Twitter's data privacy failings are the norm, not the exception

Will there be a catastrophic cyber event in the next two years? Hackers are asking for your insurance details.

Anthony Woodward


Share on Social Media
March 10, 2023


Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.

This month:

  • Will there be a catastrophic cyber event in the next two years?
  • Hackers are asking for your insurance details.
  • The metaverse is even more insecure than you expected.

But first: Twitter and the challenge of forcing visionaries to care for our data.

If you only read one thing

We need to make sure tech visionaries consider our data privacy


You can say many things about Twitter under Elon Musk, but one thing you can’t say is that it has been boring. If you take Musk’s word, buying Twitter was an accelerant to building X, “the everything app.” He estimates this purchase sped it up by 3-5 years (he could be wrong, though).

By “the everything app,” his subsequent comments suggest something akin to China’s WeChat, used by citizens of that country for everything from payments to social media.

But users who hear Musk's plans for turning Twitter into an "everything app" should keep one concern top of mind: data privacy. Using one app for all aspects of your life means sharing a lot of (most of?) your sensitive data with one company.

(Full disclaimer: I drive a Tesla – so I say the following with much respect @elon).

In this case, you would be doing so with a company that has a history of missteps when it comes to guarding, selling, and accessing user data, which is now owned by the founder of other companies with their own privacy-related controversies. Data breaches and a lax approach to sharing data with advertisers have long been hallmarks of Twitter, and the situation hasn’t improved with the purchase by Musk.

Solving for X

So where does that leave us when considering X?

It’s tempting to point to Twitter’s data privacy failings as an outlier. You’d be forgiven for thinking that in a different company, one with a more stable team and leadership, surely data privacy would also be treated with more care. Not so.

I regret to inform you that data privacy and governance are treated with a similar lack of care across the enterprise and technology sectors. What Twitter offers is a particularly public version of a situation that is rampant. If we were talking about Facebook, Google, a national bank, or a defence contractor building such an app, we’d be having the same conversation. The solution is not “choosing different platforms to give us control over all our data.”

Businesses want to monetize our data but are less interested in taking care of it. Founders pushing an ambitious vision of the future usually don’t consider or care about the implications of our data privacy. Unless we require them to.

How do we prevent founders with a myopic vision for the future from forgetting about our data privacy? It turns out we do have a solution to this issue. It’s called regulation.

As a community, we need to think about how we want to regulate organizations that collect our data, and how we establish that our data is owned by us and we are merely lending it to them. This is all about control and regulation. The more control we give the public, inside and outside the enterprise, the better for society. These platforms and systems have value; that's why people sign up to them. But there must be some way to manage the data, its collection, and its use. We knowingly trade away our privacy when we use such platforms, so we should be the ones setting the terms and conditions.

By the sounds of things, we have about 3-5 years to do so (though that may be wrong).

🤫 Privacy and governance

An example of platforms doing the right thing with sensitive data: Last week, the National Center for Missing and Exploited Children (NCMEC) announced Take It Down. The tool, funded in part by Meta, allows children and young people (or their trusted adults) to have their non-consensual intimate imagery removed from the internet.

The Biden administration dropped its national cybersecurity strategy. It’s looking at imposing minimum security standards for critical infrastructure and making larger software makers responsible for maintaining the security of computer systems.

New EU regulation due in the second half of the year will set clear procedural rules for enforcing the GDPR. This is seen as a response to lax enforcement by jurisdictions like Ireland and Luxembourg.

Bad news for Horizon Worlds fans (they exist, right?): new research suggests privacy in the metaverse may be effectively impossible unless safeguards are adopted. The research showed that just three data points (one for the user’s head and one for each hand) are all that are needed to identify a user within a large population.

Canada’s Office of the Privacy Commissioner has created a great campaign, with a graphic novel teaching kids about privacy with their digital devices. More of this, please!

🔐 Security

LastPass announced a data breach in which an attacker gained access to a decrypted vault by stealing credentials from a senior DevOps engineer, via the engineer's home computer, and used them to access the corporate vault. A comprehensive collection of security failings here. Even worse: this all happened in August, an inexcusable delay in customer comms.

Speaking of inexcusable delays: last week Activision disclosed a December 4 breach in which hackers gained access to internal employee and game data.

Australian insurance provider Medibank revealed the attack vector of last year’s major security breach. All it took was a combination of credentials stolen from a third party and a misconfigured firewall.

The World Economic Forum says that, thanks to geopolitical instability, there will be a “catastrophic cyber event” in the next two years. This is fine.

A novel approach: hackers are asking their victims to share their cyber insurance details, to better calibrate their demands. What could go wrong?

The Australian government is considering a new Cyber Security Act as part of a crackdown on lax corporate information security standards and data hoarding, and to help resolve shortcomings in existing Security of Critical Infrastructure laws.

Also in Australia: according to the regulator ASIC, only 11 of 36 hacks were disclosed to the market.

📣 The latest from RecordPoint

If organizations are to embed privacy into their systems and processes to gain an advantage and gain customer trust, they need to understand the sensitive data they have, and how to classify it. This means they need to learn to separate their PI from their PII. This guide explains the differences between each of these terms, and how various privacy regulations approach them.

That’s all for this month’s edition. We hope you found the newsletter stimulating. If you did, let Elon know!
