This all started with the Guardian, they put an article there that connects directly with the last two articles and that is why I decided to take a look. It also directly connects to me with my Data skills and as such I thought it was a good idea to look at it. So the article ‘You aren’t as anonymous as you think‘ (at https://www.theguardian.com/world/2018/jul/13/anonymous-browsing-data-medical-records-identity-privacy) is not a consideration, it is an absolute truth that goes back to the ages of Windows 3.1. All these users thinking that you cannot be found, and that you are invisible online. That was never a truth. Yes, you can hide, you can deceive people on location, but in the end you leave data behind. So when the article treats me to “Names and other identifying features were removed from the records in an effort to protect individuals’ privacy, but a research team from the University of Melbourne soon discovered that it was simple to re-identify people, and learn about their entire medical history without their consent, by comparing the dataset to other publicly available information, such as reports of celebrities having babies or athletes having surgeries“, I was not at all surprised. If data can be aggregated, to some extent that data can also be reversed. The mere consideration of ‘comparing the dataset to other publicly available information‘ makes it happen. It goes even further when you consider not publicly available data. For example data on those watching a YouTube video, data from supermarkets (loyalty programs) and there are dozens of them. The amount of people who are connected to no less than half a dozen of them is staggering. Now consider the data in places like Facebook and you have a setting to create wires, each wire a person and a system fast enough to extrapolate dozens of wires a second, 85,000 people identified a day. You might think that this is nothing, but this new database is only growing adding more and more public data to it every second. Even if we start now, within a year 31 million people would be identified, categorised and classified. It will grow faster after that, actually the growing of that dataset is only a dozen a second in the first day, it already accelerates soon thereafter and this has been going on for close to a decade at the very least.
The text that follows: “This privacy nightmare is one of many examples of seemingly innocuous, “de-identified” pieces of information being reverse-engineered to expose people’s identities. And it’s only getting worse as people spend more of their lives online, sprinkling digital breadcrumbs that can be traced back to them to violate their privacy in ways they never expected” is true but a little fear mongering in nature. You see, it only matters when you put your life online. I saw this danger and the reality of it well before 2003, so I never allowed for internet banking, EVER!
There were issues with the X.25 protocol for a long time, my bosses then called me crazy, the flaw in the defence computer found in 1981 was ignored, people told me that I had no clue because I was not educated (with two graduates and a master I would oppose that nowadays, but then I could not). So when I saw the presentation recently by Raoul Chiesa (Telecom Security Task Force) I found the pieces that I never had in those days. His quote “We encountered a huge number of breaches on tested infrastructures, usually getting access via the main X.25 link. More than 90% was insecure“, that is the smallest part (here), so today I take my anger out on two Lt’s and a Major then were eager to belittle me and call me dumb whilst removing me from access from a system that I tried to warn them about (I held thus grudge since 1981). At the Dutch Defence Ministry, the payment systems were used to keep track of it all, it was a mere customer support function. It was fun for a month, and then I considered (and tested) the flaw. Even as there was a boss and he had a keyboard with actual keys to unlock certain options (like the keys of a lunchbox), but it was merely a charade. I learned that the system had a flaw. It was possible to get the down and out of every officer in no time, especially if they had loans. There was the flaw, and when I tried to warn someone I was muzzled and send to the basement to clean out the archives (which gave me access to a lot more). So when we see the data setting, there is a lot more going on because if someone figured out the how to get into one system, they can get into a lot more systems.
In this specific case I learned that the system was only for those following the menu rules. Yet when you press ‘SYS REQ‘ you get a blank screen, even as this was not new, knowing that one program gets you into the main screen, the people were able to get into ANY part because security was not monitored to the extent it needed to be (good old IBM), so even as you get into the system, by entering “MDET 2710” I got a new blank screen, but now with the cursor almost in the middle, I have found the loans system. So by entering the registration numbers of soldiers, when there was a loan, there would be numbers and now there is an issue, because when you know there are debts, there are issues and weaknesses. I always suspected that this was how some officers had been gotten to, but I was the idiot and quickly send away.
Now consider the fact that X.25 is still in use, that there is still a use for it (attached document) and now consider that page 19 gives the Australian defence prefixes. Now also consider that prefixes are not that secret. Now switch to page 40, where we see the assessment of Raoul telling us (unverified) that 1% of the top 1000 companies are ‘not penetrable‘, this now gives us that the top 990 companies that still have X.25 links are indeed optional data sifts.
It is that bad!
Getting back to the article we see the setting where we are confronted with “In later work, Sweeney showed that 87% of the population of the United States could be uniquely identified by their date of birth, gender and five-digit zip codes“, depending on the country it can get a lot worse sooner. You see, the Netherlands has a well-designed postcode (very postman friendly) so the 4 letter code gets you to the near location, the two letters that follows can get you to within a 10 house distance; that alone could offer the setting of identification sooner. But the clarity should be there, a zip code and a birthdate is all you need. Now, tell me how often have you filled in some voucher for a great deal and you got a massive discount? Did it include your zip code? Well, the credit card will most likely have sealed the deal uniquely identifying you to an amazing offer and from there you are now the direct target for targeted marketing and other offers. This does not need to be a bad thing, because the more 40% discounts you get, the better your quality of life looks, yet now that it is linked to a bank card or credit card also means that optionally EVRYTHING purchased after that can be linked to you too, now we get a spending pattern, we get products and services you need and want, giving those offering it a setting where they can optimise how much you get to spend (by varying services and costs). This also links to “Yves-Alexandre de Montjoye, a computational privacy researcher, showed how the vast majority of the population can be identified from the behavioural patterns revealed by location data from mobile phones. By analysing a mobile phone database of the approximate locations (based on the nearest cell tower) of 1.5 million people over 15 months (with no other identifying information) it was possible to uniquely identify 95% of the people with just four data points of places and times. About 50% could be identified from just two points“, there we get the next tier, because any additional tier gets the owner more clarity on you as a person and what you aim for (what you desire). Where you are, when you were there and why you went there. Now, a lot of this is still a stretch, because you go to work and you lunch and shop around the office to spare time. Yet that is not a given in the weekend is it and that data set grows and grows.
You might wonder why this matters.
It might not for you, you might not notice but having the needs of 3 million people in London mapped also implies where the good deals are and where true profit can be found. London is perhaps the best evidence as it is so choc-a-block full. So when you are interested in setting up a building anywhere in London is a good place, yet when you know where the spending sprees happen, you can also tell where they are much lower and the latter is the place you do not want to build. It could set the profit margin up by close to 10%, not merely in value, but by starting somewhere and the plots are sold before the building is finished, that is a hell of a lot o margin to play with. The other side is equally happening. Consider that all your activities are known, how much is a health insurer willing to pay for access? Evidence that shows a person to be a 15% larger risk factor, what will his or her premium be like in the end? Consider: ‘Insurers have to tell you why they’ve ended your coverage‘, so we accept that, but what are the chances that we get to hear the truth? They might have told you that you falsely claimed that you were a non-smoker, but is that actually the real reason?
The next quote is a little silly, but it was Apples finest hour, so I cannot deprive you of it: “Even if location data doesn’t reveal an individual’s identity, it can still put groups of people at risk, she explained. A public map released by the fitness app Strava, for example, inadvertently became a national security risk as it revealed the location and movements of people in secretive military bases“. Yes that is one option, it was a certain lack of common cyber sense from the military side of things, but not the worst, when you combine the X.25 issue, sniffers and military locations, it becomes easier to identify logistical targets, yet that is not the issue, it is the data that matters. When you figure out what goes where, you get the setting that data in transit is no longer as secure as we once thought it was, so as data is cloned in transit we lose even more. Oracle stated in one of their papers “Enterprises are concerned about the lack of control on the data in the cloud due to on-going data breaches, lawsuits, government/regulatory agencies involvement, the volume of the data being generated by hundreds of applications and the related components“, it is not merely that, it is the factual setting where data is trusted, and too often to what we might consider is the wrong party.
Wired gave us that with: “Like any industry, there are many newcomers that give the reputable cloud solution providers a bad name. These companies are poorly financed, staffed, and resourced. They are traditionally an IT solution provider who has installed some server in a data center and called it a cloud. They are not security experts, and have poor security measures in place“, that is part of the problem, we cannot tell one apart from the other and they are all on LinkedIn trying to grow their business. A valid step to take, but how can we differentiate the wheat from the chaff? That is the first issue already and we haven’t even started to keep data safe. You think that people would employ common cyber sense in keeping safe, but no, the bosses tend to go for the good deals, the ones that are on special and when they get one they let you sort it out after data was transferred, that is the cold reality of corporations.
And when it is set up, there is always one employee stupid enough to think that some mails were specifically for them and when they look at the present it is a mere cool meme, after which they have given access to the outsider, including their cloud account. That is the cold light of day in this. So the alarm clock is not there to wake you up, but to tell you that you have been asleep and things are already moving from bad to worse.
And it is not over; the large companies are still at it. Consider the headline ‘Apple Rebuilding Maps App, Hopes to Outperform Google‘, you would think that they would give up and merely use Google Maps, but the reality is that the data coming from 800 million iPhone users is just too much not to get. The business intelligence value alone goes deep into the billions and there we see it, we will connect to one or the other, but we will connect and let others collect data on activities and events, completing the picture of every unique user that is online. The fact is that if it all was secure it would not be a big thing, but there are two flaws in that thinking. The first is that free services are never free, Apple is not wasting a billion dollars on a solution that is merely a free service, for every million invested, they expect between 3 and 4 million in return. The second flaw is that whilst you think that apps are secure, they are not. Let’s be fair, most merely want to write a cool app that has fans and makes them some coins, 99% of these developers are all like that and that is a good thing, but when the system is flawed, issues happen and we are caught in the middle, whilst all our details go everywhere. Some do it intentionally through Facebook, some do it without knowing what they are doing, they are introduced to the impact down the line.
That is how it crumbles and the people need to become Data Aware and have a better Common Cyber Sense more and more, because the response ‘It was just on my own computer‘ no longer holds any water when it comes to defending your online actions.
There is one part in the article that I do not agree with. It is the part: ““One of the failings of privacy law is it pushes too much responsibility on to the consumer in an environment where they are not well-equipped to understand the risks,” said Johnston. “Much more legal responsibility should be pushed on to the custodians [of data, such as governments, researchers and companies].”” I only agree in part, the fact that data is collected needs to be revealed from the start and it is ‘opt in’ only! That means that if the customer disagrees, no data is to be collected ever. Yet many will not like it because the unwary user is the treasure trove they all want. I do not believe that we can allow for the ‘not well-equipped to understand the risks‘, like a car, a plane and a shotgun, usage can be socially fatal and have long lasting considerations.
If you did not want to learn, then do not use it. Additional responsibility is to be placed on the custodians regardless, but leaving the consumer in the country of ‘no man’s land’, in the city of ‘never accountable’ is also no longer acceptable form my point of view. The ‘figuring it out‘ time has gone. The impact is too large to remain on that route and there is enough evidence to show it.
My last ‘disagreement’ is with the end quote: “Privacy is not dead. We need it and we’re going to get there”, it is optimistic and I love it, but it is not very realistic.
In the online world: “Privacy is optionally public domain. Getting somewhere eager is to become a member of the public domain charter and that population already surpassed a billion and still growing every minute“.