Experts have issued fresh warnings to U.S. citizens over the enormous amount of sensitive, personal information being routinely captured and commoditized, and that this same information is being weaponized by the country’s adversaries. A panel at the recent AFCEA TechNet Cyber conference highlighted that data gathering by Facebook, WhatsApp and Google presents a significant risk to both individuals and the nation.
Maj. Gen. Joseph Brendler, USA (Ret.), described it as an unregulated arms market. “If you are not paying for a service, the thing you’re getting is not a product. You are the product. The company… is using your interaction with them… to collect information about you, and then they sell it,” he said.
Col. Arthur Friedman, USAR (Ret.), an identity strategist detailed to DISA from the National Security Agency, expressed concerns that “private corporations are collecting information today that may hurt citizens. They may not be able to get a loan; they may be denied a job interview; they may even be denied health insurance.”
According to Marc Groman of Groman Consulting Group, who has served as a policy advisor within the White House, “As we create this data and create this incredibly deep, detailed picture of not just American individuals but of our society, our communities, our culture, there are risks we never talk about with that data moving overseas for other purposes.”
Gen. Brendler, who before retiring served with the U.S. Cyber Command, argued that what began as “a purely commercial marketplace” is now “…producing technologies that can be weaponized and used for the purposes of influencing the people of the United States to do things other than just buy products, such as who you’re going to vote for… That dynamic is called influence operations, if you put it in military terms, and the weaponization of that technology is exactly what is used... in conducting information warfare against the United States.”
“It’s much more than just the textual type of data—imagery, video, audio—all of this is being collected, it’s being digitized, it’s being packaged up, commoditized, and it’s really traded on multiple markets around the world,” added Brig. Gen. Gregory Touhill, USAF (Ret.), of Appgate Federal Group. Gen. Touhill went on to explain that this treasure trove of information “can and is being weaponized against people by nation state actors, cybercriminal groups and others for nefarious reasons.”
The panel’s statements come as leaks suggest that WhatsApp is set to force through updated Terms of Service in 2021, which users will have to accept or they will lose access to the app. Screenshots shared by early testers of the Facebook-owned consumer app, shows messages stating, “By tapping Agree, you accept the new terms, which take effect on February 8, 2021… After this date, you’ll need to accept the new terms to continue using WhatsApp or you can always delete your account."
A spokesperson for WhatsApp has confirmed that the changes will affect how businesses can operate on the platform and interact with users. However, WhatsApp’s intention to collect and market personal information is already spelled out in their existing Privacy Policy, which states, “As part of the Facebook family of companies, WhatsApp receives information from, and shares information with, this family of companies… Facebook and the other companies in the Facebook family also may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads.”
Given that the commercialization of personalized information is fundamental to the Facebook/WhatsApp business model, and as such, not only jeopardizes personal privacy but on a macro level can threaten national security, why is this not more widely understood? It could be linked to the fact that, as a recently released survey identified, WhatsApp’s Privacy Policies are “among the hardest to understand.” This is for good reason; the more difficult it is for users to comprehend how much of their data these apps are parceling off and selling, the less likely they will push back with legitimate concerns.
The threats to personal privacy outlined also extend to enterprise and government security, as the COVID-19 health crisis has forced almost all organizations to support a newly remote workforce. As employees rely on the convenience of self-sourced freemium apps like WhatsApp for work communications, their employer’s data is, in turn, also jeopardized by Facebook’s monetization of data. In addition, barely a month goes by without revelations of consumer messaging apps being compromised, with headlines such as this by Forbes explaining why users should stop using WhatApp until they have changed three critical settings.
To protect individuals, enterprises, government organizations and the nation itself, we in the security community must continue in, and intensify, our efforts to educate the public on the threat such apps represent. Offering secure alternatives that do not hand critical data access to tech companies and, ultimately, foreign adversaries will be vital to this.
We must also acknowledge the role regulation should play in protecting us from both these tech companies and those who use that data for nefarious purposes. As Groman stated at the AFCEA conference, “In the United States, we do not have a general privacy law. Every other Western democracy does. We are the only one that does not right now. I’m optimistic and hopeful that we will address that.”
No comments:
Post a Comment