Recently, I have attended a number of events and listened to some wonderful technical minds explaining to me how various new technologies are configured to exfiltrate (by default) significant data; both user and device generated, and send it back to the suppliers and partners of such technology. It's not just smart phones and tablets but increasingly everything from washing machines to robot dolls and from smart TVs to CCTV.
The reason given by technology vendors for doing this is that it helps them to develop better solutions. However, many believe the actual reason to be that, once aggregated, this data can be monetized in many different ways to give the technology companies and those to whom they sell the data, significant market intelligence and significant revenue. Essentially, it is a major money spinner and increasingly the main reason why many technology vendors are in business.
At present, there seems to be almost a feeding frenzy in the tech vendor marketplace to deliver very basic technology, with little real utility, in a shiny case (albeit too often appealing to children) and at a seemingly ridiculous price point, just so they can harvest as much personal data as possible which can then be sold on to marketeers, advertisers, insurers, governments, etc.
Exfiltrated data can include user credentials, location data, user inputted content, recorded content (audio and video), and literally anything the device is capable of collecting. All of this being sent back automatically to enable the vendors to create big data sets that can be mined and monetized.
So how different is this method of data exfiltration when compared to those methods used by hackers?
Certainly, hackers seem to be more targeted on the types of information they wish to steal, although often they also wish to aggregate large data sets to sell on in marketplaces that exist in on the Dark Web and other anonymised networks.
Additionally, the hackers have not "legitimized", their activities by asking the user to legally agree to the exfiltration of data; essentially hackers are often acting outside of the law of many jurisdictions. I mention this only because, whilst it is fact, most end users I speak with consider the legal agreements used by tech vendors to be highly confusing, complex and purposely voluminous such that to read, understand and willingly consent to the exfiltration used would be simply too burdensome and beyond the capability of most end users. This "psuedo-implied" consent is the legal mechanism the tech vendors hide behind when seeking to legitimize their activity.
After that however, the difference between the two actors becomes less clear. Both parties wish to take and use the data for the purposes of making money at low cost. Both parties seem to want to rely on varying degrees of stealth in order to hide the knowledge of the extent of their exfiltration activities from the end user.
I often hear the tech companies explaining that their need for this data is so that they can continue to develop cool technologies and whilst this can clearly be argued, one may also question why innovative thinking seems only to be stimulated as a result of such activity. When I bought my cool tech I could have sworn that I paid quite a hefty sum for it. Clearly that's not enough to remunerate the greedy vendors.
From a data security standpoint this exfiltration only serves to significantly complicate the protection of end user and business data. It makes our jobs as information security professionals ever more complicated and the costs of data security also rise. Security monitoring systems, seen by many as the only remaining method for detecting and (sometimes) preventing breaches, now have to differentiate between these two exfiltration actors. What data exfiltration is agreed and and what is not? Who is friend and who is foe? Hackers know this and use it to their advantage.
The truly frustrating thing is the abject, almost childlike ignorance, and often blind acceptance which the end users show in relation to both these two exfiltration actors. It is this pure focus on the need for utility and disregard for their personal security and privacy that enables the tech companies to claim legitimacy and the hackers to continue to ply their trade whilst many organisations and citizens sit back and accept it. The short corporate and personal memory of users means that when they actually suffer from the breaches of privacy currently occurring it will be too late to attribute this to any specific actor or to correct the situation.
I don't have a silver bullet answer to this extensive, and most definitely social problem but perhaps the politicians, human rights activists and legislators are the only hope? I cannot help but draw a comparison with the collective state of mind that pre-WW2 Germany appeared to have in abundance whilst Hitler and the Nazis played with the law and lined up the country, Axis allies and the world for resultant tragedy. Whilst researching for this post, I took some time to read about how the Nazis changed and used the German law to achieve their aims. With the benefit of hindsight, it is truly shocking and I found it hard to believe that the public could sleep-walk into such a situation. I sincerely hope that successive generations do not look back at this point in history with similar incredulity at the privacy nightmare currently unfolding.