Let's be honest here, before the turn of the 21st century, if a stranger asked to keep our photo in exchange for a funny caricature, or a supermarket had asked to put a microphone in our homes, or a train company had asked our whereabouts in the station, or physical education teacher had asked us for our step count and sleep data every day, we would have said no. Now days, we upload multiple photos to Russian-based FaceApp, buy Amazon Alexas, use London Underground’s free WiFi, and track our activity on Garmin watches. And still manage to sleep well at night...well some of us at least. We recently learnt that both Amazonand Google admitted to having employees listen to recordings from their smart speakers. Whilst Facebook argues that its "users have no expectation of privacy" on their posts. These big US internet companies — Amazon, Apple, Facebook, Google and Microsoft — have all, to some degree, failed to protect their users' data and establish a base level of security. Controversies about how Facebook -- who received a $5B fine by the Federal Trade Commission -- shared user data with developers such as Cambridge Analytica and foreign governments earns them the lowest marks on security and data privacy, while Apple's strong emphasis on adopting considerably better policies than its more data-hungry competitors, might earn it the highest marks among the five. Other examples worth noting can be found in a previous newsletter entry here.
Relatively, there are more sophisticated means to retrieving user data without the target always being aware that it is happening. One of these was revealed by the Royal Melbourne Institute of Technology, who used various native sensors — such as the accelerometer — found in smartphones to predict the personality traits of its user. Similarly, yet more terrifying, a recent story published in the Financial Times, noted how most internet companies are equally at risk from a mobile phone spyware suite called Pegasus -- produced and sold by Israel-based “Cyber Warfare” vendor The NSO Group. The same spyware implicated in a breach of WhatsApp earlier this year. Private agencies and governments have long used Pegasus to successfully harvest private data — such as passwords, contact information, calendar events, text messages, and live calls — from the mobile phones of targeted individuals.
Shockingly, the story focuses on the recent evolution of the spyware to infiltrate the data residing in the cloud used by the targeted individual. Such data can contain a full history of location data, archived messages and/or photos, emails, sensitive passwords, and financial records. The way it works is rather smart as it allegedly copies the authentication keys used by services such as iCloud, Google Drive, Facebook, Box, and Dropbox, among others, from a corrupted mobile phone. The keys are what these services use to verify an individual's identity, and thus provide them with access to the data on the respective cloud server. Put simply, these keys allow for an attacker to impersonate the target's phone in order to gain access to the data stored on the cloud, bypassing 2-factor authentication and login notifications. Notably, the NSO Group denies having spyware that can hack such cloud applications, services, or infrastructure.
As noted in the first entry above, the world is shifting to a more digital and decentralized form of finance and commerce, whether it be Wealthfront or Betterment roboadvisors assisting you in facilitating your wealth management, or using Robinhood's mobile app to enact stock trades. The truth is that most of this data flows through the cloud services of internet companies. And so long as hacking tools like Pegasus exist, coupled with our willingness to brazenly share our data with attention platforms, such sensitive data is subject to surveillance. But don't delete your Facebook profile just yet, as "good tech companies" — such as CrowdStrike, Cylance, and SentinelOne — are coming to our aid to fight and protect us against such cloud-native surveillance tech. Earlier this month, shares in CrowdStrike — the cyber security company that uncovered Russian hackers inside the servers of the US Democratic National Committee — jumped 97% in their trading debut on the NASDAQ, valuing the California-based cyber security group at $6.8 Billion. Since then, quarterly reports indicate revenues have risen 103% year-on-year to $96.1 Million, primarily due to the growing demand for its expertise in combating malicious cyber hacks. In any case, stay vigilant, as what we deem most crucial to our privacy in everyday life is what surveillance tech seeks to exploit (Read more here).