Anyone can buy online ads and track your location in real time
Month: October 2017
Nowhere to hide. How technology is getting control over our private lives.
Last week Gizmodo published an entertaining story of a part-time sex worker Leila who found herself in distress after observing a few of her ‘secret life’ encounters among friend suggestions on her ‘public life’ Facebook account, despite doing her very best to keep the two identities apart. While Facebook is traditionally reluctant about revealing its friend candidates selection criteria (just as it is about nearly all its social algorithms), it is quite clear that the location service activated on her ‘public life’ phone played not the last role. Reports from many Facebook users suggest that random members of the public whom they met a few times on a train on their way to work often ended up on their suggested friends list. This research supports the point too.
This can hardly be referred to as something we didn’t come across before; everyone knows that services like Facebook collect our location information to ‘provide us with better user experience’, as everyone of us most certainly acknowledged after looking through the social network’s usage policy (just kiddin’ mate, of course no one in sound mind ever did that). However, Leila’s experience helped draw attention to the hidden implications of giving this powerful right to Facebook, and gave us a yet another reason to rethink the whole approach to our offline privacy. Indeed, every single connected person out there leaves an enormous trail of evidence. Twenty years ago each of us was a creeping pinhead-sized point on map. Today, we rather look like endlessly unwinding balls of yarn, with the escaping thread being our ever expanding online footprint. It is needless to say that it is very easy to get to the ball by following the thread, and it is very easy for someone to pull the whole thread up once they have caught the ball.
Clearly, the only way to stay incognito is to get rid of the thread. This can be harder than you might think at first, and switching the location service off might not be enough. A Nectar card you scanned at the petrol station in the morning, an Uber that takes you home after a night out, a YouTube video you watched through a Costa WiFi all give away your locations throughout the day without any assistance of the location service. No one can tell where this data travels further. Besides being used for sending you straightforward marketing materials or tailoring the price you pay for the service, it may easily be aggregated by third party businesses (just have another quick look through that usage policy) and then used for any imaginable purpose.
To get rid of your data trail, not only you need to disable the standard ‘senses’ of your phone (location, WiFi connectivity, camera and mic) to stop direct information collection. You should also walk through the list of your apps and assess each and every of them critically against their capabilities of distinguishing your identity from the others’. Typically this would mean that you have some form of an account with them. You never know what information about you and when an app may be collecting and accumulating in its knowledge base. Too many pieces of seemingly harmless or even anonymised details can be put together to establish identities of specific people with sufficient probability – just like it famously happened with NYC celebs’ taxi travels.
But that’s not it either, and the final aspect is a real toughie. The issue is that certain types of apps collect well enough information about us to make assumptions about our identities basing on surprisingly indirect facts. This is predominantly a capability of highly diversified collections of apps from the same vendor that offer a number of services of different kinds.
Suppose you plan to take your cat to a vet for the first time. You open Google search and look for any vets in your area. Once you are satisfied with your choice, you ring them up, arrange an appointment, and add a timed entry to your Google calendar. If Google is really lucky that day, you also use their Maps service to find out the best route to get there.
After a few days you’re off to the vet. Now, if you use one of the Google’s services anonymously or from your second phone over the vet’s WiFi network while waiting to be asked in, Google can make an assumption, basing on the knowledge they already hold about ‘known you’ (a selection of places you are likely to be at at this time and day, or even the exact place if you had used Maps), that this anonymous person is likely to be you. They may not be certain about it at first (meaning they would assign a lesser weight to this assumption and probably ignore it this time – while still keeping a note of it somewhere), but after one or two coincidences of this kind they will have evidence of sufficient weight to associate the anonymous surfer with your known identity. Neural networks are particularly good in tracing and aggregating large arrays of data to identify higher level relationships between seemingly unrelated facts.
This means that protecting your privacy is not an occasional or one-off activity, not something you can enable when you need protection and disable when you don’t. If you have reasons to split between two or more personalities – and sex workers are not the only or even the widest social group here; most of politicians and showbiz celebrities have very similar issues, – the task of keeping your privacy should become a strategy with clearly identified goals, conditions, and a well-defined process that fulfills and supports it.
And there’s definitely more to this to come. Wearables and IoT stuff, which are only making their first steps into the ‘big Internet crowd’ will add up to this world of glass heavily. The rise in data mining and neural networks will make it very simple to conduct high-quality automated research basing on indistinct and incomplete information very soon. So it’s a good moment to stop reading, go outside, look around, and breathe in the air of freedom without risking of being noticed by anyone – or anything. The chances are very high that your kids will only be dreaming of the times when privacy was achievable so easily.
(Picture credits: many thanks for the playing kittens to Stuart Rankin)
When the theft is inevitable
The hack of Equifax data centre followed by the Yahoo’s revelation of the exposure of its 3bn user accounts (in contrast to 1bn reported before) once again drew attention to the question of exposure of our private and personal data retained by global information aggregators. Due to enormous amounts of information they hold about you, me, and millions of others, they are quite a catch for cyber criminals. As the number of attacks similar to the one that targeted Equifax and their sophistication level will undoubtedly be increasing in near future, so will the chance of your personal data ending up in the hands of criminals.
While there is little we can do about Equifax and their security competencies, we certainly can do a lot more about platforms and services within our control. I am not talking social networks here; surprisingly, the fact that we understand the risks they pose to our privacy helps us perform some form of self-moderation when sharing our private details through them.
Such institution as banks, insurance companies, online retailers, payment processors, and major cross-industry service providers like BT, NHS, or DVLA, especially those under the obligation of KYC or AML compliance, hold enormous amounts of information about their customers, often without them realising this. The scope and value of this information expands far beyond payment card details. A hacker who gains access to a customer database held by any of those companies would almost certainly obtain an unconditional capability to impersonate any customer at any security checkpoint that does not require their physical presence (such as a telephone banking facility or a login form on a web site). For example, they could order a new credit card for themselves through your online banking account, or buy goods on Amazon in your name – but you’ll never see any of them.
This means that we may soon face an even steeper rise in the numbers of identity thefts and related fraud offences, and the Equifax precedent shows that we should take reasonable steps to protect us from those despite all the security assurances given to us by the information custodians. While in most cases we can’t influence online aggregators as to what details to keep and what security methods to employ, we can choose to strengthen the security checkpoints instead, and do this by tightening identity checks, limiting levels of access they grant us, and monitoring them for any suspicious activity.
Employing two-factor authentication is one of the best approaches to tightening the identity checks. If an online service offers it, use it. Even if the attacker manages to use your stolen identity to change your password through the legitimate password recovery procedure, they will be unable to sign in without having access to your second factor.
Limiting access levels is primarily about setting up artificial limits on the actions that you – or the impostor – can conduct with your account. These include any maximum amounts of money that can be spent in one day or month, hours of the day during which the account may be accessed, permitted locations and so on. Many online services offer support for such limitations, and it’s wise to use them. This is mainly a corrective facility that would help minimise your losses should your account get hacked.
Monitoring is about setting up e-mail or text notifications that would inform you about any usual and unusual activity around your account. Having a notification system in place is often the fastest way to identify that your account was hacked. Checking consistency of your account data manually from time to time may help much too.
Finally, it is always a good idea to follow the principle of the least disclosure. If the service doesn’t ask you for some details, or allows you not to answer – don’t give the details away just because. It inevitably turns out that the less a service knows about you, the better it is for you. Again, if you are offered a choice between providing less safe and more safe details, choose wisely. For example, setting up a recurring payment to be collected by direct debit is safer than have it charged monthly to a credit card.
To summarise the above,
1. Most online services suck at security; expect your details to be stolen one day.
2. Minimise the impact of the prospective theft by securing your sign-ins, limiting legitimate access, and setting up access monitoring.
3. Don’t give your personal information away unless required/forced to do so.