Data Privacy Part 1
Hi, I'm Matthew Clark. This is Module 7, Privacy.
Congratulations. You have completed Module 6 and are on your last module toward your certificate of completion.
Let's begin our new module with Lesson 7.1, Data Privacy, Part 1.
In this lesson we'll cover the privacy landscape and discuss some common privacy terms. We'll also discuss three different case studies.
The first one is when the government gets concerned and asks parents to take action. The next one is how a desire for fitness reveals military secrets. And the last one is how one man's quest for whiter teeth almost shows too much.
The privacy landscape is an area that, admittedly, we've seen a lot of change in over the last several years.
We've seen GDPR, with its sweeping privacy regulations and rights for European citizens. August 2020 also brought changes to the EU-US Privacy Shield, when Europe's top court ruled that arrangement was no longer valid,
and it really showed how in flux privacy law is.
And it's not just the EU that's concerned with privacy. India has been working on a Personal Data Protection Bill to address privacy rights and concerns for its citizens, along with many other countries.
The U.S. is a little bit different. We don't have any specific federal law about privacy. Instead, privacy concerns are addressed in a patchwork of federal and state laws. So let's go through some privacy terms that will probably be used in the next three or four lessons. The first one is data subject, and this is any person that could be identified either directly or indirectly.
A data controller is the entity that determines the purposes for which our personal data is processed. They dictate how and why data is going to be used by the organization, and they have the most responsibility to protect the privacy of the data subject.
A data processor, on the other hand, is usually a third party that's external to the company and that processes personal data on behalf of the controller.
Joint controllership is when more than one entity has controllership. Both parties have to enter into an arrangement, and the data subject has to be informed about that arrangement.
So let's outline some of the common privacy rights that are being created and carved out by governments for their citizens. These are based on the GDPR rights, but they're common to many of the different laws, either passed or being written.
We won't go through all of these. But consumers generally have the right to access their personal information, and they have the right to fix outdated or incorrect information as well.
The one that most people know is the right to be forgotten.
But consumers also have the right of data portability, the right to take their data with them and to have that data provided to them in a common file format.
Consumers also have the right to opt out. If you're a certain age, you have the right to opt in. You have the right to be told, through data breach notifications, of an issue, and you also have the right that businesses can't discriminate against you for exercising a right.
So this is the headline from The Verge in 2017, when Germany introduced a blanket ban on smartwatches aimed at children due to concerns that they might be used as spying devices.
A year later, researchers looked back at one of those watches, and they found that if they changed a parameter, they could get admin access to the API.
And can you believe it? In 2019, there was a very similar headline about a smartwatch called the Safe-KID-One, and that watch was being sold as a high-tech SIM and GPS safety and surveillance smartwatch for kids.
Well, the companion app allows parents to locate and follow their kids almost to the meter, as well as record and play back their movements over a given period of time. You can draw up a geographical fence around the child, and if the child leaves that area, you will be immediately notified and warned. That's what's coming from the product sheet for that particular watch.
Well, obviously we get a headline because there's a problem.
Regulators found some serious vulnerabilities, and EU authorities ended up issuing their very first recall of a product due to privacy and security issues.
Well, what were the vulnerabilities, you may ask?
Well, the mobile application accompanying the watch had unencrypted communications with its back-end server, and the server enabled unauthenticated access to the data.
Consequently, data such as location history, phone numbers, and serial number could be easily retrieved and changed. A malicious user could send commands to any watch, making it call another number of his choosing,
or the threat actor could communicate with the child wearing the device and locate the child through GPS. So, not good.
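As an added example, not part of the lesson and not code from any watch vendor, here is a constructed Python model of the two back-end mistakes just described: an endpoint that trusts a client-supplied device ID (and a client-supplied "role" parameter, the kind of thing the 2018 researchers changed to get admin access) with no authentication at all, next to a hardened version that takes the caller's identity from a server-side session and checks that the caller actually owns the watch. The account names, device IDs, coordinates and the `Request` stand-in are all assumptions made up for the example.

```python
"""Constructed model of a kids' smartwatch back end (not any vendor's code).
Compares an endpoint that trusts whatever the client sends with one that
authenticates the caller and checks device ownership.  All names, device IDs
and coordinates below are made up for the example."""
from dataclasses import dataclass, field
import hmac
import secrets

# Constructed server-side state: which parent account owns which watch.
DEVICE_OWNER = {"WATCH-1001": "parent_alice", "WATCH-1002": "parent_bob"}
LOCATION_HISTORY = {
    "WATCH-1001": [(51.5007, -0.1246), (51.5014, -0.1419)],
    "WATCH-1002": [(48.8584, 2.2945)],
}
# Session store: opaque token -> account name, filled at login time.
SESSIONS: dict = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: query/body parameters plus headers."""
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(account: str) -> str:
    """Issue an unguessable session token for an already-verified account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def vulnerable_get_location(req: Request):
    """Vulnerable: no authentication, and everything is taken from the client.
    Anyone who knows or enumerates a device ID gets its location history, and
    sending role=admin is enough to dump every watch on the service."""
    if req.params.get("role") == "admin":           # parameter tampering -> admin view
        return 200, {"devices": dict(LOCATION_HISTORY)}
    device_id = req.params.get("device_id")
    if device_id not in LOCATION_HISTORY:
        return 404, {"error": "unknown device"}      # also leaks which IDs exist
    return 200, {"device_id": device_id, "history": LOCATION_HISTORY[device_id]}


def hardened_get_location(req: Request):
    """Hardened: identity comes from a server-side session, never from a
    parameter, and the caller must own the device.  Unknown and foreign
    device IDs get the same 403 so responses do not reveal which IDs exist."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    account = SESSIONS.get(token) if token else None
    if account is None:
        return 401, {"error": "authentication required"}
    device_id = req.params.get("device_id", "")
    owner = DEVICE_OWNER.get(device_id, "")
    if not hmac.compare_digest(owner, account):      # ownership check, constant time
        return 403, {"error": "forbidden"}
    return 200, {"device_id": device_id, "history": LOCATION_HISTORY[device_id]}


if __name__ == "__main__":
    anonymous = Request(params={"device_id": "WATCH-1001"})
    print("vulnerable, anonymous:", vulnerable_get_location(anonymous))
    print("vulnerable, role=admin:", vulnerable_get_location(Request(params={"role": "admin"})))
    print("hardened, anonymous:", hardened_get_location(anonymous))
    bob = login("parent_bob")
    bob_hdr = {"Authorization": "Bearer " + bob}
    print("hardened, Bob asks for Alice's watch:",
          hardened_get_location(Request(params={"device_id": "WATCH-1001"}, headers=bob_hdr)))
    print("hardened, Bob asks for his own watch:",
          hardened_get_location(Request(params={"device_id": "WATCH-1002"}, headers=bob_hdr)))
```

The ownership check is the part most IoT back ends get wrong: authenticating the parent is not enough if the server then serves whatever `device_id` the app (or an attacker replaying the app's unencrypted traffic) puts in the request. The unencrypted transport in the real finding is a separate fix on top of this, namely TLS between app and server.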
Many of you may remember this particular incident involving the Strava workout watches.
This was a data aggregation attack, because individual data was being aggregated in order to show a bigger picture.
At the time, Strava allowed users to share workout data and even provided a very helpful heat map of activity from other users.
Well, the issue was that the Strava data was used to expose secret U.S. military bases, used in the past, that the soldiers were working out on.
Strava's CEO stated that the company didn't expect that worldwide users would find sensitive information through the app's users voluntarily sharing their fitness data.
In other words, Strava was banking on their end users being technologically savvy enough to know what data they should or shouldn't share, as well as understanding the scope and maybe the potential repercussions of sharing data.
And maybe they even thought that their end users would have a broad enough understanding of how Strava was currently using the data.
It's also safe to say that Strava probably wasn't putting two and two together and coming up with national defense secrets and then just blowing that off under the guise of "well, the customer should know better."
But they could have done more to inform the customer, or at least made it easier for the customer to opt out of sharing that data.
Strava later made changes to the privacy settings to make it easier to understand and opt out of the heat map. They also refreshed the data to clear information that people marked private.
The military also banned the use of GPS enabled fitness trackers.
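As an added example, not part of the lesson and not Strava's data or code, here is a constructed Python model of an activity heat map that shows the aggregation problem and the two controls the story points at: honouring a per-user opt-out, and only publishing a grid cell once enough distinct users have contributed to it. The civilian city, the remote compound, the grid size and the user counts are all assumptions made up for the example.

```python
"""Constructed model of a fitness-app heat map (not Strava's data or code).
Individual tracks are bucketed into grid cells and the number of distinct
users per cell is published; a handful of people running the same fence line
in an otherwise empty region lights up as a crisp outline.  All coordinates
and user counts below are made up for the example."""
from collections import defaultdict
import random

CELL_DEG = 0.01  # assumed grid cell, roughly 1 km at mid latitudes


def cell_of(lat, lon):
    """Map a coordinate to its grid cell (nearest-cell rounding)."""
    return (round(lat / CELL_DEG), round(lon / CELL_DEG))


def constructed_tracks(n_city=30, n_soldiers=5, seed=7):
    """Made-up input: civilians jogging around a city, soldiers all running the
    same perimeter loop of a remote compound."""
    rng = random.Random(seed)
    tracks = {}
    for i in range(n_city):
        tracks[f"civ{i}"] = [(40.71 + rng.uniform(-0.05, 0.05),
                              -74.00 + rng.uniform(-0.05, 0.05)) for _ in range(20)]
    perimeter = [(34.00, 70.00), (34.00, 70.02), (34.02, 70.02), (34.02, 70.00)]
    for i in range(n_soldiers):
        tracks[f"soldier{i}"] = perimeter
    return tracks


REMOTE_REGION = ((33.95, 69.95), (34.07, 70.07))  # bounding box around the compound


def build_heatmap(tracks, opted_out=frozenset(), min_users=1):
    """tracks: {user: [(lat, lon), ...]}.  Returns {cell: distinct_user_count}
    for cells with at least min_users contributors, skipping opted-out users.
    min_users=1 is the naive 'publish everything' heat map."""
    users_per_cell = defaultdict(set)
    for user, points in tracks.items():
        if user in opted_out:
            continue
        for lat, lon in points:
            users_per_cell[cell_of(lat, lon)].add(user)
    return {c: len(u) for c, u in users_per_cell.items() if len(u) >= min_users}


def lit_cells_in(heatmap, region):
    """Return the published cells that fall inside a lat/lon bounding box."""
    (lat0, lon0), (lat1, lon1) = region
    c0, c1 = cell_of(lat0, lon0), cell_of(lat1, lon1)
    return {c: n for c, n in heatmap.items()
            if c0[0] <= c[0] <= c1[0] and c0[1] <= c[1] <= c1[1]}


if __name__ == "__main__":
    tracks = constructed_tracks()
    naive = build_heatmap(tracks)
    print("naive map, cells lit at the compound:", lit_cells_in(naive, REMOTE_REGION))
    soldiers = frozenset(u for u in tracks if u.startswith("soldier"))
    print("with opt-out honoured:", lit_cells_in(build_heatmap(tracks, soldiers), REMOTE_REGION))
    print("with a 10-user threshold:", lit_cells_in(build_heatmap(tracks, min_users=10), REMOTE_REGION))
    many = constructed_tracks(n_soldiers=20)
    print("20 soldiers, 10-user threshold:", lit_cells_in(build_heatmap(many, min_users=10), REMOTE_REGION))
```

The last line of the demo is the caveat: a distinct-user threshold hides a trail made by a few people, but a base with twenty regular runners still passes it, which is why the per-user opt-out (or a private-by-default setting) was the control that actually mattered in this case.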
Okay, let's finish the lesson off by talking about the Oral-B smart toothbrush.
And that handsome guy there in that picture, wearing that spiffy white Cybrary T-shirt, is none other than your tantalizing teacher of the dark arts of IoT. Okay, that was probably a little overboard.
Previously, we've mentioned how some old-school manufacturers have this really great product, and they decided that they could make their product just a little bit better by adding some intelligence to it.
And I've often wondered how that conversation goes. You know, where does this idea come from, that good products could be made just a little bit better only if somebody connects them to the Internet?
And I think I figured out that it must start with some enterprising intern that's, you know, looking to make their mark. But we end up with some crazy IoT devices, like pressure cookers that are connected to the Internet.
And I even saw the other day, in a big box store, there was a smart toilet seat. I'm not kidding. There was a smart toilet seat, and it did all these terrible things, like warming up the seat for you and blowing air. Just terrible things that toilet seats are not supposed to do. And the worst thing is that there's this control panel on the side of the toilet seat
where you could save your preferred settings,
and it had memory for two different people. Two people could save their preferred settings for this IoT toilet seat. That's just a terrible idea. What happens if you accidentally hit the button for the second user? There are just things you don't want to know.
So back to the IoT toothbrush. Someone had to have been hopped up on caffeine in order to dream up a scenario where you would use a toothbrush app that activated the camera on your mobile device to watch you while you brush your teeth in your bathroom.
There's absolutely no privacy concerns here whatsoever that I can think of.
So I'm a techie kind of guy, and I'm notoriously difficult to buy for. I generally already have all the toys that people can think to give me. So my beautiful wife surprised me last Christmas with this IoT toothbrush.
So I got this for Christmas. And what are you going to do? It's a potential privacy nightmare: standing in your towel after a shower, brushing your teeth, and trust me, there are just certain things in life no one needs to see, and certain things you can't unsee.
But I have visions of this showing up on CNN. You know, it's a news clipping. I'm not that important, but I could just see my face on the news, a photo of me taken from this app, brushing my teeth, you know? And here's this headline, you know: "Stay tuned. Security expert caught brushing his teeth. The full exposé."
Moving on. Do you remember our conversation about preparing the service desk to know how to handle incoming vulnerability disclosures? Well, when these smart toothbrushes first started coming out, surprise, surprise, there was an issue. A security researcher was able to use a simple man-in-the-middle attack to get access to the data being sent from the toothbrush to the mobile app. Obviously, there was a communication channel that wasn't encrypted.
So the security researcher called the Oral-B service desk and was reportedly told by the helpful service desk associate, who was also obviously totally unimpressed by this vulnerability... The service desk associate said, "Who the blank would want to monitor a toothbrush?" Which is a good question,
and we'll learn more details later, at 10 on CNN.
Well, that's it for this lesson.
In this lesson, we discussed the privacy landscape. We took a deep dive into the unknown world of privacy terms and rights. We discussed three privacy stories ripped from the headlines, including a children's smartwatch, a fitness watch application, and cameras in toothbrushes. What