Why isn't reckless data stewardship a white collar crime?

Submitted by Xilodyne on Thu, 10/19/2017 - 14:44

Death to company CEOs for data leakage. Okay. Maybe death is an exaggeration. But a slap on the hand for the people who have leaked my data is too weak. I was again reminded how little control I have over my data. The IEEE Computer 09.17 edition (issue 09), one of their better issues this year, has a great article on the security risks of IVAs (Intelligent Virtual Assistants) like Amazon Echo, Google Home, Apple Siri, Microsoft Cortana, etc.: "Alexa, Can I Trust You?" (non-paywall: http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=923459 ).

I love my Amazon Echo and we use it daily. One common topic that comes up at home is how safe it is. Generally, as the article points out, pretty safe, BUT there are risks: to the device (it might be possible to hack it and turn it into a listening / transmitting device; if it can happen to your smartphone, why not your IVA?), to the connection (although it usually uses HTTPS, the APIs can be learned over time with enough sniffing and machine learning), and, surprisingly, unauthorized third-party access to my voice recordings in the cloud. It didn't occur to me that my data may be accessed by third parties as part of the IVA ecosystem. I knew that the Echo waits for the wake word (in my case "Alexa") and then transmits the following voice data to the cloud for processing and answering. How long is my data stored? That's not clear. How many seconds of my conversation are stored? Who has access to it? Again, that's not clear.

As with my perspective on computer security in general, device hacking and connection monitoring / man-in-the-middle attacks are not something I'm too worried about, as they require someone targeting me, which frankly is unlikely since I'm fairly low on the totem pole of high-value assets. It takes a bit of effort to focus on one person. It is much easier to focus on where all the data lives: at a company. I believe that if I maintain good computer hygiene (perform regular updates; don't run anything as admin), keep my AV up to date, and pay attention to what I click, then the chances are low that I'll get infected. The IVA devices are a little different in that one has little control over updates, but as a device that pushes data out to the Internet, unless the Amazon Skill Store gets infected with malware in a skill that I use, I see little risk. Of course, if someone has direct access to any device (PC, phone, IVA), you'll not prevent infection.

Data leakage is a train wreck happening in slow motion and there is no way to stop it. I can't even imagine how to keep my data from being obtained and used by companies. Something like the EU Data Protection Act will never be adopted in the US. Instead I'm struck by that famous quote, "Insanity is repeating the same mistakes and expecting different results". While my personal computers have not been hacked, my personal data has been. Constantly. The major ones include Yahoo, OPM, and recently Equifax. I've lost track of the number of websites that have told me to reset my password "for my own protection". How long before my conversations at home are exposed by unauthorized access in the IVA cloud?

What have I lost so far from these hacks? Well, other than lost trust in the institutions that have collected my data, nothing that I can tell. But how can I tell? How many times can I be impersonated online and not know it? Or how many times can a criminal obtain an identity card in my name in other states before I find out? I belong to free credit monitoring as part of the OPM and now Equifax hacks. Is that enough? Does it solve the problem completely? Just one false credit card created in my name and then I have months of work to clear my formerly good name. Supposedly both the OPM and Equifax hacks were state-sponsored attacks, but what prevents that data from leaking further? It seems that if there is one constant in nature, it is that data wants to be free.

The OPM hack took the personal data for my entire life, all the nitty-gritty details, good and bad, needed for a security clearance, including fingerprints. And what happened to the data owners at OPM? Nothing. The political hacks at the top of the organization resigned. Yahoo lost my personal information, security questions and passwords. What happened to Yahoo? Nada. The company lost some market value when sold to Verizon, but the executives weren't penalized. Equifax stored my PII, my personally identifiable information, in clear text, including my birthdate, my social security number, address, and all my financial information. In clear text? In 2017? If it were 1970 I could understand. There is no excuse for storing such important information in clear text. That PII is the essential information I, as an American, need to identify myself with any institution I deal with over the phone or the Internet. And who went to jail? No one. Any penalties? We'll see if Congress does something.

What I'm struck by is why there are no penalties for the people and organizations that lost my data, or will lose my data. I think the model is wrong. My data is treated as an artifact that begets zero responsibility. If my data is stolen, it is treated as if a burglar slipped into the organization and the burglar must be punished. A blue collar crime. Instead, my data should be treated on par with white collar / financial crimes. Insider trading is a serious crime with serious penalties for the convicted and their companies, yet many argue that it is a victimless crime, as there is no direct harm to persons or institutions. Meanwhile a company like Equifax can collect all of my personal information, without my permission, and lose it without any consequences other than a loss of market capitalization. For a company to skip basic security hygiene (maintain up-to-date patches; encrypt my data, at least at rest) and expose me to identity theft or worse is a crime much worse than insider trading. Theft of my data is something tangible, with potentially direct consequences for my ability to function in the 21st century.

After the Internet Bubble collapse of 2000, the Dot Bomb that resulted from misleading/inaccurate financial data, the Sarbanes-Oxley Act of 2002, Section 302, required CEOs to certify that all financial information appearing in the annual report submissions to the SEC is accurate. The CEO is subject to financial and criminal penalties even when the inaccuracies were committed by someone else within the company. That is a tremendous incentive to keep the books clean. The United States should pass the same type of requirement for CEOs in terms of security: certify that their company's cybersecurity for PII data meets best-effort practices and accepted standards. In an online world we should expect nothing less.

(Note: this article was published concurrently on LinkedIn.)