Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Privacy In The Cloud

The Facebook privacy breach kerfuffle that unfolded last week is a timely reminder that we need to care about our privacy on the Internet. Many of us don’t think about that enough. Some, perhaps, don’t even understand the privacy issues involved. Given how much we use, and maybe, need, the Internet, we cannot afford to not know or not care.

If you’re not up-to-speed with the Facebook privacy debacle, check out reporting from CNN and Wired, among many others. Briefly, Facebook had learnt about a privacy breach many years ago, but decided to keep it under wraps, until they learnt several media outlets were planning to spill the beans, and thus made the first move with a blog post on 16 March 2018. It sounded like they were trying to come clean, or perhaps just to make more excuses to save themselves.

The issue at heart was that data from some 50 million Facebook profiles were mined, then sold, and then ultimately cited as a factor in the outcomes of both the 2016 Brexit poll and the American presidential election that same year.

The data came about because individuals responded to a Facebook app. You know all those apps, in the form of quizzes, surveys, contest questionnaires, and others, that you have seen, or perhaps even participated in? Well, they are learning something about you.

This often happens in the real world too. For example, you may have provided answers to questions for the purpose of claiming a free gift. Some organisation out there is collecting information about you. Most of the time it is for marketing purposes. In the real world, it’s not so easy to mass collect information, and more difficult to mush with other data sources to learn more about you that you had anticipated.

But in the online world, such privacy invasion is so much easier. Many people gladly furnish much information without thinking. This is all happening in the normal course of events, even though the outcome is unintended, except perhaps by the perpetrator.

In this instance, we’re talking about Facebook, the single largest social media company in the world. Many of us trust Facebook, mistakenly perhaps. They knew about the breach, but Facebook kept quiet, and perhaps would never have told us anything, if not for the fact that someone had spilled the beans on them.

There’s so much information you give to various websites. I haven’t even gotten to talk about cloud services that have got hacked. Those companies had never intended to divulge your private information, but bad guys got in and stole them. HardwareZone, for example, lost data on 685,000 users when they were compromised, and they only knew about it 6 months after it happened.

Putting your information anywhere in the cloud is a risk. Not just with services that may be hacked, but even those not breached can’t even be trusted to keep your information safe.

I may be a tech-savvy user who embraces the use of Internet, but I always have some reservations about storing information in the cloud. For that reason, I’ve always tried to “own” my data, so that I can both secure it myself as well as have physical control of it. I own my own NAS, I run my own private Dropbox. I use Enpass, a password manager that allows me to use my own cloud sync, so I can be free of any intermediary that I don’t control.

Every bit of information you put in the cloud, you should assume that some day it may be divulged. It could be your carelessness, such as setting a wrong privacy option or incorrect access control configuration. It could be the carelessness of the cloud service provider, such as bugs in their software. The cloud service provider could themselves be unscrupulous, or did not foresee an unintended use of some features of their services. They could be hacked. So many things can go wrong.

In fact, even my way of owning everything isn’t perfect. That’s right, even if my private cloud storage uses HTTPS encryption end-to-end, who knows, maybe there could be bugs in the software I use, or the protocol itself? Indeed, the Heartbleed SSL implementation bug in the widely popular OpenSSL software library shows how difficult it is to secure information. There’s even some speculation that the U.S. National Security Agency had already known about Heartbleed but kept mum, or perhaps were themselves responsible for creating it in the first place.

I’m not saying we should all go paranoid and disconnect from the Internet completely. It would be quite miserable these days to not have the Internet. So many facets of our lives depend on using the Internet. No, don’t cut yourself off. However, do understand the risks of putting your information in the cloud or online.

Facebook has gone on a PR offensive by taking out full-page advertisements in several major newspapers in the U.S. and U.K. I think a small number of users will leave Facebook, while others will be more wary, and perhaps watch how they use Facebook, and maybe use less of it. However, I don’t think Facebook is as losing users as they are about new regulations that may impact their business. After all, what other good alternatives do users have?

I’m just using this Facebook incident as an example. The point is that putting information in the cloud carries some risks. There is risk everywhere, of course, but the goal is to manage the risks to a level that you are comfortable. The danger here is that many people aren’t thinking at all about how they use the cloud. Just because a username and password is required, they think it’s locked and secure.

Privacy in the cloud? There isn’t much of it.

There’s a reason why Facebook is free. Or appears to be free. That’s because you are not a customer. You are a product. Your data is being sold. As the saying goes, there’s no free lunch. If something’s free, you are not the customer.

Leave a Reply

Your email address will not be published. Required fields are marked *

View Comment Policy