The Chairman, Deputy Director of the Bureau of Consumer Protection,
and Chief Technologist of the Federal Trade Commission will hold a
telephone media availability on Wednesday, December 1, at 1 p.m. to
answer reporters' questions about a new FTC report on privacy that
outlines a framework for consumers, businesses and policymakers.
Jon Leibowitz, Chairman
Jessica Rich, Deputy Director, Bureau of Consumer Protection
Edward W. Felten, Chief Technologist
Federal Trade Commission
Wednesday, December 1, 2010, 1 p.m. ET
Dial-in: United States: (800) 398-9367
International: (612) 332-0820
Confirmation Number: 182971
Host: Cecelia Prewett
Call-in lines are for press only
A friend of PrivacyWonk, Sara Cohen, has authored "Privacy and Security Implications of Geo-Location Social Media Tools" over at The Homeland Security Blog after participating in a joint experiment conducted by Fox News and Corner Alliance. The experiment followed Sara for two weeks as she used geo-location social media tools like Foursquare and Facebook Places during her daily life. Without Sara's knowledge, Fox News DC had been surreptitiously filming her during the course of the experiment. "On the final day, I was found by the news crew and reporter, who had been following me all along, filming me without my knowledge."
I was very excited when Sara let it be known she was participating in this experiment. It was a chance to show how these services can be abused and how important it is to protect yourself while using them. While this Fox News and Corner Alliance experiment was conducted with Sara's permission, it is very easy to imagine this being done by people with ill intentions. Here's the video:
Great takeaway quote from Terrence Whitehead, "The value is not in your privacy, the value is in your information, your whereabouts. That's what people want to know. That's what companies are paying for."
I asked Sara to give a small intro about herself and the experiment:
"For the past three years, I've been working in emergency management
and social media. In 2008, I completed my master's thesis, "Using
Social Networking for University Emergency Communications" with UCLA.
Taking lessons learned from Virginia Tech and Northern Illinois University, I
developed a model for universities to leverage social media specifically in
emergency communications. Since then, I've worked with several
universities, organizations, and government agencies, developing social media
programs, policies, standards, and training. I've presented and written
on the security and privacy implications of web 2.0 technology for several
conferences and publications. One thing I am sure of is that as technology
advances, so too does the information transmitted via these channels. The more
information we share, the greater the risk to our personal privacy and safety.
And in a fast-paced and dynamic environment, it is becoming increasingly
difficult to manage our online personas.
As someone who uses social media on a daily basis, I was interested in
participating in this experiment to see just how far my information could go. I
pride myself on staying up to date with ever-changing privacy policies and the
security implications of new technology. I was surprised to learn, however,
just how easy it is to lose track of the bigger picture, when sharing
information on a daily basis for the purposes of staying connected. This blog
discusses my approach, my findings, and a few lessons learned."
Geo-location has been a frequent topic here on PrivacyWonk. Security researcher and friend Omachonu Ogali developed a great proof of concept called Where's my iPhone, which siphoned GPS-coded images from Tumblr to produce Google Maps views of exactly where each photo was taken. Adam Savage of MythBusters famously compromised his home address by sharing a picture of his car via Twitter. Location-based information came under Congressional inquiry this past summer, with security experts like Matt Blaze (UPenn) testifying on ECPA Reform and the Revolution in Location Based Technologies and Services.
When it comes to using geolocation social media applications, my first piece of advice would be the most basic one: Don't use them. If you can't do that, never use them from home. Or your office. Use them only when you are out, doing silly stuff. Don't establish patterns that can be exploited. Don't allow other people to check you into places. Make sure your phone's privacy and location settings are not giving away too much info either: GPS and "Enhanced Network Location" (aka cell tower/Wi-Fi access point triangulation) do not need to be turned on all the time. Most games and applications will not need access to your location information either.
Simply put, don't let your digital exhaust compromise your real, physical, security.
A story published yesterday by Kim Zetter on Wired.com's Threat Level titled "Clues Suggest Stuxnet Virus Was Built for Subtle Nuclear Sabotage" gave some fantastic insight into the virus. The story was a recap of a larger report issued by Symantec, which performed in-depth analysis on the Stuxnet virus. This virus targeted specific supervisory control and data acquisition (SCADA) software and, further, only activated certain chunks of code when those SCADA systems were managing a specific number of sub-systems from specific manufacturers.
The basic points I took away from the analysis are that: (1) Stuxnet is far more advanced than was previously thought. (2) Stuxnet was designed to specifically target Iranian nuclear facility(ies). (3) The level of sophistication most likely meant nation-state backing.
...All I could think about after reading this story was William Gibson's award-winning cyberpunk novel Neuromancer. The geek in me wants it to come out, in the future, that the Stuxnet project was code-named "Operation Screaming Fist" by whatever nation-state sponsored its development. In Neuromancer, Operation Screaming Fist was an American military operation aimed at introducing a major virus into a Russian military computer through both physical penetration of Russian defenses and logical penetration of Russian Intrusion Countermeasures Electronics.
We've seen some pretty crude "cyberwar" attacks, notably the DDoSing of Estonia off the map a few years back. Now we have Stuxnet. Things have come a long way in a very short period of time; it will be interesting to see what comes next.