If companies like Amazon, Google, or Facebook fail to provide adequate protections, they could face lawsuits and government crackdowns over their technology
Alexa, Google Home, and Apple's Homepod are the convenient smart speakers that do our bidding within our homes, but who has access to the data we provide? Concerns over surveillance and data breaches have generated alarm over the amount of personal information we store in home technology, including our location, our home layout, and our voice. Such wariness is understandable, with Google Home Mini initially listening to its owners in the bathroom and uploading the data to Google's servers. After it was exposed as a glitch, the fault was quickly corrected, but the tech's capability of listening in when deactivated is proven.
However, Jake Williams, founder and president of cybersecurity firm Rendition Infoseek, says the average user isn't likely to be targeted by hackers. "Would-be attackers] don't care what you're talking about at home, they're looking to monetize data." He adds, "The level of effort to do it is too high in the vast majority of cases. Your average American just isn't that interesting."
In order to steal data from a home device, a would-be hacker would need "undetectable audio commands, eavesdropping software and targeting devices connected on a network." Since home tech doesn't store information as sensitive as credit card information, social security numbers, or passwords, it's simply not worth the effort. Of course, there are exceptions, as hackers could opt to target individuals in order to extort ransom payments for the data, but these instances are unlikely and rare.
Of greater concern is a massive data breach at one of the company clouds where customers' information is stored. While individual users can set up two-factor authentication and limit the number of external services they link to their home devices, once the information is collected and stored it's up to the company to provide protection. If companies like Amazon, Google, or Facebook fail to provide adequate protections, they could face lawsuits and government crackdowns over their technology, according to Bloomberg Law. Class action lawsuits, regulatory enforcement, and publicity damage could obviously harm company revenues if a data hack were not prevented.
Melissa Kern, piracy and information security law partner at FrostBrown Todd LLC,said, "If there is a security breach that results in unauthorized access to the personal data they have collected, whether due to a security flaw or not." As a result, Amazon and Google run product security tests to check for major flaws. Large tech companies also test the data transfer between personal devices and the cloud, in order to curb vulnerabilities to hacking.
Of course, there are steps consumers can take to protect their information. The straight forward protections include the smart user management. As consultants advise, "For those who are concerned that Google Bots are listening to everything you say, you might find some comfort in knowing that Google Home listens and even processes who is talking locally. It uploads information to the cloud when the wake word, 'OK, Google' or 'Hey, Google,' is spoken or when you long press the touch interface at the top of the device (except for Mini)." Google Home also has indicators that alert you when the device is listening in.
Ultimately, it's up to the consumer to make smart and secure choices with their data. Limiting how many devices are linked to private accounts is an easy but powerful first step. The data clouds hold all the information the device interprets, whether insignificant, unintentional, or highly sensitive.
By submitting your genetic material to a company, you're tacitly agreeing to share your identity and rights to your most private information.
From "fear of missing out" on social media to belligerent political differences, modern existence is increasingly alienating. As a result, more people are interested in "finding their tribe" by digging up their family origins. But genetics-testing companies like Ancestry and 23andMe take more than your DNA, they take your privacy to that information, as well. With the Golden State Killer finally arrested thanks to data mined from those genetic databases, law enforcement has proven their ability to access the company's records.
In the same vein, the government can gain access to personal information given to these sites for purposes they deem justified. For example, in 2019, Canadian immigration officials obtained DNA results from sites like Familytreedna.com and Ancestry.com in order to identify immigrants' nationality and trace their relatives. Subodh Bharati, a lawyer representing one targeted individual, told Vice, "I think it is a matter of public interest that border service agencies like the CBSA are able to obtain access to DNA results...There are clear privacy concerns. How is the CBSA able to access this information and what measures are being put in place to ensure this information remains confidential?"
While each site in question denies working with government agencies, if authorities argue that national security is at risk, then the websites "can't really say no," as immigration lawyer Jared Will explains. He condemns the exchange as "extorted consent." Bharati warns potential customers, "Individuals using these sites to look at their family tree should be aware that their confidential information is being made available to the government and that border agents may contact them to help facilitate the deportation of migrants."
Furthermore, accessing your data doesn't always take government measures. For instance, according to 23andMe's policy, "We do not share customer data with any public databases. We will not provide any person's data (genetic or non-genetic) to an insurance company or employer. We will not provide information to law enforcement or regulatory authorities unless required by law to comply with a valid court order, subpoena, or search warrant for genetic or Personal Information." Yet, there's an additional permission users are asked to agree to, reading, "By agreeing to the Research Consent Document, Individual Data Sharing Consent Document, or participating in a 23andMe Research Community, you can give consent for the use of your data for scientific research purposes."
In July 2018, 23andMe announced it was partnering with the world's ninth-largest pharmaceutical company, GlaxoSmithKline (GSK). The agreement grants GSK exclusive access to the genetic information of over 5 million users, and 23andMe received $300 million. GSK released a statement explaining their interest in genetic databases, saying, "The goal of the collaboration is to gather insights and discover novel drug targets driving disease progression and develop therapies."
While it's a universal good to create more effective and closely targeted medicine, the transactional exchange of people's most private information, their DNA, unsettles many. Peter Pitts, president of the Center of Medicine in the Public Interest, told NBC, "Are they going to offer rebates to people who opt in, so their customers aren't paying for the privilege of 23andMe working with a for-profit company in a for-profit research project?" In essence, people are paying the site to make money off their information, with no recompense.
Additionally, despite what's written in the company's policy, "the problem with a lot of these privacy policies and Terms of Service is that no one really reads them," says Tiffany C. Li, a privacy expert and resident fellow at Yale Law School's Information Society Project. While users can opt to close their 23andMe accounts or retract their permission once it's given, the company emphasizes, "Any research involving your data that has already been performed or published prior to our receipt of your request will not be reversed, undone, or withdrawn."
Lastly, there's the possibility of information leaks. In June 2016, the DNA testing service MyHeritage announced that its database of 92 million accounts had been hacked. The depth of the breach only revealed encrypted emails and passwords, but the company was targeted because the premium on genetic data is far more valuable than credit card or bank information. Hackers could hold DNA data for ransom, according to Giovanni Vigna, co-founder of the cybersecurity company Lastline. He says, "This data could be sold on the down-low or monetized to insurance companies. You can imagine the consequences: One day, I might apply for a long-term loan and get rejected because deep in the corporate system, there is data that I am very likely to get Alzheimer's and die before I would repay the loan."
Ultimately, by submitting your genetic material to a company, you tacitly agree to share your identity and rights to your most private information. As Natalie Ram, a law professor in bioethics, says, "If there is data that exists, there is a way for it to be exploited.
You know the old saying — an ounce of prevention is worth a pound of cure. Doubly so on the internet.
Having one's digital life hacked is a little like death: We walk through daily life, blissfully unaware of its possibility, while all the while it dangles over our heads like the Sword of Damocles.
Rather than be caught unawares, surrendering bank account information and sexy selfies to nefarious, faceless internet criminals, follow these steps now to protect yourself. You know the old saying — an ounce of prevention is worth a pound of cure. Doubly so on the internet.
Use better passwords
That means no pet names, no birthdays, no kid names. Get creative with a complex string of upper and lowercase letters, numbers, and symbols. You might even think of this as an opportunity to give yourself a motivational phrase like, "Youarebrilliantin2019!" Set up passwords — and different ones! — on your voicemail, Wi-Fi, and individual apps for banking and email.
...and use a password manager
Password managers like 1Password and LastPass make logging into websites simple without leaving yourself vulnerable to problematic browser autofill. One master password gains access to all the others, so you want it to be long and complex with numbers and special characters so not even the most determined hacker can guess it. From there, the password manager takes care of all your other password.
Employ multi-factor authentication
Sheera Frenkel, who writes about cybersecurity for The New York Times, says that a password manager and multifactor authentication "are the bare minimum of what we should all be doing. And even with all that, I just assume I'm going to be hacked any day." Here's how to set up multi-factor authentication on Apple, Google, Instagram, and more.
Keep your operating systems up-to-date
Most successful hacks exploit vulnerabilities of out-of-date operating systems. When Apple or Android tells you an update is ready, download and install it. Ditto with apps. Keep them up-to-date to protect against data breaches, and be mindful which ones you download. No longer using Shazam or Tinder? Delete 'em.
Use "Find My Phone"
You can set your phone to automatically erase itself after a certain number of incorrect passcode attempts. You can also use Apple and Google's "find my device" services, which can locate your phone on a map, remotely lock it, make it ring or the nuclear option — delete it entirely.
Beware open wifi
The danger isn't in your local Intelligentsia — though you shouldn't log into your bank accounts on any open networks — but if you're ever unsure about a wireless network, stick with your phone's mobile internet connection or use a VPN, which routes your activity through a private encrypted connection. Here's a recent rating of VPN services by PC Mag to help you choose.
There's no such thing as 100% security but following these steps will keep your digital data as safe as a citadel.
8 ways to protect yourself, right now
When I was studying in China, the other kids and I always freaked out when we were doing something illicit, like entertaining a Chinese friend or using an electric tea kettle, and the dorm attendant came knocking at the door. Clearly we were being surveilled. Over time, one of the things we grew to appreciate about the United States was our individual privacy. Obviously, since then, what seemed like an inviolable right has been casually thrown away like a pile of old VHS tapes. Where I once cherished my privacy, now I might as well be sprawled naked on the pavement in Times Square surrounded by my open passport, credit cards, bank statements, and diaries.
The Internet is an incredible tool, but it appeals to some of our worst tendencies: sloth, addiction, prurience. We love it because it's free, although of course, we're all paying a huge price. Even after debacles like Yahoo exposing the data of every single one of it's users, three billion in all, or the Cambridge Analytica-Facebook scandal, how many people actually deleted any accounts, changed their privacy settings or read the epic and stultifying privacy agreements on social media? In the United States, what business theorist Shoshanna Zuboff terms "surveillance capitalism" was allowed to develop largely unregulated, allowing companies, in particular Google and Facebook, who rely on mining personal data for revenue to become, according to the New York Times, an "emerging duopoly that today controls more than half of the worldwide market in online advertising."
This spring, the European Union enacted the General Data Protection Regulation, a sweeping law that requires companies use the highest possible privacy settings and disclose any type of personal data they are collecting. In June, California followed suit with its own Consumer Internet Privacy Act of 2018, the most robust in the nation. And federal regulations? Remember back in 2017—I know that seems like the Dark Ages with the current breakneck news cycle—when President Trump signed a repeal of an Obama-era law which, under the FCC, would have required broadband companies to get permission from their customers when they were collecting "sensitive data" such as browsing history and geolocation? In late July, the Commerce Department "began holding stakeholder meetings to identify common ground and formulate core, high-level principles on data privacy," according to a senior official speaking to Reuters. In other words, don't hold your breath waiting for federal legislation.
Even California's law doesn't go into effect until 2020. What can you do right now to protect your privacy? Here are some steps you can complete in under an hour that will beef up your computer or phone's security:
1. Turn off location tracking for all of your Apps. You can turn them on selectively when you need them (such as with Uber).
2. Install automatic updates. This way your software will have the latest security features.
3. Cover your webcam with a piece of tape or post it like Mark Zuckerberg does. We know he's an expert on shady ways to collect personal information.
4. Use a password on every computer and gadget, not just your phone. And make it at least six characters long and strong. 123456 or your birthday will simply not do.
5. Put your social media accounts on lockdown. Check your privacy settings. Don't make everything public. Share only within a verifiable group of friends.
6. Avoid using public wifi connections. They can be convenient but the information you transmit is not secure.
7. Don't give away personal information that you don't have to. Phone number? Address? Birthdate? Nope. Facebook does not need to know.
8. Delete your search history regularly. This is critical if you use shared computers such as at school or in a library.
Consumer Reports has a useful list of nearly 70 other steps you can take to protect your security and privacy.
Have more tips? Tweet us at The Liberty Project.