The great “Anonymous Data” farce

When we share our data on social media and the Internet in general, the privacy policies of most online platforms assure us that our information will remain anonymous. However, an investigation recently conducted by The New York Times into the tracking of the Capitol assailants revealed that it is very simple to identify and geographically locate any person through their cell phone by means of mobile advertising.

How Exposed is Our Data When Connecting to the Network?

By: Gabriel E. Levy B.

www.galevy.com

Through an investigation recently conducted by The New York Times, the journalists in charge of the investigative unit managed to obtain a list of data related to the mobile devices of the alleged assailants who had forced their way into the Capitol in Washington [1].

The information gathered by the journalists contained neither names nor specific data of the owners of the devices they used, but a collection of advertising identifiers, designed to allow large companies to send personalized ads. In other words, they obtained the same information normally obtained by large advertising agencies and companies for their ads.

Supposedly this data is anonymous, but the investigators combined it with other public databases and, in a matter of seconds, obtained the real names, addresses, telephone numbers and e-mail addresses behind the supposedly anonymized data they had been given [2].

According to the description published by the journalists, obtaining such information did not require any effort: it was a simple exchange of databases, something that anyone with the same information could have done. This shows that, contrary to what social platforms claim, any advertiser could determine the destination of advertising and obtain sensitive personal data with complete certainty.

“They are supposed to be anonymous and smartphone owners can reset them or disable them altogether. Our findings show that the anonymity promise is a farce”, The New York Times [3].

Using the available information, the newspaper's researchers plotted the movements of the different assailants in a video; the assailants had, of course, been completely identified through the cross-referencing of information. The video highlights how easy it is to geolocate individuals simply through their cell phones.

The newspaper revealed the story of one user, whom the data collected places inside the Capitol, but he claims he was not at the riot. This information could eventually be used as evidence by the police for prosecution.

Another published finding is that approximately 40 percent of the phones tracked near the riot scene on the National Mall during Donald Trump’s speeches were also found in and around the Capitol during the siege, a clear link between those who had listened to the president and his allies.

“Thinking that information will be used against people only if they have broken the law is naïve; this data is collected and remains vulnerable to use and abuse, whether people are gathering in support of an insurrection or justly protesting police violence. Neither of these data should ever have been collected”, The New York Times [4].

The same newspaper had already reported in 2019 that it had managed to efficiently track the data of millions of people using a similar technique, identifying, for example, the sites frequented by celebrities.

“In 2019, a source came to us with a digital file containing the precise locations of more than 12 million individual smartphones over several months in 2016 and 2017. The data is supposed to be anonymous, but it is not. We found celebrities, Pentagon officials and average Americans.

“It became clear that this data — collected by smartphone apps and then fed into a dizzyingly complex digital advertising ecosystem — was a liability to national security, to free assembly and to citizens living mundane lives. It provided an intimate record of people whether they were visiting drug treatment centers, strip clubs, casinos, abortion clinics or places of worship”, The New York Times [5].

The Unfulfilled Promise of Data Anonymity

It is no secret that being connected to the Internet through any type of device necessarily implies generating information flows and footprints. Every search, every chat, every video uploaded or played, every written text, every published photo, every generated sound is an information footprint, which when added and consolidated with those of millions of connected users produces a wide cloud of information known as Big Data [6].

Big Data allows the consolidation of generic information about events on the Internet; for example, how many millions of people are searching for news about a soccer match, a live event, a last-minute fact or a cooking recipe. Such information is analyzed to yield global trends of great use to companies and the media. But, at least in theory and so far, this information should not be individualized.

Additionally, it is necessary to remember that Big Data regulatory standards prohibit the information collected from being used to identify people individually and thus learn about their tastes, transactions and communications [7].

Despite legal and regulatory protections, the possibility of users’ private information on the network being compromised spans a wide spectrum of risks, ranging from the device (e.g. smartphone) and the operating system (Android, iOS, Windows) to the software and the apps used for multiple functions (games, social media, tools, etc.). All these elements could eventually serve to share users’ private information with their central servers. Although this is a crime in almost all countries, it is very complex for the authorities to control.

The Backdoor Danger

In an interview with the BBC in the UK, the American expert Suzanne Spaulding, who worked as an IT security consultant for the US Department of Homeland Security, explained how the security agencies of the world’s major powers use the so-called backdoors of smartphones to obtain sensitive information without users’ authorization. She used the metaphor of a castle to explain the risks of these backdoors [8]:

“You build your castle, dig the moat around it and put all your guards to protect it, all of them ready to defend the castle against any adversary, but someone inside the castle built a tunnel and has hidden it. That would be a backdoor”, Suzanne Spaulding [9].

Backdoors are special code that can be hosted in the firmware (the default software used by the hardware), in the operating system or in applications, and that can breach the combined software and hardware security of any device, bypassing controls without leaving a trace.

In 2013, Edward Snowden, a CIA security analyst, revealed how the National Security Agency (NSA) had access to the backdoors of multiple types of technologies, including Facebook, Google, Microsoft, and Yahoo, by intercepting communications using software called Prism.

In the particular case of Huawei, U.S. security agencies have been alleging that the Chinese government has access to a “backdoor” in some Huawei and ZTE devices sold worldwide, which would give it unlimited access to the private and public information of millions of people around the world. According to the evidence provided by Snowden, this would be the same thing the U.S. government does through companies in its own country.

Last year, hundreds of Google employees marched in response to the signing of an agreement called “Maven” between the technology company and the U.S. Department of Defense, which was intended to improve the accuracy of U.S. military attacks. The agreement raised the suspicion of many skeptics around the world, who doubted the purpose of the project, as it could be a covert agreement to facilitate spying through Google’s available technology.

Not Only Governments and Large Corporations Spy

Although there is a clear risk of users’ privacy being compromised by global military, commercial, geographic and political interests, the main leaks do not come from governments but from hackers who use malicious software to access and steal sensitive information, damage computers, steal banking information and make fraudulent transactions, among many other illegal activities.

According to Kaspersky figures, a malware attack occurs worldwide every 12 seconds.

Another possibility, much more disturbing than eavesdropping by the CIA or the Chinese government, is that the information stolen from our devices is used by criminals for extortion, as happens with “ransomware”, a practice whereby hackers hijack a device, encrypt the information and then demand a ransom for it. Even worse, the stolen information may be sold to third parties, especially when it is corporate information that can be sold to competitors.

In conclusion, as a recent New York Times investigation has shown and as experts have been denouncing for many years, the promise that our data remains anonymous in the Big Data network is a fallacy in many respects.

Technology companies such as large advertisers can easily identify every user connected to the network, governments may spy on us through the backdoors of our cell phones, and hackers do business with our information.

All of the above demonstrates that privacy security and regulation are in their infancy and that there is an urgent need for regulatory intervention by global authorities to defend the interests of users and protect one of the most valuable assets of Western democracies: citizens’ right to privacy.

Photo: Glen Carrie on Unsplash.com

[1] New York Times article on the research conducted

[2] New York Times newspaper post on Twitter

[3] New York Times article on the research conducted

[4] New York Times article on the research conducted

[5] New York Times article on the research conducted

[6] Oracle article on Big Data

[7] Academic Article: Big Data, Privacy and Data Protection

[8] BBC article on Smartphone backdoors

[9] BBC article on Smartphone backdoors

[10] BBC article on Edward Snowden’s revelations

[11] Quora article on backdoors used by China

[12] BBC article on the Maven project

[13] Kaspersky analysis on network security and hacker attacks

Disclaimer: The published articles correspond to contextual reviews or analyses on digital transformation in the information society, duly supported by reliable and verified academic and/or journalistic sources. The publications are NOT opinion articles and therefore the information they contain does not necessarily represent Andinalink’s position, nor that of their authors or the entities with which they are formally linked, regarding the topics, persons, entities or organizations mentioned in the text.