Skip to content
(A barefoot woman and man, both without noses. The woman is speaking.) Apparently there's been another huge data breach. They got users' names, passwords, noses and shoes.

Once more unto the breach

Once more unto the breach published on No Comments on Once more unto the breach

Another day, another data breach —this time with a British teleco called TalkTalk. Unlike the Ashley Madison breach, the very fact that someone’s profile is in their database isn’t damaging, but the personal information attached to that profile could be.

There’s a ton of good common-sense security advice out there for users (the folks we used to call “consumers”). Use a different password on every site. Use hard-to-guess passwords. Be careful of public Wi-Fi. Don’t have children.

That’s fine for locking up our own front doors. But how to protect ourselves when someone breaks into the bank vault and raids our safe deposit boxes? In terms of defending ourselves from third-party security breaches, there isn’t a lot of advice out there — other than “don’t share any more information than you have to.”

Unfortunately, many of the companies we deal with make sharing more data than necessary part of the price of doing business with them. And that’s not just the data they gather in a registration form; they track how we use their services relentlessly, and cross-reference that data with information from other services.

Everything they have on us is there on their servers, ready for an enterprising hacker to swoop in and harvest if the company fails to mount an adequate defence. There isn’t a lot you can do about that; we don’t even have a good sense of how well the companies we deal with are protecting our data, because they’re notoriously tight-lipped about their security practices, citing security concerns.

The key message is just “Trust us,” which doesn’t inspire confidence with the mounting pile of headlines suggesting many data warehouses aren’t impregnable fortresses so much as all-you-can-download buffets. That’s especially frustrating if you’re otherwise careful about protecting your privacy. It doesn’t do you a lot of good to cover your tracks if your partner in crime (or data) sings like a canary.

Worse yet, you don’t have to be a customer to run afoul of a company’s disregard for your privacy and security. In their quest for ever-harder-to-ignore ads, companies have embraced Flash-based tools that expose browsers to gaping security holes.

Which is why the breaches we’ve seen so far are probably just prologue. As Cory Doctorow put it, “Ashley Madison and the Office of Personnel Management weren’t the big leak-quake: they were the tremors that warned of the coming tsunami. Every day, every week, every month, there will be a mounting drumbeat of privacy disasters. By this time next year, it’s very likely that someone you know will have suffered real, catastrophic harm due to privacy breaches. Maybe it’ll be you.”

 

Locked in the sandbox

Locked in the sandbox published on No Comments on Locked in the sandbox

(I reeeealllly want to pitch this to Roland Emmerich.)

I get the appeal of the App Store worldview. I really do. For users, it’s knowing that every piece of software on your device has been vetted – and having a simple, trusted way to manage it.

And Apple’s App Store is a thing of grace and beauty, as you’d expect from Apple. It’s a pleasure to use.

But it’s a gilded cage. Apple isn’t just deciding what’s safe for your device. They’re deciding what will and won’t be to their business advantage. They’re deciding which areas of functionality they’re willing to open up to competition, and which they want to keep as a monopoly. They’re deciding what’s easy to support, and what could cost their call centers and Genius Bars more time (and therefore money).

They’re deciding what maximizes their business partners’ ability to profit by controlling your access to their content, and what gives you too much freedom to copy, remix, edit and share.

And they’re deciding what range of choice is safe to offer you: not just to protect your security, but also to protect your user experience. And if the user experience they think is best doesn’t work that well for you… well, tough; they can’t design for every edge case.

App stores like Apple’s aren’t just about you knowing you can trust your device. It’s about Apple knowing they can trust you to make the choices that support their business model. When adults tell kids “you get what you get, and you don’t get upset,” it isn’t just a way of forestalling a tantrum; it’s preparing them for the next era in digital living.

All of this happens without any real accountability. The appeal process (and this applies to most walled gardens, whether it’s Apple’s App Store or Facebook’s… anything) makes the Star Chamber look like an unconference.

Of course, nobody’s stopping me from installing whatever I want on my Mac laptop. There’s an App Store, but I can download and install software from anywhere… or code it myself. (The latter doesn’t offer much functionality beyond launching a “Hello, world!” alert box… but that limitation comes from my lack of programming knowledge, not the platform’s restrictions.)

For now.

But it’s not hard to think of pretty likely scenarios where that could change. A botnet attack that does serious economic or physical damage would have a lot of politicians calling for safeguards to protect the Internet by imposing restrictions on software and hardware capabilities.

That might sound farfetched, except governments have been willing to criminalize a lot in the name of protecting the commercial interests of the media industry from online sharing. Vendors like Sony have already tried to sneak in certain restrictions through trojan horse techniques.

Cory Doctorow makes a persuasive business case and an absolutely compelling human rights case for the critical importance of user overrides. And that strikes me as a best-of-both-worlds approach: an App Store for security and reliability, but the option to leave the sandox for the swings or the slide… or, hey! leave the playground altogether and head over to play with the penguins at the zoo!