Data Digest № 030
Welcome to Datawallet’s Data Digest, where I review and occasionally analyze the latest news and the most critical developments in the data industry. Here’s a look at the latest developments:
“Equifax is a bank on Main Street that forgot to lock its vault.”
Four members of the Chinese military are facing charges of hacking Equifax, stealing U.S. trade secrets, and personal data of 145 million American citizens in 2017. Equifax, a data broker that amasses sensitive personal information of hundreds of millions of Americans without consent, was quick to use the indictment to deflect responsibility. However, following the investigation, it appears that Equifax’s cybersecurity measures were practically non-existent.
Months before the attack, the software Equifax was using, Apache, released a patch to prevent breaches stemming from a software vulnerability, but Equifax refused to adopt the patch. The suit alleged that the information “was not encrypted, but instead was stored in plain text... accessible through a public-facing, widely used website.” Furthermore, they “employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes.” Such negligent cybersecurity practices effectively renders Equifax as a bank who left its vault wide open. Regardless of how sophisticated the attack by the Chinese military was made out to have been, it is clear that gross negligence was at play on the part of Equifax. Why it still isn’t a legal requirement to encrypt such sensitive data is bewildering.
“You hear about it in the news and you think, ‘Well there goes my credit card number, my Social Security number, my bank account information,’ and you sign up for another year of free credit card monitoring information. We cannot think like that in this country.”— David Bowdich, the deputy director of the F.B.I.
The stolen data was of significant value to the Chinese government. Sensitive information about senior members of the government was compromised, including health histories, extramarital affairs, and information about their children.
While the Equifax hack is regrettable, it also points to a more severe systemic issue: US corporations collecting vast amounts of highly sensitive personal information without any meaningful restrictions and without any guidelines as to how to secure them. An effort to hack a database in order to steal information always ensues from a simple calculation from the attacker: what's the ROI of the hack (or put differently, does the value of the obtainable information outweigh the cost of hacking the system in the first place?) Unfortunately, in the absence of meaningful regulation for data brokers, the inverse question is posed by data brokers, namely: what's the ROI of our security? It will take clear regulation for the data collection and encryption of data assets by data brokers and hefty fines against for enforcement to help data brokers understand the ROI of good security. This will in turn make the burden for hackers higher, reducing their ROI figures on a hack, meaning hacks will become less likely.
"Opportunity makes the thief" is the saying that best describes the Equifax hack of 2017. It is therefore not state agencies that pose the biggest risk to our personal and national security, but the absence of clear regulation for data brokers.
Opinion | Chinese Hacking Is Alarming. So Are Data Brokers. (Published 2020)
Clearview A.I. Hacked For Entire Client List
Clearview A.I., the facial recognition company most recently described as "the end of privacy as we know it" by the New York Times’ exposé, has been compromised. The company reported the intruder “gained unauthorized access” to its list of customers, number of customer's user accounts, and number of searches customers conducted. Clearview reported the vulnerability has been fixed, and the intruder did not obtain law-enforcement agencies’ search histories. The report claimed the servers were not breached and there was “no compromise of Clearview’s systems or network.”
“If you’re a law-enforcement agency, it’s a big deal, because you depend on Clearview as a service provider to have good security, and it seems like they don’t,” — David Forscey, the managing director of the no-profit Aspen Cybersecurity Group.
As with the Equifax breach, the issue with data brokers is systemic and stories like this will repeat ad nauseam unless meaningful legislation is passed to curb data collection by data brokers and force the implementation of adequate security.
Facial-Recognition Company That Works With Law Enforcement Says Entire Client List Was Stolen
Firefox Turns On DNS By Default In The U.S.
Mozilla has announced that it will turn on DNS over HTTPS (DoH) by default for Firefox users in the US. DNS/DoH is the protocol that talks to internet address books to translate hostnames (e.g. dns.google.com) to IP addresses (e.g. 126.96.36.199). While there are several advantages to DNS (mainly the fact that everyone uses it already) it remains largely unencrypted and easy to spy on. It’s also unsigned, and hence, easy to spoof. DoH, on the other hand, is encrypted and uses certificate authentication. It's therefore much more secure than its predecessor. It also makes spying on your web traffic much harder, especially for ISPs such as AT&T and Verizon, which have built massive ad networks specifically around their ability to snoop on you while being on their network. DoH won't stop the data collection but it’ll likely make it more difficult.
Firefox turns controversial new encryption on by default in the US
Sen. Josh Hawley releases a proposal to overhaul the F.T.C.
Sen. Josh Hawley of Missouri is back with a plan to overhaul the Federal Trade Commission (F.T.C.), claiming they “lack the ‘teeth’ to get after Big Tech’s rampant abuses.” His plan to roll the F.T.C. into the Department of Justice (D.O.J.) would focus the policing of digital markets and enforcement. In his proposal, Hawley specifically calls out the staggeringly low 5 billion Facebook fine that the F.T.C. handed out after the company violated a consent decree over data privacy, which immediately pushed the value of Facebook shares. He also accuses the F.T.C. for allowing Google and Facebook to continue to make countless acquisitions after such blatant antitrust violations. He blames the F.T.C. for failure to reprimand the same behavior that “allowed Google to entrench its market share for years using deception”, citing the 2.7 billion antitrust fine that the European Union hit Google with in 2017.
Hawley’s proposal would eliminate the five-member structure and put it under the power of a single director, approved by the Senate for a five-year term. It would also create a digital market section within the F.T.C. that would focus solely on tech, and put the review of mergers and acquisitions under the D.O.J.’s antitrust division. Hawley’s disciplinary approach could give the F.T.C. the kick they need to regulate data misuse accordingly. However, many are concerned that his proposal is too drastic and would allow a single director to act out vendettas on Big Tech. Furthermore, it would require various hearings and multiple pieces of legislation to move forward, and given Congress’ inaction to progress data privacy legislation so far, it seems highly unlikely that Hawley’s plan will come to fruition.
This Republican senator’s radical new plan for the FTC kind of makes sense
Google plans to move its British users under U.S. jurisdiction
Reuters revealed that Google is planning to move its British users’ accounts under U.S. jurisdiction, following the U.K.’s exit from the E.U. The shift will compromise the privacy of millions of U.K. citizen's data, previously protected under European regulations. GDPR will stay in effect during the transitionary phase. After that, Google will still need to adhere to the 2018 Data Protection Act. According to Reuter's sources, Google is planning to move British users under the U.S. jurisdiction because “it is unclear whether Britain will follow GDPR or adopt other rules that could affect the handling of user data.” Google would require users to acknowledge the new jurisdiction in their terms of service. The move likely wouldn’t take effect until 2021 at the earliest. Following the U.K.'s exit from the EU, many other companies will follow suit. Google's ability to pick and choose data regulations, regardless of borders, is a disconcerting idea. We encourage privacy-concerned readers to familiarize themselves with Google alternatives, such as Firefox, Brave, and DuckDuckGo.
Exclusive: Google users in UK to lose EU data protection - sources
India could threaten end-to-end encryption everywhere
India is releasing new rules forcing tech companies to adhere to government data requests without a warrant. The new legislation could potentially threaten end-to-end encryption on a global scale. Any app with more than five million users would be subject to the new regulations. Trade groups are fighting back, arguing the rules would pose a severe threat to Indian citizen’s privacy, saying they would sue if the rules were implemented as written. If the trade groups lose the results would be detrimental to the privacy of billions of users, and the advancement of new businesses. Many companies would opt for cheaper and less secure systems, and others may decide to ignore the Indian market of 1.2 billion people altogether. Either way, it looks like a weak and unfair outcome that will fall on the shoulders of Indian citizens.
India’s proposed internet regulations could threaten privacy everywhere
Another day, another privacy bill
Sen. Kirsten Gillibrand of New York laid her bill proposal on the pile for digital privacy legislation. Promising to keep companies’ data collection in check, the bill aims to empower the digital rights of consumers including a brand new federal agency. Most lawmakers agree that bipartisan support will be necessary for any privacy legislation to advance. Similarly, Sen. Maria Cantwell’s proposal last year did not preempt state laws and therefore was met with resistance from Republicans, who favor a single standard. Despite this, Gillibrand’s proposal is certainly laudable, and may up the ante for the creation of an independent agency. At minimum, it would push the agenda forward for stronger enforcement actions.
“Virtually every other advanced economy has established an independent agency to address data protection challenges, and many other challenges of the digital age.” —Sen. Kirsten Gillibrand, D-N.Y.
Sen. Gillibrand proposes a new government agency to protect privacy on the internet
Zuck calls for Big Tech regulation while facing lawsuit for ignoring one of the most significant data breaches in history
In a recent Financial Times op-ed, Zuckerberg wrote, “we have to balance promoting innovation and research against protecting people’s privacy and security.” This is incredibly hypocritical considering revenue, not privacy, is the company’s primary goal. After his appearance in Brussels, European regulators rightly touted that his sudden outreach of privacy-washing was far too little too late.
At the same time, an article published by the telegraph provided evidence that Facebook’s concern for their users’ privacy and security is, and always has been tenuous. Legal documents show that they repeatedly ignored both employees and outsiders about a loophole. This led to the breach of 29 million people’s data in September 2018. It, therefore, seems highly duplicitous for Zuck to start virtue signaling around Europe, claiming to be one of the good guys.
Mark Zuckerberg again calls for Big Tech to be regulated, even if it’s bad for business
The latest privacy armor is a “bracelet of silence.”
One in five American adults now own a smart speaker. Merely knocking on someone’s door, or sitting in a friends living room, is likely to result in the inadvertent recording of your private conversation. A recent study from Northeastern University showed that smart speakers 'accidentally' activate recording up to 19 times a day. So what’s the polite privacy etiquette in a surveillance society? Ben Zhao and Heather Zheng, two computer scientists from the University of Chicago, developed the “bracelet of silence”.
Wearing the bracelet blocks any microphones in the vicinity from listening in. The microphone jammers work by emitting 24-25kHz white noise, inaudible to humans, which leaks into the audible range of the phone or smart speaker and jams their recording. While the bracelet of silence is one team's creative project against invasive data collection practices, privacy armor as an individual defense against nefarious data practices doesn’t get to the root of the problem. Woodrow Hartzog, a law and computer science professor at Northeastern University, aptly states that until the lawmakers make real changes to the control of our data, and pass laws that adequately secure and protect our privacy, “we’re playing cat and mouse...and that always ends poorly for the mouse.”
Activate This ‘Bracelet of Silence,’ and Alexa Can’t Eavesdrop (Published 2020)
What I'm Reading:
Twitter Ran Ads for Human Organs Because Money Is Money
I Got a Ring Doorbell Camera. It Scared the Hell Out of Me.
California Police Have Been Illegally Sharing License Plate Reader Data
SerafinConsumer PrivacyData DigestCCPA Data Misuse Data Breaches