Jeff Northrop

Privacy and security


Amazon Echo, Who Is Listening?

Amazon announced a new toy today, the Echo, and it looks like an interesting product. It’s a combination of Siri (or Google Now, or Cortana) where you verbally ask questions and it will respond, and a voice-activated media server. Though as interesting as the product is as a concept, upon reading the announcement, my immediate thoughts went to an article published last week by Michael Price for Salon magazine. The article details Price’s fears concerning his new Smart TV, specifically his fear that the device is sending all his conversations back to the manufacturer’s servers.

More troubling is the microphone. The TV boasts a “voice recognition” feature that allows viewers to control the screen with voice commands. But the service comes with a rather ominous warning: “Please be aware that if your spoken words include personal or other sensitive information, that information will be...



Ignorance at Apple and Whisper

Quick question: What do Whisper and Apple have in common? That’s right, both are currently being publicly flayed for perceived privacy violations. More specifically the public is in an uproar after discovering that their respective software is sending personal data from their device to corporate servers, much to their surprise.

If you’ve read just about anything I’ve written in the past 3 years, you know how I feel about companies that do things that surprise the consumer, but the situation with these two companies is a little unique but becoming more common. Their perceived violations wouldn’t have been easily resolved in the traditional manner – with more precise policies or via policy compliance audits.

If you’re not up on the latest in the Whisper scandal, what follows is a brief summary. After garnering some attention from an article in The Guardian, Jonathan Zdziarski performed a...



Every Application is An Analytical App

I just read Gartner’s Top 10 Tech Trends for 2015. It’s always fun to read predictions and this list contains all of the usual suspects (the Internet of Things, Cloud, 3D printing, etc.) but number four on the list caught my attention:

Advanced, Pervasive and Invisible Analytics. Every application is an analytical app today.

In a world where notice and consent, the fundamental underpinning of our privacy laws and regulations, isn’t working (e.g. nobody reads privacy policies and when they do they don’t understand them) and regulators are getting more creative and aggressive in the way they hold companies accountable to their actions, what kinds of risks are developers taking when they enable “advanced, pervasive and invisible analytics” in their apps?

The risks are huge. If you don’t believe me ask Google’s Street View team what happens when you collect information from the public...



Security Comprehension

Too much information is a persistent problem in the world of information security. We’re buried under threat intelligence feeds, noisy alert systems, not to mention the steady drumbeat of news on the latest breach or exploit. Add to this the requirements to understand locations of increasingly large caches of dispersed data on rapidly evolving and shifting systems, and it is easy to understand why the typical Information Security function is buried under a torrent of information.

Of course there is a long line of vendors offering solutions to all of the aforementioned issues. These usually boil down to visualization tools such as dashboards, and automation tools providing some sort of information filtering capabilities. Some of these are very good, but what is missing is a tool that allows us to start organizing ourselves holistically in such a way that anyone on a security team can...



Privacy, GRC’s Blind Spot

Governance, risk management and compliance (GRC), the functions within the organization that ensure it stays on the straight and narrow, are structured in a variety of ways, but they generally break down into the following areas:

  • Audit and Compliance ensure that policies match practices
  • Risk Management ensures everyone understands the likelihood and cost of unfortunate occurrences
  • Information Security protects data from unauthorized use or dissemination
  • Information Technology implements and maintains necessary control mechanisms on technology
  • Legal ensures that all of the aforementioned functions understand legal and regulatory requirements and contractual obligations

When implemented and managed well, this traditional structure is effective in safeguarding organizations against straying from their legal and regulatory obligations. Unfortunately privacy requires something more...



Information Security Risks Becoming a Failed State

Current events are depressing. President Obama, on the television last night, let us all know he has approved US airstrikes in Syria – an indication of the deepening struggle of both the Syrian and Iraqi governments attempting to maintain some semblance of control. The situation in Ukraine is on a knife’s edge as well for much the same reasons. These are indicators that we may be witnessing the last gasps of failing states in those regions, but while that news is bad, in the midst of constant updates on the instability in Ukraine, Syria and Iraq are news reports of major data breaches, most recently JP Morgan and Home Depot. I fear that much like the situation with the aforementioned regional political conflicts, an analogous story can be told about the current state of information security.

The unfunny punchline to the case I’m about to lay out is that information security...



Welcome to Our New World Order

The kerfuffle over explicit personal images of nearly one hundred celebrities continues to make the news and is choking social media with cries of indignation, pleas for support, tasteless jokes and voyeurs salivating over the whole thing. Given the scale of the leaks and the notoriety of the victims none of this is surprising, but the media coverage of it is sensationalist and lacks perspective (I guess that isn’t really surprising either). Some articles are better than others but most condemn a handful of sites as if they were welcoming denizens of evil and ignore the fact this type of privacy violation has become commonplace. All of this mis-focused attention is just feeding the cycle of interest.

There are three lessons to learn from all of this.

Things spread fast on the internet and it cannot be controlled

When news broke of the leaked photos, the internet moved fast. The...



Celebrity Nudes Whodunnit

Today the internet is all a-buzz with the news that a hundred or so celebrities’ personal photo accounts were hacked. Tonight it’s all about indignation, tomorrow will come the speculation about how this could occur.

Make no bones about it, this is a massive privacy breach and on a scale I’m not sure we’ve seen before. Particularly when you account for the personal nature of the photos and the sheer number of celebrities affected. Given that, someone will want to say they were the first to get it right, and that includes yours truly.

First, let’s dispense with what this is not. I have a gut feeling this is not an iCloud exploit, as most suspect (UPDATE: Apple now confirms this). This is certainly not some nation-state effort. It is on that scale but that would be ridiculous – even the most fervent jihadist has better things to do. I also don’t believe that some script kiddie could...



When Policies and Practices Don’t Match

The Center for Digital Democracy (CDD) recently filed a complaint with the FCC alleging that 30 U.S. companies are failing to comply with the US Safe Harbor Agreement. The companies are all data brokers of some sort – either as their primary business, such as Acxiom, or a by-product of what they do such as with Salesforce. The filing is 100+ pages of background, opinion and evidence, but the whole thing can be boiled down to one simple allegation: These companies say they do one thing in their policies but in practice they do something else.

This filing is not unique, as the FTC earlier this year settled similar allegations with twelve companies and, over the years (and with increasing frequency), they have brought a number of similar cases against individual companies. All of these cases almost always boil down to someone doing something with personal information that their policies...



Is Privacy Necessary Without Humans

I finally found some time to catch up on the week’s news last night and, not surprisingly, there were a number of different stories reporting on Google’s new tools for tracking users on their smartphones. The effort from Google is not surprising in the least, nor do I think it is all that interesting; it did, however, send me thinking of something I hadn’t considered before.

Note: The Google announcement is yet another story, in a long line of such stories, where companies announce some increased ability to track customers and people respond to the news by expressing discomfort over being tracked. I’ve written about this many times before so I won’t belabor the point, but to readers who are running services that collect personal information, you really should confront the issue in a transparent manner and not simply hide behind some legalese-filled privacy policy.

As I was considering...
