You can’t hide from those prying eyes
January 11-17, 2021
Experts: With the new year, expect new cyber threats
By Dwain Hebda
Americans have no shortage of things to fear in 2021, from losing ground to the coronavirus impacting worldwide health and economies to social unrest and political division awaiting the new White House administration. To that list, add potentially unprecedented threats to online privacy for individuals and businesses, threats underscored even as beleaguered 2020 trudged toward its exit.
In December, it was announced that presumed Russian operatives had delivered the U.S. cybersecurity community a kick to the midsection via SolarWinds. The Texas-based software giant admitted to being digitally hijacked with malware implanted in its core product beginning in March, malware that was subsequently downloaded by thousands of unsuspecting customers. Among those compromised was cybersecurity firm FireEye, which on Dec. 9 disclosed that the gambit had breached its client list, including the U.S. Departments of State, Homeland Security, Commerce and the Treasury, as well as the National Institutes of Health.
Cybersecurity concerns are not new of course, even down to the consumer level, but they are taking on new and frightening forms that seek not only account numbers and passwords, but also to influence your very thoughts and actions. The kicker? Technology and legal experts say as a society we are willingly, if often unknowingly, enabling bad actors through our social media use by providing grist for the mill of fake and misleading news, hyperactive marketing tactics and even engineering our behavior.
“The tolerance for companies butting into our business is very high. People are really okay with it because it’s so darned convenient,” said Elizabeth Bowles, president and chairman of Aristotle Inc., and of counsel with Beacon Legal Group of Little Rock. “That convenience is the tradeoff; consumers have become immured to the idea that their information will be used and sold.”
Decades after the internet revolutionized how the world thinks, acts and conducts business, the machinations behind social media are just starting to bubble to the surface of most people’s understanding. Facebook, for example, may have sprung to life to connect people, but as it rapidly evolved into the world’s most important social media company, the need for generating revenue without charging users became a major conundrum, as recently spelled out in the Netflix documentary “The Social Dilemma.”
The solution for the company, as for virtually all other social media outlets to follow, was to capture the data generated by users’ social media activity and sell that profile to companies for their own marketing purposes. As technology has become more sophisticated, now incorporating artificial intelligence for instance, the user profile became exponentially more accurate. If you have ever wondered how the ubiquitous “You may also like” suggestions at the bottom of your screen have you so well-pegged, that’s how.
“It’s very much a keyword algorithm and it’s very calculated and very smart,” Bowles said. “With Google, for example, Google knows everything that I search. It was really brought home to me while I was searching for vacations to Great Wolf Lodge. About a month later, I was on some random website and some ad came up. I wasn’t really thinking and was like, ‘Wow, how do they know I wanted to go to the Great Wolf Lodge? That’s so coincidental.’ Then I was like, wait a minute. That’s not coincidental in the least.”
The legal limits of such data harvesting and marketing are murky at best. While the vast majority of social media users have no idea the posts they read, the online groups to which they belong, or the Google searches they perform are being collected, packaged and sold, fewer still have ever read the disclosure information that social media sites provide when a user signs up. Therein lies a large share of the problem, Bowles said.
“I have read privacy policies in social media companies where they’ve basically said, anything you post here belongs to us and too bad about you,” Bowles said. “I don’t use those companies because I’m not posting my picture on a social media platform to give it to them for whatever purpose they see fit.”
“Consumers have to realize that if you are giving your data to anyone, it is being collected and kept and used for a purpose. You need to make sure you understand what the rules are when that’s collected, how it’s collected and for what purposes that can be used for.”
Given the fine print and the fact that companies have been selling client information for decades, the process itself doesn’t rise to the level of illegality. But it does pose several ethical questions, as well as the overarching issues surrounding social media companies’ ability to keep such massive data stores safe from bad actors.
A vivid example of this problem is detailed in another recent documentary, “The Great Hack,” which shows how a British company, Cambridge Analytica, stole personal data of tens of millions of Facebook users. The aim wasn’t to clean out their bank accounts; it was to target them in political campaigns, namely Brexit and to a lesser degree the 2016 U.S. presidential elections. The scandal, which ultimately cost Facebook $5 billion in fines over security breaches, not only showed how far behavioral engineering via social media data had come, but also exposed major flaws in information security measures by social media platforms.
“The other thing is, data goes through several sets of hands. It might be legitimately collected at Facebook and then sold to a legitimate advertiser who then aggregates the data and re-sells it to somebody else who then sells it to somebody else. Eventually, you are hitting that guy in Uzbekistan. And, you only need one person. That’s another problem; for the scale of it, it’s so cheap. You set up your game, your honey trap, your little fishing expedition and you only need a couple of people to fall for it and you’re rich.”
These factors, experts say, present major new threats when it comes to consumer and corporate cybersecurity. Throw in a pandemic where millions of people are working remotely, many on their own equipment and home Wi-Fi where firewalls and other security measures are much more lax, and you’ve got a year like 2021 looming, rife with potential disaster.
“You need fewer than 20 data points about a person to pinpoint any man, woman or child within the entire world,” Bowles said. “If I already know you live in Little Rock, Arkansas, or better yet, Tillar, Arkansas, I don’t even need that much. Maybe, just one or two. Obviously, the social security number is the gold standard; if you can get somebody’s social security number, you can do all kinds of harm. But you don’t need that to do a bunch of harm.”
Legislation has struggled to keep up with the problem, cowed by commercial interest lobbies and outrun by the pace of technology. Online security law is still relatively nebulous in the U.S., meted out state by state with the underlying onus for security squarely on the social media user, not the platform. High-profile information security cases, such as with Facebook, have pushed the issue closer to the forefront, but meaningful safeguards are still slow in coming.
“If you look at the fundamental approach that the United States has taken to privacy, you’re prioritizing the business benefits over the fundamental rights of privacy,” said Mandy Stanton, an attorney with Mitchell Williams in Little Rock, specializing in information security and privacy.
“In privacy technology, when everything is so fast-moving, it’s probably always going to be a little bit on the catch-up. In terms of taking it more seriously, for a lack of a better way to say it, I do think there’s definitely been some movement. I’m not going to say we’re rolling hard on that, but it’s happening.”
Stanton said a better model for information security accountability already exists, the General Data Protection Regulation (GDPR), in effect in Europe. These rules provide, among other things, clearer disclaimer language so that social media users can better understand what their use of the platform means as far as their data is concerned.
“One of the things required under GDPR is that privacy policies be in what they call a ‘clear and conspicuous format.’ Basically, that means that whoever the intended user is can understand it,” Stanton said. “Privacy policies are intended to be easily readable. They should not be a burden to take a look at, with the high points easy to find and read.”
The precedent set by GDPR, which was rolled out in 2018, has already resulted in California legislation providing similar consumer protections, which other states are examining. This itself is potentially problematic: good news for the user, but ultimately creating a dizzying level of complexity for companies doing business online.
“Now, we’ve got the California Consumer Privacy Act that in many ways mirrors GDPR. And you’ve got other states discussing their own versions of CCPA. It’s kind of all over the map,” Stanton said. “Privacy law is driven by the residence of the individual, rather than the location of the business. So, it’s likely to become a myriad of laws that companies are going to have to comply with. It’s still a spider web right now.”
Whatever ultimately shakes out of the situation – up to and including uniform federal privacy guidelines which few expect anytime soon – Stanton said no statute will ever completely protect the consumer better than individual accountability.
“There’s always going to be some threat out there, right? I have definitely seen more of those at work this year than I have in years past,” she said. “To the extent we can take care of our information, I think that self-awareness is so important. There’s no reason that an individual can’t go and check their credit reports or be mindful of what they’re putting on social media.”
“Make sure you’re paying attention to what a platform is doing with your information. Once you put something out there, you lose a level of protection because you’re voluntarily giving that up. So, from a common-sense perspective, if you don’t want it out there, don’t share it.”
After the widespread hack of 250 federal agencies and businesses in late 2020, U.S. networks are increasingly vulnerable to foreign cyber threats in 2021. U.S. Homeland Security officials are on high alert after a suspected Russian cyberattack on third-party software in early December. The Cybersecurity and Infrastructure Security Agency (CISA) is now investigating the impact of the security breach on enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations.