By now, it’s no secret that the endless quest by tech companies, data brokers and other players to capture, make sense of and monetize as much user data as possible – a practice known as surveillance capitalism – presents all sorts of privacy issues. Less discussed are the increased security risks this model creates for companies, governments and individuals.
Let’s start by looking at the estimated $200 billion-per-year data broker industry. This industry largely operates in the shadows, with California’s privacy law taking only the first step of requiring brokers to register with the state attorney general, meaning that just about anyone can buy data from a broker.
Making matters worse, companies within the industry have a history of not securing the data they collect. Beyond well-publicized hacks of data brokers like Experian, others have simply made data available by accident, as Social Data did when they were recently caught with an exposed database containing copies of about 235 million social media profiles.
Once accessed, data can be copied and shared, whether that’s a customer sharing the data with a partner or a malicious actor moving and/or trading the data on the dark web. Once the data is out in the wild, there’s no telling where it will go.
The bottom line is that it’s relatively easy for bad guys to get their hands on highly personal information, enabling them to search and profile a specific user or to sift through the data to find a juicy target.
The personal information itself varies by dataset but may include details pertaining to finances, personal interests, consumption patterns and even inferred psychographic traits – in short, the raw material needed to carry out crimes like identity theft, social engineering attacks and even blackmail.
For better or worse, the information available to data brokers pales in comparison to the data held by individual tech companies like Google and Facebook. If we think of a user profile provided by a broker as a snapshot, then tech companies hold what amounts to a nearly complete dossier on each of their users.
To get a glimpse of this, it’s instructive to look at some of the data requests enabled by Europe’s GDPR, which requires businesses to share the personal data held about a given user upon their request. In 2017, for example, a journalist asked the dating app Tinder for access to her personal data and was surprised to receive 800 pages containing information on everything from her preferences in men to her tastes in music.
Clearly, any bad guy wanting to look into the innermost depths of a target’s background and personality would be well served with the information contained in a data access request. And in fact, GDPR requests have ironically become a vector through which threat actors have attempted to fraudulently obtain data. One researcher showed how easy it can be to spoof such requests when he posed as his fiancé and in some cases received her data from companies without any verification at all.
In addition to illicit data requests, more sophisticated and well-funded adversaries, like those at the nation-state level, have additional tools at their disposal. One is the insider threat. Saudi Arabia allegedly used this method at Twitter, with an insider there looking up private information for more than 6,000 accounts of interest to the country. Implanting backdoors in company servers, however difficult, is another option.
Beyond using the stolen information as a jumping-off point for further attacks, threat actors can leverage it in other ways. Of particular concern is the influencing of important strategic moves made by governments and corporations, where it becomes valuable to learn the ins and outs of individuals in charge of such functions. Finding ways in which these people may be persuaded or discovering any blind spots or peculiarities that may be exploited can be done much more easily and at scale given the deep insights and behavioral analysis that surveillance capitalism provides.
It’s clear that the wealth of data collection underpinning surveillance capitalism fundamentally undermines security as it enables much more effective targeting and attacks. The good news is that despite its entrenched economic and political power, surveillance capitalism isn’t an inevitability. It will take a concerted effort to reverse, but our collective privacy and security may be at stake.