Data hacking privacy
A hacking case has been in the news the last week in Finland, where the recorded psychotherapy session notes of 40,000 patients was stolen and has been held for ransom. Essentially emails have been sent to those involved demanding a few hundred euros to be paid to stop the publication of the notes. The company in question, Vastaamo, is essentially destroyed, but it was getting referrals from all over, as well as hospitals. Supposedly, the data wasn't very well stored. The cross section of people is very wide, from a couple people my wife knows to public personalities and the interesting thing is that some people have chosen not to pay and instead wear whatever may come from the publication of their notes. Many have also paid the blackmailer.
I think that this event is bringing to light the value of data and I was trying to explain to a client who was speaking about it this morning in regards to what the data collectors hold on us and our sense of privacy. From my understanding, while we are private from each other on the surface, the Big 5 (Apple, Google, Microsoft, Facebook, Amazon) and others have a very granular view of our activities, especially once they start cross-referencing data points. Some people don't seem to acknowledge the harm in this when it is used for marketing purposes, but don't really see how they could be manipulated.
With my client I gave a very basic example of a hypothetical patient who is having marriage problems and was discussing it with their psychotherapist. If that data was available to advertisers, what would they push? In scenario 1) adverts for romantic getaways, restaurants, flowers and gifts are pushed. In scenario 2) adverts for Tinder and horny singles waiting to meet are pushed.
Would it have an influence on the outcomes of the marriage?
The data collectors don't need those notes of course and they have no interest in the outcome of the marriage either way, they will sell the advertising space to the highest bidder. We already know how manipulated we can be by these platforms, but the ability to social engineer at an individual and very private level is enormous and the incentive to do so is massive, due to data being the most valuable and lucrative industry.
I posited another hypothetical to my student where I was a blackmailer who had images of him cheating on his wife and asked if he'd pay. The thing is, that information is only valuable while it is private, but if he told his wife himself, I would have nothing to blackmail him over.
And I think this is where the privacy of data comes into it, as while we can claim that we don't want the government tracking our movements, they have access to all that information anyway, if they pay for it, as it exists somewhere. What we are more concerned about is the surface level publicity of our secrets, where for example the platforms track and catalog how much time we spend looking at our ex partners and those we are interested in. We want to be hidden from each other and this gives us a false sense of security, as we are not hidden from those who are more capable and invested in influencing and manipulating our opinions and behaviors.
Data only has saleable value when hidden and we keep driving for our data privacy. But could it be that this in itself is a manipulation by those who collect, categorize and sell our data? Our demand for privacy creates data scarcity and keeping our lives "private" is precisely what gives the data industry value. At the very least, it cuts both ways and it is uncertain which is more harmful, transparency or privacy, where transparency means that we know more about each other than we might want to know and they know about us, privacy means that a handful of companies can control the global social narrative for profit.
What I am wondering is if these kinds of events will further break down our will for privacy or extend it - will we get used to transparency and start demanding more of it? In Finland, a country where it is often possible to check earnings of neighbors in the newspaper, where a car license plate can be texted to an authority to see who owns it and how much is still owing and while people are shy, it is common to go to the sauna naked with relatives and strangers - privacy is still an issue. Which makes one think what people are hiding that they consider so valuable. Google probably knows.
Yes, our data is valuable but it isn't s valuable as we might think, because if we tried to sell it ourselves, no one would be interested in buying it, unless we are famous. I illustrated this with my student with another blackmail scenario, where there was a video of him masturbating and whether he would pay to have it suppressed. There probably isn't many people willing to pay to see a 50+ year old man playing with himself, unless he was someone noteworthy - like a politician. Yet, the awareness of local knowledge with friends and colleagues would force him to pay the ransom because of the potential for social shame - but if it was normalized, there'd be no shame felt.
While I know these are weird discussions to have with a client (we know each other well), using these kinds of examples evoke some kind of emotional response and consideration to highlight the knowledge is power dynamic in play. Currently, most of our lives are recorded as data in some form and organized into knowledge that can be leveraged and turned into power, as either earning potential or social manipulation, generally both together and as they say - power is addictive and money buys more of it.
The incentivization around the usage of data is very poorly aligned with the well-being of society and instead, maximizes profits through division. After all, a happily married couple likely consumes less than two singles.
Taraz
[ Gen1: Hive ]
What you tell us here is really scary, @tarazkp. Many of the patients at that clinic must have gone in with intimate problems that should only interest him and his doctor. It's as if the priest publishes the confessions of his parishioners all over the world. Here in Venezuela there is an example of a very famous actor who committed suicide because a video of him having homosexual relations was made public. As you say, if he had not had a wife and had been a declared gay, there would have been no problem. The detail is that some things that should be private, can be made public by third parties. I feel that just like the big malls or houses where more and more we see walls of glass where we can visualize everything, so it is with our private lives: every day they are more exposed to the view of everyone. A good Thursday and greetings
I think it is sad that in this world, people still have to hide their sexuality from society - it is ridiculous.
And yes, our private lives are becoming far more public and we are the ones who are publishing it for likes. It is a strange world where we want privacy, yet publicize out lunch. :)
What do you think the chances are of 'early adopters' of blackmail payments are done after the first payment? I'd think in 6 months or a year that those payments would come up again.
I don't particularly care that the gang of 5 mines my data. If I chose to interact with them they have a legitimate claim on what ever I do during that interaction. I GUZBUCKING care that they sell my data to third parties that have no legitimate right to my data.
I am really incensed that they have used hacking techniques to mine and sell data of mine that WAS NOT gotten during a chosen interaction. Like Siri and Alexa listening in when I'm not using them (I don't use either of them).
It's really shitty that somebody got access to those papers. That is supposed to be the most private place we have in this society and the company that let it get away from them should be destroyed. It's quite easy to encrypt anything which puts another layer of security in every interaction. That is just really bad business.
I wonder if you can deduct blackmail payments? Or if you can set up your payments on a recurring basis? :)
I am pretty sure that there will be demands later, at least for some. they did a pretty clever thing though - pay 200 in 2 days or it will become 500 in two days more - past that, it gets published.
The problem is they are impossible to avoid. I was listening to a security expert on a podcast talking about trying to avoid Google - and he lasted something like 6 weeks before he accidentally used a Google API. he said it was incredibly difficult (he knew what he was doing) and very, very limiting.
The "passive" collection is amazing.
Yep, I think they aren't going much further - except possibly to court.
In Finland, the blackmailers probably will have to pay the appropriate tax too :D
It is almost impossible to avoid Google and Amazon online. Google, currently, has more than 160 service URLs which need to be blocked on firewall level. As soon as you do so, 20-30% of the internet becomes unusable because they rely on Google Cloud or other offerings.
Same with Amazon Web Services (AWS) which powers always more internet functionality due to its relatively cheap cost. Functionality going from storage, via computing units (CPUs), to network balancing and quite some more too.
Millions of sites break as soon as you block those 2 platforms in your firewall. The Internet almost breaks so to say.
Yep - the only way to effectively avoid is to be a non-user of the internet and live in a cave - and never come out to be seen by the satellites.
The data could be used for good, but human nature being what human nature is I know your secret is going to win over the good almost all of the time.
It could definitely be used for good. Just think about all of those data points that kind indicate health issues and help direct policy to improve well-being - instead it sells useless trash.
Well, one should live in a way there's nothing to be ashamed of. Shame, in general, is a concept imposed by society. The entity that has no bodies and no souls but of those who rule and say what society needs. Shame has always been a way to control, not to enlighten or empower, or even make better (for oneself). It's a tool.
I don't think it is only the shame of it - but I think there is also the idea that we each have "secrets" that we can choose with whom we share - having it public takes out the intimacy and importance of it, debases it in some way.
If it's on the internet already it went out of intimacy, no? Ok, A.I. can deduce some stuff, your searches give poo away, browsers like Brave claim they can protect that...It's our choice how we use the interfaces given and our responsibility to reveal or not to reveal. What's out of my fingers is out of my fingers and belongs to the world ;) Then again, I'm prying into people's lives and even more so in he past, so I am kind of into that field of moral dilemmas about privacy vs public for some time now. Hence I am for transparency and responsibility of actions that concern others and for keeping private what is private. Good luck with that, though ;)
Not sure, if it is assumed it is private.
I agree with the responsibility, but unfortunately that also requires the knowledge - and there is so much automation and complexity, I am not sure if even the above average can adequately handle it.
I, for one, I lack the knowledge of what is private and what is not. And how private exactly. I just assume the worst and it doesn't bother me. I also tend to calm myself with the No One Cares thought.
Ads have not bothered me unless they obstruct the use of the site itself. I like studying ads. And I might click on 1 % of those and even find them useful...at random. It's my job to filter what I need or don't, I don't expect the net to protect me from unwanted info. Then again, it's important to understand oneself in order to have the best behavior (for oneself), ads influenced or not.
Meh. All your scenarios are taken from what is assumed to already be a private aspect of our lives, the intimate sphere.
That's a nigligible percentage of data cases and one which already comes built-in assumed privacy. And, indeed, a blackmailable situation.
Now can you please ask your student how they would feel when realizing that while showing off their fitness prowess on Strava and Endomundo, they are (potentially) providing insurers with data which will affect their health care insurance, life insurance, their mortgage, and potentially also their car insurance. And, of course, also the interest rate on their car loan because their BMI and pulse were higher than healthy average for that age.
No blackmail, no inherent hankering for privacy since willingly shared data (without reading or caring whether the platforms shares the data with third party providers), all innocent data. Just pulse, speed, and a whole bunch of health data the user even didn't realize was also uploaded and thus shared with third party providers.
Still nothing to care about being protected? Maybe think about those Amazon employees who have taken life insurance as offered by their Overlord, Amazon Inc.
What if Google decides tomorrow to become a health care insurance agent? Sitting on that location and Google Fit, and Google Wellbeing, data? Heck, they may even be able to mine how often you order food via Uber Food and from which fast food joint.
Your data is worth and deserves to be protected. You may not realize it should but it definitely shouldn't be accessible to anyone not first degree relationship or approved health provider.
And that Finish company who got hacked should be taken to cleaners for lacking to properly encrypt that data. Data hacks are Always possible, but encryption is cheap and easy enough to secure most of the data which can be vulnerable. That's a basic standard which they should have implemented and which would have prevented this from happening (unless they were hacked via an authorized machine).
Addendum: it also needs be said a lot of data harvested is harvested stealthily. And here I'm not just talking of cookies which track your internet history or Javascript which triangulates you despite having location access disabled. I'm talking about device fingerprinting which allows them to connect you with your account cross-device without being logged in. I'm talking about "beacons" dropped on sites you visit to monitor your activity. All that just because you signed up for a service and decided to use them.
Yes, but how much of it is "guessable" through other data points? Can Google know when a marriage is struggling or, a person is cheating on their partner? I would say it isn't too difficult - how do their algorithms handle it?
The "opt-in" of wearables is obviously another concern. I would say that they are already monitoring and monetizing the data in ways we wouldn't be comfortable with - but none of our "intuition and wring" is set up to handle any of this, especially since we can't actually see what "this" is.
I totally agree with the argument that there's no value to that data without the hankering for privacy around it. But it's an anomaly in the vast sprawl of data harvesting and mining and profiling which is done. A lot of which without disclosure.
Facebook can because they do emotions analysis. But there’s a ruling against them selling against that data.
All three could, but it would require many dots to be connected. Yet, all three have listening devices (Facebook are actually the ones who applied for the patent on turning on phone mics and cameras remotely - the NSA may disagree). Yet, I would say Amazon is closest to tie those dots together (see later in this comment).
Edit: Cheating is probably not too difficult to recognize, especially not if people are heavy FB/IG users. Unless they have solid discipline, there's probably easy to recognize patterns.
I'm old fashioned and I would subscribe to the theory I don't mind sharing that data with the provider I've chosen, if only I knew that's all to it.
I went with the wearables/health example because the loans and insurances issues are the easiest to explains and they tend to hit home without needing to write a whole dissertation.
But that pesky JavaScript which triangulaties despite no allowed location access is very valuable too. Location can be used for disposable income estimation. Btw when did you allow pretty much any website which wishes so to read out your browser history? Pretty sure you never did so, at least not explicitly. It's just a cookie though and it's very widespread in use.
Do people who have Ring smart doorbells and security cameras know that they operate facial recognition, and share data with more than 400 law enforcement agencies in the USA? That’s only disclosed in legalese without disclosing more than “may share data with relevant third party providers” (or something like that).
Do people know that Amazon has applied for a patent which allows them to make recommendations based on what the (future) drone delivery camera records?
"When we delivered those condoms for your weekly Thursday visit to your mistress [she has Ring devices, busted], we noticed that your solar panels are first Gen and could do with some upgrading which will improve their efficiency. Here's a list of recommended suppliers" [Added to your profile: operates solar panels, higher disposable income than previously estimated, can make recommendations on average 10-12% more expensive]
But, once they have the baseline, they can likely find other data points that quite accurately map, that aren't covered in the ruling.
Amazon are great at screwing us while helping us - it is all so convenient, what could go wrong??
The problem is that even the tech savvy and security conscious can't keep track and at every point, there is a hundred new points created.
Yup, and that's why it is so important that we keep raising awareness. So people will support regulatory efforts like the GDPR and California's new online privacy law. Rather than approve one of Trump's first acts which was to give ISPs more access to commercial use of customer data.
Having too many regulations sucks but well-crafted ones can almost nullify the potential harm.
"Use that data internally as much as you want, but you can't share it. And you can only use your own platform data"
It doesn't matter how many new data points are created then. Shareholders aren't going to keep agreeing with multiple $5bn (and higher) fines every year. That will eventually lead to changes in the board room and on executive level.
Of course, then the battlefield becomes what consists of own platform data. Amazon owns RING so that's platform data. Facebook WiFi requires location access to be set to always ON, so that's own platform data even if it's the pages/businesses who use FB who provide the WiFi.
The more people understand the potential of data harvesting and profiling, the closer we come to potential solid regulations. Only those can eventually protect us and your data is worth that protection. It truly is.
Private information from the clinic? How horrifying. I know that it takes so much trust to open yourself up like that, only to be exposed in the end?
Yikes.
I can honestly say that many years ago, I didn't think that much about sharing my personal business with my family via the internet. Nothing earth-shattering, but, not anybody's business. Now, I share nothing personal. How sad that we have to look both ways in case Big Brother has his ears on. Even worse with the B&E of businesses...
I am still living in my own world where it disgusts me that people are low enough to take something that isn't theirs.