Data Privacy Part 2

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
8 hours 10 minutes
Difficulty
Advanced
CEU/CPE
8
Video Transcription
00:00
Hi, I'm Matthew Clark and this is lesson 7.2 data privacy, Part two.
00:07
In this lesson, we'll talk about privacy in the i o T fitness ecosystem.
00:11
We'll talk about what happens with government, encourages fitness and what that really means.
00:16
And what also discuss anonymous search data and ask ourselves, Is this really anonymous?
00:23
And then finally, we'll talk about Ah, Florida man. Really? That's all we need to say.
00:29
In our last lesson, we talked about Strada, so let's stick with coyote devices in the wearables market, specifically the fitness area.
00:38
These devices have a wealth of personal information, and the ecosystem around them does is well.
00:44
The fitness watch obviously records physical activity, but it also receives data from the fitness. Watch out. It receives call logs,
00:53
text messages. It records your steps or lack of steps. Because you've been sitting all day,
00:59
it records how long you slept in what time you went to bed In your average heart rate,
01:03
the fitness watch app itself may record your water intake or it could receive calorie data from your mobile food app.
01:11
It could also receive body weight data from your smart scale, along with 25 other health data points, including your B M I.
01:19
The mobile food APP records food entries along with all this other food information, and it probably received step data from your fitness watch app.
01:27
And if you use a mobile exercise app and it's gonna record, you're walking routes and your GPS coordinates, as well as transfer exercise information to your mobile food out and your fitness, watch out.
01:38
That's a lot of shared information between different manufacturers and application developers. In order to have privacy, you need security. But if security fails, then you no longer have privacy.
01:51
However, you can have a perfect security program without any privacy whatsoever.
01:57
Unfortunately, security is usually an afterthought, and privacy is usually not thought of it all.
02:02
So when Covitz started, the FBI figured it was a good time to help keep everyone fit and healthy in the country. Because, you know, after all, fitness is the FBI's mission statement.
02:14
Well, maybe not
02:15
soon after the APP was released, it broke on Twitter that the APP itself was asking for lots of questionable permissions on devices including access toe photos and storage and WiFi information. And this is the FBI. After all, which kind of made people scratch their head?
02:36
You know, those air really broad request for access toe information? What would the government need access to that data for? Well, it is the FBI, so I guess we should be able to trust him.
02:50
So let's take a ride on the way back machine, That wonderful service on the Internet that shows us how terrible the Internet was years ago.
02:58
Let's go back to the year 2006, when AOL well was a force to be reckoned with
03:04
a O. L assigned numbers to users to help protect their identity. And in 2006, America Online released 20 million anonymous search queries for 650,000 of their users.
03:17
And they did this, reportedly for the benefit of researchers
03:22
And a O. L. Thought that this data wasn't really threatening anybody's privacy because it stripped any identifying information from the searchers and just to sign each user a number.
03:32
Well, the researchers use that data to D anonymous individuals, and let's talk about just one of those users. 4417749
03:44
User number 4417749 conducted hundreds of searches over a three month period on topics they covered lots of different things, including the best season to visit Italy.
03:58
Termites
03:59
hand tremors
04:00
Safest place to live
04:02
T for good health.
04:04
Mature living,
04:06
bipolar
04:08
dog that urinates on everything.
04:12
Numb fingers,
04:14
dry mouth
04:15
Landscapers in Lilburn, Georgia.
04:18
Using all of this data, researchers were able to unmask User 4417749
04:26
And when Thelma Arnold, a 62 year old widow living in Lilburn, Georgia, was approached by reporters, she said, I was shocked to hear that ol had saved and published three months worth of my searches. My goodness, it's my whole life. I had no idea someone was looking over my shoulders.
04:46
If you look at her searches, you might think that she suffers from a lot of sicknesses. And she But she explained those searches to reporters. Miss Arnold said that she routinely research medical conditions for her friends to help with her anxieties. Explaining her queries about nicotine. For example, she said. I have a friend who needs to quit smoking and I want to help her do it.
05:06
There are several things that you can learn from this story more than we even have time to point out.
05:11
But one of which is that enough anonymous data can be de anonymized and identifying individual, especially when it's organized.
05:19
Another thing to remember is that you're never alone on the Internet, and companies make money selling you because you're their product toe advertisers and most of us are just willing to give away our privacy for free stuff.
05:34
Our last story is about a Florida man. I find a hilarious when stories start off with Florida Man, followed by something usually really crazy.
05:45
But in this case, this individual did live in Florida, and he was a Florida man. His name was Zachary McCoy. He was a 30 year old Gainesville, Florida, resident and college student,
05:55
and one morning he decided to check his email before heading out to his job at a local restaurant.
06:00
He was surprised to find that Google's legal investigations team had contacted him that the local police had demanded information related to his Google account.
06:12
The company said that it would release the data to the police unless he went to court to try to block it, and he had just seven days act
06:19
well. This email, of course, scared him. He knew he hadn't done anything wrong, But why would the police want his Google information?
06:27
His Google account was linked to his android phone. He used Gmail and YouTube and lots of other Google products, just like millions of other people.
06:35
But the police wanted access to everything.
06:39
There's just one clue
06:41
and the notice from Google. There was a case number,
06:44
and he so he searched the Gainesville Police Department's website, and he found a case about a 97 year old woman who had had her home. Burger lies 10 months earlier. She had lost $2400 worth of jewelry, including an engagement ring worth $2000
07:00
and she lived about a mile away from where he shared a house with two other people.
07:05
He was worried that if he went straight to the police that he would be arrested for a crime he knew nothing about.
07:12
His parents agreed to use their savings to hire a lawyer for him.
07:15
So the lawyer found out that the notice came from a geo fence warrant, which is a type of search warrant that required Google to provide location data drawn from GPS and Bluetooth and WiFi and cellular connections
07:30
from everyone nearby. That way, it worked is that the police asked for the anonymous data which they took and look through, and then they requested subjects to be unmasked or their identity given away.
07:43
Macaulay happened to be an avid biker, and he used run keeper to record his rides.
07:47
The AF, of course, uses GPS coordinates.
07:50
The phone fed those coordinates to Google, and now Google was going to give that all that away to the police.
07:58
He then looked at the day of the robbery and found that he had passed by the victim's house three times within a now er it was part of his ride routine through the neighborhood.
08:07
McCoy was successful in getting the warrant overturned without Google releasing any information to the police.
08:13
The same data that had made him a suspect also proved his innocents.
08:16
Many people simply say, I don't have anything to hide, and I don't care if the police get my data are wanna ask about it.
08:24
As if not having anything to hide is some type of badge of honor.
08:28
The reality is that everyone has something died something they don't want other people to know about. That's why it's called having privacy, and our phones air everything their windows to our soul. When the Internet surfing preferences
08:41
as I O. T. Becomes more pervasive and our data is out there more, everyone should eventually realized that there's something a search, a time when they got home, an Internet purpose, a Netflix show or even how many shows in a row. You've been watched all week, a certain medication
08:58
or something that they just don't want other people to know about,
09:03
McCoy said. This
09:03
if you're an innocent, that doesn't mean that you can't be in the wrong place at the wrong time. It's like going on a bike ride in which your GPS put you in a position where please suspect you of a crime you didn't commit.
09:16
I think we can all agree that the moral this story is not to exercise
09:20
Well, that's it for this lesson. We continued our discussion of privacy in the real world, and we discussed three privacy stories ripped from the headlines, such as Why you should never trust the FBI here for your fitness and Who in the world is 44 1, 77 49
09:37
and I O. T devices and APS that share your secrets.
09:43
And I think we can conclude that we've all learned a very valuable lesson. It's never worth it to exercise.
Up Next
IoT Product Security

This course will focus on the fundamentals of how to set up a functioning IoT product security program from the perspective of a company that designs, manufactures, and sells IoT and IIoT devices for consumer or industrial use.

Instructed By