With the birth of the computer, and then the internet, the information age began. It started with excitement and great optimism about how the free flow of information would change the world. Social networks and search engines like Google, Facebook, and Twitter putting “in the moment” information at our finger tips. Mobile technology and smart phones keeping us tied to that information no matter where we are. And now the rise of the internet of things, which is making our homes smarter and adaptable to our every whim. But at what cost? There’s no easy answers here, and I’m still struggling with this myself, but it’s an important conversation to have. Let’s dive into this.
CES 2019 just ended and we saw an incredible number of amazing, whiz-bang, smart home devices, smart TVs, self driving cars, and more paraded around the show floor. As a tech nerd this is like watching a summer blockbuster and eating a bottomless tub of popcorn. But there’s the faint drum beat in the background throughout all of this that’s getting overshadowed and lost amongst the noise, and that’s the drumbeat of privacy. It’s something that’s slowly slipping away from us and we’re not noticing, or caring that it is.
I’ve talked about this in previous videos, but we all have to do a due diligence when signing up for a service or buying a new smart home device. We all have to understand how our private data is being used by the company providing that product or service. Are we comfortable with how they’re using our data? If we are, what guarantees do we have that it’s kept safe, or that we’ll be able to access and delete it if we want. It’s our information, so we should remain in control of it, right?
Weak Security & Data Breaches
We’re barely into 2019 and a bombshell of a report came out that Ring smart cameras and doorbells, which are owned by Amazon, might have been snooped on by employees. From The Intercept’s report:1
Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.
And even worse than that:
At the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership’s ‘sense that encryption would make the company less valuable,’ owing to the expense of implementing encryption and lost revenue opportunities due to restricted access.
Ring has since released a statement:
“Ring employees never have and never did provide employees with access to livestreams of their Ring devices.”
Which The Intercept says is contradicted by multiple sources. This story is still unfolding, but it’s not a good sign when a company plays fast and loose with customer data due to the expense of implementing encryption and lost revenue opportunities. That’s putting profits above their customers and their privacy.
Have a new fancy Smart TV in your home? Well, it knows everything you’re watching and is logging all of it to the TV manufacturer.2 In the U.S., you may be familiar with the Neilson Ratings, which the TV industry has historically used to gauge how many people watch specific TV shows. In the early days that was done with volunteers reporting what they watched in a log book, but today, it’s as simple as having software on your TV that can identify anything you’re watching, no matter the source.
The Verge just had a very open conversation on the practice with Vizio’s CTO, Bill Baxter. I applaud Vizio for being so open and forthright about this information, but not all companies want to disclose that this is what’s actually happening. Bill Baxter stated:
So it’s what the glass on the TV sees, just to be really straight. Whatever the TV sees.
But he made it clear that Vizio takes privacy seriously:
… there are restrictions, and we don’t want to violate the customer’s privacy rights and we certainly anonymize that data and we don’t try to, in any way, infringe on their privacy.3
The margin on TVs is razor thin, so they have to resort to ways to keep prices low for their customers, but have ways they can monetize on the backend. While Vizio may appear to be taking the right steps, that can’t be said of everyone. A Consumer Reports investigation last year found major security vulnerabilities in many smart TVs that could be used by “a relatively unsophisticated hacker”:
The vulnerability was found in sets by Samsung, TCL, and devices using the Roku TV platform, which can include brands like Philips, RCA, Hisense, Hitachi, Insignia, and Sharp, along with some of Roku’s own streaming players.4
Both Amazon and Google have also been caught with data breaches around their Amazon Echo and Google Home products. Amazon sent 1,700 audio recordings to the wrong customer.5 Last June it came out that Google Home and Chromecast were leaking precise location data because they were transmitting data on an unsecured internet protocol without any form of authentication.6
And as if that wasn’t bad enough, mobile providers who have incredible data into our every movement, have been found to have major loopholes into gaining access to that data. Motherboard conducted an investigation into the practice, and after giving a bounty hunter $300 found the exact location of their cellphone:
The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.7
It can probably go without saying, but this is terrifying. Imagine someone is in an abusive relationship and trying to hide for safety. Or an unscrupulous employer looking into a potential employees extracurricular activities. Not to mention the potential implications for governments sidestepping the constraints of laws that are unable to keep up with the rapidly changing technology.
So What Do We Do?
In the U.S. we have the Fourth Amendment, which is supposed to protect us from unreasonable searches and seizures. It’s the notion that “each person’s home is their castle,” but in the technological age we have far more private information stored in pocket sized computers and in the cloud than was ever available in someone’s home. Our emails, texts, photos, documents, location, phone calls, and every digital behavior we have is like an extension of our brain. We have laws that protect spouses from having to testify against each other, as well as laws to allow us from incriminating ourselves, but those laws don’t extend into the digital form. And that digital form is far more encompassing and detailed.
Big Internet has been running unchecked for the past 20 years, which could be seen as necessary to allow it to grow and flourish. However, today it’s like big oil, big steel, big auto during the industrial revolution and through the early 20th century. Unchecked corporate greed can lead to decisions that go against an individual’s best interest and health for the sake of maximizing profits. We’ve seen this again and again throughout history and only have to look back at laws enacted to protect children and worker safety.8
When it comes to our private data and corporations, I think there’s a simple argument to be made for a bill or privacy rights that must be followed. Apple is one of the only big companies making customer privacy one of their central pillars, and they should be applauded for this effort. Other companies should follow suite. Tim Cook has spoken publicly on the need for rules and laws to protect all of us, as well as warn of the dangers of a data industrial complex.9
The European Union has taken the first major step in this direction with the General Data Protection Regulation (GDPR). It provides essential rights to access, to be forgotten, to data portability, and privacy by design, along with major fines and rules to keep companies in check. I’d argue that countries like the U.S. need to follow suit, but this is where things are more gray than black and white.
The argument around security and law enforcement is a very thorny subject that has no clear answers right now, but is a debate not only worth having, but required. Australia just passed a law requiring backdoors into all encrypted data, which was poorly written, vague, and not thought through for how it may have a lot of unintended negative side effects.10 Any encryption with a backdoor is the equivalent of not having security at all. You can make the argument that only the good guys would have access to the backdoor key, but that key is highly likely to get compromised. It’s hard to believe a secure backdoor would be safe with the revelations of the NSA security breaches with Anthony Snowdon and Wikileaks. Rival governments could hack and compromise those keys. Weakening security for everything for the sake of fighting terrorism is going to make us more vulnerable, not safer. But I also agree, and see the arguments for law enforcement needing to have tools to pursue criminals and terrorists to keep all of us safe. This is one of those subjects that makes my head spin and I have no clear path to an answer, but I do know that we shouldn’t rush into any legislation until it’s properly vetted and thought through.
With companies like Amazon and Ring playing a little too fast and loose with customer data,11 I’m a fraction of a step away from pulling all Echo and Ring devices out of my home. I’m not there yet, and I want to give them the benefit of the doubt and a chance to redeem themselves. I don’t want to be rash, but I want to hold them, and all of Big Internet accountable for my private data.
For me the first step seems crystal clear. Here in the U.S. we need privacy laws enacted, much like GDPR in Europe. There needs to be regulations in place to keep Big Internet under scrutiny with not only fines for breaking the rules, but criminal punishments for more extreme abuses.
When it comes to law enforcement, we need much more open debate on the subject. We need to understand exactly what the police, FBI, and others need to make their job effective, but also understand from the technical side what’s possible without compromising security for everything. As it is today, law enforcement has more tools in their tool chest than ever before, and even with encrypted communication are able to use meta data and unencrypted data to track illegal behavior. A recent report showed that:
The officials working in the trenches to examine digital evidence often don’t know where to access the data relevant to their investigations in the first place. When they do know how to access the data, they don’t know what tools to use to analyze it.12
There’s a treasure trove of unencrypted data law enforcement already can use, but often doesn’t have the right tools or knowhow to do so. The report’s title, “Low-Hanging Fruit” says it all, and that has nothing to do with the encryption debate.
What’s your take on this issue? I’m really curious what others think, and to hear different points of view on the topic. I don’t have the answers and don’t claim to, but think this is an important topic for everyone to think about and debate. If we don’t, we’re going to watch our right to privacy continue to slip away and be gone before we know it.
Additional articles and videos:
- Rene Ritchie on YouTube – “Right to Remain Private”
- The NYT Daily Podcast – “The Business of Selling Your Location”
- Council on Foreign Relations – “Reforming the U.S. Approach to Data Protection and Privacy”
- Tim Cook in Time Magazine – “You Deserve Privacy Online. Here’s How You Could Actually Get It “
- Wired – “Carriers Swore They’d Stop Selling Location Data. Will They Ever?”
- The NYT – “Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret”
- Gizmodo – “The Amazon Alexa Eavesdropping Nightmare Came True”
- Wired – “Google Home’s Data Leak Proves the IoT is Still Deeply Flawed”
- The Verge – “Democrats aren’t buying a proposal for big tech to write its own privacy rules”
- Slate – “There Is No Good Argument for Encryption Backdoors”
- Just Security – “Why An Encryption Backdoor for Just the “Good Guys” Won’t Work”
1: The Intercept report on Ring snooping – http://theintercept.com/2019/01/10/amazon-ring-security-camera/
And Wired on the same topic – http://www.wired.com/story/security-news-this-week-employees-may-have-snooped-on-ring-security-camera-feeds/
12: http://www.mercatus.org/bridge/commentary/war-between-encryption-and-law-enforcement-overblown http://csis-prod.s3.amazonaws.com/s3fs-public/publication/180725_Carter_DigitalEvidence.pdf?tAGR_DvxRdp0RspiGYNGcGKTUjrGY3rN