Online privacy as a policy issue

I’ve been spending a lot of time working with Qredo which is a company and a technology that seeks to provide in code many of the online privacy protections we fail to provide (or fail to enforce) in policy and law.  While I believe this is a Good Thing and necessary, it doesn’t eliminate the need to fix the policy and legal framework for online privacy.  In fact, it makes these things even more urgent.

Market value of data
As it stands today, privacy online is largely the responsibility of the parties who hold your data (including those who aggressively acquire it by any means possible) who are obligated to keep that data to themselves under most circumstances.  What we see in practice is that these companies are very good about keeping that data secret from each other so that they can sell it to one another.  If they were lax about securing it, the availability of the data would ruin the secondary market for it.

But the people that vendors are most incentivized to protect your data from – other vendors – are largely restraining themselves to using legal means to get it.  The people who obtain the data illegally also resell it, but they do so in a different market.  Since the resale of hacked data does not disrupt the primary market for legitimate data, the only concern your vendors have about losing it to hacking is their cost in offering you monitoring, replacement cards, the occasional enforcement action, or other direct impacts of a breach.  These are generally small enough to be written off as a cost of doing business.  The one thing that would be a real threat – devaluing the data itself – is the one thing they don’t need to worry about.

Cascading data markets
Very rarely are vendors held accountable for losing our data so it should be no surprise that enforcement agencies do not take any proactive steps to prevent such a loss when the vendor is known to be vulnerable but there is no breach to report.  I wrote in detail about my experience trying to make such a report in OK Hilton, gloves are off.  Though the web site sent user login credentials in the clear and the site holds credit card and other sensitive information, I was unable to get any regulatory agency or news media to take any interest.  When I tried to report it to the state of Massachusetts, who have one of the toughest privacy laws in the country, I was turned away because I did not have a breach to report and even if I did I am not a citizen of that state. This despite the fact that many MA citizens are members of Hilton’s loyalty program and were vulnerable.

The problem with this enforcement approach is that privacy issues cascade along with your data into secondary and tertiary markets. Given how tough it is to get anyone to pay attention to 1st party privacy issues, can we expect any enforcement to reach these markets?  In today’s world, reselling that personal data effectively liberates it from any obligation to the person who is the subject of the data.  I’ll give you some examples.

  • Square captures your email address and contact info, then gives these out to every merchant with whom you subsequently authorize a payment through them.  When I caught them doing this they referred me to their Terms Of Service.  I discovered the problem after my wife purchased wine during intermission at the theater.  She was not provided an opportunity to read the TOS, but if people routinely read the TOS at point of purchase, the vendor would be able to sell exactly one or zero glasses of wine per intermission.  The business model of nearly all vendors using Square depends on nobody taking the time to read the TOS.
  • There are many 3rd party services springing up to help manage crowdfunding campaigns.  One such service harvested my contact information from an Indiegogo campaign and used it to spam me.  Although this violates the Indiegogo TOS and Privacy Policy, which bind the campaign owner (and by extension also bind any 3rd party service), IGG has not updated their TOS or Privacy Policy in response to my complaint, nor have they blogged about it to clarify the obligations of campaign owners and service companies.  The campaign on whose behalf I was spammed continues to run.

The only reason that I know about these two issues is that I use a unique email address per vendor.  I have hundreds of such unique addresses.  Someone using a common email address for everything would receive the same emails I did but have no way to know how their email address was obtained.  Upon receiving the receipt from the theater, the average person might assume the theater, a first party vendor from whom they had purchased tickets, already had their email address and shrug it off.  (Although in my case the email address Square has is from a car dealership, not the theater, so receiving a receipt for a glass of wine at the email associated with the dealership stood out as an obvious anomaly.)
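One way to implement the per-vendor address technique described above (and the honeypot-style monitoring the conclusions call for), as an added example that is not part of the original post or of Qredo: each vendor gets a unique, non-guessable address, and any message arriving at that address from an unexpected sender is attributed to the vendor it was issued to. The canary domain, the secret and the sample receipt are constructed for the example.

```python
"""Per-vendor canary addresses: one unique address per vendor, so mail arriving
at an address identifies which vendor handed it on. Added example, not Qredo code."""
import email
import hashlib
import hmac
from email.utils import parseaddr

LEDGER_SECRET = b"constructed-demo-secret"  # constructed; keep a real one out of source
CANARY_DOMAIN = "canary.example"            # assumed domain under the reader's control


def canary_address(vendor: str) -> str:
    """Derive a unique, non-guessable address for a vendor from a keyed hash."""
    tag = hmac.new(LEDGER_SECRET, vendor.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return f"{vendor.lower()}-{tag}@{CANARY_DOMAIN}"


class CanaryLedger:
    """Records which vendor each address was issued to and that vendor's own
    sending domains, so an unexpected sender can be attributed to a leak."""

    def __init__(self):
        self.issued = {}  # address -> (vendor, expected sender domains)

    def issue(self, vendor: str, sender_domains) -> str:
        addr = canary_address(vendor)
        self.issued[addr] = (vendor, {d.lower() for d in sender_domains})
        return addr

    def classify(self, raw_message: str) -> dict:
        """Attribute an inbound message: who got this address, and is the sender expected?"""
        msg = email.message_from_string(raw_message)
        to_addr = parseaddr(msg.get("To", ""))[1].lower()
        sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
        if to_addr not in self.issued:
            return {"issued_to": None, "sender": sender_domain, "verdict": "unknown-address"}
        vendor, expected = self.issued[to_addr]
        ok = any(sender_domain == d or sender_domain.endswith("." + d) for d in expected)
        return {"issued_to": vendor, "sender": sender_domain,
                "verdict": "expected" if ok else f"shared-by-{vendor}"}


# Constructed sample: an address given only to a car dealership, later used by a payment processor.
ledger = CanaryLedger()
DEALER_ADDR = ledger.issue("dealership", ["dealership.example"])
SAMPLE_RECEIPT = f"""From: Receipts <receipts@pay.processor.example>
To: {DEALER_ADDR}
Subject: Your receipt for 1 glass of wine

Thanks for your purchase."""
```

Calling `ledger.classify(SAMPLE_RECEIPT)` yields the verdict `shared-by-dealership`, which is exactly the anomaly the post describes: the address only the dealership had is now being used by someone else.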

Deniability = impunity
But the average person who receives something that is clearly spam, such as the Indiegogo promo I received, would have no way to tell where the spammer obtained their email address.  If challenged, Indiegogo could simply deny the breach came from them.  In my case I was able to narrow down the source of the breach to Indiegogo or someone in their ecosystem and they still disclaimed responsibility and failed to act meaningfully on my complaint.  I am still exchanging emails with them so this may change.

Indiegogo has already made $2k in fees off the campaign that was the subject of the spam email I received.  The 3rd party abusing my information expands the crowdfunding market and potentially earns millions in additional revenue for Indiegogo.  What incentive does Indiegogo have to disturb that relationship if the average user has no way to tell which 3rd party is playing fast and loose with their data?  There is practically no enforcement now, and any service that can provide plausible deniability to Indiegogo can continue to operate with impunity.  There is no enforcement agency who will take my report, and Indiegogo has not (so far) punished the campaign that benefited from the illegal sharing of my data.

Adding crypto to the mix
Crypto services like Qredo protect your data between two endpoints.  So let’s say that all of my communication with Indiegogo had occurred over Qredo.  At some point my information must be rendered in the clear so that it can be read and processed.  Indiegogo has to know something about who I am, process my payments, and provide my fulfillment information to the campaign owner.  If these vendors keep my data in Qredo I can trust that it will remain safe.  But what incentive do they have to do that when sharing it is much more lucrative?  The data must be rendered to plaintext for either party to use it, and once it is in the clear either party can share it.  This is the boundary against which all crypto-based privacy systems collide.

In other words, if a vendor such as Indiegogo reaps huge profits from a gray market in their users’ data, strong crypto cannot force them to change these practices.

Part of Square’s value proposition is that they get better at populating your data fields over time and then provide that data to their customers (your vendors) when you transact.  A pure Qredo payment would be anonymous, but for Square to adopt Qredo for payments would require them to forgo all the personal data and the value they derive from reselling it, which would make them much less profitable.  For that reason, Qredo is more likely to displace Square than to enhance it.

Similarly, the business model of all the current crop of crowdfund campaign management services depends on accumulating data on you over time and across different crowdfunding platforms.  Neither Indiegogo nor Kickstarter knows about my transactions on their competitor’s site, but at least one 3rd party has tracked my contributions from both sites.  Each time that vendor facilitates my transaction in a new campaign, their service becomes more valuable to campaign owners, Indiegogo and their investors.  If they were to switch to Qredo it would help me tremendously, but it would also deflate their entire 3rd party market for my data.

No breach is too large to investigate
On the one occasion where I discovered a provable breach of my data, I was able to report it.  A 3rd party who manages retirement funds in the US had misconfigured their email server and it sent a PDF document to me that contained my social security number and the account number for my life savings.  This was received in the clear over email, which of course I reported.  While working the complaint on the phone their sysadmin mentioned that it had happened before and had been broken for at least a month.  The company’s web site describes them as the largest firm of their kind in the US, so it stands to reason that a misconfiguration on their email server will have affected many people over the course of the month.

I reported this to the North Carolina Attorney General’s office, who followed up with the vendor.  The vendor responded that the scope of the breach was one person – me – and the NCAG closed the case.

There is an asymmetry involved such that a breach involving millions of records is taken seriously.  The NCAG lacks either the resources or the inclination to investigate the breach I reported to see how many North Carolina citizens were actually affected, especially since neither I nor apparently anyone else was reporting a loss as a result.  Unfortunately, there is a corresponding asymmetry in that if a loss occurs due to this event it isn’t constrained to the limits of my unsecured credit.  It is my life savings being placed at risk.

The result of these incentives is that our enforcement agencies are more inclined to investigate when there are large numbers of small losses, even if those losses are covered by the credit card issuers and consumers are at most inconvenienced.  However, enforcement agencies have no interest in the kind of breaches that result in catastrophic losses to a very few people.  That is wrong and the risk only increases as we continue down our present path of digitizing everything.

Conclusions
We have laws and policy today that govern what the data custodians and 3rd parties can do with our personal data.  That these are clearly ineffective is driving the demand for better crypto and why I’m working on Qredo.  But crypto mostly addresses the threat of unintended disclosure either through carelessness or to hackers, eavesdroppers, and active tracking.

Crypto does not address the threat that a trusted, legitimate custodian of your data intentionally betrays your trust.

In my position as a security consultant, the abuses I see most are of this kind.  I have never seen a malicious breach of WebSphere MQ but I see countless cases where a vendor fails to protect your data or sells it under questionably illegal conditions.  I suspect the damage inflicted on us by authorized sharing and reselling of our data is far worse than that inflicted by what we currently categorize as cybercrime.  Unfortunately, we are largely ignorant of how big this problem is because nearly all contemporary news accounts focus on data breaches by unauthorized parties with malicious intent.  That these were unauthorized disclosures makes the malicious intent sound scary.  As a result, these reports tend to overshadow the problem of data lost to authorized entities, despite those parties acting with equally malicious intent.

This is not solvable with technology.  We need new policy and law that addresses these issues.

  • First parties need to be held accountable to disclose the 3rd parties they use to process your data.  (i.e. I should have an enforceable right to request the name of the 3rd party using my Indiegogo information.)
  • First parties should be held accountable for monitoring for data loss, for example using honeypot accounts.  (i.e. Indiegogo should have known before I reported it what was going on.)
  • First party revenue generated by illegal sharing should be restricted or prohibited.  (i.e. Remove the profit incentive to ignore bad actors in secondary and tertiary markets.)
  • The 3rd parties need to be held accountable for transparency, opt-in and to abide by the TOS of the 1st parties who shared the data. (i.e. The crowdfunding service company and Square should both upgrade to 1st party status by allowing me to opt-in.)
  • Individuals should be able to report vulnerabilities before a breach occurs and have the reports taken seriously.

Legal and quasi-legal abuse of your data is rampant and infringing companies have little incentive to stop.  Software such as Qredo will help to address unauthorized access and so make privacy on the whole a lot better, but it will also make it more difficult to address issues of authorized users disclosing your data improperly since these instances will be harder to find and prove.

We will need to find the political will to establish policies and laws for the preservation of online privacy while we still have a cultural memory of what privacy used to be like, and we’ll need to do that sooner rather than later.

Comments

  1. Hello T.Rob, how do you rate the technology / product of Qredo please?

    • I’m not in a position to rate it at this point. The original designs I saw were sound and vetted by myself and a team of experts. I was convinced enough in what I originally saw to devote almost a year of my life to the project.

      But however good the design, the trustworthiness of the product depends on the implementation and I have no details on that. On the one hand, they had a really smart team capable of implementing almost anything you could throw at them. On the other, they switched from an independent email provider in a privacy-friendly jurisdiction to Microsoft Office 365 after I left.

      There are reasons to believe it might have gone either way. I hope some version of Qredo makes it to my phone so I can try it out eventually, but I’ll want to see some independent validation that what was built lived up to the prototype before I entrust my digital life to it. Let’s say I’m “cautiously optimistic” about Qredo at this point.
