Plugged In: Data security — how much choice in the matter?

By Joe Kashi, for the Redoubt Reporter

There’s no doubt that smartphones, Wi-Fi connections and other mobile technologies are convenient and productive, but those benefits are accompanied by significantly increased risks.

In a continuing legal education session that I and others presented last week to Canadian lawyers about mobile security, there was a broad sense that personal privacy risks have become much more serious as mobile computing becomes the norm. Periodically over the next few months, we’ll discuss some measures you can take to reduce those risks.

Recently, information tech-nology professionals rated mobile technologies, particularly smartphones, as by far the most serious privacy and security risk. Not only does mobile computing come with all of the usual risks of office-centric computing, but also with quite a number of additional risks unique to the mobile experience.

Protecting our privacy is often more difficult with mobile devices. Now that the vast majority of all data is maintained electronically, the potential for mischief and the unwitting compromise of everything from banking and credit card data to private communications has become very high. That risk is greatly exacerbated by the move to social media and mobile computing.

To the long-standing general problems of computer security, we now face concerns unique to mobile and cloud computing use, further increasing vulnerability. Governmental agencies, banks, online retailers and cloud computing vendors are all being hacked with regularity, but usually not comprehending the nature and scope of the breach for months after the initial attack. A friend from my MIT days, a retired career military officer, casually mentioned in a recent email that there’s a general expectation that national communications would be intentionally disrupted during some crisis or other sometime during the next 10 years. Even without such apocalyptic, yet plausible, scenarios, the public Internet as we know it is exceptionally vulnerable to state-sponsored, criminal and hacker disruption and penetration.

There’s little or no feasible action you can take to avoid mobile and “cloud” security problems beyond avoiding the threat or loss of a mobile device and using heavy encryption. Storing your data somewhere out in the Internet “cloud,” whether with Google, Facebook or a business-oriented vendor, further reduces your privacy. Despite assurances, the publicly known record is not comforting, and we only know about those major breaches that have been recognized and reported in the media.

Do you really want your private data beyond your ability to take sufficient action to protect it? Is the convenience worth the risk? Only you can answer those questions. Personally, I avoid placing any sensitive personal or client data online, on a notebook computer system or on a phone.

Even as risks proliferate, the rise of social media and smartphones seems to result in less caution about data security, rather than more, even as business connectivity moves increasingly to smartphones. The irony is that “Big Brother” is less likely to be the American NSA, nor its Canadian and British counterparts, which act under legal strictures and oversight, but more likely to be relatively unregulated Facebook, Google and other social media and cloud-computing businesses that mine your data for profit.

I used to comment, when discussing computing security at continuing legal education seminars, that, “If you’re not a little paranoid, you’re not careful enough.” That’s no longer true. Instead, I would suggest an even higher degree of continuous concern about computer security is now warranted. Complacency is not a defense.

Communications security is inevitably a weak link. Consider, for example, that the course of World War II was largely determined by communications interceptions. Most dramatically, British communications intercepts resulted in the sinking of hundreds of U-boats, while the U.S. cracking of Japanese codes resulted in the decisive victory at Midway in 1942, causing a complete reversal of Japan’s fortunes of war in a mere five minutes. Both the Germans and the Japanese were quite convinced of the security of their communications and complacently failed to take decisive action to periodically upgrade their security, despite strong indications of vulnerability.

Modern social media and cloud computing companies have far greater computing resources to achieve the same result and, tellingly, they have complete access to your data hosted by them. That’s likely entirely legal in most instances, if you read your usage license carefully. I do not suggest that social media and cloud-computing companies are acting malevolently, only that their comprehensive commercial data gathering is susceptible to commercial abuse and third-party penetration and manipulation.

For example, as I was completing this article, I became aware of Facebook’s newest patent application, U.S. Patent application No. 20150124107, where Facebook identifies a way to uniquely “fingerprint” and identify photographs uploaded by any smartphone or camera. Although the initial portion of Facebook’s patent filing indicates that this would be used for user authentication, the latter portion of the patent application cites data mining for targeted marketing, something that requires detailed analysis of your usage, contacts, visited sites and preferences.

As with Google’s hidden cookies, you can be identified and geotagged. If you can be uniquely identified and located by these unregulated, for-profit exploits, your activity and contacts can be tracked. That’s already true with much of social media and Google activity, including Gmail. Otherwise, how would Google know to later send you personalized ads for some product you scoped out using an entirely different website?

Many of us recall how, several years ago, some social media sites silently copied your email contacts and used that information to populate publicly visible lists. Although that particular problem has been ostensibly rectified, it’s surely illustrative of the need to keep social computing clearly separated from business usage and highly private personal information.

The decades-old term for this sort of snooping is “traffic analysis,” a mainstay of surveillance since the 1930s. Avoiding security breaches must now transcend simple blocking of viruses, criminal schemes and hackers— still a major concern.

Let’s assume, for example, that you use your smartphone both personally and in the course of business for emails, web lookups, cloud-based document review and the like. All of your Internet and wireless communication data, not merely that which you internally might consider personal, is now potentially susceptible to nonhacking breach and dissemination, in addition to the traditional vulnerabilities, a la Target and numerous other retailer and governmental breaches.

Online threats to your privacy continue to proliferate. In the end, only you can decide when the risks outweigh the convenience of using a single smartphone or other mobile device for everything.

Local attorney Joe Kashi received degrees from MIT and his law degree from Georgetown University. He has published articles about computer technology, law practice and digital photography in national media since 1990. Many of his articles can be accessed through his website, http://www.kashilaw.com.

Leave a comment

Filed under Plugged in

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s