Network Service Providers and Privacy

Advertising runs on data. It always has. Long before programmatic ads and algorithms, we saw Mercedes-Benz ads in Fortune and Chevy ads in Mechanix Illustrated. Some clever guy had figured out that Fortune readers and Mechanix Illustrated readers bought different cars. The success of an advertising outlet has always depended on the outlet’s generation of sales. Successful sales depend on finding qualified buyers.

Today, qualified buyers are spotted by their on-line habits, that now include choice of websites to visit, age, gender, physical locations, income, purchase patterns and many other factors. Based on these factors, on-line ads are targeted to narrowly identified network users. Advertisers now have masses of data and abundant computing power to process the data.

Websites as Data Sources

But the advertisers want more data, ads targeted more precisely. Who is surprised? There are two main sources of consumer data for targeted advertising. The first source is the websites we use all the time. Google and Facebook are most prominent. They know their users and use the knowledge to aim the ads they sell to their advertisers. These targeted ads are the revenue source that funds the free services these sites offer.

Network Service Providers

The other main source of buyer information is network service providers like Comcast and Verizon. Google and Facebook have in depth information on what people do while using these sites but the know very little about what is happening outside their own sites. Service providers have a wider, but shallower, view of people’s activity.

Google knows you searched on “archery” and clicked on an informational archery site. Google identifies you as a candidate for bow and arrow ads. Comcast knows something else. Inside the sports site, you clicked on a link to Ed’s Sporting Goods. Comcast might try to sell Ed ads that they will target at you. Only Ed and you bank know that you ordered a baseball and mitt, so you probably won’t get any baseball ads.

Data Brokers

A data broker might try to purchase data from Google, Comcast, Ed, and your bank. With the purchased data, they can put together an even more detailed picture of your habits. Exactly what information the data broker will get depends on the privacy policies and regulations of Google, Comcast, Ed’s Sporting Goods, and your bank.

These data brokers disturb some people, even conspiracy skeptics like me, because they seem to have little accountability. Users have the “Terms of Service” and privacy policies that govern their relationships with Google, Comcast, and their bank, but the data brokers have no direct relationship with the people profiled in their data bases. Are the brokers good or bad? We don’t know. If they misuse our data, will we ever know? Do we have any recourse? I don’t have answers to these questions yet, but I think we all need them.

The FCC and the FTC

Both websites and network service providers are subject to regulations on what they can collect, how they can collect it, and the data they can sell, but the regulations vary. Google and Facebook are subject to Federal Trade Commission guidelines, like all businesses engaged in interstate trade. Network service providers are regulated by the Federal Communications Commission as common carriers.

There are significant differences. Network service providers are treated as utilities. Utilities are services such as electrical and telephone services that people must have. Google and Facebook are businesses that consumers choose to deal with. Because people have no choice, utilities are regulated more strictly than most businesses. Are network services a utility, or just businesses? Last year, the FCC declared them to be a utility and subject to FCC regulation, but some argue that the ruling was wrong and should be corrected.

Opt-in vs Opt-out

A critical point is whether collecting consumer information should be “opt-in” or “opt-out”? If collection is opt-in, information cannot begin to be collected until the customer says it is okay. If collection is opt-out, it is okay to collect information until the customer takes the effort to say no.

Which way is best? Consumers with informed opinions generally prefer opt-in, but a lot of people don’t care and think opt-out is fine. Businesses that collect and use data tend to prefer opt-out schemes.

Business or Utility?

When network service providers were classified utilities, they became subject to opt-in rules. FTC guidelines, which apply to Google and Facebook, are opt-out. Recently, the new administration changed the FCC regulation for network service providers to opt-out, similar to the FTC guidelines. Some consumers are quite concerned.

Engineering In the Clouds

Yesterday, I began a new blog on Network World. It is called “Engineering in the Clouds,” and it calls on my experience at CA and my two earlier books, Cloud Standards and How Clouds Hold IT Together. My first blog is on some of the reasons cloud projects do not succeed. Cloud failures can occur anywhere in the hype cycle. My plan is to publish about once a month. Since privacy has been on my mind the last few days, I am thinking about clouds and privacy for my next blog.

Checklist to Avoid the Next Cayla Doll

The Cayla doll story is frightening. The unintended consequences of a clever child’s toy amount to an invasion of  child privacy. I expect more such stories. Devices now in homes don’t just offer entertainment and convenience. They can also open doors to corporate and criminal intrusion. TV’s, refrigerators, along with our phones and laptops can all have cameras and microphones. Without your permission, someone could control these from outside your home.

Threat assessment

Security professionals follow a procedure called “threat assessment” to spot potential dangers. Threat assessment is a series of questions. Their answers yield a clear picture of threats. The questions are common sense, but you may not always think to ask them.

I recommend that before you install any device in your home or business, especially those connected to the internet, you go through a threat assessment. You may already do so without realizing it. Think through each of the five questions below. These questions apply to almost all computer security. The next five apply to non-computer devices connected to the network.

The basic checklist

  • What am I protecting? Most often, it is privacy of your family or business. Cayla can listen to you and your child and transmit what it hears to an unknown intruder or a cloud data business. The business or an intruder can speak to your child without your knowledge. Your television may record and analyze the conversations in your living room. Other devices may have similar abilities. Most often, you are protecting yourself from outside interference in your life.
  • Where does the threat come from? The source could be a business putting together a portfolio on you that they will use to sell things to you. Less likely, but still possible, the source may be a sinister criminal planning some kind of assault. A government agency, for good or bad, could use the device to collect information on you.
  • How likely is the threat? You probably know that data organizations collect data on you. And you have noticed that they have guessed whether you prefer heavy equipment parts or needlework supplies. On the other hand, the FBI probably hasn’t picked your refrigerator to monitor.
  • How great is the danger? Ads targeted to your online search profile may annoy you, but the danger to your person is slight. But a criminal stalker monitoring your phone conversations through your Bluetooth headset may be dangerous.
  • What are you willing to sacrifice for protection? Threats can be stopped, but is the effort is worth the benefit? All direct cyberthreats can be stopped or severely curtailed by going cash only and abstaining from the use of all electronic devices. Does the threat justify the sacrifice?

The Internet of Things

The threats here are from the Internet of Things (IoT), devices connected to the network but not usually called computers. The IoT is uniquely dangerous in two ways. First, IoT devices sneak in on us. We see them, but don’t think of them as computers connected to the internet. Even though many people have an idea of the threats involved in network computing, the IoT slips beneath their radar. Second, the designers of IoT devices often have no concept of good security practices and the devices are often shockingly vulnerable.

Questions for IoT security

  1. Find out how it connects to the network. Hard wiring, Wi-Fi, Bluetooth, and cellular are the main ways.
  2. Can you unplug it from the network? How easily? The first step when you suspect some kind of intrusion is to disconnect from the network. Make sure you can. Many IoT devices can’t be switched off like a laptop or desktop. If hackers remotely unlock your front door, you must stop them immediately. Don’t put yourself in a position where you must call a locksmith to install a new lock to keep your door closed.
  3. Are logs kept of who tinkers with the device? When the tinkering happened? The location of the tinkerer?
  4. Does the device collect data? If so, what is it and who has access to it? Can you control what is collected and who has access?
  5. Can the device firmware be updated with security fixes? Can it be done automatically?

These questions may not be easy to find answers for. Marketing literature is often sketchy or even deceptive on security. Engineering documents are better, but hard or impossible to get. However, even partial answers help evaluate the threat and underpin informed choices.

Cayla, A Living Doll from the Twilight Zone

Cayla, a computer driven talking doll, uses technology similar to that behind Amazon’s Alexa, Microsoft’s Cortana, Apple’s Siri, and Google Home to construct a toy that simulates a living friend for a child. Unfortunately, some believe that Cayla may be the embodiment of the murderous Talky Tina of the fifty-year-old episode of The Twilight Zone, The Living Doll.

In Germany, Cayla has been declared a banned surveillance device. Selling and even possessing a Cayla in Germany is illegal. The doll’s communication capability must be permanently disabled to make it legal in Germany. Also, several groups in the US have launched an action to have Cayla sanctioned under the Children’s Online Privacy Protection Act (COPPA).

I’m not here to advocate that these government and legal actions are justified or not justified, that’s for individuals to decide for themselves, but I think anyone who is concerned about cybersecurity should understand some of the issues involved. We are likely to see many more products like Cayla appearing on the market. Some will be for children, others for teens, and many aimed at adults. Some will be great, some exploitative, and some will, no doubt, be just plain shoddy.

So let’s take an engineer’s look at Cayla. The complaint document sent to the Federal Trade Commission is against Genesis Toys and Nuance Communications and was lodged by the Electronic Privacy Information Center and Consumers Union, among others. Genesis Toys is a Hong Kong corporation that developed the doll. Nuance Communications is a US corporation that retains and processes data collected by the Cayla doll. The exact relationship between Genesis and Nuance is not clear to me, but they are two separate corporations.

Cayla’s architecture is fairly simple. The doll itself is the equivalent of a Bluetooth headset that acts as a microphone and speaker for an app that runs on a smartphone, like an iPhone or an Android. The app communicates with a cloud service that supplies computing and storage resources that power Cayla.

This architecture has issues. Bluetooth headsets are insecure. I mentioned in a blog a few months ago that the NSA has banned commercial Bluetooth headsets for classified or confidential information. Here. A criminal hacker would not have much trouble listening in on a child’s conversations with Cayla and interjecting their own questions and suggestions. Imagine a pedophile speaking through Cayla suggesting to a three-year-old that they meet out in the street. The Bluetooth standard says the protocol is good to ten meters (30 feet) but special equipment can extend the range substantially. Also, Bluetooth signals, essentially the same as Wi-Fi, penetrate walls.

Even in isolated spots where Bluetooth intrusion may not be a consideration, Cayla has vulnerabilities. The FTC complaint points out that Cayla is programmed to promote certain commercial products, such as movies. In addition, the information that Cayla collects, like names, locations, favorite foods and toys, etc., is stored in the cloud. The Genesis Toys privacy policy states that this information is kept and analyzed by Nuance Communications and may be shared. I should note that while I was writing this blog, the posted Genesis privacy statement was changed. You may want to check it for yourself.

Cayla simulates conversation, answers and asks questions, and can, or potentially can, do all of the things Alexa, Cortana, Siri, and Google Home can do: order pizza, open the front door, adjust the thermostat, call for an Uber. The list gets longer every day. Cayla can’t do all these things now, but the technology she is built upon can. Cayla’s limits are set by the discretion of Genesis Toys and Nuance Communications. Parents may want to be certain that controls are in place that will prevent their three-year-old from ordering a dozen pizzas or their ten-year-old embarking on a trip to Aruba. I don’t suggest that Cayla is likely today to cause these things to happen. Rather, parents should be aware that these new products make such mishaps possible.

Like the living doll on Twilight Zone, Cayla is a new technology with unexpected powers and these powers can harm us if they are not used properly.

In another blog, I plan to discuss the steps I would take when deciding whether I want a product like Cayla in my home. These products have amazing potential for improving our lives and could be more fun than a barrel of monkeys for our children. But they can also be dangerous. You should choose with knowledge and good judgement.