For years, my PC ran on XP, Microsoft's most robust, steady and never-say-die operating system. It was a lot like my old Dodge Aspen that ran and ran and ran and was still going when the odometer reached 200,000 miles - the Energizer of its day. However, just as I ultimately had to replace my beloved two-toned green gas guzzler on wheels, I had to replace our tower following Microsoft's lukewarm reviews of Windows 7, its immediate successor, Windows 8, and finally Windows 10. It was during this installation that I discovered the extent to which my privacy - and that of my family - was suddenly put on notice and at risk.
It all came down to Microsoft's Privacy Statement which, by default, I agreed to when I purchased Windows 10 and signed off on the end-user license agreement with clauses that included the following:
Microsoft collects data to operate effectively and provide you the best experiences with our services. You provide some of this data directly, such as when you create a Microsoft account, submit a search query to Bing, speak a voice command to Cortana, upload a document to OneDrive, or contact us for support. We get some of it by recording how you interact with our services by, for example, using technologies like cookies, and receiving error reports or usage data from software running on your device. We also obtain data from third parties (including other companies.)
Wow, that is very specific. And then this:
We share your personal data with your consent or as necessary to complete any transaction or provide any service you have requested or authorized. We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our services; and to protect the rights or property of Microsoft.
In other words, as a Microsoft customer, how you interact with its services isn't private. In fact, based on these T's and C's, it's the equivalent of open season for the company to aggregate, digest and distribute data they've collected from your behavior to anyone they want: subsidiaries, vendors, and others; even law enforcement if they deem it necessary.
This is only one example, and just the tip of the Internet Insecurity iceberg. Consider this recent post on SHODAN (Sentient Hyper-Optimized Data Access Network), an online "search engine" for Internet-connected devices (e.g. the Internet of Things).
As described in the post, Shodan crawls its way through the Net much like Google's spider bots, settling in and connecting to your services, logging and then producing a "searchable index" of what it finds there.
In some ways that's not a bad thing, especially if you want to keep hackers off your home router (the post details how and why this happens); however, that kind of exposure can open up your router to all kinds of mischief.
The most egregious outcome could be the Internet accessing a webcam you've set up, which Shodan could then discover and index, even remembering its login prompt. Imagine the implications of strangers "listening" in on a baby cam you've placed in that child's bedroom or viewing some other location inside the home. Not surprisingly, among Shodan's five most popular searches, three are for online cameras. So, if all of the elements line up just right and your online camera isn't secure enough, Shodan can virtually tap into it and transmit live feeds directly from your infant's bedroom. Or maybe yours.
We think our privacy is at risk from the Internet, but what about the Internet of Things, which could take that perceived invasion of privacy to an entirely new level? Consider these examples:
Microsoft Xbox. Its Kinect devices come equipped with a video camera and microphone which can pick up, record and transmit your communications back to the company. In fact, its T's and C's (terms and conditions) disclose that "users should not expect any level of privacy" when using the device. (Sound familiar?)
Verizon. In an effort to produce more qualitatively targeted advertising, the company tried to patent a camera that could be embedded in your flat screen or DVR to monitor "ambient action." In other words, it could listen in and watch your every move and decide from there what kind of advertising you would take notice of in line with that behavior during the next commercial break.
Google. In 2014 the company purchased Nest, an Internet of Things-connected thermostat, for more than $3 billion. In addition to being able to set your thermostat remotely through a smartphone in order to more efficiently manage your home's energy use or to receive smoke or carbon monoxide alarms, this device could also represent a very real "hornet's nest" of privacy issues. This ranges from something as benign as Google knowing the amount of your monthly electric bills to developing a profile of your day-to-day movements and behavior which, in the wrong hands, could not only influence how advertisers target us, but also present a very real safety risk when our homes are unoccupied.
"Smart" streetlights. Three US cities - Chicago, Detroit and Pittsburgh - have installed so-called "Intellistreets" (high-tech streetlights) that purport to support energy management and security but also can surveil activities on the streets below them. This includes the ability to deliver broadcasts to the public at large and yes, even includes listening posts that can - and in this age of counterterrorist measures, probably do - monitor and record passersby's conversations.
If all of this smacks of George Orwell's perennial dystopian novel, 1984, you're not alone in your thinking. We all want technology to improve our lives and make things easier, but how much of our privacy are we willing to trade off for that convenience? As far as I'm concerned, however, unlike Orwell's anti-hero Winston Smith, who by book's end "loves Big Brother," given this invasion of privacy by the Internet of Things only briefly outlined here, you likely won't find me sharing that particular sentiment anytime soon.
Author: Heidi Bleau
Category: RSA Point of View
Keywords: Consumer Security, Cybercrime and Fraud, Internet of Things