Privacy Fail: Is Uncle Sam Encouraging Bad Security?

CANCUN, MEXICO – A prominent privacy activist says that leading software vendors and the U.S. government are failing the public when it comes to Internet privacy, and that big changes are needed to protect consumers from criminals, advertisers and government spies.


Christopher Soghoian, a Washington, DC-based Graduate Fellow at the Center for Applied Cybersecurity Research, told attendees at Kaspersky’s Security Analyst Summit (SAS) that major technology vendors, including Google, Microsoft and Facebook, have promoted a culture of insecurity to support advertising-based business models that rely on Internet users surrendering information about their movements online and their preferences.

Soghoian, who has blogged about privacy issues and revealed security holes in services like Dropbox, said that leading technology firms have studiously avoided making their products protect user privacy by default, and have underinvested in features that would make it easy for users to opt in to better privacy.

“These firms are leaving users vulnerable and they’re not informing them about the threat,” Soghoian said. “The result is that if they get hacked, they’re not going to know it.”

The situation is the result of a market in which software firms give away sophisticated applications in exchange for user data, but where the terms of that exchange are often hidden from the consumers who are surrendering their data.
“We all use software provided to us by companies,” Soghoian said. “But in the last few years we’ve switched from a market in which consumers mostly bought software to one in which the software they use is given to them for free.” However, software firms aren’t charities.

“Browsers are not cheap to make. So you have to ask why the companies are offering these products for free.” The short answer is “to get user data.”
“They give us their software because they want our data.”

Soghoian said that most popular browsers and Web-based applications “spew private data” about their owners’ movements and preferences. That data is then vacuumed up by advertising firms, many of them divisions of the same companies that make the browser software, and used to serve targeted advertising.

Browser history data, headers and, increasingly, the plethora of user-submitted data from social networks all combine to create detailed dossiers on consumers, he said.

Users struggle to understand the consequences of loose security configurations, while the software companies often put access or usability barriers in the way to make sure more secure configurations are not adopted, he said.

Cookie management interfaces, which are critical to preventing Web sites from tracking user activity, are difficult to access and are rarely, if ever, updated to make them more usable, he said.

“These companies have default settings that are not private and not secure, because they know consumers will never change these defaults.”

The fixes for the privacy problem aren’t simple.

Soghoian advocates moving away from the free software model to one in which users pay a small fee to use software that is free of tracking features. Today, those choices don’t exist.

“Consumers don’t have a choice. You have one version of Chrome and one version only,” he said. The popular online music streaming system Spotify, he notes, requires a Facebook login to use. “That’s no coincidence. Social interaction drives use.”

While moving the market may be difficult, the government can help promote secure behavior: treating data privacy as a public health crisis and using its reach and huge online presence to promote best practices, such as up-to-date browser platforms and secure configurations.
