At the intersection of limes, teenagers, and privacy
As the parent of an age group that is best described as unpredictable on good days, one thing is consistent. Research has shown us that this generation does not have the same expectation of privacy as my generation. I remember vigorously debating in a college class my inherent right to privacy as protected by the 4th Amendment. Regardless of whether my argument was flawed or simply not factual, my fundamental belief was I had a legal privacy right, and no institution or government could impede upon it.
My teenager and his friends appear to have a different belief, illustrated by their vigorous use of social media to publish their photos, food, routine life events, even to share their entire belief systems. Bruce Schneier, a fellow at Harvards Berkman Klein Center for Internet & Society, has covered the topic of teens, social media, and privacy in the past. His conclusion is that teens desire privacy, but they also have a need to safely share with each other using their own language and coding. In 2014, Fast Company compiled and commented on varied research regarding teenagers, young adults and expectations of privacy. Whilst one study concluded online privacy is dead, other studies determined it truly depends on how you define privacy. Teenagers may not care if their Facebook friends or Twitter followers know their religion or gender identity, but they certainly care if their parents monitor their social feeds. Teenagers and young adults have grown up in the digital age, so they are much more likely to understand how to set and control privacy settings on their devices and accounts and they do so to segment their audiences. When I conducted my own informal study and asked my teen if a government agency, that suspected him of wrong doing or associated him with an unlawful activity, could search his phone or computer, the reply was get a warrant. So is this generation really any different from prior generations on expectations of privacy? Or, do the differences lie in the complexity of the information sharing platforms to which they feel dependent and entitled? And, how do these beliefs and values shape privacy regulation and laws, and intersect with security in the modern digital era? Are there learnings we can adopt from the next generations implementation of technology and privacy controls?
Now about those limesI have a Twitter account (@ajohnsocyber). I opine about cybersecurity, post about my beloved Chicago Blackhawks and Dallas Cowboys, engage in animated communication with coworkers and friends and advocate for animal fostering and LGBTQ rights. I also have a Facebook account mainly to catch up with far away family and share pictures. I have a LinkedIn profile too, but its for work and I am a purist about my posts there. So, I have an online footprint. That online footprint will tell you the names of my dogs, things about my belief system, expose my awful attempts at humor, and my preference for seedless Persian Limes on the occasions when I need something to accompany a cocktail. The Persian limes were a recent addition based on a Twitter conversation with two people I havent actually met IRL, so you can say my social interactions are fruitful. The point of all of this is that I share enough for someone to assemble a fairly detailed profile of me from my social media footprint and with it, attempt to social engineer or password hack me. Yet I willingly give up some of my privacy to interact with other humans in cyber space. As a security professional, I should know better, right? Well, not necessarily. All social media use does not lead to a path of hacker victim, and I am fully aware of which information to share and which to protect and how.
My social sharing is guided by some core principles:
- The Internet is in perpetuity. My digital footprint is unlikely to go away in the foreseeable future.
- Hackers will keep hacking, and even the best defenses cant always prevent persistent and sophisticated attempts. Think back to the relentless attempts on Brian Krebs in 2016.
- Multi-factor authentication (MFA) on my personal and professional accounts is a must.
- Most of the information I choose to disclose is already available in some way either via public record or through friends with no special instruction for secrecy.
- I can concurrently assert my right to privacy, and my privilege to waive that right.
- I encrypt sensitive personal data.
- I have provisioned defense in depth controls and alerts for critical information.
Because in reality, our hyper-connected world of powerful search engines, and abundant compute and storage, make it possible for reams of data about your entire life to be mined by anyone with a strong desire and a credit card. Oddly though, the majority of breaches still start with a phish rather than a targeted social engineering attack. In fact, phishing is the number one delivery method of malicious software. Compromises of sensitive data are most often tracked back to: weak authentication, poor data classification/encryption policies, lax privilege management, absent or weak admin controls and lack of user education on phishing. We can opine all day about privacy and the need to hold sensitive information close to increase security, but in todays society, from our youth to the millions of adults using social media, including many of the top cyber professionals in the world, very little is truly private.
Add to this a climate of perpetual information sharing and consumption and you can pretty much throw privacy expectations out the window. What you can and should do personally and professionally is make certain you distinguish the personal and private from that which is critically important and know your options to protect each. For technology, consumers deploy basic security hygiene, strong passwords and regular updating. Organizations have additional responsibilities to educate users, patch, use all available access controls and invest in proven detection solutions as well as human hunters so that the now. This way, all but inevitable breaches can be detected quickly.
Because, guess what, notwithstanding the controls required by regulations, the right to be forgotten or have data forgotten in our ever-connected world maybe a right, but it needs your active participation if there is to be anything left to debat