Same Old Problems, Still No Answers

for some reason we're not alone

Shocking stories about data brokers selling sensitive data aren't new. There is a regular stream of them that you encounter even if you aren’t paying attention.

A federal judge in Idaho dismissed the case last year, since what could be harmful in reselling the geolocation data of 35 million people who might go to Planned Parenthood, a domestic violence shelter, a mosque, an LGBTQ club or seedy dive bars?

Apparently nothing to the Idaho federal judge or Kochava, the data broker.

To be clear, this isn’t even allegedly anonymized data, which is a problematic notion regardless.

Welcome to “normal.”

Two things struck me reading that Ars Technica story.

First, this is a clear case of where my argument for "reductive security" can mitigate some impact on individuals.

Most security approaches start with adding stuff, such as security applications, when you really should start with what you can remove. This requires a review of what you actually have.

New phone? Review the applications, and disable or remove what you don't need. This is where Android has something over iPhones, but where PinePhones or CalyxOS exceed both.

Maybe you can stop relying on the device's calendar, contacts, web browsing? Bluetooth? NFC? Turn off wifi until you actually need it?

Digital devices linked to bigger networks should be treated with suspicion. Advertising from every industry continually encourages us to move from the “analog” onto their networks so they can collect more data.

This one commercial mocking cash versus their phone application might rank as the most annoying.

Do you appreciate the real cost of installing some retailer’s “preferred customer” application? Do you realize the customer of that app isn't you? The real customers are the data brokers who purchase the data the app collects about you.

If you think “I have nothing to hide”, consider why that “nothing” is a commodity to data brokers. It has value and a price, and it is collected and sold. They are happy you’re not “hiding.”

Reductive security is also useful for the enterprise. Think about the hostnames configured for a domain.

A domain is registered with a domain registrar, and they might provide DNS name services. DNS records for email and a web site are manually configured by the customer. But by default, a whole bunch of other subdomains appear in DNS: ftp.yourdomain.com, shop.yourdomain.com, etc. Those subdomains all direct to the DNS provider’s hosts, even if you don't use them. You now have given free rein to some provider to do what they want under your domain, with your branding at stake. And then they are collecting data on visitors to subdomains they configured and host.

Think about email SPF (Sender Policy Framework) records, which authorize certain hostnames or IP addresses to send email as if it's coming from your domain. That likely includes your own mail hosts, plus any other third-party marketing provider domains.

Imagine marketing person “Alice” adds Provider X to your SPF record for mass emailing. Then Alice departs. Marketing person “Bob” arrives, and adds another mass emailing provider to the SPF record. Long after the entity stops paying the Provider X invoices, their ability to send email from your domain remains unless someone changes the SPF record.
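
One way to catch the stale Provider X entry described above is to audit the SPF record against an inventory of senders that still have a contract and an owner. This is an added example, not code from the original post; the provider domains, IP range and inventory below are constructed placeholders.

```python
# Constructed sample record: the provider names and IP range are placeholders.
SPF_RECORD = ("v=spf1 mx ip4:192.0.2.0/28 include:_spf.provider-x.example "
              "include:_spf.provider-y.example ~all")

# Hypothetical inventory: every authorized sender with a current owner.
APPROVED = {
    "mx": "IT operations",
    "ip4:192.0.2.0/28": "IT operations",
    "include:_spf.provider-y.example": "Marketing (Bob)",
}

QUALIFIERS = "+-~?"  # pass, fail, softfail, neutral (RFC 7208)


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, term) pairs."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a term with no qualifier defaults to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term.lower()))
    return parsed


def audit_spf(record, approved):
    """List the authorizations in the record that nobody currently owns."""
    findings = []
    for qualifier, term in parse_spf(record):
        if qualifier != "+" or term.startswith("exp="):
            continue  # only "pass" terms authorize a sender
        if term == "all":
            findings.append("+all authorizes every host on the internet")
        elif term not in approved:
            findings.append(f"no current owner: {term}")
    return findings


if __name__ == "__main__":
    for finding in audit_spf(SPF_RECORD, APPROVED):
        print(finding)
```

Run against the published TXT record whenever a provider contract ends or a marketing owner changes, and remove every term the audit reports.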

The point is simple: the fewer systems and the less data available or collected, the safer you are. The security surface area to monitor and defend decreases, and is more manageable. It's not the ultimate elixir to solve the world's problems, but it's a strong starting point in the never-ending war to enhance privacy and security.

The less data available to the data brokers, the safer you are.

But the really disturbing part isn't only that the data brokers are enabled to collect this data. The horror-show reality begins when one realizes that the data brokers are actually downstream in this dystopian ecosystem.

Who actually enables the data brokers? It's usually the providers and product manufacturers, from internet services to cell phone companies and beyond who collect, package and sell your data. Then they enlist the data brokers into their ecosystem.

How does Kochava get this data? The last line in the CEO’s profile makes the case clear:

The Kochava technology is now integrated with more than 3,500 networks and publishers and is trusted by hundreds of brands including the biggest names in mobile gaming, news and media, and consumer goods.

It’s those “networks and publishers” whose data collection and sale seem to escape scrutiny. Downstream data brokers are the bottom feeders, and a logical product of this ecosystem.


Yet this upstream incessantly collects more and more sensitive data, sometimes under the auspices of “security.” From web sites with dozens of third-party data miners to idiotic and NIST-contradicting security questions about mothers’ maiden names and first-grade teachers for authentication, the first-party collectors should not be feigning shock when cases like this happen.

I don't know if the FTC, FCC or anything short of another Big Bang can end this game. But if you get nausea from reading stories like this, it shouldn't just be because it happened. You should have nausea because it can happen, and that it's facilitated from the upstream.

About the author: George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.

About ClearOPS. ClearOPS revolutionizes third party risk with its support for both buy-side and sell-side vendor management, powered by Generative A.I. Take your vendor management to the next level and fix your internal workflows for maximum efficiency.
