In my last two blogs I’ve looked at what privacy is all about in a digital sense, and how creeping surveillance affects us all. In 2022, we’re all just a product to the ad industry.

In this blog, I’m going to provide some tips on how you can protect your privacy by doing some basic stuff – and I’ll also keep the tech jargon to a minimum (that can’t be simply explained, anyway).

Check your phone and tablet’s privacy controls

It might be a surprise to many that in your device’s setting there are several ways to limit what’s collected by your handset or tablet manufacturer¹. Despite their reputation, Google does provide a lot of controls to limit tracking, though older Android handsets that can’t run newer versions of Android will miss out on recent changes. Don’t get smug Apple users, I’m talking to you too; the default iPhone settings send plenty of ad related info to Apple.

One thing a little less obvious are your device’s network options. Turning off WIFI and Bluetooth when you go out shopping will stop you connecting to shop beacons, which track you to target you with ads.

Snooping on you 24/7? There’s an app for that

More apps than not, in fact. I’m not kidding. Even if you flick every privacy switch you can on your devices, the second you install an app you might be turning your device back into a digital spy. And again, Apple users, this applies to you too, even if you choose ‘ask apps not to track’ in iOS.

Apps might ask for access to your location, contacts, your photos, microphone, camera… do you really know what they are doing with it all? Could your apps access these things without asking? Once you’ve given them permission, they can (largely) access them whenever they like. So, you should only install apps from companies that you trust, have good privacy controls or you’re happy for them collect data about you. In most cases, apps like Facebook, Twitter or LinkedIn can be managed in a browser much more privately than the app. Sure, they’ll bug you to install their apps, but that’s only because they want more data to monetize you!

Even apps that don’t come from the big tech giants like Facebook and Google might still use their services, especially where ‘app measurement’ is concerned. Technically, this should be data sent back to developers to tell them about the use of the app – performance, crashes etc. but a lot of metadata about you can also be sent, and aggregated with other data on you to build a more granular picture. It’s possible to limit this too – see the section below on Firewalls.

Many other types of apps, especially games, productivity, photo and messaging apps won’t have the browser option – so you either don’t install it or let them suck your data. Don’t like WhatsApp because it’s owned by Facebook? Try Signal instead, you might be surprised how many of your friends use it. By the way, there are genuine apps for lots of stuff that don’t play the surveillance game, so watch out for those.

Browsers and the web

There is good news about browsers – there are a good number of privacy friendly alternatives that can do a lot to shield you from data harvesting. Personally, I use DuckDuckGo, Firefox and Brave (a privacy focused version of Chrome). Each is different, but all do a good job of blocking attempts to track you. Just using multiple browsers is a good thing too, and don’t be afraid to clean out the cache regularly – it helps with privacy a lot (normally in settings>privacy or settings>data management).

One word of caution on ‘private browsing’ or ‘incognito mode’ – these offer little privacy beyond your device. Someone with your device can’t look at your history once the tabs are closed, and because cookies get wiped, computers at the other end can’t access 3^rd party tracking cookies. That aside, your network provider will know what you’re doing and computers at the other end can still do much of their stuff. For example, they’ll still know broadly where you are (your IP address gives this away) and they may recognise your device’s fingerprint² – so they’ll still know it’s you.

This is more of a desktop issue, but a word of caution on browser plugins. Brave is a version of Google Chrome (which is in fact Open Source) made to be more private, so you can install Chrome plugins. If you start with privacy focused browser and then add data vampire plugins, you’re no better off. Choose your plugins carefully. You should also weigh-up the privacy implications of ‘Sign in with’ tools from the big tech companies – each is different, and certainly don’t use any of them without two-factor authentication.

Next steps: VPNs and Firewalls

A VPN (Virtual Private Network) uses a technology that hides your IP address – the ID assigned to your device for network access. It does it by sending all your network traffic through an encrypted tunnel to a datacenter somewhere. This has several advantages. It means your telco can’t monetise your browsing or network habits, and it also means you can connect to services back home while you’re your travelling³. Someone can travel from Europe to the US for example, and still get the local to home experience because all of the network traffic will come from your home country. The ones to look for commit to no activity logging, but again, you need to choose carefully and look at reviews from independent experts in this area. Also remember you have to pay for VPNs – if they’re free, they are invariably just data vampires.

Firewalls are another useful tool in your armoury³. I use a firewall that blocks tracking using app measurement tools and lots of known malware, and while it’s free, they really want you to use their paid VPN service. Mine does break a couple of apps, but it’s something I can manage. If you do run one of these and app stops working, switch off the firewall and try again.

When I first installed my firewall and saw just how much traffic was blocked (much of at night) I was amazed. I’ve set my phone up to be ‘private’ and it’s still blocked 89K attempts.

Search engines

Just as with browsers, the search engine news is also good. While Google is by far the runaway leader in search, there are other options that will deliver great results. Startpage and DuckDuckGo both offer comparable search tools, though I would recommend letting DuckDuckGo manually know you location – before I did this, I was unhappy with the results. Now I use them all the time. Other privacy focused search engines are available.

Smart stuff

Cars. TVs. Speakers. TV dongles and streaming boxes. Smoke detectors and heating thermostats. Water and energy meters, plugs and lights – the list goes on. All now smarter than they were, all now capable of surveillance, so don’t ignore them. My own bugbear are smart TVs. One of mine has no privacy controls at all, the other won’t let me upgrade to the new OS without turning off the privacy controls. Neither are legal under GDPR or the UK’s Data Protection act, but they get away with it. Whatever you have, check what privacy controls you have, and use them. Popular devices like Amazon Alexa and Ring, Google Nest and other smart devices may have more controls than they used to, but you should still read their privacy policies – you might be surprised what you find.

The privacy arms race

Why bother with all this? I point you back to the first blog in this series. Surveillance is rife, and it’s hidden from you. The free stuff you get is hailed from the rooftops, but the sleezy snooping is quietly swept under the carpet… but it’s very well used, to productize you and your life. And not in a good way. I’ll warn Apple users again too. While many Android users are aware of what they’re dealing with, many iOS users are falling for the privacy ads from Apple, who have been ramping up their advertising revenue very nicely, thank you. Don’t be complacent with either platform.

Where will tracking go next – time-based pricing for energy or water use? Car and health insurance, perhaps? It’s already happening. Right now, it’s early adopters are taking these things up because it suits them or there’s a financial advantage. What about when it’s the norm and you’re on the wrong side of the system or in a marginalized group?

Also consider this. Should sensitive data about you be hacked, things could escalate quickly and you could end up feeling like you’re in an episode of Black Mirror.  Remember, if you don’t look after your privacy no one will do it for you. It’s time to tool-up⁴.

1: Wired has tips for Android here and iOS here. For iOS, ignore the advice about Protect Mail Activity – it’s actually bad advice. Instead, turn Protect Email Activity OFF and new switches appear, turn both switches ON for the best protection

2: Browser Fingerprinting: What Is It And What Should You Do About It?, PixelPrivacy, July 2021

https://pixelprivacy.com/resources/browser-fingerprinting/

3: A good firewall for iOS and Mac is https://lockdownprivacy.com/ and for Android (and iOS) I try https://blokada.org/

4: Privacy myths busted: Protecting your mobile privacy is even harder than you think, CNET, Jan 2022, https://www.cnet.com/tech/services-and-software/privacy-myths-busted-protecting-your-mobile-privacy-is-harder-than-you-think/

Not long ago if you went to McDonalds for a coffee, it came with a sticker on the cup. If you saved up six on a little piece of card (also on the cup), your 7^th coffee was free. A simple system, and very private.

That sticker system was scrapped in 2020, for an app¹. Suddenly, McDonalds have gone from knowing nothing about you, to collecting your financial info, your location and even looking at your search and browsing history. And for your <cough> convenience, you can sign-in with Facebook, Google or Apple.

OK, so I work in business too, and it’s imperative that you use data to understand customer behaviour and market to them. But do you really need this level of information? This is just one example of what I refer to as ‘creeping surveillance’.

How data about you is monetized

I can only guess at what all that data is used for in the example above², but it’s typical of many apps that give you free stuff in exchange for data. I also don’t want to beat-up on McDonalds – as a reputable business they do provide opt-outs and are doing a lot to transform their business into a more sustainable one, which is great news.

Much more problematic are where the developer’s ONLY purpose for the app is to siphon your data – the user functions are merely a ruse designed to get you to install it. From games to widgets, productivity apps, and even ones that claim to protect your privacy. Whatever function you need, you can be pretty sure there’s a ‘data vampire’ app for that.

But why? Well, data about you is a lucrative business.

We value your privacy

It may be the biggest lie ever told. They sure do value it though. They value it because your privacy is up for sale all over the place – and mostly, WITH your consent³. Cookie walls – you hate them, so you click OK. Privacy policies – you hate them too, so you don’t read them. Data collection opt-outs are hidden or long winded. It’s all by design. It’s called obfuscation, and they want you to give in. Even user ‘privacy control panels’ are mostly designed to mislead you – all of which, incidentally, is not technically allowed under GDPR.

Data about you⁴ makes $billions for big tech, but smaller companies can still make huge profits from personal data collected from websites and apps. Depending on the level of detail, the data from just a few thousand individuals could net thousands of dollars for a small company, or even a lone developer. It all goes into a pot that profiles you to a scary level of detail – believe me when I say they can predict your actions better than you can. That’s why real time bidding ad-clicks can go for anything from a few cents to $2 and up. Remember, that’s just for a single user click on an ad.

It’s time for business to believe in choice

Creeping surveillance has become normalized when it really should not be – it’s dysfunctional. Many people believe privacy to be a human right. Even Mark Zuckerberg purchased the properties surrounding his own⁵ to create a privacy buffer for his family (which you contributed to, I’m sure he’s grateful). It’s not the only example – Larry Page, the co-founder of Google is a famously private person. The fact is that the people that want to trade on your privacy, crave it for themselves.

This is why data collection should be a choice. Just because you can, doesn’t mean you should. Let’s not forget that many people are happy with data collection – they want the most integrated and tailored experience possible.  And they want it even though they know the ramifications; I’ve met ‘privacy professionals’ that think this way. Personally, I do my best to avoid tracking, apart from with the companies I trust, then I play the game. Surely looking for engaged people like that means you’ve found your hot prospect?

Talking from the business side for a moment, there are plenty of ways to combine tactics – tokenisation, anonymization, differential marketing (and more), in addition to what I’m sad to say has become ‘traditional’ data collection. Let people choose, it fosters trust. Make it simple to select what level of tracking people are comfortable with, including ‘none’. This layered approach will make your prospects and customers happy – if they trust you. It shouldn’t really trouble you unless you are Meta, Google, or swathe of other big names, of course.

The problem is that marketing teams are under so much pressure to get lead numbers up, lead quality suffers. This is often driven by sales management demanding more leads, only to complain about lead quality afterwards, at which point they blame marketing. So, whether you’re in sales and marketing or just reading this with a casual interest in privacy, consider this. When the starting gun was fired on GDPR in May 2018, many US websites worried about the legal consequences blocked European visitors, but the New York Times took a different approach. They dropped real-time bidding and behavioural ads and focused on contextual and regional ads instead. The NYT ad business continued to grow ‘nicely’ as they put it⁶, even without all that creepy targeting.

In my next blog I’ll be looking at what you can do to preserve your privacy. When you lose ground to this sort of creeping erosion of your rights, it can be really very hard to reclaim them, so it’s important that we all keep fighting.

1: This blog refers to the UK App; screen shot shows the privacy information from Apple’s UK app store. Data collection may vary by country or region

2: I have asked McDonalds why they need my browsing history on several occasions, but so far, they have not responded

3: Don’t get hung-up on consent folks, it’s not needed if a business has what’s called a ‘legitimate interest’ – which can be a rather stretchy, elastic term when in the hands of less reputable businesses

4: Note that I don’t refer to it as ‘your data’ – that’s because it isn’t

5: Why Mark Zuckerberg buys up properties that surround his 10 homes:
https://www.scmp.com/magazines/style/news-trends/article/3009010/why-mark-zuckerberg-buys-properties-surround-his-10

6: After GDPR, The New York Times cut off ad exchanges in Europe — and kept growing ad revenue, Digiday, Jan 2019:
https://digiday.com/media/gumgumtest-new-york-times-gdpr-cut-off-ad-exchanges-europe-ad-revenue/

Extortionists like multiple levers

In my last blog, I wrote about the perils of data growth and the increased ‘attack surface’ it presents, which was part of a wider message on data and sustainability. Here, I’m digging into the security aspect of data growth, how it relates to cyber-attacks and especially to ransomware.

Let’s start with the mind of the attacker. The more hooks they have you on, the more likely you are to pay. Even now, organisations (commercial & public sector) are still falling victim to ransomware without a reliable cyber-recovery strategy. If your attacker infiltrates your organisation undetected for months, not only can they encrypt your data, but they can also extract it. This is an increasing problem, known as leakware, or double extortion.

The idea behind leakware is that in addition to encrypting your data, the attackers will also make exfiltrated sensitive data publicly available. The idea is to scare you into paying the ransom not just to get back access to your encrypted data, but also to avoid regulatory fines and/or lawsuits. Both can be eye-watering in scale, and despite the headlines GDPR isn’t the scary one here – class action suits could cost many times more¹. There’s also the addition of brand-damage which can really hurt you depending on the sector you operate in. Leaked legal, financial, or medical records are particularly devastating, and research indicates that a data breach in a small or medium business leads to closure of the company in up to 60% of cases².

Ransomware-as-a-Service doesn’t come with an SLA

The murky world of ransomware has a lot of variability. Ransomware-as-a-Service means you could be hit by an inexperienced hacker looking to make a fast buck, or a ‘professional’ criminal gang with capabilities that rival that of nation states.

So, on the upside they might be bluffing about having your data… but how can you tell for sure? If they offer you a sample or file names, ask to see everything. It’s easy to make copies and a professional gang can (somewhat ironically) give you a secure connection. They wont worry about storage costs either. This will also give you some time to check your security logs, and to engage a crisis/breach management specialist³.

Doh! They have our sensitive data!

‘Well, that’s just bad luck, isn’t it?’ Unfortunately, regulators and litigation lawyers will always see the answer to that as ‘no’. From un-patched firewalls and VPNs to unsecured cloud buckets, and rogue employees, it’s always the fault of the organisation, and it’s the organisation that ultimately pays up. Er, but…

• My data was encrypted! Encrypting data at a storage level doesn’t help if hackers have user-level access
• The user shouldn’t have had the breached data in the first place! Still your fault – training, access controls, data policy etc.
• It was the database admin that made an insecure copy. A control issue: DBAs should not have un-checked access that enables them to make unauthorised copies
• How can we pay that much??? Maybe you shouldn’t have collected personal data that you didn’t explicitly need, or held on to data for so long

Where (and when?) did you park your time machine?

Sadly, if you’re in a situation right now where leakware has led to a confirmed data breach, you have very few options. ‘What about my cyber-insurance?’ I hear you say. Before you rely on it (or buy it) I recommend you research it carefully – many experts question its impact and its value⁴.

If you operate in the EU, and personal data on EU citizens is compromised, you MUST report a data breach to the supervisor authority within 72 hours. The UK’s Data Protection Act 2018 is the same. Regulations in other countries vary but trying to keep a breach quiet will invariably get you into more trouble and will always lead to larger fines than ‘fessing up’. You also have a duty to your customers (and suppliers) to notify them so that they can take any necessary action to protect themselves – failures here will harm you in court if that’s where you end up.

Ultimately, for leakware to work the cyber criminals are relying on your integrity falling short. If it does and you pay the crooks, how can you be sure they will delete the copies they have? You really can’t.

Three steps you can take today to mitigate the risk of leakware:

• Have a security review. Employ some security specialists to assess your organisation and importantly, act on what they say
• Sort your data out. Data growth increases your attack surface (risk) and costs you lots of money. Profile your data and expire, secure and archive based on content and business policy. Automate it for the future or you’ll end up in the same state again
• Get a training program in place. Your users are a big risk factor, and they are also your eyes and ears. Training helps reduce risk and spot issues early

No security is fool proof, so in addition to these steps having a backup and disaster recovery system that is resilient to ransomware is also critical. Look for a zero-trust security model, immutable backups, and air-gapped cloud storage as a minimum. These won’t help with leakware but are essential components of any serious ransomware risk mitigation strategy.

As I said in my last blog, sorting out your data can save you buckets of money, enough to beef up your security and train your staff, with change to spare. I can’t see any boardroom turning that down.

Sources:

1: EasyJet example: DPA 2018 (GDPR) states that companies who fail to secure personal data can be fined up to 4% of their turnover – for EasyJet in 2019 it was a little over £6B; pre-pandemic law firm PGMBM planned to file an £18 billion class-action lawsuit for the same breach. While neither are likely to meet the headline figures, the company could end up paying out on both

2: 6 Potential Long-Term Impacts of a Data Breach, Security Intelligence, Nov 2021 https://securityintelligence.com/articles/long-term-impacts-security-breach/

3: Crisis management companies can provide forensic security services, expert IT support, legal help and reputational damage management – but don’t wait until you need one to research them

4: Cyber-Insurance Fuels Ransomware Payment Surge, security Threatpost, June 2021 https://threatpost.com/cyber-insurance-ransomware-payments/166580/