This is the Shared Security Weekly Blaze for September 10, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston.
This is your Shared Security Weekly Blaze for September 10th 2018 with your host, Tom Eston. In this week’s episode: The five eyes security alliance, Google and your offline purchases, and privacy by default in Firefox.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
The “Five Eyes”, which is a long-running security alliance between the US, UK, Australia, New Zealand, and Canada, agreed in their annual meeting a few weeks ago that “privacy is not absolute” and “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions”. In addition, it was also stated that technology companies should be urged to “voluntarily establish lawful access solutions to their products and services”. If that is not possible, due to push back from technology companies, intelligence agencies may take matters into their own hands. What this means is that if technology companies do not build or develop backdoors into their products, law enforcement may develop their own ways to hack into devices or could work to enact legislation to eventually force technology companies to create these backdoors.
Encryption and government backdoor access, as you may remember, has been a very hotly debated topic as the needs of law enforcement oftentimes conflict with the needs of encryption and privacy that we all are entitled to. We all realize that the same encryption that we use to safeguard our legitimate private and business data is the very same encryption that criminals use. However, allowing our governments backdoor access to bypass or circumvent encryption weakens security for all of us. You may recall the controversy over the FBI asking Apple to break into the seized iPhone from the San Bernardino shooting that took place in 2015. Apple rejected the FBI’s demand, so the FBI apparently found their own way to access the device from professional hackers that may have had a 0day vulnerability to allow access to the iPhone. I would suspect that because of this new rhetoric from government alliances such as the “Five Eyes”, the 0day market for exploits allowing governments ways to bypass encryption solutions is going to be much more popular as the arms race around encryption and privacy continues.
It seems that we can’t stop all the news about how Google uses your information to serve you more ads or to track your location, even if you disable the setting to not allow location tracking. If that wasn’t bad enough it was reported last week that Google has a secret deal with Mastercard to track what users are purchasing offline. According to a report by Bloomberg, sources with knowledge of the deal say that Google and Mastercard have been negotiating for about four years to allow Mastercard transaction data in the US to be encrypted and sent to Google. This data would allow Google to match existing Google users to actual physical purchases. This means that when Google users click on ads, those clicks can be tracked to actual sales in physical stores. In response to this Bloomberg article, Mastercard has stated that they do not provide any transaction data to third-parties and that Mastercard does not “know the individual items that consumers purchase in any shopping cart – physical or digital”. Google has also stated that it does not have access to any personal information from its partners’ credit and debit cards, and that Google does not share any personal information with its partners. So who are we to believe?
First, we need to keep in mind that Google’s ad business had 95.4 billion dollars in sales just last year alone. You know as well as I do that Google is going to do everything that they can to keep these dollars coming in and to keep advertisers happy. If Google can change the advertising world by leveraging data that it collects about its users, financial data or not, they are going to do it. It also means that regardless of what Mastercard and Google tell you, there are large privacy concerns that need to be addressed. Especially if we’re talking about physical transactions being made in a store that could be linked back to you. My take is that more than likely, in the terms and conditions that we agree to when signing up to use a credit card, we allow our personal data to be used for “marketing purposes”. Marketing purposes can have many different meanings but it’s unfortunately not up to us to decide how our data will be used by the credit card companies. The most simple solution is to not use or sign up for a credit card but that is very difficult for many of us to do. What we can do is be more aware of how our data is being used by reading the terms of service and privacy policies of the credit card services that we utilize. If you don’t agree to the terms, simply don’t use the product or service and find an alternative to paying for products, like good old cash.
Mozilla, the maker of the Firefox web browser, announced last week that new versions of Firefox, by default, will block third-parties from tracking browser behavior. While current versions of other browsers like Google Chrome have similar options, users must enable these features as by default these settings are not enabled. This move by Mozilla puts the “always on by default” blocking of ads and trackers more in line with newer privacy-aware browsers like Brave. Mozilla seems to be moving more in the direction of building in ad-blocking and anti-fingerprinting technology instead of the traditional model of allowing users to install various third-party browser plugins which can be installed in Firefox as an extension. My guess is that browsers like Brave are starting to become more competitive, especially now where the privacy of our data is top of mind for many of us, especially because of high profile coverage of things like the Facebook Cambridge Analytica controversy. My take is that I hope more companies use Mozilla as an example and implement similar “privacy by default” features. I would also take that a step further and encourage companies to implement something called “privacy by design” as well. In the cybersecurity world we often use the term “secure by design” which means that when anything is developed, security is implemented from the beginning, in the design phase. This always works out better for the product, the consumers and our data than adding security features when a product or service is already out on the market. The same holds true for privacy. The more companies can build in privacy controls into their products and ship them with those controls on by default, the more protected our data will be. And I would be certain, the companies that do “privacy by design and default” will also be more successful and profitable as well.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.