No, it is NOT okay to peep inside!
Privacy in the digital age
Is your house door locked? I’m sure it is. There’s no one checking your screen, looking over your shoulder, is there? Of course not, of course not. After all, people understand the notion of privacy — a state in which one is not observed or disturbed by other people… Or do they?
Let me present you with some statistics. 31% of my WhatsApp contacts are dog lovers, and 21% are cat lovers. 26% would prefer to dine out after work rather than cooking, 35% consider themselves to be religious, and 18% describe themselves as having strong political beliefs. How do I have this information? Let’s just assume I asked my contacts for these details.
However, what if I could get all of this information without their knowledge or permission?
Well, if someone is snooping on me, they will learn that I love a lot of Toms, but I certainly hate a peeping tom!
Now before you exclaim, “but I don’t have anything to hide!”, let me introduce you to Edward Snowden.
Edward Snowden is a former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013. According to The New Yorker, the information he leaked confirmed that a) the U.S. government was routinely collecting phone logs of millions of Americans without obtaining any court warrants, even though they had no links to terrorism, and b) they had the capacity to access vast amounts of user data from U.S.-based Internet companies such as Facebook, Google, and Microsoft to track foreign suspects.
“Saying you don’t need privacy because you have nothing to hide is like saying you don’t need freedom of speech because you have nothing to say.”
- Edward Snowden
Still think you’ve got nothing to hide? Here are a few instances of privacy breaches that have happened in the past.
Breach of Privacy
You might be aware of the permission controls in Android and iOS phones. We can give permission to an app to use a specific component of our phone, like the camera, or storage. But did you know that these app-level permissions are not really effective for user privacy?
According to research done at CMU, it is usually the various third-party libraries included within apps that access sensitive user data rather than the apps themselves. For example, the Google AdMob library may access location to deliver targeted ads. Since a set of popular third-party libraries is used by most apps, even if the user grants a permission to just one app that uses such a library, the library now has their private data. This creates a false sense of security: users think they have denied access, but they may not have denied it in every app they use.
The root of the issue is that users are unsure what kind of data is essential for the core functionality of an app, so they grant permissions that are unnecessary.
In another incident, a talking doll called Cayla was banned in Germany in 2017 due to security risks. This doll had a speaker and a microphone with the capability to converse with a child. It was connected to a phone via Bluetooth, where the processing would take place. Since this Bluetooth connection was unencrypted, anyone could hack into the connection and eavesdrop on the conversations happening around the house.
Security expert Ken Munro, in his talk on privacy, gave yet another example of a security vulnerability in IoT devices. He had conducted some hacking experiments on a smart kettle and found that the chip inside the kettle could be cracked using a trivial password of six 0s. What was worse, he discovered that the chip was storing the password of the Wi-Fi network completely unencrypted! Imagine, if a thief stole your smart kettle, he could now log in to your Wi-Fi network and snoop on your web browsing activities.
As technology pervades our homes, we must ensure that the Internet of things doesn’t become an Internet of threats for us.
What Are The Governments Doing?
With the exponential advancement of technology and the corresponding threats that come along, governments are slowly but surely responding to the changing times.
The GDPR, or General Data Protection Regulation, is an example of this. It came into force in 2016 and applies to all entities that process the personal data of citizens or residents of the European Union. It has an exhaustive set of rules and regulations on what kind of data can be collected, how it should be collected, and how long it can be stored for processing. Most importantly, it specifies that the data should be collected only after obtaining specific, unambiguous consent from the users.
Another such law that came into effect is the California Consumer Privacy Act, or the CCPA. The CCPA gives California consumers more control over the personal information that businesses collect about them. They have the right to know about the personal information a business collects about them and how it is used and shared, the right to delete personal information collected from them, the right to opt out of the sale of their personal information, and the right to non-discrimination for exercising their CCPA rights.
Such laws are certainly steps in the right direction to protect the privacy of naïve consumers, but there is still a long way to go. The GDPR is confined to the European Union and the CCPA is limited to California residents. It might be long before third world countries’ governments prioritize data privacy.
What Can We Do?
To put it simply, get smarter just like our devices. We should be able to understand the tech we use — at least to some extent — and we need to secure our systems with strong passwords.
According to research done by Prof. Lorrie Cranor at CMU, people find it easier to remember passwords that are a collection of random but pronounceable syllables. These are found to be as strong as a short-but-difficult-to-remember collection of characters, or a passphrase that is long with many words and therefore easy to mistype.
Some of the other simple tips we can follow are:
- We must use 6- or 8-digit PINs rather than 4-digit PINs.
- We must use private browsing more.
- In general, we shouldn’t give out information unless we absolutely need to. 10 minute mail creates a temporary email address that is valid only for 10 minutes, which we can use to try out a new app or a website.
- If you use a lot of IoT devices, you must connect them on a separate network, so that in case of a security vulnerability, the rest of your (non-IoT) devices will not be affected.
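To put numbers on the pronounceable-password and PIN-length advice above, here is an added example (not from the original article or the CMU research) that measures each option in bits of entropy and generates a pronounceable password matching a short random one. The consonant-vowel syllable scheme and the 8-character a-z0-9 baseline are assumptions chosen for illustration, and the figures hold only when every symbol is picked uniformly at random.

```python
import math
import secrets

# Assumed syllable scheme (not taken from the CMU study): one consonant
# followed by one vowel, both drawn uniformly at random.
CONSONANTS = "bdfghjklmnprstvz"  # 16 easily distinguished consonants
VOWELS = "aeiou"
SYLLABLE_COUNT = len(CONSONANTS) * len(VOWELS)  # 80 possible syllables


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def syllables_for(target_bits: float) -> int:
    """Fewest random syllables whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(SYLLABLE_COUNT))


def pronounceable_password(n_syllables: int) -> str:
    """Build a password from CSPRNG-chosen syllables (never random.choice)."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        for _ in range(n_syllables)
    )


def report() -> dict:
    """Compare PIN lengths and a random 8-char password with syllables."""
    short_random = entropy_bits(36, 8)  # constructed baseline: 8 chars of a-z0-9
    n = syllables_for(short_random)
    return {
        "pin4_bits": round(entropy_bits(10, 4), 2),
        "pin6_bits": round(entropy_bits(10, 6), 2),
        "pin8_bits": round(entropy_bits(10, 8), 2),
        "random8_bits": round(short_random, 2),
        "syllables_needed": n,
        "syllable_bits": round(entropy_bits(SYLLABLE_COUNT, n), 2),
        "example": pronounceable_password(n),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Each extra PIN digit adds about 3.3 bits, so a 6-digit PIN has 100 times as many possibilities as a 4-digit one; a password a person invents rather than generates has far less entropy than these figures suggest.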
Privacytools.io offers a lot of resources to follow the best practices for privacy.
Ultimately, the onus is on us to protect ourselves and our digital identities. So stay aware, stay safe!