he did acknowledge the need for reforms, which was a good step in the right direction. This speech started some serious talk about reform in the US Congress and Senate, which resulted in the USA Freedom Act gaining bipartisan momentum in Congress. This bill was met with severe opposition and lobbying from the security establishment, and the Obama administration did not put the full political weight of the White House behind it. This resulted in a watered-down version of the bill passing the House. It was then sent to the US Senate, where a lot of people expected it to pass, but something changed. ISIS came out of nowhere and fear won over reason. The US Senate killed the bill in November. This was a major blow against meaningful reform of the NSA's surveillance program.
What about Obama's promise about reform? Well, in December his Justice Department requested the FISA court to re-authorize the NSA's mass surveillance programs for another 90 days. Since the FISA court has no public advocate, the request was approved. If Obama was indeed serious about reforms he would have allowed the program to lapse without any clear reforms in place. He also signed into law HR 4681, which formally institutionalizes warrantless mass surveillance of US citizens under section 309 of the act. (read full text of HR4681 here)
Right now it is safe to say that any kind of meaningful reform in the NSA is dead. At least not until a new administration comes into office. Not until another Snowden opens our eyes to the evil of surveillance. Not until we all become victims of the horror and evil of government warrantless surveillance.
Encrypt it all - Apple and Android turn encryption on by default
All the major tech companies were implicated by Edward Snowden's revelations about the Prism program. According to the leaked documents, the NSA had direct access to the servers of all major technology companies - Google, Apple, Facebook, Yahoo, Microsoft, Twitter, etc. All the companies implicated were unanimous in denying that they provided a direct tap into their servers. They all however mentioned that they comply with government data requests under existing legal provisions. This to me is not an outright denial but a play on words. Yes, they do not provide a direct tap, but when they are served with a FISA court issued order they will comply. To me this means the same.
The Snowden revelations put a lot of pressure on these technology companies not only in the USA but also abroad. Since these companies have customers from all over the world, the data that the NSA has access to through them will also be global. This infuriated a lot of countries and some have even threatened to balkanize the internet (i.e. Facebook can only store data on Brazilians on servers located inside Brazil). These technology companies had to distance themselves as much as possible from the government's surveillance program. They started by releasing reports on the number of government data requests they received in a quarter. 
Then Apple took it a step further. It announced that upon the launch of iOS 8, data encryption will be turned on by default. This means that the data stored on iOS devices running iOS 8 will be encrypted and only the user has the key. This essentially makes Apple technically incapable of complying with government orders to provide data since it would not be in possession of the encryption key. This announcement was welcomed by those concerned about the reach of the NSA and was soon followed by another technology giant - Google also announced that the next Android version will have encryption turned on by default.
The decision by Apple and Google to provide out-of-the-box encryption to their customers is a great leap forward toward giving users greater control of their data. If user data is encrypted by default and the encryption key is known only to the user, then this puts an added layer of protection against warrantless state surveillance. While privacy advocates celebrated this move, the heads of the CIA, FBI and GCHQ cried foul. Using their own twisted logic they claim that the decision made by Apple and Google will only endanger more lives and make the work of law enforcement harder. There are now calls for Congress to pass a law forcing technology companies to build backdoors into their encryption for the government to exploit. If you want to read a good rebuttal to their argument read this primer from Center for Democracy & Technology.
What to take away from all this?
One thing is clear to me when I look at these events - 2014 was a big year for security and privacy. More people are now aware of the scope and capability of governments in spying on them. More people are now aware of the threats that criminal elements pose to their personal and financial data. More people are now aware of the need to better understand the balance that needs to be struck between the role of government in security and the individual's right to privacy. I hope that in 2015 we continue to talk and debate these issues. We should fight hard against any attempt by people to use fear to cloud our judgement. We should resist the urge to believe in the flawed appeal that in order for us to be truly secure we have to give up our privacy. We should also get rid of this whole idea that only people with something to hide require privacy.
Let us make sure that in 2015 we continue this discourse and debate. Let us keep the pressure on government to reform and let us demand stronger privacy protection from the internet companies that we do business with. As individuals we should also be more vigilant in protecting our privacy - we should also start using stronger passwords and two-step verification. The sad reality is that right now, privacy protection starts with us. If we do not value our privacy then companies and the government will have no reason to.
