Issue 17 : The Security and Privacy Wars in the Digital Age

It’s all about software

After a couple of practical issues, I thought I’d get back to analysis and strategy — kind of the initial reason for this newsletter 😄 Hope you enjoy it.

Onwards with this issue.

Security and Privacy Wars

A long time ago, in Internet terms, we had a war of security between Unix and Windows. Windows, the new shiny up and coming OS was open by default and that openness enabled all sorts advances, but like anything it can be used for good and bad and that openness allowed a lot of bad things to happen, some that we are still dealing with decades later. Unix, on the other hand, was secure by default, because everything was turned off by default. You were required to open up things as you needed them and were discouraged from opening things unless it was absolutely necessary and could be justified. The evident reality of today, is that the Unix model won out and Windows is currently exponentially more secure as a result of being more cautious. I’m simplifying somewhat, but you get the picture.

Given the fact that history often repeats itself, this battle seems to be taking place in the mobile era. The two protagonists being Apple and Google of course. Google’s approach is akin to Microsoft’s from its burgeoning years, with Apple’s being more like the Unix model — that’s no coincidence, in that macOS is in fact built upon the Unix kernel, Berkley Systems Development. Many tech nerds will cry foul of my assertion, rightly detailing that a kernel isn’t the whole thing. That's fine, it's to illustrate the point.

Apple’s implementation of its developer APIs (Application Programming Interface) shows us that they’re much more concerned with securing and protecting as much as possible from the get-go. Something Google doesn’t seem to be either interested in, or capable of. That’s unfair, Google is perfectly capable of it. Perhaps not with the current implementation of Android, but the engineers at google could easily do so if required. So that leaves us with the only explanation that is sane, that Google has no interest in securing Android like iOS. And that’s fine, it’s their choice. However, I thought it would be an interesting exercise to compare and contrast some areas of Google and iOS to give context to the impending privacy wars that are just gearing up, as you’ll see later.

Security: 2-factor authentication

During a WWDC State of the Union address — the keynote for developers, aimed at developers, rather than the morning’s keynote that is mostly for users and the press — Apple spoke about a number of enhancements for the future of security and privacy. The statistic that around 2 thirds of all Apple ID users have enabled and utilised 2-factor authentication versus around 10% on other platforms was somewhat surprising. Why do users on other platforms not set it up? — because it exists and has done for a while.

Well, it’s a relatively easy question to answer in fact. It’s simply too difficult for most people to understand and setup. Apple makes it a little easier, but again, here many users still don’t use it. The Google’s OS is much more widely used in absolute numbers and is used in places where the security necessity is either less-required or less understood. With many more multiples of users, Google has a hard time getting people on board, but due to its open doors policy in the beginning, getting the updates required to help secure its users is additionally extremely difficult.

Security: OS updates

Google’s OS is fractured to a staggering degree. Just over 10% of Android users are using the latest version, Pie. And even if you wanted to update, the sheer numbers of Android phones in circulation that are below the minimum threshold for updating to more recent and hence more secure versions is a testament to the sheer disregard that Google, the manufacturers and telecommunications companies have for you as a customer.

Apples adoption statistics are unsurprising because Apple does a much better job of updating users’ OSes and supporting legacy devices compared to Google and its OEM hardware partners. In fact, Apple claims that 83% of devices sold in the last four years are running the latest version of iOS, iOS 12. That’s a staggering achievement and doesn’t end there. Not only that, but 80% of ALL devices are running the same version, the last 20% are presumably a mix of those not updated yet and those that cannot. In absolute numbers that’s around 28 million phones around the world.

Android smartphones make up around 85% market share compared to Apple’s 15%, so if we take Apple’s figure of around 900 million iPhones in circulation, that would make a total of over 4 billion Android phones worldwide, all types. If only 10% are on the latest release (40 million), that’s a whole lot of phones that have potentially dangerous security flaws.

Privacy: Data protection (on device encryption)

Although Android supported full disk encryption since Android Gingerbread (version 2.3) released in 2010, however, the implementation leaves much to be desired.

Firstly, it’s an opt-in thing, apart from some of the latest most high-end devices on the market running Lollipop (5.x onwards). Once again, average users are unlikely to take advantage of this somewhat essential feature for your security. Apple’s iPhone OS 3 introduced full disk encryption in 2009, yes, the era of the iPhone 3GS! That it was automatically applied with literally no user interaction meant users were more secure by default.

Security: Password Management

iOS includes a rudimentary built-in password management tool called Keychain that allows the storage of passwords, the recall when needed and a syncing model that surfaces passwords saved to it on all of your Apple devices, save it once and its available everywhere. More recent versions suggest strong passwords when presented with password creation or change dialogs.

Apple hasn’t stopped there, it’s adding many features to macOS too, its less wall-gardened OS. Of note, is a new Notarial Service for apps that are distributed outside of the App Store. It allows Apple to lock-down malicious code before its even distributed. In basic terms, an app that uses the service connects to Apple servers on startup to check it still has a valid pass. If that pass has expired — which could be for a number of reasons — the app is prevented from starting, thus, in theory, protecting your computer and all it holds.

As we get further in to the digital age, it’s privacy that matters##

In May of this year, both Facebook and Google held conferences — Facebook F8 and Google I/O — both Google and Facebook made announcements that hinted at a new direction for some of their products, stating that they’re turning to privacy by default.

Google’s announcement as told in Wired:

Google placed a big emphasis on user privacy in this keynote. It’ll now be easier for users to access their Google security settings from their smartphone and from there quickly delete their web history and app activity. The firm will also process more user data on the device without uploading it to its own servers.

Google Maps is also getting its own minor privacy overhaul, with a new incognito mode that won’t remember search results or dropped pins. This brings Maps in line with Chrome – which has had incognito mode for a decade – and YouTube.

On the security front, Google is making it easier for Android phone owners to verify their identity through two factor authentication. For certain Android smartphones, the phone itself will act as a security key, allowing users to verify their identity with a single press, doing away with the need to receive and input a code.

Facebook did the same, as recounted by BuzzFeed:

Facebook CEO Mark Zuckerberg kicked off his keynote with a privacy-focused speech. "Privacy gives us the freedom to be ourselves ... so it's no surprise that's the fastest way we're communicating online is small groups," Zuckerberg said. "That's why I believe the future is private." Following the comments, the CEO said, jokingly, "I get that a lot of people aren't sure that we're serious about this. I know that we don't have the strongest reputation on privacy right now."

Let’s be clear on one thing, they're still collecting data in every way they can and matching that data up to potential advertisers (including themselves) in order to make money. Their fundamental BM has not changed, they’ve just found new ways of executing on it. What they have done however, is try to change the conversation towards privacy, allegedly in a thinly veiled attempt to divert attention or subvert impending law suits against them from the EU and the DOJ (US).

Listening to episode 244 of the Critical Path podcast by Horace Dediu, I had a similar realisation put forward by Horace; Personal data should be treated like a controlled substance

In Digital Transformation you're going to be handling data all the time, and as a result you’re going to need to treat it like that controlled substance as described by Horace. Chemicals and arms can be legitimately owned and used but they are controlled (in most civilised countries anyway) to a point that harm done from them is limited. The GDPR in this, its first guise, tries to develop a framework that controls personal data in much the same way; you need to explicitly ask for permission BEFORE collecting it, you need to clearly state the purpose you're asking for it and lastly need to clearly and explicitly detail how you are going to use it.

Hardware platforms and their apparent stance on openness vs closedness, security and privacy, are starting to matter less and less, and it is in the software layer that lies the opportunity and risk. Software is eating the world. The coming European Copyright Directive, recently approved but not yet in law, will expose this to an even greater degree.

 Reading List


GDPR After One Year: Costs and Unintended Consequences - Truth on the Market

Here’s a different angle on the usefulness of GDPR, worth the read.

GDPR can be thought of as a privacy “bill of rights.” Many of these new rights have come with unintended consequences. If your account gets hacked, the hacker can use the right of access to get all of your data. The right to be forgotten is in conflict with the public’s right to know a bad actor’s history (and many of them are using the right to memory hole their misdeeds). The right to data portability creates another attack vector for hackers to exploit. And the right to opt-out of data collection creates a free-rider problem where users who opt-in subsidize the privacy of those who opt-out.


Source: Deloitte

Bringing digital to the boardroom

DIGITAL transformation is not just about adopting new technologies. Its significance, especially in the business world, extends to how technology can be used to create—and sustain—a competitive advantage.

As such, digital transformation, along with the potential for disruption, is high on the agenda for executives at many financial institutions, as well as their boards of directors.

Not just financial institutions I’d say, and I’d go even further and suggest that most Caribbean businesses would do well to understand this and heed the advice given in this article.

The Future is Digital Newsletter is intended for a single recipient, but I encourage you to forward it to people you feel may be interested in the subject matter.

Thanks for being a supporter, I wish you an excellent day.

Matthew Cowen @matthewcowen