If privacy ever did exist, it’s gone the way of the unicorn. Yes, Victoria, unicorns once existed. Before proceeding, I’d like to give a shout-out to the multi-talented Bill Brenner, who gave me the idea of mood music for a blog. With that in mind, how about listening to The Unicorn song and letting it play as you read the rest of the blog? One might call unicorns and privacy birds of a feather.
The first time I took a look at Google Analytics I was surprised to see the breakdown of site visits by gender, age, and the name of the visitor’s favorite child. Ok, maybe not the name of the visitor’s favorite child. I wasn’t at all surprised that Google is able to provide this information, I just didn’t expect to see it there; I was just looking for page hits. This comes on the heels of me contemplating the insanity of fearing Covid tracking apps due to privacy concerns.
Really? People talk to Siri, Alexa, Cortana, and the unimaginatively named Google Voice Assistant, Google. Where do I apply for a job with Google as creative director?
People talk to their TV remote. Some people share their real-time location with Facebook and Twitter. In fact, some parents buy their children dolls that not only listen to what their kids say, but also upload every word to the Internet. One such doll, Cayla, was banned in Germany and the authorities recommended that parents destroy the doll if they have it.
Do you ever talk to Google on your Android phone? Before you could say “Google” you were logged into your Google account. Who you are, what your phone number is, your gender, who your contacts are, and much more is already known about you before you search the web for something like, let’s say, perpetual motion or privacy. That gives me an idea. I think I’ll register a website called “your_privacy.com” and present a 404 for the landing page. But I digress.
Some of us use anonymizing VPNs. Encrypted communications and spoofed locations are great, but if you don’t do things right, you will be uncloaked. At the RSA Conference 2018 I visited the BioCatch booth. The technology is quite interesting. BioCatch has a cool demo on YouTube. The part that was most interesting to me starts at 2:30 in the video, although the background information from the start might be good to see as well. Note: I am not promoting any product. Everybody has unique movements and VPNs do not mask these biometrics.
I have wondered if part of the purpose of reCAPTCHA is to defeat anonymizing VPNs. Frequently when I am presented with a reCAPTCHA, I will be presented with difficult puzzles, and several of them. One type of biometric authentication involves measuring motions, as well as other aggregated personal metrics, on touch screens. The principle applies to mouse movement as well. Where do you click on the images? How long between clicks? Motion paths, and where you aim to tag different types of images, are personally identifiable biometric indicators. Creating the initial biometric template for comparison may not be as difficult as one may think.
I’m not saying to give up on trying to regain some of our privacy, but we will not regain pre-Internet levels of privacy, especially if we’re using social media. Covid tracking apps are the least of my privacy concerns. There will be events and circumstances in the future that will require a risk/reward equation to determine whether or not to participate in privacy-related decisions.
An example of a privacy risk/reward equation that many people do not think about relates to your job. Your employer owns your company-supplied computer and phone. Your employer can snoop on most anything. If there is an agreement to use specific monitoring software on your BYOD laptop, then privacy is significantly compromised. Some corporate VPNs only tunnel traffic between the remote endpoint and company for performance or other reasons. It’s far from impossible to tunnel all of your traffic through the corporate VPN. Good old-fashioned network taps mean that your employer can capture and manipulate all of the traffic in and out of your computer.
What’s the risk in the risk/reward equation? If you put all of your information out there on social media, then the risk of the loss of privacy is diminished. If we assign a number to “risk” and another to “reward”, then we can see that if the number assigned to risk is greater than the number assigned to reward, the equation tells us that the risk probably isn’t worth taking. And so, the more “private” information we put out there, the less the value assigned to risk should be. What’s our risk/reward equation for employment? Risk = some lack of privacy. What’s the reward? Reward = work experience, learning new skills, benefits, or simply money. Your answer probably is going to be to take the risk in order to be employed. Of course, what the risk is, what the job is, and what your need or desire for money is will affect the risk and reward scores.
This is an equation I am frequently confronted with due to my use of an anonymizing VPN. Some sites refuse access. If I need to log into my bank, then I turn it off and take the risk. With respect to Covid tracking apps, some people have a simple knee-jerk reaction, while others do the math in order to make an informed decision. The Covid app is an example to illustrate the point, but situations deserving of the risk/reward analysis confront us frequently. Do you do the math?
Randy Abrams
Senior Security Analyst
SecureIQLab