Jeff Northrop

Privacy and security

Read this first

FTC Investigation in 3, 2, 1…

Currently making the rounds on the internet are a series of videos of people’s oftentimes embarrassing attempts at karaoke. These viral gems are the product of Starmaker from Starmaker Studios who, as a result of there eagerness to create a platform, are likely to be the next privacy-failure poster boy.

If you browse the videos on the company’s Youtube channel you’ll see children singing, a woman breastfeeding while singing and other potentially compromising situations. I’m guessing here, but it looks like many of the participants in these videos are unaware that these videos are open for public viewing.

To learn more I decided to install the application and check it out for myself and after installing the application and going through the process of recording and uploading a video I can see why so many potentially embarrassing videos reside on that channel. The application is...

Continue reading →


50 Shades of the Privacy Profession

Note: This is a piece I wrote for the International Association of Privacy Professionals Privacy Tech blog.

I was asked the other day by a reporter to define “privacy professional.” I provided some over-long response describing how those within an organization who touch personal data—regardless of their title—are considered privacy professionals. There is nothing incorrect about that answer but it’s so broad, so abstract and can be applied to so many roles that it’s essentially a useless response for anyone looking for guidance.

I could have described a professional that interprets legal and regulatory language, possesses strong communications skills, provides risk analysis and strategic direction as well as manages cross-function teams—the types of skills often required by a Chief Privacy Officer (CPO). However, while that certainly describes the skills possessed by the prototypical...

Continue reading →


Amazon Echo, Who Is Listening?

Amazon announced a new toy today, the Echo, and it looks like an interesting product. It’s a combination of Siri (or Google Now, or Cortana) where you verbally ask questions and it will respond, and a voice activated media server. Though as interesting as the product is as a concept, upon reading the announcement, my immediate thoughts went to an article published last week by Michael Price for Salon magazine. The article details Price’s fears concerning his new Smart TV, specifically his fear that the device is sending all his conversations back to the manufacturer’s servers.

More troubling is the microphone. The TV boasts a “voice recognition” feature that allows viewers to control the screen with voice commands. But the service comes with a rather ominous warning: “Please be aware that if your spoken words include personal or other sensitive information, that information will be...

Continue reading →


Ignorance at Apple and Whisper

Quick question: What do Whisper and Apple have in common? That’s right, both are currently being publicly flayed for perceived privacy violations. More specifically the public is in an uproar after discovering that their respective software is sending personal data from their device to corporate servers, much to their surprise.

If you’ve read just about anything I’ve written in the past 3 years you know how I feel about companies that do things that surprise the consumer, but the situation with these two companies is a little unique but becoming more common. Their perceived violations wouldn’t have been easily resolved in the traditional manner – with more precise policies or via policy compliance audits.

If you’re not up on the latest in the Whisper scandal to follow is a brief summary. After garnering some attention from an article in The Guardian, Jonathan Zdziarski, performed a...

Continue reading →


Every Application is An Analytical App

I just read Gartner’s Top 10 Tech Trends for 2015. It’s always fun to read predictions and this list contains all of the usual suspects (the Internet of Things, Cloud, 3D printing, etc.) but number four on the list caught my attention:

Advanced, Pervasive and Invisible Analytics. Every application is an analytical app today.

In a world where notice and consent, the fundamental underpinning of our privacy laws and regulations, isn’t working (e.g. nobody reads privacy policies and when they do they don’t understand them) and regulators are getting more creative and aggressive in the way they hold companies accountable to their actions, what kinds of risks are developers taking when they enable “advanced, pervasive and invisible analytics” in their apps?

The risks are huge. If you don’t believe me ask Google’s Street View team what happens when you collect information from the public...

Continue reading →


Security Comprehension

Too much information is a persistent problem in the world of information security. We’re buried under threat intelligence feeds, noisy alert systems, not to mention the steady drumbeat of news on the latest breach or exploit. Add to this the requirements to understand locations of increasing large caches of dispersed data on rapidly evolving and shifting systems, and it is easy to understand why the typical Information Security function is buried under a torrent of information.

Of course there is a long line of vendors offering solutions to all of the aforementioned issues. These usually boil down to visualization tools such as dashboards, and automation tools providing some sort of information filtering capabilities. Some of these are very good, but what is missing is a tool that allows us to start organizing ourselves holistically in such a way that anyone on a security team can...

Continue reading →


Privacy, GRCs Blind Spot

Governance, risk management and compliance (GRC), the functions within the organization that ensure it stays on the straight and narrow, are structured in variety of ways, but it generally breaks down into the following areas:

  • Audit and Compliance ensure that policies match practices
  • Risk Management ensures everyone understands the likelihood and cost of unfortunate occurrences
  • Information Security protects data from unauthorized use or dissemination
  • Information Technology implements and maintains necessary control mechanisms on technology
  • Legal ensures that all of the aforementioned functions understand legal and regulatory requirements and contractual obligations

When implemented and managed well, this traditional structure is effective in safeguarding organizations against straying from their legal and regulatory obligations. Unfortunately privacy requires something more...

Continue reading →


Information Security Risks Becoming a Failed State

Current events are depressing. President Obama, on the television last night, let us all know he has approved US airstrikes in Syria – an indication of the deepening struggle of both the Syrian and Iraqi governments attempting to maintain some semblance of control. The situation in Ukraine is on a knife’s edge as well for much of the same reasons. These are indicators that we may be witnessing the last gasps of failing states in those regions, but while that news is bad, in the midst of constant updates on the instability in Ukraine, Syria and Iraq are news reports of major data breaches, most recently JP Morgan and Home Depot. I fear that much like the situation with the aforementioned regional political conflicts, an analogous story can be told about the current state of information security.

The unfunny punchline to the case I’m about to lay out is that information security...

Continue reading →


Welcome to Our New World Order

The kerfuffle over explicit personal images of nearly one hundred celebrities continues to make the news and is choking social media with cries of indignation, pleas for support, tasteless jokes and voyeurs salivating over the whole thing. Given the scale of the leaks and the notoriety of the victims none of this is surprising, but the media coverage of it is sensationalist and lacks perspective (I guess that isn’t really surprising either). Some articles are better than others but most condemn a handful of sites as if they were welcoming denizens of evil and ignore the fact this type of privacy violation has become commonplace. All of this mis-focused attention is just feeding the cycle of interest.

There are three lessons to learn from all of this.

Things spread fast on the internet and it cannot be controlled

When news broke of the leaked photos, the internet moved fast. The...

Continue reading →


Celebrity Nudes Whodunnit

Today the internet is all a-buzz with the news that a hundred or so celebrity’s personal photo accounts were hacked. Tonight it’s all about indignation, tomorrow will come the speculation about how this could occur.

Make no bones about it, this is a massive privacy breach and on a scale I’m not sure we’ve seen before. Particularly when you account for the personal nature of the photos and the sheer number of celebrities affected. Given that, someone will want to say they were the first to get it right, and that includes yours truly.

First, let’s dispense with what this is not. I have a gut feeling this is not an iCloud exploit, as most suspect (UPDATE: Apple now confirms this). This is certainly not some nation-state effort. It is on that scale but that would be ridiculous – even the most fervent jihadist has better things to do. I also don’t believe that some script kiddie could...

Continue reading →