Mingis on Tech: Data breaches in a world of ‘surveillance capitalism’

hi and welcome back to Mingis on tech
I’m Ken Mingis executive editor at computerworld
I’m here with CSO’s JM Porup, we’re gonna be talking about the rate recent rash of
data breaches and see what’s going on to stick around okay so JM thanks for being here thanks
for having me as you well know the last few weeks have been quite wild and wooly
insecurity land with the the big announcement from Facebook that 50
million accounts had been hacked the announcement from Google that Google+
accounts have been hacked and I mean this is this is nothing new
these things do happen from time to time and I’m trying to get maybe from you
with your security background a little bit better sense for you know what we’re
seeing here you know why these things seem to continually happen and you know
if there’s anything that that either individual users or companies can do to
try to like stave off any damage from these things good question
so Facebook and Google have enormous ly well-respected security teams and they
spend a ton of money on security some of the very best people in security work
for Facebook and Google they pay top dollar and you work on the hardest
problems there are and yet they still get breached right the problem is is at
the other day Facebook and Google are engaged in what some call surveillance
capitalism okay that’s a new one way to explain that to me
what surveillance capital is sure so who is Facebook’s customer advertisers
exactly we are the we are the proud of your on the product we are the product
not the customer so our you know the exposure of our data doesn’t receive any
market blowback from advertisers because they’re still able to get value out of
advertising okay and the problem is is that you know when you have say Fort
Knox you need to have Fort Knox style
security because that’s a goal ammonia yeah you know why do you rob banks cuz
that’s where the money is you know there was a famous bank robbers like why do
you rob banks that’s where it is that’s where the money is you know but that’s
not the where the money is now okay the money is is is in all of that intimate
personal data and if you amass a giant mountain of wealth you better secure it
properly but the problem is it is so difficult to do
that security well even with the hundreds of millions of dollars or
whatever the budget is of these companies for the best security their
money can buy right you know humans make mistakes you know perfect security is
impossible and when a single breach can affect 50 million people could in theory
affect two billion people every single you know the right flaw could affect
everybody at face ball right in theory yeah and that’s really hard to do well
now surveillance capitalism is we’re gonna spy on you and to show you
targeted advertising and manipulate your buying habits or your political opinions
or whatever the advertiser wants to pay money to convince you to do this and it
sounds vaguely like you know sort of almost 1984 esque levels of watching
what people are doing and then monetizing that you know with an outside
third parties advertisers whoever yeah it sounds a bit creepy I think it is
creepy I think it is creepy and I think you
know the the non-stop news of data breaches even with these large comedies
which such very well-respected co-team is for for security is that you know
their fundamental business model is arguably maybe not the best for society
you know these these companies are really more surveillance companies than
social networking companies and when a very large corporation is able to
acquire that much intimate personal data about you know not just all Americans
but practically half the planet at this point and at Facebook wants everybody on
Facebook that extreme concentration of wealth and power attracts the world’s
best attackers okay and so you know it’s interesting I just want to pause for one
second because I think given the number of times over the years you you see
these reports about breaches from social media companies all companies in general
hearing you say that both Facebook and Google have smart you know intelligent
security folks working for them the best of the way you know because it’s sort of
which is good to hear because I think a lot of people when they see these
breaches over and over and over again I think Facebook doesn’t know what it’s
doing and what you’re saying is they’re being targeted by the best of the best
in terms of hackers and the best of the best that we’re trying to defend against
those hacks and so there’s like a little bit of a war going on all around us
daily constantly trying to get at this Fort Knox of you know private
information is that is that a good way to des absolutely think about this no no
no like I mean III cover some security for CSO and the researchers and security
people who work for Facebook and Google have enormous ly well-respected
reputations these these people are the best of the best and yet they still get
breached it’s not that Facebook is being incompetent I mean far for me to accuse
Google or Facebook of not doing everything within their power to secure
their users data III don’t I wouldn’t say that for a second because because
they are doing everything they possibly can but the real key takeaway is the
best they possibly can is still not good enough and is not likely ever to be good
at that was what I was gonna say this sounds like sort of like the Cold War
arms race you know just as soon as a company puts in layers of security that
will protect its users or the data then the hackers are gonna find somewhere
around that then you you know you just get this constant up and up and up is
there is there any way will we ever be secure well our data ever be really
truly secure do you think well the best way to secure data is not to collect it
in the first place okay or share it if you’re an individual user
well you know it’s hard because you know we like to talk about the free market
and competition and like if you don’t use Facebook use something else but
that’s not really an option I mean you know Facebook is a monopoly you know as
security extra expert Bruce Schneier likes to put it if you’re not in
Facebook you don’t get invited to the cool parties it’s true you know I have
been to a cool party in months cuz I’ve been sort of a hoarding Facebook ever
since the Cambridge analytical stuff so it’s like no one knows where I am or
what I’m doing now so you know it’s it’s it’s you know saying you know let the
market decide in a situation with a monopoly player is disingenuous at best
right it’s like saying oh you’re a user of Ma Bell in 1970s America go use a
different landline it’s like okay that’s cute but either
you’re being disingenuous or you’re just you know being stupid right you know I
mean and it’s the same situation with Facebook I mean there is no free market
regulation self regulation in monopoly situation and you know because of the
extreme difficulty of adequately securing sensitive data the best
strategy is always just not to collect it but that doesn’t work with Facebook
and Google’s its whole reason for being that is why these companies exist if
they didn’t spy on you they would go out of business right that’s what they do
that’s what that’s how they make their money if they don’t spy on you they have
no way to exist okay so you’ve got a situation where you’ve got two companies
that are incredibly powerful and de-facto monopolies in the field that
they’re in you’ve got a user base of billions or a couple of billion any way
off the planet half the planet and the way these things have woven themselves
into our social culture if you’re not part of it you’re really really sort of
on the outside looking in at what everybody else is doing yeah
so that being the case what if anything can well let’s assume that Facebook’s
going to continue you know surveilling its users and Google too and others
Instagram whichever ones as users and his company’s too you know outside
companies that rely on on you know Facebook and others what can be done to
try to bolster security I mean you see things like two-factor authentication
it’s like that does that is that gonna make any difference at all here it is
that sort of like a band-aid no it’s a fair question so two-factor
authentication is something that all of our viewers should be using for all
their accounts if possible okay and that prevents account hijacking or account
takeover right but that doesn’t stop breaches on the server side okay you
know that can make sure only that way to a two-factor authentication proves that
I am me to Facebook or Google right and no one else can pretend to be me but
once the data is on Google server and there’s a breach on the server so I have
no way to stop that that’s that’s a different category of a problem and what
we’ve already established that users in a monopoly situation can’t really go
somewhere else and which really leaves us with you know
in classic free-market economic theory in you know in a monopoly situation the
appropriate response is a government regulation right if you have a trust
that then you bust the trust you know if you have an oil monopoly you bust the
monopoly you have a phone monopoly you bust the monopoly because that’s in the
interests of society you know the free markets not going to encourage
innovation and good security and you know the overall well-being of society
if a monopoly player can just do whatever they feel like or be lazy or
incompetent or you know keep doing whatever they feel like doing basically
it’s interesting because it seems like at least in the current climate here in
the US you know there’s been a lot of talk over the last five or 10 years
about needing to bolster privacy regulations and what companies can
collect and how they handle it you’ve got the GDP our stuff coming in from
Europe you know earlier this year but it doesn’t feel like the climate in the
States right now is looking favorably on new regulation on companies if anything
it’s the opposite it’s more like a Wild West free-market rule whatever so if
there’s no government regulation no way of sort of you know putting putting into
law what should what these companies should be doing how best to safeguard
this stuff what do we do we at the mercy of lack of government hackers out there
companies doing their best but failing no they foreseeable future or well it’s
a fair question and I’m glad you raised GD P R because GD P R I read GD P R as
shots fired against Facebook and Google and primarily uh not I would say
primarily maybe because they’re the biggest they’re the 800-pound gorillas
in the room so they’re the ones that are need to pay most attention to it well
you know let’s say you saw refrigerators and you’re collecting user data to sell
them or refrigerators your core business is making and selling refrigerators your
your core business is not spying on people right you know so if the fridge
make smart refrigerators still is still becoming you know maybe that adds 5 to
their revenue but you know like their core competency in their core revenue is
not the surveillance aspect so whereas that is like the bread and butter for
Facebook and Google and Europe has the largest regulatory
single market in the world they’ve got like 4 million people and any serious
global company that wants to do business in Europe which is basically all of them
you know have to contend with this and the GDP our signs are eye watering 4
percent of global revenue I think it is and and they’re gonna go after Google
and Facebook you laters there I think Europe sees it as a sovereignity issue
if you see four hundred million people and all their data is going to a foreign
country you know even if you like the United States as a Europeans just like
that’s still like a sovereignty issue you know now you have all of our
citizens data is that good for Europe I think many Europeans would say oh maybe
not right and beyond that like while the US federal government has clearly
abdicated any responsibility and showed no interest in this the state of
California has okay the state of California and where is Silicon Valley
California in fact in because of GDP our California
is looking at sort of like a mini California version of the of the GDP are
so you don’t need to have Washington gets act together if Europe Brussels and
Sacramento get together to do this thing Facebook and Google are gonna have a
really hard time of it right they’re gonna have to it’s interesting and you
know one of the one of the points you made earlier about the whole
surveillance capitalism I wonder if part of the problem that has not yet been
resolved is that people don’t really think about you know think about the
whole Facebook ecosystem in that way hmm I mean I know you you know if you’re up
to snuff on this stuff you know when when things are free you’re the product
you know and you certainly see lots of concerns about Google around privacy
with you know data coming out of Google Maps you know or ways or you know
whatever mapping software use Apple makes a big big deal about the fact that
they try to protect privacy that they don’t have you know the data doesn’t
come to them it stays on your device your phone whatever do you think that
step one is like public education here like people when you log into Facebook
realize what’s going on III do think sorry I’ll finish with this
point but I do think after 2016 and after the revelations of how Facebook
and advertising you know we’re sort of manipulated intentionally or not in a
way to steer people into certain political camps possibly I do think
there’s more of an awareness now that some of this can happen or is happening
but I also think there’s an awful lot of people who have not a clue I’m thinking
you know my mother is still on Facebook and demands that I come back and it’s
like mom there’s a reason I’m not there you know
well it’s it’s fair because this is very abstract it’s very technical a key tenet
of security is is you can’t rely on everyday users to be security experts
like that that’s just not realistic you know you have to design and build
systems that are secure by default so ordinary people just want to live their
lives right they just want to have fun connect with friends connect with old
chums from school go to the cool parties you know you know and it’s like so a
good comparison that I like is to there’s two comparisons that I’m not
sure which one is the best okay but both from the 60s we have Ralph Nader and and
unsafe at any speed and then we have Rachel Carson as the Silent Spring now
for for 20 30 years we dumped DDT into our rivers and we had factories
polluting the environments and you could set Lake Erie on fire and and you know
there was all this pollution or like you know whatever it doesn’t matter and then
people like oh it’s killing the birds in the wildlife it’s giving humans cancer
it’s like it’s like bad for us as a collective society you know it’s like
the immediate short-term harm is not there we’re making more money we’re
creating jobs the factory is building the community we’re killing bed bugs DDT
is awesome Rock DDT I remember the mosquito spraying in the summer you know
all the stuff the fog it’s like it was everywhere like you know so it’s just
like there’s this disconnect between the long term harms and the short term
benefits yeah and I fear that in an age of surveillance capitalism and data
breaches we’re in a very similar situation to like invisible things are
gonna kill me I mean come on you’re being paranoid
well you know actually invisible chemicals can kill you radiation can
kill you if there’s a massive toxic waste spill and the river that you get
your drinking water from you’re gonna pay attention you could get very sick
and die your family could get sick and die you know and I think we’re in a
situation where like with those two revelations the 60s I you know Rachel
Carson’s Silent Spring you know we have to have an EPA you know no you can’t
dump toxic waste in there you know companies make money when they dump
toxic waste in the river right it’s good for the bottom line
you know it’s cheaper you know you know it’s good for me a pure free market
capitalist in perspective dumping toxic waste into fresh water is a great
business move but as a society we’re like you know that’s probably not the
best thing for society as a society in a government represented by society says
as a society we agree this is not OK and we restrained that practice couple of
points Rachel Carson I think that came out in 60 or 61 EPA was created in 1970
you know if there’s always a lag unsafe at any speed I think was written in 65
or 66 it was still several years beyond that before you know cars all had the
seatbelts and the harness belts and the airbags and so it seems like there’s
always a lag between when the problem is identified and I do think you know
increasingly it’s being identified around social media in these breaches
but I mean you know perfect example right now
the debate over global climate change yeah you know we can see effects you
know generally more and more people are realizing this is really happening and
yet in some ways at least again here in the states we’re going in the opposite
direction it’s gonna happen it’s gonna be you know a Hell on Earth let’s just
get rid of all regulations you know I guess that’s one way to do it so do you
have any sense let’s let’s go back to like hopefully a positive future um do
you have any sense given the the number of breaches the continuing you know news
about breaches the growing awareness of people on social media that they’re the
product and that their data is not necessarily safe and that the only
person or the only entity that can step in and do something a lot gdpr is
you know state/federal even I guess even local governments in some ways could but
I think you need at least a state level to get anywhere any sense for how long
it’s gonna take before we see the kinds of regulations and you know changes we
need well as a view here in my crystal ball yes please we’re gonna hold you to
this particularly be back in five years and see if you’re right well no I mean
III do feel that we’re very much in like the early 60s of those two particular
cases you know I mean you know absent government regulation it’s very
difficult to see how things are going to change and I think the government
regulation is the appropriate response I think the next 12 months with GDP are
going to see so I’ve spoken it to GPR experts and they tell me that
enforcement is going to be harsh and they’re going to look to break some
fingers they’re looking to make a statement they will find a flagrant
violator and they’re gonna hurt them they’re gonna they’re like you know your
European Commission find Google for a security incident something like two
hundred and fifty million dollars last year and a lot like they will happily
lay down trillion dollar fines you know and and these companies will pay I think
if you put B’s and T’s in front of those not trillions billions okay Billy catch
attention yeah yeah that would be like bankrupt but but yeah no no like
enforcement is going to be harsh and I think you know looking at five to ten
years out that’s very vague very hard to say I think on the 12 to 18 month
horizon we are going to see a very strong enforcement posture from the
European Commission and that is going to be a loud noise in Silicon Valley what
happens after that where we go after that in the current administration here
in the US I don’t see any any movement on that
what happens after 2020 is anybody’s guess right so I mean we have still had
Jerry Brown in the State House in California and he’s shown Glynnis to
sign laws that address issues like this so I’m looking to Brussels in Sacramento
for leadership on this issue and that’s enough because you’re not gonna have two
Facebooks right you’re not gonna have Facebook the European version and
Facebook for everybody else you’re not gonna have you know
you might have Google but even with like right to be forgotten Google’s struggled
to make that work in a way that makes sense so you know enforcement from
Europe will affect global users globally as well it should we’re all in this
together immensely it’s disappointing you know I
mean you you you would hope that America would be leading on this issue but
instead we are we are falling further and further behind on in defending
citizens privacy and autonomy and security and and we’re abdicating that
global leadership role and letting Europe do the leading and I think that’s
really unfortunate we should be doing a better job I do wonder if and we can
wrap it up on this but I do wonder you know obviously we’re talking about this
in early October 2018 we got midterm elections coming up and my sense is that
if there you know is a change at least in one one house of Congress this is the
sort of thing that I could see the party out of power calling attention to with
hearings you know I mean obviously there’s a breach there’s a few hearings
and then nothing happens so you know I guess we’ll see first of all what the EU
does what California does how the elections turn out and see whether over
the next 18 months as you say 18 months to two years mm-hmm
and where this goes whether there’s any serious effort to clamp down on this and
in the meantime obviously people need to be aware then when they’re having a
great time on social media it’s fun you know that what they’re get what they’re
selling is themselves their data and they better hope that whoever they’re
selling it to is protecting it because the government’s not coming to the
rescue any time soon unless no no okay great what a great discussion thanks
guys thanks so much JM no worries for now my grim as it is and that’s a wrap

Leave a Reply

Your email address will not be published. Required fields are marked *