I was speaking with my wife last night about the impending bill that allows Internet Service Providers (ISPs) to gather information about the browsing habits and behavior of their customers, and then sell that information to third parties. I told her that we needed to get a Virtual Private Network (VPN) service to encrypt our internet traffic and deny our ISP the treasure trove of information they could gain from us. Her response surprised me. She asked what use it would be to use a VPN if most consumers did not and simply carried on as they always had. After several attempts to convince her that my priority rested on protecting the privacy of our own family, my wife asked how making such an effort would actually solve the problem.
I was at a loss for words at that point, a fact that was probably very evident to her. She then continued by saying that I should pivot my privacy evangelism outward and explain the same to others, as most people will not know enough about the situation to actually care. This was a severe gut check, seeing as most of my writing and speaking over the last few years has centered on breaking information security concepts down in a way that makes users understand and care about the consequences of their digital actions. By only thinking about finding a technical solution to my own problem, I was doing nothing different from organizations that implement user behavior analytics (UBA) to combat insider threats instead of taking the time to ensure that their employees are effectively trained. While UBA can be an excellent complement to user awareness training, it should never be a substitute, as it does not actually solve the root problem.
Thus – this article is my response. Just like my wife, most people are very willing to give up their own privacy in order to more easily access the apps and websites that they frequent. How many people freely hand over their personal information to the world through Facebook, Tumblr, Twitter, Instagram, and countless other social media outlets? After all, what do they have to hide? Anyone can follow them around the grocery store to see what they buy on a regular basis (Note: this is already done digitally, which is another topic completely).
The important thing to understand here is that it isn’t just about what you are “Googling.” Other information is harvested too: the order of websites you visit, how much time you spend on each one, what you buy online, which social media sites you use (which in turn points them to the information you freely post there, as noted above), which internet-connected applications you use, what types of devices you have connected to the internet and their software versions, which usernames you frequently use, and so on. Much of this is visible even when the site itself uses HTTPS, because your DNS lookups, the server names your browser connects to, and the timing and volume of each connection are not hidden from the network that carries them. While we pay for access to the internet, most of what we use on it is free. I heard someone on one of the securityweekly.com podcasts once say something to the effect of “if the product you are using is free, you are the product.”
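To make that list concrete, here is an added example (my own illustration, not code from the original article) that reconstructs a browsing session from the kind of metadata an ISP sees on its own network: DNS queries, TLS server names, connection times and byte counts, plus the odd plaintext HTTP request. Every record, hostname and User-Agent below is constructed for the example (all names end in .example), and the OS hints are a deliberately crude heuristic, not a real fingerprinting technique. The `through_vpn` function shows what is left once all traffic is tunneled, and what comes back if DNS is still sent to the ISP resolver.

```python
"""Rebuild a browsing session from ISP-visible metadata.

All flows here are constructed for this example; nothing is captured
from a real network. The point: even with every page over HTTPS, DNS
names, TLS server names (SNI), timing and volume reveal the order of
sites visited, the dwell time on each, and the device in use.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float          # seconds since the session started
    kind: str          # "dns" (query), "tls" (SNI seen) or "http" (plaintext)
    name: str          # queried name, SNI host, or HTTP Host header
    nbytes: int = 0    # bytes transferred in this flow
    extra: str = ""    # plaintext User-Agent for "http" flows, else ""


# Constructed sample: one household IP browsing for about six minutes.
SAMPLE = [
    Flow(0.0,   "dns",  "www.bank.example"),
    Flow(0.2,   "tls",  "www.bank.example", 48_000),
    Flow(95.0,  "dns",  "forum.example"),
    Flow(95.3,  "tls",  "forum.example", 310_000),
    Flow(96.0,  "http", "ctldl.windowsupdate.example", 1_200,
         "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),   # background update check
    Flow(240.0, "dns",  "social.example"),
    Flow(240.4, "tls",  "social.example", 2_400_000),
    Flow(370.0, "tls",  "social.example", 150_000),
]

# Assumed, deliberately crude OS hints (substring -> label). Real device
# fingerprinting uses far more signals; this is only to show the idea.
OS_HINTS = {"windows": "Windows", "apple": "macOS/iOS", "android": "Android"}


def _sites(flows):
    """Sites in order of first contact, with first-seen time and total bytes."""
    seen = OrderedDict()
    for f in flows:
        if f.kind not in ("dns", "tls"):
            continue
        entry = seen.setdefault(f.name, {"first": f.ts, "bytes": 0})
        entry["bytes"] += f.nbytes
    return seen


def reconstruct_session(flows, session_end=None):
    """Return [(site, dwell_seconds, bytes), ...] in visiting order.

    Dwell time runs from the first contact with a site to the first contact
    with the next site (or to session_end for the last one)."""
    if not flows:
        return []
    if session_end is None:
        session_end = max(f.ts for f in flows)
    sites = _sites(flows)
    names = list(sites)
    out = []
    for i, name in enumerate(names):
        start = sites[name]["first"]
        end = sites[names[i + 1]]["first"] if i + 1 < len(names) else session_end
        out.append((name, round(end - start, 1), sites[name]["bytes"]))
    return out


def device_fingerprint(flows):
    """Guess the OS from plaintext User-Agents and tell-tale hostnames."""
    agents = sorted({f.extra for f in flows if f.kind == "http" and f.extra})
    os_guess = "unknown"
    for f in flows:
        for hint, label in OS_HINTS.items():
            if hint in f.name.lower() or hint in f.extra.lower():
                os_guess = label
                break
        if os_guess != "unknown":
            break
    return {"user_agents": agents, "os_guess": os_guess}


def through_vpn(flows, vpn_host, dns_leak=False):
    """What the ISP sees once a full-tunnel VPN is in place.

    Every flow collapses to the VPN endpoint and DNS is resolved inside the
    tunnel. If the client still sends DNS to the ISP resolver (dns_leak=True),
    the queried names stay visible and most of the benefit is lost."""
    out = []
    for f in flows:
        if f.kind == "dns":
            if dns_leak:
                out.append(f)
            continue
        out.append(Flow(f.ts, "tls", vpn_host, f.nbytes))
    return out


def visible_names(flows):
    """Distinct hostnames the network can see in these flows."""
    return sorted({f.name for f in flows if f.kind in ("dns", "tls")})


if __name__ == "__main__":
    for site, dwell, nbytes in reconstruct_session(SAMPLE):
        print(f"{site:32} {dwell:7.1f}s {nbytes:>10,d} B")
    print("device:", device_fingerprint(SAMPLE))
    print("via VPN:", visible_names(through_vpn(SAMPLE, "vpn.example")))
    print("via VPN, DNS leaking:",
          visible_names(through_vpn(SAMPLE, "vpn.example", dns_leak=True)))
```

Two things worth noticing when you run it: with the tunnel in place the ISP still sees when you were online and how much you transferred (timing and volume are not hidden by a VPN, only moved to the provider), and with a DNS leak every site name reappears even though the page traffic itself is encrypted.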
Google, Facebook, and several other vendors have been using your behavior and information for years to generate income. I’m not saying that we need to pull out our aluminum foil hats; that is simply their business model. We do, however, have control over how much information we make available about ourselves, our families, and our employers.
Several companies are currently looking into using user behavior in their multifactor authentication solutions. By knowing where you are, how you use your device, and what you use it for, they can generate a digital fingerprint that does a very good job of identifying and authenticating users. This isn’t simply an idea for fantasyland; it is being used today and it works. Behavioral authentication is likely to become the replacement for passwords and other weak authentication methods. Now let’s get back to the topic at hand: all of the information that behavioral authentication technologies rely on will be freely available to your ISP (and to anyone they sell it to). Data that can authenticate you is, by definition, data that an attacker would want.
This may sound like fear, uncertainty, and doubt (FUD), but common knowledge about you can be put to more practical uses as well. Whenever you try to recover a forgotten password from your bank or almost any other website, you are asked a set of security questions. How many of those could be answered by observing your online activities? Better yet, what if that information could be used to get into your email, which is where every other account’s password reset lands? On top of all this, I have not yet seen any requirements for protecting the data that an ISP collects on you, whether or not they plan on selling it.
Finally, I would be irresponsible if I did not at least provide a few solutions to this problem. Some examples of relatively inexpensive and easily configured vendors can be found in this article, and countless more are popping up every day in response to this concern. Whichever you choose, confirm that the client tunnels all traffic, including DNS; if your DNS queries still go to the ISP’s resolver, the ISP still sees the name of every site you visit. Bear in mind, too, that a VPN moves the trust from your ISP to the VPN provider rather than eliminating it, so read the provider’s logging policy before you pay.
If you have any questions, please do not hesitate to leave a comment. We can be the change we want to see in our lives – we just need to understand the need for it.
Steve Higdon has been working in the information security field for over ten years, providing support and consultancy to both public and private sector organizations. Steve can be reached via email at firstname.lastname@example.org and on Twitter at @SteveHigdon.