Tag: privacy

Turkey? or not Turkey?

I started my reading today with ZDNET’s 2019 Turkeys. This is an annual effort to highlight the failures and disappointments in the technology industry. I must admit that I was unaware of some of the things they highlighted and, honestly, quite disappointed in ZDNET for some of the others they had an issue with, then there were the obvious entries that I think they had every right to show disappointment in.

One of the Turkeys this year revolves around Google purchasing Nest and some related home security and convenience product lines. At the heart of the issue are two problems, Google has taken these products from open architecture (a field of technology and protocol sharing so others could develop products to work with Nest and associated security products) to a closed architecture where only Google will develop and sell compatible products and services. The second problem is that Google has not addressed privacy issues for those using this and other families of their products and has a habit of using the “presumed private” data in some very not private ways.

Another Turkey suggested by ZDNET is Google and its lack of appropriate behavior with large blocks of personal medical records that they gained access to by virtue of that data being managed by them in the cloud. It remains to be seen if legal action will be taken by patients, organizations or even local or national government agencies; but, initially, it appears as if that might be appropriate.

A couple of Turkeys were handed out for a lack of acceptance of the USB-C standard which ZDNET had hoped several brands would embrace this year with their new products. Because the connector is more damage resistant and easier to correctly plugin combined with enhanced power capacity and data rates, it was hoped that it would be widely used on new devices; however, Apple and Samsung appear to have not been ready for that change. Maybe ZDNET does not fully understand the marketing strategies (planned obsolescence and designed in fragility to guarantee more sales?) of these phone manufacturers.

Highlighted in several of the Turkeys this year was the disparity between the presumed privacy of cloud storage and the actual level of protection for private material stored in the cloud. Specific issues appear to be access allowed to law enforcement (without need for a court order or warrant), use of data by the cloud manager for marketing, research, and guidance sold to businesses including insurance firms. It appears that this may have been done within the letter of the privacy statements attached to the sign-up process for obtaining the cloud storage and other services; but, for the consumer, those statements are meaningless without considerable legal assistance and a full understanding of the possibilities for use and misuse of the stored information. In short, the above-average consumer is unable to grant informed consent.

Privacy?

A common question of late is “Should I have an expectation of privacy?”.

Some folks may believe that what they send via email is private, and those who send encrypted email would seem to have good reason to expect privacy regarding the content of their emails. Further, there are those who have nice privacy disclaimers embedded in every email. I will leave it up to an attorney to clarify whether the disclaimers provide any measure of protection for the individual or firm whose email contain such a disclaimer.

My issue is that many folks expect email to be private; after all, you send email to a specific destination or list of destinations. If you are concerned about privacy of the content, you might send that email in one of the secure (encrypted) formats and expect that this choice guarantees the privacy of your email content. A fly in the ointment is that our government (never mind other governments and their level of respect for personal and professional privacy) has been utilizing a system of court orders to compel secret (unpublished) access to mail on professional mail servers and hosts.

If an article published in ZDnet is to be believed (it agrees with and draws details from a Rueters News Service article), the NSA / FBI have on many occasions compelled services to provide emails based on some criteria for external access by those other than the intended recipient. What is worse; it is the nature of the mail servers to decrypt the incoming emails in order to perform the government requested “scan” for phrases to identify emails to be extracted. This brings into question the use of the term secure when referring to emails that are intended by the sender to be secure. Secure in this case refers to the emails being transmitted securely; but, the government requesting the emails to be scanned at the server bypasses the standard protection provided by this kind of service.

While I see this as a clear violation of our fourth amendment rights (and others), it may be some time before legal systems are enacted to alter or prevent these kinds of actions by our government agencies (never mind the acts of hackers). In the mean time, this event (which I see no reason to expect is an isolated one) serves as a reminder to us to be more careful regarding what we consider to be private in this age of expanding technologies. This kind of event combined with the hacking events that have been revealed in various news releases make it quite clear that anything published and stored electronically is at risk of becoming public or, at a minimum, viewed by unintended recipients.

What can we do? for extreme cases where privacy is important, provide a shared encryption system to the intended recipients, encrypt the contents of an email, paste that into the body or attach it and send the email(remember to never share the encryption keys electronically – this is how Yahoo, Google, Microsoft Exchange, and other large mail servers can decrypt mail they host – the encryption technique and link to shared keys are included with the email). After receiving the email, the recipient will then decrypt the contents; allowing them and, hopefully, only them to read the contents. Another solution is to avoid using the big commercial mail servers. Many businesses lease or rent web hosting for their corporate website and most of these also include mail hosting service as well. The reason this is likely to be more secure seems two fold to me; first: it is a much smaller prize and the government and hackers may simply not find it worth the effort; second: you as the owner of the hosting service are the very entity who the government will need to make a request of for access to the mails that flow through that server.

This kind of concern regarding privacy of materials should also extend to the use of cloud services, social networks, and blogs. If it is a large public host (Apple Cloud, Microsoft Cloud, One Drive, Facebook, Twitter, etc.), the odds of it attracting the interest of the government or private hackers is far greater than if it is hosted on your own private network or even leased web service. The advantage to selecting one of the large public hosts is that they tend to act fairly responsibly in terms of performing backups, equipment maintenance, and intrusion prevention (except for court orders from the government agencies).

It seems to me that we already have law in place to protect us from these kinds of secret intrusions into our privacy; still, we have at least two recent events made public where it is clear US government agencies are acting outside the clear intent of privacy laws. This indicates that their exist other laws, on the books, that need to be challenged and changed or repealed. It is up to we, the people, to bring this topic to the attention of our law makers, or simply understand and live with the consequences.