Is my Data Safe in the Cloud?

Nicolas Carlini
Mar 25, 2019


After configuring a new phone with the same email address as the old one, you notice the same contacts, photos, emails, and apps. How is this possible? Isn’t it a new phone? Think of “Cloud Services” as a bucket that is on the Internet. Your old phone has been storing data directly on that bucket, sometimes without you even knowing. Your new phone also has access to that bucket and obtains a copy of the data you commonly use. There is no need to copy data from one phone to another.

[Image: U.S. Robotics 56K Faxmodem]

The popularity of cloud services has increased as access to the internet has become cheaper and faster. About twenty years ago, 56K modems were the medium for accessing the internet. You could not talk on your landline phone and use the internet at the same time. That technology was replaced by DSL, cable modems and fiber optics. This allowed 24/7 internet service inside the home. Wi-Fi access points solved the dilemma of a fixed internet spot at home: we can now connect from anywhere in the home. We now have more devices connected to the internet: refrigerators, light bulbs, watches and more. Smartphones speedily gained the market of devices connected to the internet. Gartner (one of the world’s leading research and advisory companies) estimated the total number of IoT devices in use to have reached 8.4 billion in 2017, a 31% increase over 2016 (van der Meulen). They estimate over 20 billion devices connected to the internet by 2020.

Each device that connects to the internet holds information. Some of this information can be used to harm us or a business. In a study by Ellen Kennerly, a consultant with more than 30 years of experience with major media companies, she mentions that “nearly 2 billion consumer records were stolen or accidentally exposed in the United States last year, including personal data on nearly half the U.S. population held by the Equifax credit agency” (Kennerly). Norton, one of the major companies fighting the battle to keep the internet safe, defines a security breach as “a security incident in which information is accessed without authorization” (Symantec). These incidents can quickly escalate to economic troubles, security threats, or even embarrassment if sensitive data is exposed. Sensitive data is information that hackers can use to impersonate someone and to obtain money or more information. Some examples: social security number, driver’s license number or identification card number, bank account number, credit/debit card number.

Not only are files stored in the cloud, but also your GPS location and whom you are communicating with. Logs are being recorded of our most frequent contacts, how fast we walk, how much we sleep, videos, audio, chats, our blood pressure, the stores we frequently visit, the news we read, the music we listen to, what we browse on the internet, and much more.

Because of the nature of the data stored in the cloud, questions must be asked concerning data safety. What can happen if all this information falls into the wrong hands? Do cloud service companies use this data for their own gain or other interests? What can I do to prevent a security breach?

Basic Concepts

If we want our data to stay safe, there are some concepts we need to understand and master: internal, external and third-party threats. Internal threats depend 100% on the security habits users have. We are our own threats. Out of ignorance we sometimes expose our information unintentionally. External threats are all those that do not depend on us. Let’s imagine a chain of companies. The first link in the chain is the company that we are directly in contact with (email company, social media, etc.). That is our first external threat. Since companies share information with each other, any other company in the chain is a third-party threat. Which of these is to blame if our information is stolen or exposed?

Let’s review each threat in depth. Can you imagine leaving your home with the door unlocked or wide open? Similarly, we can leave our devices unprotected. An example of an internal threat would be a stranger finding a lost phone and being able to read any information stored in it. This is a great security threat. Some of the information inside a phone or digital device can be used for extortion in exchange for money, or someone can access our home banking app and make unwanted transactions. Even if we think the information we have in our phone is useless, there are technical details that can be used against us. A common mistake is geo-tagging photos and uploading them to social networks. Geo-tagging saves GPS information on where the photo was taken. Criminals can use this information to learn the places where we’ve been and predict where we will be (especially if we always upload photos in periodic patterns). A poor habit is not deleting our personal information and data from equipment we dispose of. If someone gets hold of our old device, and it is still linked to our cloud services, they can access all the new data our new phone is uploading. These are a few examples of internal threats. In a study made by Internet World Stats, they estimated that by June 2018 there were 4,208 million users connected to the internet. That is 55.1% of the world population. In other words, if security best practices are not applied, these are millions of possible security breaches and data exposures from internal threats alone. The annual number of private records exposed has jumped from 66.9 million in 2005 to 1244 million in 2018 (The Statistics Portal).

Possible attacks on the services and companies we directly use are considered external threats. Some of these services can be our email, operating systems, social media accounts, home banking applications, digital photo albums and more. Technology is also to blame for the exponential growth of security breaches, as it inevitably has flaws. Companies release security patches (updates to the software) that are supposed to fix these flaws. Microsoft alone released 261 security patches for all its software in January 2019. That is 83 more than the same month in the previous year (Microsoft Update Catalog). This shows that there are more security holes to patch every month. User data gets impacted or exposed when companies do not fix their flaws on time. On May 17, 2016, LinkedIn posted a “Notice of Data Breach” admitting that 6.5 million user emails and hashed passwords were stolen in May 2012 (LinkedIn Newsroom). Hackers had a four-year head start in working on user passwords. Shortly after, millions of users had their email accounts hacked, as hackers found that the users had reused their LinkedIn password for their email. Furthermore, emails were used to reset passwords on social media networks, banks, etc. This is an example of how even a user who is an expert in security and applies good practices can be impacted by a third-party external threat. The popularity and revenue of a company are not a defensive shield in terms of security. Major companies have been involved in security breaches over the past years. To name a few: in 2016 three billion Yahoo accounts were hacked; in the same year Uber reported that the information of 57 million riders and drivers was stolen; in 2018 Under Armour reported that the information of 150 million users was stolen from its application “MyFitnessPal” (Sobers). These are a few examples of external threats.

Digital information is abstract, and for this reason there is no way to freeze its movements. Information can be copied, shared, moved or manipulated by different parties. This introduces third-party threats. Software applications have terms and conditions, which are rules a user must agree to abide by in order to use a service. Not understanding the terms and conditions we accept can become an issue, as we can agree to share personal information with third parties without knowing it.

An example is Facebook’s Data Policy (included in the terms of service). It states: “We collect the content, communications and other information you provide when you use our Products, including when you sign up for an account, create or share content, and message or communicate with others. This can include information in or about the content you provide (like metadata), such as the location of a photo or the date a file was created”.

When a user agrees to the Terms of Service, they accept that Facebook collects any information they share. On December 18, 2018 Facebook posted a statement in their Newsroom titled “Let’s Clear Up a Few Things About Facebook’s Partners” where they clearly admit that they’ve shared user data with 52 firms including Amazon, Netflix, Spotify, The New York Times and others (Facebook Newsroom). The number of companies handling user data now multiplies, and so does the possibility of security issues (BBC). In 2018 Limogés Jewelry (a Walmart vendor) exposed names, phone numbers, email addresses and passwords of over 1.3 million users. The data also contained numerous records for other retailers such as Amazon, Overstock, Sears, Kmart, Target and others (Matteson).

Governments have tried to reduce the risk of manipulating and sharing information by creating regulations. The European Parliament adopted the “General Data Protection Regulation” (GDPR), which requires businesses to protect the personal data of all EU citizens for transactions within the EU states. Companies that do not comply are sanctioned (Nadeau). In the United States of America there are several regulations divided by sector: medical or financial data is regulated by HIPAA, children’s data by COPPA, student records by FERPA and so on. All countries need to collaborate on regulations to keep data safe.

What is the verdict?

Upon studying this subject and having experienced technical threats I asked myself “Is my data in the cloud safe?” and “What threat should I be focused on?” According to a study made by Cybint Solutions (a cyber security consultant) 95% of cyber security breaches are due to human error (Cybint News). This high percentage suggests that the safest way to keep our data private is to focus on what we can do about it: train ourselves to have the best security habits. External and third-party companies can invest time and money in making their systems safe, but that doesn’t matter if we are the weakest link. Where do we start? First, we should start with balance in our interaction with technology. There is a philosophy called Digital Minimalism, a way of life that constantly questions the amount of time we spend with technology and whether the technology we use really adds value to our life. Its purpose is not the security of our data, but living this way inevitably makes our information safer. By avoiding an excess of technology, we automatically shut down the possibility of our private life being exposed on the internet. The three key concepts of Digital Minimalism are: technology use should be intentional and not habitual, technology is for making stuff not feeling better, and technology should never come before people (Wignall). In the end, this philosophy will also have an impact on the safety of our data. We can ask ourselves questions like “What added value does having my data in the cloud have? Is uploading my data intentional or habitual?” Learning how to balance the use of technology is the first habit for avoiding internal threats.

The second security practice to master in order to keep our data in the cloud safe is being careful with “social engineering.” Social engineering is a way to manipulate individuals into divulging confidential or personal information. We should avoid divulging information by applying basic security best practices. Phishing emails (a scam where a hacker tries to obtain information from us) are more common now. We should learn how to judge the authenticity of an email, SMS, web site or even a phone call. We should not forget about the physical security of our devices. Misplacing our phone or having it stolen is now a greater burden because of the information it may hold, not so much because of the price of the device. Having our devices locked down with hard-to-crack passwords, PIN codes, etc. is always a best practice. It does not matter if our phone has no sensitive information; even if it only has the phone number of a friend, relative, etc., that can be enough to trigger a social engineering attack.

Waqar Hassan, CEO of Burgeoning Technologies LLC, a Web and IT company, suggests on his web site seven best practices for smartphones and other devices connected to the internet (computers, tablets, etc.). These best practices help us to be safe:

· Use a safe screen lock on your devices.

· Avoid storing sensitive data like passwords in thumb drives or MicroSD cards.

· Be cautious when downloading applications. Applications we install may run background processes that steal passwords from our devices.

· Learn how to recognize malicious ads and web sites that can trick us into giving away information.

· Use an antivirus. This software monitors what is running on our device and it can warn us and clean our device from these applications.

· When not using a wireless connection, we should turn it off. This setting will prevent your device from connecting to unprotected networks without your knowledge.

· Turn off geo-tagging. Location tags can be stored in an uploaded photo. This setting can be disabled in the camera settings of most devices.

Some habits will also protect us from external and third-party threats. We have no control over external threats. We cannot force external companies to apply particular security practices. What we can do is evaluate and carefully choose which services and companies we use. Reading and researching the fine print in the Terms and Conditions is a must. As we’ve learned, we cannot control or monitor what happens to our data when it is handed down from company to company. We must make sure we do not sign a blank check for the use of our information.

Having digital security habits is not very different than any other security habits. A pilot and co-pilot review a series of checks in a list to make sure an airplane can fly with no mechanical issues. A firefighter checks the hoses for holes to be ready when a fire occurs. An annual medical check can help us detect minor health issues before they get serious. When we find an anomaly in the checks, we must decide how to mitigate the risks. There are basic concepts that apply to all security aspects: train and prevent. As we learn about prevention, we will learn that our data is as secure as we make it.

Works Cited

Kennerly, E. “Privacy and the Internet.” CQ Researcher by CQ Press, 2018, library.cqpress.com/cqresearcher/document.php?id=cqresrre2018020900 Accessed 31 Jan. 2019

Symantec Employee. “What is a data breach?”, 2019. us.norton.com/internetsecurity-privacy-data-breaches-what-you-need-to-know.html. Accessed 31 Jan. 2019

van der Meulen, R. “Gartner Says 8.4 Billion Connected ‘Things’ Will Be in Use in 2017, Up 31 Percent From 2016”, 2017. www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8-billion-connected-things-will-be-in-use-in-2017-up-31-percent-from-2016. Accessed 31 Jan. 2019

Cybint News “13 Alarming Cyber Security Facts and Stats”, 2018. https://www.cybintsolutions.com/cyber-security-facts-stats/ Accessed 15 Mar. 2019

Rob Sobers “60 Must-Know Cybersecurity Statistics for 2019”, 2019. https://www.varonis.com/blog/cybersecurity-statistics/ Accessed 13 Mar. 2019

Scott Matteson “How to achieve better security with third-party vendors”, 2018 https://www.techrepublic.com/article/how-to-achieve-better-security-with-third-party-vendors/ Accessed 13 Mar. 2019

Michael Nadeau “General Data Protection Regulation (GDPR): What you need to know to stay compliant”, 2018. https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html Accessed 31 Jan. 2019

Microsoft Update Catalog “January 2019”, 2019. https://www.catalog.update.microsoft.com/ Accessed 21 Feb. 2019

LinkedIn Newsroom “Notice of Data Breach: May 2016”, 2016. https://www.linkedin.com/help/linkedin/answer/69603/notice-of-data-breach-may-2016?lang=en, Accessed 24 Feb. 2019

The Statistics Portal “Cyber crime: number of breaches and records exposed 2005–2018”, 2018 https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/. Accessed 25 Feb. 2019

Waqar Hassan “7 Best Practices for Ensuring Smartphone Security”, 2017. https://socialnomics.net/2017/05/10/7-best-practices-for-ensuring-smartphone-security/. Accessed 21 Feb. 2019

Facebook “Data Policy”, 2019. https://www.facebook.com/policy.php Accessed 26 Feb. 2019

BBC “Facebook’s data-sharing deals exposed”, 2018. https://www.bbc.com/news/technology-46618582 Accessed 26 Feb. 2019

David Meyer “Facebook Is Still Giving Dozens of Companies Access to the Data of Users’ Friends”, 2018. http://fortune.com/2018/07/02/facebook-users-friends-data-sharing/ Accessed 24 Feb. 2019

Facebook Newsroom “Let’s Clear Up a Few Things About Facebook’s Partners”, 2018. https://newsroom.fb.com/news/2018/12/facebooks-partners/ Accessed 26 Feb. 2019

Nick Wignall “What is Digital Minimalism?”, 2018. https://nickwignall.com/what-is-digital-minimalism/ Accessed 22 Feb. 2019
