In our rapidly evolving digital landscape, balancing convenience and privacy has become a crucial concern. We spoke with Chris Henderson, Senior Director of Threat Operations at Huntress, to discuss how we can protect consumer data amidst the benefits of an internet-connected world. Chris shared his insights on privacy issues, comparisons with other technologies, and strategies for ensuring both convenience and security in this interview:
How can we balance the convenience these technologies offer with the crucial need for privacy? Can you also discuss how these privacy concerns compare with other common technologies like GPS navigation and Bluetooth?
There are undeniable benefits we gain from an internet connected world, more accurate music recommendations, alerts that traffic is worse than normal and I need to leave early and notifications when I need an oil change. As a consumer, it would be reasonable to assume those benefits are paid for by the price I paid for my product. In reality, companies are double profiting on their products. First by selling the product to the consumer, and secondly by selling that same consumer’s data to clearing houses.
A consumer should not need to ask where their data is being re-sold. Consumers are owed the right of transparency as to how their data will be used and with whom it will be shared. Many companies claim this reselling of data is ethical because a consumer simply needs to opt-out if they object. However, the processes which exist to opt-out of having your data re-sold are so obscure that they are too difficult for the average consumer to navigate.
Given the pervasive data collection involved in today's digital amenities, what role should businesses and governments play in ensuring that the convenience provided by these technologies does not come at the expense of consumer privacy and security? Are there specific strategies or collaborations you believe could effectively prioritize both?
Organizations already have the means with which to anonymize their data collection in such a way that it is still usable to drive product innovation and third party research but respects the privacy of the consumer. Mandating anonymization or at least transparency as to the degree a consumer’s data is anonymized prior to purchase should be a focus of private public partnerships.
Cybersecurity is increasingly challenging with the involvement of nation-state actors who exploit vulnerabilities in data transmission and storage. Could you elaborate on how these actors target such grey areas and what measures can be taken to protect sensitive driver information from these sophisticated threats?
Threat actors typically gain access to this information through a few different manners. Many take advantage of weaknesses in the systems designed to house and transmit the data, utilizing weak access controls, lack of encryption or vulnerabilities due to out of data software and systems.
If the threat actors are unable to break into the systems due to weaknesses and vulnerabilities they will likely employ social engineering to facilitate their initial access. Leveraging weaknesses in the human defenses to trick an individual into providing them access.
Some adversaries only need to pick up a checkbook though. When the personal use information of a consumer is for sale, it may often be easiest to purchase the data that has not been sanitized well enough so they can stage later attacks. If the data is for sale, assume the bad guys are buying it as well.
What are some innovative solutions or practices to enhance security without compromising on user convenience, especially in areas as dynamic as internet-connected vehicles?
Password Managers have an interesting approach to data security. They are blind to the data they possess because the data in their possession is encrypted unless a user requests access to it. The user’s password is then used to decrypt the data.
It would be interesting to see a similar approach with personal data, if it truly is for our own use and convenience, lock it away until I request access to it.