Not long ago if you went to McDonalds for a coffee, it came with a sticker on the cup. If you saved up six on a little piece of card (also on the cup), your 7th coffee was free. A simple system, and very private.
That sticker system was scrapped in 2020, for an app¹. Suddenly, McDonalds have gone from knowing nothing about you, to collecting your financial info, your location and even looking at your search and browsing history. And for your <cough> convenience, you can sign in with Facebook, Google or Apple.
OK, so I work in business too, and it’s imperative that you use data to understand customer behaviour and market to them. But do you really need this level of information? This is just one example of what I refer to as ‘creeping surveillance’.
How data about you is monetized
I can only guess at what all that data is used for in the example above², but it’s typical of many apps that give you free stuff in exchange for data. I also don’t want to beat up on McDonalds – as a reputable business they do provide opt-outs and are doing a lot to transform their business into a more sustainable one, which is great news.
Much more problematic are the apps where the developer’s ONLY purpose is to siphon your data – the user functions are merely a ruse designed to get you to install them. From games to widgets, productivity apps, and even ones that claim to protect your privacy. Whatever function you need, you can be pretty sure there’s a ‘data vampire’ app for that.
But why? Well, data about you is a lucrative business.
We value your privacy
It may be the biggest lie ever told. They sure do value it though. They value it because your privacy is up for sale all over the place – and mostly, WITH your consent³. Cookie walls – you hate them, so you click OK. Privacy policies – you hate them too, so you don’t read them. Data collection opt-outs are hidden or long-winded. It’s all by design. It’s called obfuscation, and they want you to give in. Even user ‘privacy control panels’ are mostly designed to mislead you – all of which, incidentally, is not technically allowed under GDPR.
Data about you⁴ makes $billions for big tech, but smaller companies can still make huge profits from personal data collected from websites and apps. Depending on the level of detail, the data from just a few thousand individuals could net thousands of dollars for a small company, or even a lone developer. It all goes into a pot that profiles you to a scary level of detail – believe me when I say they can predict your actions better than you can. That’s why real time bidding ad-clicks can go for anything from a few cents to $2 and up. Remember, that’s just for a single user click on an ad.
It’s time for business to believe in choice
Creeping surveillance has become normalized when it really should not be – it’s dysfunctional. Many people believe privacy to be a human right. Even Mark Zuckerberg purchased the properties surrounding his own⁵ to create a privacy buffer for his family (which you contributed to, I’m sure he’s grateful). It’s not the only example – Larry Page, the co-founder of Google, is a famously private person. The fact is that the people that want to trade on your privacy, crave it for themselves.
This is why data collection should be a choice. Just because you can, doesn’t mean you should. Let’s not forget that many people are happy with data collection – they want the most integrated and tailored experience possible. And they want it even though they know the ramifications; I’ve met ‘privacy professionals’ that think this way. Personally, I do my best to avoid tracking, apart from with the companies I trust, then I play the game. Surely looking for engaged people like that means you’ve found your hot prospect?
Talking from the business side for a moment, there are plenty of ways to combine tactics – tokenisation, anonymization, differential marketing (and more), in addition to what I’m sad to say has become ‘traditional’ data collection. Let people choose, it fosters trust. Make it simple to select what level of tracking people are comfortable with, including ‘none’. This layered approach will make your prospects and customers happy – if they trust you. It shouldn’t really trouble you unless you are Meta, Google, or one of a swathe of other big names, of course.
The problem is that marketing teams are under so much pressure to get lead numbers up, lead quality suffers. This is often driven by sales management demanding more leads, only to complain about lead quality afterwards, at which point they blame marketing. So, whether you’re in sales and marketing or just reading this with a casual interest in privacy, consider this. When the starting gun was fired on GDPR in May 2018, many US websites worried about the legal consequences blocked European visitors, but the New York Times took a different approach. They dropped real-time bidding and behavioural ads and focused on contextual and regional ads instead. The NYT ad business continued to grow ‘nicely’ as they put it⁶, even without all that creepy targeting.
In my next blog I’ll be looking at what you can do to preserve your privacy. When you lose ground to this sort of creeping erosion of your rights, it can be really very hard to reclaim them, so it’s important that we all keep fighting.
1: This blog refers to the UK App; screenshot shows the privacy information from Apple’s UK app store. Data collection may vary by country or region
2: I have asked McDonalds why they need my browsing history on several occasions, but so far, they have not responded
3: Don’t get hung-up on consent folks, it’s not needed if a business has what’s called a ‘legitimate interest’ – which can be a rather stretchy, elastic term when in the hands of less reputable businesses
4: Note that I don’t refer to it as ‘your data’ – that’s because it isn’t
5: Why Mark Zuckerberg buys up properties that surround his 10 homes:
6: After GDPR, The New York Times cut off ad exchanges in Europe — and kept growing ad revenue, Digiday, Jan 2019:
GDPR at 4: the Good, the Bad and the Ugly
I have written several recent opinion pieces to reflect on the fourth anniversary of the European General Data Protection Regulations (GDPR). I wanted to summarise them here for the readers of Elnion.
Much of the commentary from me and others has been somewhat negative, pointing out what has not worked – and there is plenty that has not. However, we should remember that prior to GDPR there was limited general awareness of the importance of privacy, little recognition by organisations that they needed to take it seriously and an assumption by many that privacy was simply too complicated or intangible to be regulated at all.
With this hindsight in mind, it is obvious that we have come a long way and that there is now broad awareness of privacy, organisations are almost all now taking it seriously and that GDPR has not only been in force for four years now, but it has spawned many other privacy regulations elsewhere – from CCPA in California and POPI in South Africa, to LGPD in Brazil and countless further regulations in other nations or US states. This is no small achievement.
Unfortunately, GDPR has come in for much criticism. This has either been a reaction to the cost and inconvenience of compliance, or it has been frustration at the way that it has been applied or enforced.
Many commentators, myself included, have railed against the cost and inconvenience of GDPR compliance. My personal mantra has always been to seek to strike the right balance between meaningful protection (digital ethics, privacy and cybersecurity) and the maximisation of economic and social value (cloud, digital transformation and innovation).
It can be argued however that we currently have the worst of both worlds – there is little in the way of meaningful protection, given the lack of enforcement (which I will come on to). And at the same time, we are inhibiting innovation, with many startups opting either to base themselves outside the EU in order to avoid the overhead that GDPR represents or struggling to thrive within the EU while at a disadvantage to overseas rivals.
To a great extent, such complaints can be overstated. ALL organisations that value their customers and their own reputation, should not only have adequate data management processes in place, but should also have an organisation-wide culture of respecting both privacy and cyber hygiene (and with it cybersecurity). It is only those organisations that lack a ‘privsec’ culture that incur what they would see as ‘extra’ cost when it comes to compliance. That is not to say that the burden could not be eased for start-ups to help foster innovation – under the clear emphasis that they should be getting their act together anyway, because the rules will apply to them fully at some point if they succeed in growing at all.
GDPR’s greatest failing has not been down to the regulations themselves, but to their enforcement. As I explain in detail in my articles for Accounting Web and for Commvault, most of the responsibility for regulating the tech giants has fallen to the Irish regulator – the Irish Data Protection Commission (DPC). This is because most of the large tech firms, attracted by the country’s low corporation taxes, have chosen to base their European headquarters in Ireland.
Reluctant to rock the boat, the Irish DPC has almost entirely failed to enforce GDPR on firms like Google and Facebook that not only have business models focused on exploiting data, but that have also been accused of being among the most flagrant abusers of people’s privacy. Whatever the merits of such accusations, it is the DPC’s job to investigate and where necessary to take action.
Even in major instances where the highest European courts have ruled against such firms, as was the case almost two years ago for Facebook in the Schrems II trial, the Irish DPC has yet to enforce such rulings. Indeed, such is the DPC’s failure to enforce GDPR that it has even been sanctioned by the European Parliament – in a vote of 541 to 1.
It is notable that in the latest European regulation on content moderation, there has been a move towards central enforcement, to avoid the scenario where a local enforcement organisation such as the Irish DPC is ineffective.
The Irish DPC’s complaint that it is under-resourced rings hollow. It may well have a far lower budget than Facebook or Google spend on their lobbying or legal activities, but this has not prevented other local Data Protection Authorities (DPAs) ruling against these giants.
Indeed, such has been the success that Facebook has had in holding off enforcement, even of the Schrems II ruling, that some firms now see an actual business case for non-compliance. Indeed, the Irish DPC has been accused not only of being complicit, but even of also being potentially corrupt in the way that it has failed to act.
While changes to the regulations themselves to encourage innovation or to the enforcement regime to hold BigTech to account are actions that the EU could take to improve GDPR, there is one major issue that is beyond its control entirely – the schism between the EU and US.
There is an ideological gulf between the EU’s prioritization of privacy as a human right and the US’s prioritization of surveillance for national security. It has already led to the demise of both Safe Harbor and Privacy Shield (note the Schrems II ruling) and will dog attempts to implement any replacement.
The recent announcement of a new transatlantic agreement lacked much in the way of substance or legal merit. Its claim that it would be supported by presidential executive orders is of great concern as these are easily reversed and have little legal foundation. Introducing real measures for adequate judicial supervision in the US would require legislation. Unfortunately, complete gridlock in Congress has made it impossible to introduce any federal privacy law. Adding the need for additional measures to keep the EU happy would make any such legislation even more difficult to pass.
We shan’t be holding our breaths for any federal privacy law, let alone one that might resolve the concerns on this side of the Atlantic.
The most that we can probably do is seek as much harmony as possible on either side of the Atlantic divide, with as much alignment as possible between the EU and UK versions of GDPR and with regulation at the federal level in the US at some point in the future to align the proliferation of state by state privacy laws.
I am an optimist – hence my ability to recognise the ‘Good’ where many others have not. I also believe that the ‘Bad’ can be addressed eventually if the Irish DPC can be forced to act (or failing that can be bypassed). I have less confidence that the ‘Ugly’ will be addressed any time soon.
How to fight for your privacy
In my last two blogs I’ve looked at what privacy is all about in a digital sense, and how creeping surveillance affects us all. In 2022, we’re all just a product to the ad industry.
In this blog, I’m going to provide some tips on how you can protect your privacy by doing some basic stuff – and I’ll also keep the tech jargon to a minimum (that can’t be simply explained, anyway).
Check your phone and tablet’s privacy controls
It might be a surprise to many that in your device’s settings there are several ways to limit what’s collected by your handset or tablet manufacturer¹. Despite their reputation, Google does provide a lot of controls to limit tracking, though older Android handsets that can’t run newer versions of Android will miss out on recent changes. Don’t get smug, Apple users, I’m talking to you too; the default iPhone settings send plenty of ad related info to Apple.
One thing a little less obvious is your device’s network options. Turning off Wi-Fi and Bluetooth when you go out shopping will stop you connecting to shop beacons, which track you to target you with ads.
Snooping on you 24/7? There’s an app for that
More apps than not, in fact. I’m not kidding. Even if you flick every privacy switch you can on your devices, the second you install an app you might be turning your device back into a digital spy. And again, Apple users, this applies to you too, even if you choose ‘ask apps not to track’ in iOS.
Apps might ask for access to your location, contacts, your photos, microphone, camera… do you really know what they are doing with it all? Could your apps access these things without asking? Once you’ve given them permission, they can (largely) access them whenever they like. So, you should only install apps from companies that you trust, that have good privacy controls, or that you’re happy to let collect data about you. In most cases, apps like Facebook, Twitter or LinkedIn can be managed in a browser much more privately than the app. Sure, they’ll bug you to install their apps, but that’s only because they want more data to monetize you!
Even apps that don’t come from the big tech giants like Facebook and Google might still use their services, especially where ‘app measurement’ is concerned. Technically, this should be data sent back to developers to tell them about the use of the app – performance, crashes etc. but a lot of metadata about you can also be sent, and aggregated with other data on you to build a more granular picture. It’s possible to limit this too – see the section below on Firewalls.
Many other types of apps, especially games, productivity, photo and messaging apps won’t have the browser option – so you either don’t install it or let them suck your data. Don’t like WhatsApp because it’s owned by Facebook? Try Signal instead, you might be surprised how many of your friends use it. By the way, there are genuine apps for lots of stuff that don’t play the surveillance game, so watch out for those.
Browsers and the web
There is good news about browsers – there are a good number of privacy friendly alternatives that can do a lot to shield you from data harvesting. Personally, I use DuckDuckGo, Firefox and Brave (a privacy focused version of Chrome). Each is different, but all do a good job of blocking attempts to track you. Just using multiple browsers is a good thing too, and don’t be afraid to clean out the cache regularly – it helps with privacy a lot (normally in settings>privacy or settings>data management).
This is more of a desktop issue, but a word of caution on browser plugins. Brave is a version of Google Chrome (which is in fact Open Source) made to be more private, so you can install Chrome plugins. If you start with a privacy-focused browser and then add data vampire plugins, you’re no better off. Choose your plugins carefully. You should also weigh up the privacy implications of ‘Sign in with’ tools from the big tech companies – each is different, and certainly don’t use any of them without two-factor authentication.
Next steps: VPNs and Firewalls
A VPN (Virtual Private Network) uses a technology that hides your IP address – the ID assigned to your device for network access. It does it by sending all your network traffic through an encrypted tunnel to a datacenter somewhere. This has several advantages. It means your telco can’t monetise your browsing or network habits, and it also means you can connect to services back home while you’re travelling³. You can travel from Europe to the US, for example, and still get the same experience as at home because all of your network traffic will appear to come from your home country. The ones to look for commit to no activity logging, but again, you need to choose carefully and look at reviews from independent experts in this area. Also remember you have to pay for VPNs – if they’re free, they are invariably just data vampires.
Firewalls are another useful tool in your armoury³. I use a firewall that blocks tracking using app measurement tools and lots of known malware, and while it’s free, they really want you to use their paid VPN service. Mine does break a couple of apps, but it’s something I can manage. If you do run one of these and an app stops working, switch off the firewall and try again.
When I first installed my firewall and saw just how much traffic was blocked (much of it at night) I was amazed. I’ve set my phone up to be ‘private’ and it’s still blocked 89K attempts.
Just as with browsers, the search engine news is also good. While Google is by far the runaway leader in search, there are other options that will deliver great results. Startpage and DuckDuckGo both offer comparable search tools, though I would recommend letting DuckDuckGo manually know your location – before I did this, I was unhappy with the results. Now I use them all the time. Other privacy focused search engines are available.
Cars. TVs. Speakers. TV dongles and streaming boxes. Smoke detectors and heating thermostats. Water and energy meters, plugs and lights – the list goes on. All now smarter than they were, all now capable of surveillance, so don’t ignore them. My own bugbear is smart TVs. One of mine has no privacy controls at all, the other won’t let me upgrade to the new OS without turning off the privacy controls. Neither are legal under GDPR or the UK’s Data Protection Act, but they get away with it. Whatever you have, check what privacy controls you have, and use them. Popular devices like Amazon Alexa and Ring, Google Nest and other smart devices may have more controls than they used to, but you should still read their privacy policies – you might be surprised what you find.
The privacy arms race
Why bother with all this? I point you back to the first blog in this series. Surveillance is rife, and it’s hidden from you. The free stuff you get is hailed from the rooftops, but the sleazy snooping is quietly swept under the carpet… but it’s very well used, to productize you and your life. And not in a good way. I’ll warn Apple users again too. While many Android users are aware of what they’re dealing with, many iOS users are falling for the privacy ads from Apple, who have been ramping up their advertising revenue very nicely, thank you. Don’t be complacent with either platform.
Where will tracking go next – time-based pricing for energy or water use? Car and health insurance, perhaps? It’s already happening. Right now, early adopters are taking these things up because it suits them or there’s a financial advantage. What about when it’s the norm and you’re on the wrong side of the system or in a marginalized group?
Also consider this. Should sensitive data about you be hacked, things could escalate quickly and you could end up feeling like you’re in an episode of Black Mirror. Remember, if you don’t look after your privacy no one will do it for you. It’s time to tool up⁴.
1: Wired has tips for Android here and iOS here. For iOS, ignore the advice about Protect Mail Activity – it’s actually bad advice. Instead, turn Protect Email Activity OFF and new switches appear, turn both switches ON for the best protection
2: Browser Fingerprinting: What Is It And What Should You Do About It?, PixelPrivacy, July 2021
4: Privacy myths busted: Protecting your mobile privacy is even harder than you think, CNET, Jan 2022, https://www.cnet.com/tech/services-and-software/privacy-myths-busted-protecting-your-mobile-privacy-is-harder-than-you-think/
When ransomware is also ‘leakware’, what can you do?
Extortionists like multiple levers
In my last blog, I wrote about the perils of data growth and the increased ‘attack surface’ it presents, which was part of a wider message on data and sustainability. Here, I’m digging into the security aspect of data growth, how it relates to cyber-attacks and especially to ransomware.
Let’s start with the mind of the attacker. The more hooks they have you on, the more likely you are to pay. Even now, organisations (commercial & public sector) are still falling victim to ransomware without a reliable cyber-recovery strategy. If your attacker infiltrates your organisation undetected for months, not only can they encrypt your data, but they can also extract it. This is an increasing problem, known as leakware, or double extortion.
The idea behind leakware is that in addition to encrypting your data, the attackers will also make exfiltrated sensitive data publicly available. The idea is to scare you into paying the ransom not just to get back access to your encrypted data, but also to avoid regulatory fines and/or lawsuits. Both can be eye-watering in scale, and despite the headlines, GDPR isn’t the scary one here – class action suits could cost many times more¹. There’s also the addition of brand-damage which can really hurt you depending on the sector you operate in. Leaked legal, financial, or medical records are particularly devastating, and research indicates that a data breach in a small or medium business leads to closure of the company in up to 60% of cases².
Ransomware-as-a-Service doesn’t come with an SLA
The murky world of ransomware has a lot of variability. Ransomware-as-a-Service means you could be hit by an inexperienced hacker looking to make a fast buck, or a ‘professional’ criminal gang with capabilities that rival that of nation states.
So, on the upside they might be bluffing about having your data… but how can you tell for sure? If they offer you a sample or file names, ask to see everything. It’s easy to make copies and a professional gang can (somewhat ironically) give you a secure connection. They won’t worry about storage costs either. This will also give you some time to check your security logs, and to engage a crisis/breach management specialist³.
Doh! They have our sensitive data!
‘Well, that’s just bad luck, isn’t it?’ Unfortunately, regulators and litigation lawyers will always see the answer to that as ‘no’. From un-patched firewalls and VPNs to unsecured cloud buckets, and rogue employees, it’s always the fault of the organisation, and it’s the organisation that ultimately pays up. Er, but…
- My data was encrypted! Encrypting data at a storage level doesn’t help if hackers have user-level access
- The user shouldn’t have had the breached data in the first place! Still your fault – training, access controls, data policy etc.
- It was the database admin that made an insecure copy. A control issue: DBAs should not have un-checked access that enables them to make unauthorised copies
- How can we pay that much??? Maybe you shouldn’t have collected personal data that you didn’t explicitly need, or held on to data for so long
Where (and when?) did you park your time machine?
Sadly, if you’re in a situation right now where leakware has led to a confirmed data breach, you have very few options. ‘What about my cyber-insurance?’ I hear you say. Before you rely on it (or buy it) I recommend you research it carefully – many experts question its impact and its value⁴.
If you operate in the EU, and personal data on EU citizens is compromised, you MUST report a data breach to the supervisory authority within 72 hours. The UK’s Data Protection Act 2018 is the same. Regulations in other countries vary, but trying to keep a breach quiet will invariably get you into more trouble and will always lead to larger fines than ‘fessing up’. You also have a duty to your customers (and suppliers) to notify them so that they can take any necessary action to protect themselves – failures here will harm you in court if that’s where you end up.
Ultimately, for leakware to work the cyber criminals are relying on your integrity falling short. If it does and you pay the crooks, how can you be sure they will delete the copies they have? You really can’t.
Three steps you can take today to mitigate the risk of leakware:
- Have a security review. Employ some security specialists to assess your organisation and importantly, act on what they say
- Sort your data out. Data growth increases your attack surface (risk) and costs you lots of money. Profile your data and expire, secure and archive based on content and business policy. Automate it for the future or you’ll end up in the same state again
- Get a training program in place. Your users are a big risk factor, and they are also your eyes and ears. Training helps reduce risk and spot issues early
No security is foolproof, so in addition to these steps, having a backup and disaster recovery system that is resilient to ransomware is also critical. Look for a zero-trust security model, immutable backups, and air-gapped cloud storage as a minimum. These won’t help with leakware but are essential components of any serious ransomware risk mitigation strategy.
As I said in my last blog, sorting out your data can save you buckets of money, enough to beef up your security and train your staff, with change to spare. I can’t see any boardroom turning that down.
1: EasyJet example: DPA 2018 (GDPR) states that companies who fail to secure personal data can be fined up to 4% of their turnover – for EasyJet in 2019 it was a little over £6B; pre-pandemic law firm PGMBM planned to file an £18 billion class-action lawsuit for the same breach. While neither are likely to meet the headline figures, the company could end up paying out on both
2: 6 Potential Long-Term Impacts of a Data Breach, Security Intelligence, Nov 2021 https://securityintelligence.com/articles/long-term-impacts-security-breach/
3: Crisis management companies can provide forensic security services, expert IT support, legal help and reputational damage management – but don’t wait until you need one to research them
4: Cyber-Insurance Fuels Ransomware Payment Surge, Threatpost, June 2021 https://threatpost.com/cyber-insurance-ransomware-payments/166580/