#027: The Things I've Seen. And Collected. And Stored Forever.
Computers are everywhere around us.
This isn’t exactly news to you, in all likelihood. After all, you’re probably carrying one in your pocket or bag right now, if you’re not looking at it this very minute. You also likely own a laptop or desktop computer, possibly a tablet, and some form of entertainment system to play games on or watch tv series with. That all of those work because of computers inside them isn’t surprising.
What might surprise you is what else runs on computers. Your dishwasher has a computer in it, and your refrigerator, and your washing machine, and your coffee machine. Your car has several computers inside it, for various purposes. If you’re on the forefront of technological innovation, you might have lightbulbs with computers in them.
And lately, manufacturers have been connecting all these computers to the internet, creating the so-called Internet of Things. By connecting your devices, manufacturers promise that your washing machines will wash better while allowing you to keep abreast of the latest news, your refrigerator refrigerate better while also letting you know that you’re out of milk again, and your coffee machine will make better coffee while feeding you feel-good motivational messages for the perfect morning.
This trend mostly serves the manufacturers: not only do they get to add more “features” in their brochures, they can collect data from their devices while they’re being used. And it’s in the manufacturers best interest to keep you as much in the dark about this as possible, because if you knew that your coffee machine collected your coffee drinking habits so they can be sold to the highest bidder, would you still have bought that one? Would you have bought that child’s toy if you knew that it sent the recordings your child makes to the manufacturer’s web service? And even intimate devices like vibrators are tracking their users’ behaviours.
Even if you give the manufacturers the benefit of the doubt, allowing that they might be using that data only to improve their devices and services, you’d stop doing so once you learn how cavalier those manufacturers are when it comes to security and following privacy laws. That dishwasher runs an insecure web server, making it easy for hackers to make it part of a botnet and abuse it for their purposes. That cloud-connected teddy bear your child uses to send you cute voice messages stores those on an insecure server and just had all their data stolen and ransomed. That smart toilet has a hard-coded Bluetooth PIN, making it easily controllable by someone else. Your Smart TV is tracking what you watch for how long.
All of this makes Troy Hunt’s suggestion to put cigarette-like warning labels on IoT-devices sound much less like a joke, and more like a sensible policy instead. Companies don’t like to put what they’re tracking into plain, easy to understand words, fearing that potential customers would be freaked out — justifiably so.
It’s not just devices, though. Devices you can at least disconnect or maybe buy ones that aren’t “smart” in the first place. Websites and Apps, on the other hand, give you even less choice.
That you’re being tracked on the internet is nothing new, of course. It’s what generates those giant revenues for Google and Facebook after all, the collecting and selling of your personal data to the highest advertising bidder.
They can do that because not only have they made themselves key part of the internet infrastructure or social experience, but also because so many websites embed their codes for Like buttons or analytics, allowing them to easily track you across all those sites. Other platforms do the same, measuring what websites you visit, what products you look at, which ones you buy, or don’t. It also means your data is being collected by who knows how many companies in various countries with differing jurisdictions and privacy laws, without your explicit consent.
As annoying as having that pair of shoes you looked at three months ago follow you around the web, it doesn’t seem so bad. After all, Facebook and Google are free for you to use, and they have to make money somehow, right? And really, what’s the problem with people knowing you like looking at, but not buying, those pink ripped jeans?
The problem starts with just how much information is collected about you just by using a website like Facebook, or an app like Tinder, as journalist Judith Duportail found out when she asked Tinder for her data, and got back 800 pages of her deepest, darkest secrets. And Facebook can store more than 1000 pages of your personal and private data on you, possibly even after you delete your account.
And, just like with those smart devices, not all companies care all that much about security. Even those who care very much about security might still have data breaches, like Dropbox, who lost 60 million user accounts, or LinkedIn, losing over 117 million accounts. Criminals who harvest that data can not only use it to break into the original account, but, because many people reuse passwords, also break into other services with those stolen credentials.
All of this does paint a rather scary picture. Computers today can collecting and cross-reference data that would’ve been nigh impossible before, and we’re freely giving out more of your personal data than ever before, knowingly and unknowingly. While each piece might seem innocuous at first, someone can use this to figure out you’re pregnant before your family knows, and intelligence agencies can use just the metadata to decide you should be killed.
So what can you do? First, when buying devices, maybe avoid those that are internet-enabled. And if you have to, you don’t ever have to connect them to the internet (although even that can’t always protect them from being infected).
And when it comes to browsing, make sure you use an ad-blocker, a unique password for each site (and a password manager to generate and keep track of them), and enable two-factor-authentication whenever it’s offered. And be wary whenever a site, no matter how trustworthy, asks you for a piece of personal information.
None of those measures can completely protect you. For that, it would need sweeping changes not only with privacy laws, but also how we value and reward non-collection of personal data or the proper storage and protection of the same where warranted, as well as how we punish and shun those who do collect more than they should, as well as technical improvements to prevent the easy theft of your data.