« Motly Python: A "Hacker Madness" Script | Main | WASL: Personal Information Gathering Using Domain Name Registration Records »

Wednesday, 07 August 2013

Metadata or Content: NSA is not the only data collector you should fear

The PRISM and other surveillance projects have raised public awareness of the extent to which NSA in the US – and similar agencies worldwide – conduct surveillance or collect metadata associated with individuals’ communications.

While security agency or law enforcement activities capture international attention, we ought to be equally wary of data collectors other than these. If security agencies are the devils we know, commercial data collectors are truly the devils we don’t know.

We come into contact with them every day. They gather not only metadata but content as well, often with little or no disclosure of what data they collect, how they use or store the data, or with whom they share. And we willingly – if unwittingly – consent to them doing so!

In most daily encounters where our metadata or content is collected or shared, we have little or no clue about who the data collectors are.

The majority of users don’t ask questions each time they agree to a Terms of Service, subscribe to a forum, or download an app. Seriously, do you know:

  • Who develops the apps you downloaded? The games you play on Facebook? The forums you join using your Twitter or Facebook account?
  • Have you ever investigated who funds them? What country they operate from?
  • Do you know what uses the social media or web site host makes of profile information you obligingly offer when you sign up?
  • Do you take note of what metadata or content they will collect as a condition of use?

Metadata or Content?

If you are confused over the difference between metadata and content, the brief answer is that metadata are data that describe your activities, such as the phone calls you make, the people or businesses you call, and the dates, times and duration of your calls. Content is your conversations. These same distinctions apply for email, surfing, or watching movies over the Internet.  Privacy by Design published a very thoughtful and thorough report explaining metadata versus content; do read it.

Read the Fine Print

Each time you authorize an app or game using a social media account, take time to know what metadata or content you are committing to share.

Each time you use a social media account to log in to comment or engage in a forum, read the challenge.  

Let’s consider what we see:

Leakagelesson
Click to enlarge
Social engineering or Notice and Consent? Notice and Consent is a good thing. How Notice and Consent is phrased may be important as well. Look carefully at the entire notice before you consent. Is the data collector’s claim that they won’t see your password or post messages for you a disclosure or is it an attempt to persuade you that “it’s OK” or distract you from the fact that they will be able to read tweets from your timeline but haven’t disclosed what they will do with them, i.e., will they grab your tweets and use them in endorsements based on your “consent”? Is the positioning of the button “Play Game” for convenience or is it optimized to exploit impulsivity? 

Farmvill
Click to enlarge
Your choices will affect your friends.  If a data collector is asking access to your friends or contacts lists, it’s a safe bet that they will be targeted for advertising or solicited to “join in” (and perhaps with “your” recommendation). This works both ways: think about how their choices will affect you. This is repetitively obvious on Facebook, where apps relentlessly hound you to sign up – often, because your friend Likes them.

Criminal actor data collectors love “Public.” Sharing to “public” promiscuously (i.e., your profile, all your posts and activities) exposes you to spammers or scammers who are just as voracious for your metadata or content as commercial data collectors. The more criminal actors can collect about you, the better they can impersonate you and spear-phish your friends, family, or colleagues

Don’t be a threat to your own privacy

In an earlier post, I explain that there are only three true threats to Internet Privacy: public sector actors (e.g., governments), private sector actors (data collectors, legit or criminal), and you. While recent events suggest you have less control over your metadata or content than you imagined, you can avoid self-inflected wounds. Read the fine print. Know the devils.

 

Posted at 03:37 PM in All matters security, Anti-Malware and Anti-phishing |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories