The Digital Life Episode #109: The de-evolution of online privacy
Our big institutions, both corporate and government, are not able to keep up with security in the digital age. As our communications, commerce, and even our health data continue to move online, what is the individual to do?
From the recent breach of US government systems exposing valuable personal data, including Social Security numbers, for millions of Federal employees; to the Sony hack revealing private corporate communications to embarrassing effect; to the intrusions on computer networks at major health insurance companies Anthem and Blue Cross, the list of concerning events goes on and on.
Do we need a cultural shift in our understanding of cyber-privacy? And what would that be? In this episode of the Digital Life, we discuss the consequences of online privacy devolution.
WikiLeaks Dumps More Sony Documents
Chinese Hackers Get Access to US Government Systems
Welcome to episode 109 of The Digital Life, a show about our adventures in the world of design and technology. I’m your host Jon Follett and with me is founder and co-host Dirk Knemeyer.
Howdy Jon! What’s on the schedule for today?
So today let’s talk a little bit about the evolution, or perhaps more accurately, the de-evolution of our online digital privacy. Because there have been so many recent news events that have really brought this topic to the floor, and I think it’s a critical one for the experience of The Digital Life going forward.
So I wanted to start with some of the big news events of the past couple months around privacy and then talk a little bit about that topic both from a user experience perspective and from the general digital culture perspective as well.
So let’s get started with one of the more disastrous security breaches of the 21st century so far which is that of millions of federal employees having their personal data siphoned off by hackers, presumably of Chinese origin, at least according to a reporting I’ve seen by the New York Times. And essentially getting into our governments antiquated systems and then extracting this data which included social security numbers from what I understand. And this is data specifically about federal employees, so now this has been exposed and for the United States I think this is a horrible black eye because we’re at least given the story that our cyber security and our digital readiness for the future is solid and it quite clearly is not. So we have this huge governmental on the cyber security side and I just found this news item to be somewhat shocking. I don’t know, what was the impression that you took away when you heard about this?
I expected … Disappointed, not surprised. It’s tricky, right? Because we’ve really evolved so that’s … There’s a lot of power that each of us have as individuals. To hurt people or organizations would have very little to do with us. I mean let’s go back N thousand years, there was a time where the only way to hurt a person or an object in the environment was to be standing within arms reach of that thing and pummeling it in a personal way, either with your fists or with some kind of hand held object. Then through technology we have things like the bow and arrow, and on and on and on. And now we’ve created this virtual space which totally changes the rules, but we also have technology within it that can be mastered and learned by an individual but then to harm a scale like a country or the whole of the internet to a certain degree from a service disruption standpoint more so than a data breach standpoint.
But it’s a problem that’s not going to go away, the nature of computer science, the nature of computer security is such that an individual or particularly a group of individuals that are banded together officially or unofficially by a federal government or a federal group have the power to get into anything they want given enough time. And that’s the price that we pay, whether it be the U.S. government or individuals, for having our information on the internet. For engaging with this thing that is, by it’s very nature, global, virtual, and really hard to protect. It’s tough.
Yeah, I think one of the takeaways that I sort of realized as I was reading this and a number of other security breaches. Especially the embarrassing Sony security breach, where their emails and sensitive transactional information was sort of exposed and made public for all to see; their dirty laundry. One of the takeaways was that being these large institutions and being in charge, there’s no longer this impregnability. Some of the benefit of being large and in charge has gone away and now these very nimble hacker groups can make a mockery of the larger institutions because they just can’t keep up.
So it makes me wonder if this centralized information and these large institutions that are unable to protect themselves, if that’s going to necessarily sort of need to change in some way. And I don’t have the security vision to see how that would happen. But there’s no longer the all powerful large institution that can control all aspects of it’s being. It’s now these smaller nimbler players who have very much the advantage when it comes to the security aspects.
Yeah, I mean there’s a couple things. So one, its almost certainly not going to change until something catastrophic happens. And the breach that you mentioned doesn’t rate at that level, what that looks like. What the catastrophic event would be that would cause change, I don’t know but it would be really dire. Because people love the convenience of the internet, people love the fact that you can be anywhere and always on data and information that you need is at your fingertips fully updated, there’s so much good stuff about it.
But if the institution really wanted to protect against it, it would be very … It’s very doable, but it’s a kin to … Like if you think about CDC workers dealing with a real virus. They put themselves in a special suit, then they go in that suit into a staging room between, say the room where they live and the room where the yuckies are, and they’re … I’m sure I’m using the imprecise and silly specifics but they’re hosed down essentially. So they have to put this outfit on and then they’re additionally have all these other protocols in order to be safe.
By taking these systems off the internet, by essentially having the data in literally a physical and safe place. Having the systems in a physical and safe place. And then going through this safe staging process, and then being available in real time for a period of time, and then being pulled down and walked down again. Like that’s a way around it, that’s a way … If its built correctly and can handle responsibly and consistently, and if the physical infrastructure and the ultimate safe space is truly, truly safe, which there’s a different vulnerability right there. In that scenario the hackers can be avoided, these things can be avoided.
But how many of us, how many organizations would want to deal with those kind of protocols? Because it requires a whole lot of downtime. And we are accustomed to using the internet in a way where there’s no downtime whatsoever. And that is indeed one of the key features of it. So it will take something really, really cataclysmic for something at the level of the United States government to take major every day systems and put them into that kind of a process. But it is solvable, it is doable. It’s just using the internet in ways that are very much divorced from how we’ve becoming accustomed to using them up until now.
Yeah, it’s interesting that you suggest that because I think some of the security recommendations around the federal computer systems that were breached was that the systems that were vulnerable be taken offline for a period of time while they figured out how to best secure them and how to best deal with that. So separating out the sensitive information, especially when it’s critical and personal information and it’s not well protected, pulling it offline may seem anti-technology but at the same time it’s probably the safest way to protect things.
Yeah, and for what it’s worth, I’m sure governments like China and North Korea, that they do treat their data that way. They do sacrifice the convenience, openness, and sort of the liberal sensibilities for the very conservative, cautious, closed approach of keeping it safer. They may be in the right here, because the unprecedented ability of an individual, or a small group of individuals to compromise our data is very real. And we may be a little bit stupid in how we’re — meaning here in the United States — are addressing that reality.
Yeah, and I think it really comes home when you start considering that, since personal data is really the target now, we’re all made vulnerable whether we’re federal employees or if we have healthcare system that is storing some of our particularly sensitive information in a database that’s not well protected. So similar hacker groups have caused all kinds of problems for health insurance companies and I received a letter in the mail that said hey your data’s been exposed we’ll get you some online monitoring security software to let you know if somebody does something bad with it. But, hey you’ve been exposed in this particular data breach. And you sort of couple that with the idea that a lot of our health records are now being made electronic through EHR’s, and to take that a step further, that electronic health record will soon be containing a whole bunch of new information. Maybe genomic information, other information from your wearable’s and things like that.
So as our online presence increases … As the amount of information about us in the digital world increases, so does our exposure and becoming a target for people to do not so nice things with it.
Yeah, right now a lot of the things that you named off, that data couldn’t be used against us in a diabolical way. The technologies around health and genetics are not such that that could be used to weaponize against us and kill us, or harm us. Or something that would matter, but that’ll change at some point. I think it’ll change at a point where we’ll probably be old, we won’t matter really at that point. But it will change at a point probably during our lifetimes. And for younger people, for people who are there and relevant and active in the future, it’s really concerning.
And you know another nuance to all of this is, there’s a difference between what I’ll call criminal hacking, and what I’ll call destructive hacking. And the distinction I’m drawing is criminal hacking is one that is done with a plan, whether it be done by a vigilante or whether it be by a shadow government group, the idea is we want to get N data for Y purpose and it will be operationalized for that purpose. A very few of the big breaches were seen in the news fall into that category. Most of them fall into the category of destructive hacking, where it’s less about executing the plan to exploit the data and it’s more about embarrassing, humiliating an enemy. Somebody you want to hurt, basically. Somebody you want to bully. And so, the U.S. government of course is a huge target for that. Just like Sony Entertainment Group was a huge target when they were putting out a movie lampooning the supreme ruler of North Korea.
And at more personal level, I think where it gets more troubling is what could be done to us as individuals. We already see it from a non-hacking perspective, in terms of the bullying and doxing that go on with social media. But if a target was juicy enough, it could be a lot worse than that. What would happen if someone who really had reputation and clout … Who’s a good example for this? If like a Malcolm Gladwell, if he, who people listen too, came out with something that was very subversive against whatever; the Chinese government or some individual organization that just wasn’t going to tolerate that, what could they do? How could they criminalize their hacking, their nefarious efforts to really, really put a world of hurt on that individual?
So we just are all vulnerable in so many different ways. And we are now in a world very much where if you stand up and stick you hand up above everyone else, it could get chopped off in brutal, brutal ways. Most of which are virtual but have real impact in our physical realities.
Yeah, I think that’s a particularly disturbing scenario. I’m also thinking as we move forward even more deeply into our having the digital life integrated into our everyday reality, I’m interested in this evolution of our understanding of privacy and what that means culturally. Because up until now we never quite had to struggle with what is known by only ourselves and our confidence and to our medical professionals who help us or whatever it is. The information that we see as being secret versus the information that we make public. And that information is now less and less likely to stay in that comfort zone of trusted advisors and availability limited to the public sphere. That veil is very thin now, with everything residing online.
So we’ve come to this moment, and our expectations of privacy moving forward are based on this pre-digital world. And it feels like we’re really learning a lot of hard lessons all at once, which is making the scenarios even much more different culturally. So I wonder from a user experience perspective, how we can expect our concept of privacy to evolve over the next, who knows, 10, 20, 30 years. Are we capable of changing how we think about our personal and private data? Or are we just going to feel more and more squeezed by our online presence and try to keep everything under wraps? What’s your take on that, Dirk?
I think until there’s a cataclysmic event, there will be very few people who take proper precautions. But I think there’s a couple problems. One is that, even proper precautions I don’t know if they mean a whole lot. So the example I’m going to use is there was a period of time … I don’t know how far back this goes but at least a few years, where if I was doing something online that I thought could be embarrassing if it got out, I would log out of the browser and go into an anonymous session. The problem is that what I was doing was still being picked up by Comcast or whatever the cable provider.
So it’s just so difficult in the current ecosystem to really be private, to really have your data protected. And what exacerbates it, and what makes it something that is not urgent for us … And I’ll speak for myself here but I’m assuming it’s the case of many other people, is that we think we’re safe from the standpoint that even if we get drilled, even if our data gets out there we get identity thefted the worst things happen, I have confidence that I’ll be bailed out. That whether it be my bank, whether it be the government, whether it be the company that holds my mortgage. However I’m undermined that there’s a safety up there. So the only thing where I feel vulnerable ultimately, and it sucked to have a really nasty identify theft. But that it would be fixed and over and life goes on.
The only place where I think I’m vulnerable are things that might be embarrassing if they got out. But I’m increasingly just not caring because I think it’s going to happen if I’m ever well known enough to matter, I think my stuffs going to get out there and I’ll just own it. Because there’s nothing that I’ve done online or been interested in that I wouldn’t be able to stand up and own at the end of the day, even if they’re thing that conventionally, somebody would be vulnerable from. So it’s just a really, really hard situation given the nature of the digital ecosystem and then just, again, given the fact that the safety nets are there. It’s very unlikely that any of us would be compromised, and the compromise would be turned into literally our life being totally changed. It may be for a short period of time, but then it’s fixed and life goes on. So, it’s tricky stuff my friend.
Listeners, remember that while you’re listening to the show you can follow along with the things we’re mentioning here in real time. Just head over to thedigitalife.com, that’s just one L in The Digital Life, and go to the page for this episode. We’ve included links to things to pretty much everything mentioned by everybody so it’s a rich information resource to take advantage of while you’re listening or afterward if you’re trying to remember something that you liked. If you want to follow us outside of the show, you can follow me on Twitter @jonfollett, J-O-N F-O-L-L-E-T-T. And of course the whole show is brought to you by Involution Studios which you can check out at goinvo.com. That’s G-O-I-N-V-O dot com. Dirk?
You can follow me on Twitter @dknemeyer. That’s D-K-N-E-M-E-Y-E-R. Or email me firstname.lastname@example.org.
So that’s it for episode 109 of The Digital Life. For Dirk Knemeyer, I’m Jon Follett, and we’ll see you next time.