Who’s Looking Over Your Shoulder ?

“Digital files cannot be made uncopyable, any more than water can be made not wet.”
– Bruce Schneier


computer-screen

Web 2.0 has been a great boon for communications. But as Investor Relations operatives who deal with restricted information there are any number of dangers when dealing with market sensitive and other commercially sensitive material. Some of them are well documented .. network and wireless security, IT departments handling the surge in BYOD (Bring Your Own Device) to work. But here are some others you may not have considered.

Here’a quick run down in no particular order on some potential security/privacy dangers you may not have personally considered from everyday tools you may use in your work day. These risks will vary from person to person. The hard drive contents of a junior employee  will pale in comparison to the laptop of your CFO, but perhaps all are food for thought.

Google the phrase ‘The Death of Anonymity’ and you’ll se a slew of articles from any number of gurus outlining the sheer amount of tracking that various websites impose on us now. Here is security uber-maven Bruce Schneier on Bloomberg.

Bruce has so much of this stuff in his head he could write a book … oh wait he already has.

But it’s not just the social sites like Facebook we need to think about. For instance do any of you use something like Evernote ? Evernote is a digital file folder that lets you collect urls, images, notes and all sorts of other data, then access them from anywhere, obviously by storing all your data in the cloud. The problem is if this were research on an acquisition or other sensitive topic not only do Evernote know all about it, so could anyone who can access your Evernote account.

evernote

Of course every cloud vendor talks about how secure they are, but is that true ?  Ask a customer of online dating site Ashley Madison !  I’ve used Evernote as an example, but any service that you use which stores your data in the cloud has the same potential weakness. No one is safe when it comes to information in the cloud and on servers anywhere, witness the North Korean hack against Sony and most recently and famously the Russian attack against the DNC prior to the recent US election.

Paris_hackRemember about 10 years ago one of the first celebrity cases was when when Paris Hilton’s phone was famously hacked ?  Note that wasn’t her physical phone she carried which was illegally accessed, but rather the cloud based backup of her phone’s data at T-Mobile.

Likewise in the  News of The World scandal the breach of data was achieved by hacking the cloud based voice mail of the victim’s network provider, not the actual phone. So it’s pretty clear that if it’s in the cloud and part of a publicly available product, it can be accessed without your consent.

For the same reason we strongly dissuade our clients from using the vertigo inducing Prezi for anything slightly resembling confidential presentations. Prezi comes in three flavours, only the Premium version of which allows you to create Prezi’s on your desktop, rather than in the cloud. But you really can never know much data leakage occurs with any of these types of cloud services.

On a slightly different have you ever used a web based mail service like mail2web to access your regular email addresses ?  If you do realise that you do so with the clear understanding that to  use the service you need to give them your email address and password. Would you ever do that if say someone at a call centre asked you ?

Likewise many millions of people use Gmail and Google Docs. Look at the terms of service and you will see that Google reserve the right to robotically scan your mail and use that data to better target the information they present to you (advertising). Here is the clause in question from their Terms of Service

“Our automated systems analyse your content (including emails) to provide you personally relevant product features, such as customised search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.”

google-doscs

Similarly, when using Chrome, Google stores your searches, partial searches, all of your bookmarks and other sync data including allocating your computer a unique ID number which Google says is only there to confirm successful installation, but it is not deleted after install.

The other range of services and companies in which we place great trust, is the recent boom in services which allow us to transfer digital files too large for email. Businesses such as YouSendit (now rebranded to Hightail), Wetransfer, and SendThisFile just to name a few.

All of these companies are holding and daily transferring terrabytes of data globally including all sorts of corporate assets such as reports, drafts, brochures, videos, design mock-ups and so on. I use WeTransfer these days, I did read their 4,000 word Terms of Service. It seems benign (they promise not to peak at your files) I’m sure they are lovely folk but as the recently famous saying goes “When something online is free, you’re not the customer, you’re the product.”  How can we be sure that any of these companies is not running scans over our data ?  We simply can’t.

Dropbox_logo_(September_2013).svg

In 2014 well know file sharing service DropBox appointed Condaleeza Rice to their board. Rice was one of the key architects of the massive NSA monitoring of domestic phone and internet records exposed by Edward Snowden. Snowden has described DropBox as ‘hostile to privacy’  and recommends use of a ‘zero knowledge’ service such as SpiderOak which works in a similar way to other file sharing and chat services but all file are encrypted, even from SpiderOak itself.

The value proposition of SpiderOak is that even if forced to hand over data to authorities, SpiderOak cannot assist in decrypting the information and has no desire to do so. Note: I am not vouching for the efficacy of SpiderOak, AIRA members should be guided by their own internal best practice. i.e. Speak to your own in-house cyber-nerds in IT.

So what is the solution ? … well I sure don’t have a silver bullet and if I had one, it may be out of date tomorrow. As knowledge workers in the field of Investor Relations we have to receive and transmit digital files of varying degrees of importance and confidentiality. What is clear is that as recent events concerning the US, Russia, Sony, Wikileaks, Mossack Fonseca et al indicate, it is a constantly moving target and we should ensure we are briefed regularly in best practice by your own experts.