Data as an instrument of war

Pags

N/A
pilot
  1. I'm not concerned about the US. I have nothing to hide, and we have strong Constitutional protections. I'm concerned about Russia/China, and to a lesser extent, Iran/DPRK/nonstate actors.
  2. Yet. This would take a long while to do. There's no instant off-switch.
  3. I never said my opinion would be popular.
  4. I don't think they need to be punished for unintentionally losing data - especially if what they lose is encrypted at rest. I think there should be a law against companies intentionally selling it or trading it to third parties.
W/r/t signing consent forms, there are certain things you cannot consent to, no matter what the form says. For example, when you read a software EULA or really any legal document, there is always a clause that says the agreement cannot violate US law. Change the law, and consent forms will adapt or be unenforceable. You can't consent to something that is inherently unlawful - e.g. murder, slavery, buying votes/ voter suppression, etc. It's unenforceable in court no matter what any contract might say.

The EU has been moderately successful at getting tech companies to change their privacy practices globally. California has been highly successful at steering vehicle emissions standards to be greener. It may take a while, but I feel it's a worthy cause. Like seatbelts in cars.

I am fine having a bank account and a mortgage. I would rather not have my bank or mortgage lender selling my data to third parties, but it's no big deal to throw out the Pella window mailer for the 50th time. That is all less concerning to me, however, than smartphone user data being easily accessed by China and Russia. We all saw what happened in Hong Kong.
So how does that play out in a peer conflict? You still haven't answered that and I'm honestly curious. I understand how China used it to suppress disconnect within their own borders but what does that mean for Joe Six-pack? Like I said, if this was a no cost decision, sure make the HWPPI Act of 21 a law. But I'd think the economic impacts would outweigh any benefits. That and the tech companies would still find a way to "sanitize" your data to be legally compliant to ensure you still get the targeted advertising we all crave.

I'd also be curious to see what would happen to the internet in a peer conflict. Would we firewall ourselves off? I have no idea but it's an interesting thought since it is an attack vector.
 

Brett327

Well-Known Member
None
Super Moderator
Contributor
Sure. Just because an unwanted behavior is hard to detect/prove/stop doesn’t mean we should make it legal.
Do you want to actually have an impact on the problem you want to correct, or do you just want to pass some laws, pat yourself on the back, and call it good? I would level the same criticism toward those who would ban assault weapons. You're engaging in the same "hey we did something" kind of behavior.

I just don't think you've thought through what you're proposing in any kind of rigorous manner... which is kind of your trademark around here.
 

Hair Warrior

Well-Known Member
Contributor
So how does that play out in a peer conflict? You still haven't answered that and I'm honestly curious. I understand how China used it to suppress disconnect within their own borders but what does that mean for Joe Six-pack? Like I said, if this was a no cost decision, sure make the HWPPI Act of 21 a law. But I'd think the economic impacts would outweigh any benefits. That and the tech companies would still find a way to "sanitize" your data to be legally compliant to ensure you still get the targeted advertising we all crave.

I'd also be curious to see what would happen to the internet in a peer conflict. Would we firewall ourselves off? I have no idea but it's an interesting thought since it is an attack vector.
I think it plays out in a very deadly, violent way that is hard to precisely foresee.

We know for a fact that both China and Russia have put covert operatives on American soil as recently as 2010 (bc we caught some of them). If we are in a peer conflict with China or Russia, and the conflict progresses past certain “red line” thresholds that may not be well understood, I think we will see the enemy bring the fight to CONUS in ways not seen since 1814.

But if you want a glimpse of how user data can be exploited for warfare, look at the peer conflict of Israel and Iran. Someone (presumably Israel) has been carrying out precise assassinations of Iranian nuclear scientists for the past decade or so. It’s plausible to assume - and I have no inside information here, just open sources - that such operations are made possible or enhanced by exact geolocation data in near-real-time, and/or intimate foreknowledge of personnel movements made possible by exploitation of smart devices used by the target or their associates. That is speculation on my part. But what isn’t speculation is that pattern-of-life for a particular target can be easily pieced together using geolocation data that is freely bought and sold by location data companies.
 

Hair Warrior

Well-Known Member
Contributor
Do you want to actually have an impact on the problem you want to correct, or do you just want to pass some laws, pat yourself on the back, and call it good? I would level the same criticism toward those who would ban assault weapons. You're engaging in the same "hey we did something" kind of behavior.

I just don't think you've thought through what you're proposing in any kind of rigorous manner... which is kind of your trademark around here.
If Congress did pass a law against monetizing protected user data, and if a tech giant willfully broke that new law, the US govt has a pretty straightforward way of dealing with it: get a warrant with probable cause, and wiretap the company to find out. There are a few federal agencies that could enforce such a law. Also, don’t underestimate the employees of these tech giants. Many are pro-privacy individuals, and if there is a new federal law on protecting user data from monetization that their employers are willfully disregarding, I think you would see whistleblowers come forward. The US govt already offers whistleblowers cash bounties for reporting certain financial violations that are found to be criminal. Plus, when people start facing jail time for wrongdoing, someone will turn state’s witness to avoid prison. Again, nothing that hasn’t been done before to stop companies from committing crime. Crime isn’t great for the shareholders, either - they generally don’t tolerate crime, because they don’t want their shares to go the way of Enron.
 

Brett327

Well-Known Member
None
Super Moderator
Contributor
If Congress did pass a law against monetizing protected user data, and if a tech giant willfully broke that new law, the US govt has a pretty straightforward way of dealing with it: get a warrant with probable cause, and wiretap the company to find out. There are a few federal agencies that could enforce such a law. Also, don’t underestimate the employees of these tech giants. Many are pro-privacy individuals, and if there is a new federal law on protecting user data from monetization that their employers are willfully disregarding, I think you would see whistleblowers come forward. The US govt already offers whistleblowers cash bounties for reporting certain financial violations that are found to be criminal. Plus, when people start facing jail time for wrongdoing, someone will turn state’s witness to avoid prison. Again, nothing that hasn’t been done before to stop companies from committing crime. Crime isn’t great for the shareholders, either - they generally don’t tolerate crime, because they don’t want their shares to go the way of Enron.
The tech companies aren't the ones you'd have to worry about. Since China seems to be your favorite boogey man, think through how easy it would be for them to take what they want and your data gets traded and sold to advertisers just the same. Lather, rinse, repeat with North Korea, India, Pakistan, and a growing number of FSU states.
 

Pags

N/A
pilot
I think it plays out in a very deadly, violent way that is hard to precisely foresee.

We know for a fact that both China and Russia have put covert operatives on American soil as recently as 2010 (bc we caught some of them). If we are in a peer conflict with China or Russia, and the conflict progresses past certain “red line” thresholds that may not be well understood, I think we will see the enemy bring the fight to CONUS in ways not seen since 1814.

But if you want a glimpse of how user data can be exploited for warfare, look at the peer conflict of Israel and Iran. Someone (presumably Israel) has been carrying out precise assassinations of Iranian nuclear scientists for the past decade or so. It’s plausible to assume - and I have no inside information here, just open sources - that such operations are made possible or enhanced by exact geolocation data in near-real-time, and/or intimate foreknowledge of personnel movements made possible by exploitation of smart devices used by the target or their associates. That is speculation on my part. But what isn’t speculation is that pattern-of-life for a particular target can be easily pieced together using geolocation data that is freely bought and sold by location data companies.
Dude, there are always spies in our country. This is nothing new. Having enemy operatives up to no good is something you should always be prepared for, regardless of their targeting data. I imagine we have some people in China.

I'm not sure I'd use the Israel-Iran shadow war as a template for what would happen in a peer conflict. It's just a different animal. But, as I mentioned earlier, there are plenty of ways to precisely geolocate targets, with cell phone data only being one source.
 

Pags

N/A
pilot
The tech companies aren't the ones you'd have to worry about. Since China seems to be your favorite boogey man, think through how easy it would be for them to take what they want and your data gets traded and sold to advertisers just the same. Lather, rinse, repeat with North Korea, India, Pakistan, and a growing number of FSU states.
This is the point I've been trying to make. If a nation state wants this stuff they'll find a way to get it. Or they'll get something else. That's kind of what nation states pay their espionage folks for.
 

Spekkio

He bowls overhand.
Forcing companies to encrypt all user data at-rest is no different than requiring banks to have a vault and certain other security measures, as a precondition to remain FDIC-insured. Which is why every bank in America has some sort of vault. We still get occasional bank robberies, and rarely, the robber will try to gain access to the vault, but these are extremely rare and almost never successful in the long run. For personal user data, companies are currently operating like a yard sale with a shoebox sitting on a folding table - not like a bank vault that is FDIC-insured.
I think you're missing something here...

All current big tech companies that provide 'free' services do so by guarding your personal data extremely closely. They don't sell your data, they sell access to targeted advertising to your specific web habits and interests.

The moment someone can get these companies' algorithms and personal data for knowing everything you do on the web and putting up ad banners relevant to you is the moment they start to go out of business. That's their cash cow.

This isn't to say that there's no risk of hackers or insider threats giving away all this code and data, Chinese or otherwise. Just that we're all on the same team and you're asking the government to apply regulations for companies to implement security controls where market forces have already driven them 10 years ago.
 

BigRed389

Registered User
None
I think you're missing something here...

All current big tech companies that provide 'free' services do so by guarding your personal data extremely closely. They don't sell your data, they sell access to targeted advertising to your specific web habits and interests.

The moment someone can get these companies' algorithms and personal data for knowing everything you do on the web and putting up ad banners relevant to you is the moment they start to go out of business. That's their cash cow.

This isn't to say that there's no risk of hackers or insider threats giving away all this code and data, Chinese or otherwise. Just that we're all on the same team and you're asking the government to apply regulations for companies to implement security controls where market forces have already driven them 10 years ago.

It would also seem the EU, and consequently multiple “allied” non-member states (Japan, South Korea) are already along this curve with the GDPR (ironically now comes up on the ad banners on this thread).

Given the applicability of that to our companies that do business with EU member nations, and it being something they would already implement, the logical thing to do would be to see if it would make sense for us to mirror this at the Federal level.
 

nittany03

Recovering NFO. Herder of Programmers.
pilot
None
Super Moderator
Contributor
The moment someone can get these companies' algorithms and personal data for knowing everything you do on the web and putting up ad banners relevant to you is the moment they start to go out of business. That's their cash cow.
Meh. Google's machine learning framework is called TensorFlow. Want to study it? If you know C++ and Python, you can study it here. It's been open source for like 5 years now.

Why? Because Google's advantage is the oceans and oceans of data they can use to train their models. AI and machine learning are only as good as the data you train your models with, and that is Google's secret sauce.
 

Hair Warrior

Well-Known Member
Contributor
All current big tech companies that provide 'free' services do so by guarding your personal data extremely closely. They don't sell your data, they sell access to targeted advertising to your specific web habits and interests.
If you don’t think US tech companies are selling or trading your actual data, and only selling ad space, I have some beachfront property I’d like to sell you in Santa Fe.

 

Hair Warrior

Well-Known Member
Contributor
The tech companies aren't the ones you'd have to worry about. Since China seems to be your favorite boogey man, think through how easy it would be for them to take what they want and your data gets traded and sold to advertisers just the same. Lather, rinse, repeat with North Korea, India, Pakistan, and a growing number of FSU states.
E2E encryption
Sanctions to block Huawei, TikTok, and other Chinese corporations from US markets
DImE pressure on third countries to do the same

But right now, China can easily acquire whatever it doesn’t already collect through lawful intercept programs. My unpopular opinion in my original post aims to make that much harder.
 

Pags

N/A
pilot
If you don’t think US tech companies are selling or trading your actual data, and only selling ad space, I have some beachfront property I’d like to sell you in Santa Fe.

These articles are very vague as to what data is actually being used. It sounds like the data they're talking about is sanitized or attributed less to an individual and instead to other attributes like phone ID, browser cookies, etc. Whether that is PII when not associated with your name is an interesting. I'd offer that if you associate my street address with my name it's PII. But my street address on its own isn't PII, it's public record. My point is even with GDPR type protections in place your behaviors will still be sold. GDPR seems to be attempting to address the risk of compromised identity via a hack and just says companies have to solicit your consent and then protect your data. It doesn't seem to specifically cover data selling.

In most cases PII isn't needed to identify a person. You could just as easily be identified by your pant size, movies you like, etc.
 

taxi1

Well-Known Member
pilot
E2E encryption
Sanctions to block Huawei, TikTok, and other Chinese corporations from US markets
DImE pressure on third countries to do the same

But right now, China can easily acquire whatever it doesn’t already collect through lawful intercept programs. My unpopular opinion in my original post aims to make that much harder.
We could steal a few pages from behavioral economics and require the big companies to somehow explicitly tell us who they are selling our data to. In the same way that food is required to have nutrition information...

"This data is being sold to over 1000 companies, including (random sample of the 1000 that changes each time)"

Or the way cigarettes have health warnings...

"Based on historical results, your data will likely be lost to nation-state or criminal entities with probability of 10%"

Or provide the tracking info back to the user...

"OBTW, here's your life history over the last week, where you were, what websites you visited when you were there, what we think you were doing, here's a couple of companies that paid for that information."
 

Spekkio

He bowls overhand.
If you don’t think US tech companies are selling or trading your actual data, and only selling ad space, I have some beachfront property I’d like to sell you in Santa Fe.

"Your data" =/= "your personal / sensitive data."

The biggest threat to people's information on the internet is user carelessness. International terrorist groups successfully use social media to recruit and plan attacks. Sometimes we can breach this, sometimes we can't. You'd think that the companies would just turn over the data, but it's P2P encrypted and they don't even have access to it themselves.

There's enough information on the mk1 mod 0 social media account for anyone on their friend's list to steal their identities. Facebook isn't giving away people's birthdays, current address, phone number, places of birth, everywhere they've lived, where they got married, and their mother's maiden name to hundreds of people, most of whom are only distant acquaintances...the users are. And many protect this information with a weak password that is used across multiple accounts.

The data is relatively safe if you manage your digital footprint. No amount of government regulations is going to protect people from themselves, and John Q. Citizen isn't important enough for a Chinese intelligence agency to spend time hacking into his shit.
 