The death of information privacy has been heralded by the tech industry for over two decades. Then Sun Microsystems CEO Scott McNealy once said, “You have zero privacy anyway. Get over it” (Sprenger, 1999). At the time, the now-ubiquitous social media giants Facebook, Twitter, Instagram didn’t exist. If, as Scott so subtly put it, we had zero privacy then, by now we must have nothing more than a gaping hole where privacy once was.
So, what is information privacy anyway? The Office of the Australian Information Commissioner says that information privacy is hard to define but mentions that it is a fundamental human right that involves “…promoting the protection of information that says who we are, what we do and what we believe.” (OAIC, n.d.)
Yet privacy is now more important than ever. Why? Because we surrender our data at astonishing rates. For example, even as much as seven years ago, Facebook had over 300 petabytes in its data warehouse (Wiener & Bronson, 2014). Last year, Facebook was generating over four petabytes of data per day by its systems (Roy, 2020), a good portion of that being stored.
Privacy has implications for us personally, at a corporate level, and in the areas of law enforcement, intelligence, and the military.
When we consider personal private data, credit card hacks and names and addresses are often the first things that come to mind, but we generate data in many ways and that can be used in ways we may not foresee.
You may consider something as innocuous as running data to be of little value in terms of privacy (after all we run in the open for everyone to see), but many apps and other trackers are available to track our moves, whether we consent to them or not. They can be misused and can involve everything from unwanted surveillance to cases of domestic abuse, up to and including murder (Valentino-DeVries, 2018).
Our voting preferences can be influenced by what we read, especially on social media. In the lead up to the 2016 US Presidential Election, collection and use of personal, private data was used extensively (and possibly illegally) by Cambridge Analytica to sway voter turnout and decisions (Hern, 2018). Facebook later conceded that they must move to a ”…privacy focused future” (Wong, 2019).
Even when we may not be doing anything illegal, we still may have something to hide, as the victims of the Ashley Madison hack discovered. Despite the moral ambiguity of extramarital affairs, their actions were ostensibly lawful, and many users fell victim to extortion campaigns (Krebs, 2015).
Even those we surrender our data to may unlawfully misuse it, as in the case of ACT Police conducting thousands of unauthorised metadata searches over the period of a few years (Jayne, 2019).
Just as with us individually, corporations require privacy. There is sensitive data that organizations must protect, and selectively and consensually share with others.
There are no shortages of incidents where corporations have leaked private customer data to hostile interests. The threat is well known, but strangely enough, these breaches usually have little long-term effects on the businesses affected (Klebnikov, 2019).
The more immediate threat to business is that of corporate cyberespionage. There are many examples of corporate espionage in INFOSEC circles, such as:
- Hewlett-Packard spying on itself, to find a mole. Private investigators were hired to find who was leaking information, but lines were ultimately crossed when phone fraud was being committed, resulting in criminal proceedings against executives.
- While Microsoft was battling an antitrust lawsuit against the US Government, long-time rival Oracle suspected that supposedly pro-Microsoft, independent reports were fake, and subsequently decided to hire PI’s to literally rifle through Microsoft’s trash to discover the truth. (Fruhlinger, 2018).
Perhaps more disturbingly, corporate espionage does not necessarily involve enterprise-to-enterprise spying. Often, nation-states may be the perpetrators. Examples include:
- Operation Shady RAT in 2006, where many businesses, defence contractors and even the International Olympic Committee came under attack of data exfiltration (Alperovitch, 2011).
- The massive 2020 SolarWinds attack, where widely used security software was compromised by a state-sponsored APT (Advanced Persistent Threat). By compromising the software, downstream organisations were in turn compromised, resulting in data breaches from US Federal departments, US state and local governments, and many organisations in the private sector (BBC News, 2020).
Law enforcement, intelligence, and the military
More than most individuals and organisations, law enforcement, intelligence organisations and the military have a very strong need for privacy. Among them, they have some of the most secure systems in the world. But what is not always obvious is that even then, simple errors in judgement or unforeseen circumstances can play a role in revealing information that must remain secret. Examples include:
- The fitness tracking data used by military personnel revealed details of a secret military base, by recording a path to and from its entrances and exits and even commonly used paths between campus buildings (Hsu, 2019).
- In 2021, the Washington DC Metropolitan Police Department was hit with a ransomware attack, but unlike many such attacks, the attackers did not want to exchange the encryption key for money, rather they exfiltrated the data and have issued extortion demands, including the location of confidential informants (Cohen, Fung, & Marquardt, 2021).
Even some of the most secure environments in the world have had their privacy violated:
- In 2016, some hacking tools were released onto the Internet that had powerful capabilities to compromise servers, networks, and firewalls. These tools are believed to have originated from the NSA’s Equation Group, a highly sophisticated threat actor believed to be part of the Tailored Access Operations unit. The identity of the Shadow Brokers group is still unknown, but theories range from insider threats to nation-state hackers (Trend Micro, 2017).
- The Edward Snowden leaks have, broadly, two main implications for privacy. Firstly, the NSA’s privacy as an intelligence organisation was violated to an alarming degree, with an estimated 1.5 million documents exfiltrated (US House of Representatives, 2016); secondly, Snowden’s leaks provided strong evidence that the privacy of everyday, lawful US citizens was being regularly compromised in an illegal fashion (Satter, 2020).
What can be done?
News of violations of privacy such as these can be demoralizing, but there are things that individuals, companies, and other organizations can do to mitigate the problem.
Avoid the data altogether
Sensitive data is a liability. If you possess it, you must protect it. The cost of very sensitive data to an organisation may be too great to bear in a sustainable fashion. If it is not strictly necessary to maintain sensitive data, then strongly consider the option not to acquire it in the first place.
Use established, reliable services
While small businesses may do well to trade online, it would be risky for them to code their own payment platform for example. They would be better off using an established platform to handle payments and likely many other parts of logistics of delivering products, inventory control and returns.
If you must have it, only use what you need, and protect it well
Of course, sometimes sensitive data must be stored and if that is the case, due diligence must be taken. In 2018 the Australian Federal Government released a statement about the security measures of the My Health Record system, and boasted that it included “…encryption, firewalls and secure login” (Robertson-Dunn, 2018). However, given the extremely sensitive nature of people’s health records, would those measures, found in almost everyone’s home router, be enough? The Australian Digital Health Agency later expanded on these measures in a report, mentioning that a defence-in-depth strategy was being employed, and has an extensive security regime (ADHA, 2018). So, the overall rule here is: the more sensitive the data, the higher the level of protection.
It is important that absolutely the right protection is put in place. If this protection costs too much, then consider the fact that the data may be too sensitive, or expensive, for you to host. Underfunding has led to many attacks including the Solarwinds attack (Schneier, 2021), multiple US Government agencies (Osbourne, 2018) and the US city of Baltimore (Edith Cowan University, 2019). While throwing money at cybersecurity will not necessarily protect your privacy, spending the right amount of money on targeted aspects of security will work better.
Advocate for law reform
In line with the principles, outlined above, of:
- Handling the bare minimum of data
- Choosing reliable and trustworthy providers; and
- Properly funding the protection of sensitive data
It is essential that our lawmakers achieve the right balance of lawful access to data, costs to business and protection of privacy at all levels.
For example, the TOLA act of 2018 was ostensibly a good measure to protect against terrorism and child exploitation, but the act itself originally had little oversight. This changed after some amendments and recommendations for changes are ongoing (Australian Law Council, 2020).
Another example is the widespread covert use of facial recognition software by Australian police departments. Many concerns were raised when it was revealed that no strong evidence could be shown for its effectiveness (Evans & Webb, 2020).
Even the Australian Government’s Australian Law Reform Commission indicates that Growing Official Powers of its own Government are a threat to privacy (ALRC, 2010). Stronger privacy laws lead to better data security for all of us, no matter what field of endeavour we are involved in. Ignoring the value of privacy by saying “I have nothing to hide” is really originating from a position of privilege; other nation-states who are active in Australia may not be so forgiving to sensitive data. It is imperative therefore that the Government be held to account for its collection, storage, transmission and use of private data of its citizens, corporations and its own.
Privacy matters to every individual, corporate and government agency. Sometimes the collection and storing of sensitive personal information can’t be avoided. Hence, organisations need to ensure they handle the bare minimum of data, choose the right tools to handle the data and comply with laws around data privacy. Furthermore, organisations need to invest in solutions to protect the data and detect when a breach occurs to act on it and minimise its impact.
We at Skillfield take this challenge and solve it for our customers with simple solutions like deploying proper endpoint protection agents and implementing advanced security detection techniques. With our services and solutions we protect your business and your customers’ data. If you’re interested in how we can do that please feel free to reach out to Skillfield for more information and a free assessment. We’re a local ANZ cyber security company and would be happy to get you started on the journey to uplift your cyber security detection and response capability.
Written by: Damian Wernert
ADHA. (2018, 9 14). Australian Digital Health Agency submission to the Senate Community Affairs References Committee inquiry into the My Health Record system. Retrieved from Parliament of Australia: https://www.aph.gov.au/DocumentStore.ashx?id=6a930984-c43f-4df6-8e4c-7ae123be40d0&subId=659863
Alperovitch, D. (2011, 08 04). Revealed: Operation Shady RAT. Retrieved from McAfee: https://web.archive.org/web/20110804083836/http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
ALRC. (2010, 8 16). The meaning of privacy. Retrieved from Australian Law Reform Commission: https://www.alrc.gov.au/publication/for-your-information-australian-privacy-law-and-practice-alrc-report-108/1-introduction-to-the-inquiry-5/the-meaning-of-privacy/
Australian Law Council. (2020, 8 13). Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth). Retrieved from Australian Law Council: https://www.lawcouncil.asn.au/media/news/telecommunications-and-other-legislation-amendment-assistance-and-access-act-2018-cth
BBC News. (2020, 12 19). US cyber-attack: Russia ‘clearly’ behind SolarWinds operation, says Pompeo. Retrieved from BBC News: https://www.bbc.com/news/world-us-canada-55374945
Cohen, Z., Fung, B., & Marquardt, A. (2021, 4 27). DC Police department hit by ransomware attack. Retrieved from CNN Politics: https://edition.cnn.com/2021/04/27/politics/dc-police-department-ransomware-attack/index.html
Edith Cowan University. (2019, 7 3). How famous cyber security breaches could have been prevented. Retrieved from ECU Blog: https://studyonline.ecu.edu.au/blog/how-famous-cyber-security-breaches-could-have-been-prevented
Evans, M., & Webb, C. (2020, 1 19). Australian police using face recognition software as privacy experts issue warning. Retrieved from The Sydney Morning Herald: https://www.smh.com.au/national/australian-police-using-face-recognition-software-as-privacy-experts-issue-warning-20200119-p53ssj.html
Fruhlinger, J. (2018, 7 2). What is corporate espionage? Inside the murky world of private spying. Retrieved from CSO Australia: https://www.csoonline.com/article/3285726/what-is-corporate-espionage-inside-the-murky-world-of-private-spying.html
Hern, A. (2018, 5 6). Cambridge Analytica: how did it turn clicks into votes? Retrieved from The Guardian: https://www.theguardian.com/news/2018/may/06/cambridge-analytica-how-turn-clicks-into-votes-christopher-wylie
Hsu, J. (2019, 01 29). The Strava Heat Map and the End of Secrets. Retrieved from Wired.com: https://www.wired.com/story/strava-heat-map-military-bases-fitness-trackers-privacy/
Jayne, J. (2019, 7 26). ACT police illegally accessed metadata thousands of times more than previously thought. Retrieved from ABC News Australia: https://www.abc.net.au/news/2019-07-26/act-police-illegally-accessed-metadata-thousands-of-times/11351178
Klebnikov, S. (2019, 11 6). Companies With Security Fails Don’t See Their Stocks Drop As Much, According To Report. Retrieved from Forbes: https://www.forbes.com/sites/sergeiklebnikov/2019/11/06/companies-with-security-fails-dont-see-their-stocks-drop-as-much-according-to-report/?sh=44aa58f862e0
Krebs, B. (2015, 8 21). Extortionists Target Ashley Madison Users. Retrieved from Krebs on Security: https://krebsonsecurity.com/2015/08/extortionists-target-ashley-madison-users/
OAIC. (n.d.). What is privacy? Retrieved from The Office of the Australian Information Comissioner: https://www.oaic.gov.au/privacy/your-privacy-rights/what-is-privacy/
Osbourne, C. (2018, 2 22). Lack of funding exposes US federal agencies to high data breach risks. Retrieved from ZDNet: https://www.zdnet.com/article/us-suffers-highest-data-breaches-of-government-agencies-worldwide/
Robertson-Dunn, B. (2018, 6 25). The truth about My Health Record. Retrieved from Australian Privacy Foundation: https://privacy.org.au/campaigns/myhr/the-truth-about-my-health-record/
Roy, A. S. (2020, 9 16). How does facebook handle the 4+ petabyte of data generated per day? Cambridge Analytica – facebook data scandal. Retrieved from Medium.com: https://medium.com/@srank2000/how-facebook-handles-the-4-petabyte-of-data-generated-per-day-ab86877956f4
Satter, R. (2020, 11 3). U.S. court: Mass surveillance program exposed by Snowden was illegal. Retrieved from Reuters: https://www.reuters.com/article/us-usa-nsa-spying-idUSKBN25T3CK
Schneier, B. (2021, 2 23). Why Was SolarWinds So Vulnerable to a Hack. Retrieved from The New York Times: https://www.nytimes.com/2021/02/23/opinion/solarwinds-hack.html
Sprenger, P. (1999, 01 26). Sun on Privacy: ‘Get Over It’. Retrieved from Wired: http://www.wired.com/politics/law/news/1999/01/17538
Trend Micro. (2017, 4 18). Shadow Brokers Leaks Hacking Tools: What it Means for Enterprises. Retrieved from Trend Micro: https://www.trendmicro.com/vinfo/mx/security/news/vulnerabilities-and-exploits/shadow-brokers-leaks-hacking-tools-what-it-means-for-enterprises
US House of Representatives. (2016, 11 15). Review ofthe Unauthorized Disclosures of Former National Security Agency Contractor Edward Snowden. Retrieved from Federation of American Scientists: https://fas.org/irp/congress/2016_rpt/hpsci-snowden.pdf
Valentino-DeVries, J. (2018, 05 19). Hundreds of Apps Can Empower Stalkers to Track Their Victims. Retrieved from The New York Times: https://www.nytimes.com/2018/05/19/technology/phone-apps-stalking.html
Wiener, J., & Bronson, N. (2014, 10 22). Facebook’s Top Open Data Problems. Retrieved from Facebook Research: https://research.fb.com/blog/2014/10/facebook-s-top-open-data-problems/
Wong, J. C. (2019, 3 18). The Cambridge Analytica scandal changed the world – but it didn’t change Facebook. Retrieved from The Guardian: https://www.theguardian.com/technology/2019/mar/17/the-cambridge-analytica-scandal-changed-the-world-but-it-didnt-change-facebook