The DOBlog

Tag: apple

  • Daisy (chain) cutters needed

    Brian Honan (@brianhonan on twitter) has been keeping me (and the omniverse) updated via Twitter about the trials and tribulations of Wired.com columnist Matt Honan who was the subject of a Social Engineering attack on his Amazon, Apple, Gmail, and ultimately twitter accounts which resulted in every photograph he had of his young daughter being deleted, along with a whole host of other problems.

    Matt writes about his experience in Wired.com today.

    Apart from the salutary lesson about Cloud-based back-up services (putting your eggs in their basket leaves you at the mercy of their ability to recover your data if something goes wrong), Matt’s story also raises some key points about Information Quality and Data Governance and the need to consider Privacy as a Quality Characteristic of data.

    Part of the success of the attach on Matt’s accounts hinged on the use of his Credit Card number for identity verification:

    …the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

    So, Amazon view the last four digits as being useful to the customer (quality) so they can identify different cards on their account so they are exposed. But Apple considers that short string of data to be sufficient to validate a person’s identity.

    This is a good example of what I call “Purpose Shift” in Information Use. Amazon uses the credit card for processing payments, and need to provide information to customers to help them select the right card. However, in Apple-land, the same string of data (the credit card number) is used both as a means of payment (for iTunes, iCloud etc.) and for verifying your identity when you ring Apple Customer Support.

    This shift in purpose changes the sensitivity of the data and either

    • The quality of its display in Amazon (it creates a security risk for other purposes) or
    • The risk of its being relied on by Apple as an identifier (there is no guarantee it has not been swiped, cloned, stolen, or socially engineered from Amazon)

    Of course, the same is true of the age old “Security Questions”, which a colleague of mine increasingly calls INsecurity questions.

    • Where were you born?
    • What was your first pet’s name?
    • Who was your favourite teacher?
    • What is your favourite book?
    • What is your favourite sport?
    • Last four digits of your contact phone number?

    In the past there would have been a reasonable degree of effort required to gather this kind of information about a person. But with the advent of social media it becomes easier to develop profiles of people and gather key facts about them from their interactions on Facebook, Twitter, etc. The very facts that were “secure” because only the person or their close friends would know it (reducing the risk of unauthorised disclosure) are now widely broadcast – often to the same audience, but increasingly in a manner less like quiet whispers in confidence and more like shouting across a crowded room.

    [update: Brian Honan has a great presentation where he shows how (with permission) he managed to steal someone’s identity. The same sources he went to would provide the data to answer or guess “security” questions even if you didn’t want to steal the identity. http://www.slideshare.net/brianhonan/knowing-me-knowing-you)

    The use of and nature of the data has changed (which Tom Redman highlights in Data Driven as being one of the Special Characteristics of Information as an Asset). Therefore the quality of that data for the purpose of being secure is not what it once may have been. Social media and social networking has enabled us to connect with friends and acquaintances and random cat photographers in new and compelling ways, but we risk people putting pieces of our identity together like Verbal Kint creating the myth of Kaiser Sose in the Usual Suspects.

    Building Kaiser Soze

    Big Data is the current hype cycle in data management because the volumes of data we have available to process are getting bigger, faster, more full of variety. And it is touted as being a potential panacea for all things. Add to that the fact that most of the tools are Open Source and it sounds like a silver bullet. But it is worth remembering that it is not just “the good guys” who take advantage of “Big Data”. The Bad Guys also have access to the same tools and (whether by fair means or foul) often have access to the same data. So while they might not be able to get the exact answer to your “favourite book” they might be able to place you in a statistical population that likes “1984 by George Orwell” and make a guess.

    Yes, it appears that some processes may not have been followed correctly by Apple staff (according to Apple), but ‘defence in depth’ thinking applied to security checks would help provide controls and mitigation from process ‘variation’. Ultimately, during my entire time working with Call Centre staff (as an agent, Team Leader, Trainer, and ultimately as an Information Quality consultant) no staff member wanted to do a bad job… but they did want to do the quickest job (call centre metrics) or the ‘best job they thought they should be doing’ (poorly defined processes/poor training).

    Ultimately the nature of key data we use to describe ourselves is changing as services and platforms evolve, which means that, from a Privacy and Security perspective, the quality of that information and associated processes may no longer be “fit for purpose”.

    As Matt Honan says in his Wired.com article:

    I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can’t put a price on.

    And that can result in poor quality outcomes for customers, and (in Matt’s case) the loss of the record of a year of his child’s life (which as a father myself would count as possibly the lowest quality outcome of all).

  • Why Apple’s iOS6 changes mean increased work for Irish Data Protection Commissioner

    At Apple’s WWDC conference this week nerds, fanbois and developers were greet by the news that Apple will be shipping iOS6 later in the autumn (or “fall” for non European readers). Among the features that Apple is touting are:

    1. Ditching Google Maps for its own mapping product and GPS tools
    2. More deeply integrating Facebook with iOS, similar to the deep integration with twitter that emerged in iOS5.

    I personally have some privacy concerns about this level of integration and the potential for Apple to become even more the “Big Brother” they so eloquently mocked in their 1984 TV advert.

    Maps

    By ‘baking in’ an application (Apple Maps) that will likely require me to disclose my location to Apple in order to work (and which at first glance appears to be less useful than Google Maps), I’m getting a less good deal on which to base the sharing of my personal data. And Apple aren’t giving me a map for the good of my health or because they want me to know where I am.

    Location data is part of the “Big Data” gold rush. Traditionally it has been mobile telcos who have access to this data and can analyse it to determine a variety of offerings for customers (next time you get a “pleasantly surprising” SMS message telling you about a special offer in the coffee shop you just happen to be near, congratulations, you’ll have walked within range of a ‘geo-fence’ that will have triggered the SMS. Assuming of course you opted-in to that kind of thing. Like that voucher service you signed up to).

    Google tracks you as well when you used Google Maps on your iphone. But, in the absence of a Google login that tracking is relatively anonymous, going down at most to being able to identify that a particular device was in a particular location (unless you’re logged into a Google service on your device, in which case rest assured Google is probably making associations on the fly).

    Apple on the other hand can also link your location to your phone. And your phone is registered to you. Through iTunes. So Apple will potentially have access to a more granular level of data about who is where, when, who is near them, who they are contacting (iMessage makes your SMS free to another iPhone user… congratulations, Apple now knows who you are messaging). Apple knows what kind of music you like, what movies you rent, your demographic segment… (it’s the iTunes platform!)

    By adding maps to the mix in the iOS/iTunes platform, Apple can also tap information about you in motion – where you are travelling from, to, how fast and can probably make assumptions about your mode of transport (moving fast, not on a road, in a relatively straight line… means you’re probably on a train. Well done, Apple now knows you are probably a user of public transport).

    As CNET reporter Rafe Needleman writes:

    …the more users you have running your geolocation software, the more data you have about how fast people are moving. Apple’s adoption of its own mapping platform means it will now get access to that data from its iPhone users, assuming (and it’s a big assumption) that Apple can hurdle the privacy issues over gathering that data.

    And as Apple’s European HQ is based in Cork, it will be the Irish Data Protection Commissioner who will be in the vanguard of haggling with Apple with regard to the nature of the terms and conditions and controls that will be placed on the processing of the valuable and very identifiable personal data in question.

    Facebook

    I use Facebook. I have a Facebook profile. I am a believer in Sun Tzu’s mantra that one must know your enemy.

    By tightly integrating Facebook with iOS6 Apple potentially gets access to a valuable array of data about who you know, your interests, etc. Facebook get an easier to manage interface and a more ‘baked in’ and reflexive sharing of content and information by Facebook users.

    And the individual gets another avenue by which personal data by and about them may wind up in places they were not expecting or being used in ways they didn’t anticipate.

    Later this month Facebook will be facing into the return visit of the Irish Data Protection Commissioner who made relatively negative findings in their audit report earlier this year (but not as negative as many may have hoped). As the integration with iOS was not in the scope of their original review, I suspect it will not be on the table for discussion (at least not formally).

    But again it is the Irish Data Protection Commissioner who is in the vanguard of protecting the fundamental rights to Data Privacy which are enshrined in EU law and which Facebook, through it’s terms and conditions, extends to Facebook users everywhere outside of the US and Canada.

    And it means Apple don’t have to waste any more time and effort trying to put the bounce into Ping. They will have effectively outsourced that to Facebook. So Apple wins something. Facebook wins something. Where is the consumer’s win (and is it big enough to balance the impact on privacy).

    Evolving the Platform

    Any minute now I expect my friend Phil Simon to fire out a blog post about how Apple’s ditching of Google and locking in and locking down of Facebook represents a platform strategy play in The Age of the Platform. Apple is simply adding more “planks” to its platform, pushing out a competitor platform and reducing the incentive for another platform to start competing in devices (or at least minimising the impact of any such competition by leveraging the critical mass of the iOS/iTunes platform).

    But to stretch and mangle Phil’s Platform analogy to the nth degree, any form of large scale construction requires permits and clearance and needs to balance the utility and convenience of what is being built (whether it is a shopping mall or a social media data sucking behemoth) with the impediments it may cause to the rights and enjoyments of individuals.

    And the “Building Control Inspector” in this case will more than likely be the Irish Data Protection Commissioner.

    • With less than 22 full time staff
    • A budget of less than €1.5million

    I fear that the back-end complexity of Apple’s move to front-end simplicity may be a killer blow to the efficiency and effectiveness of the Office of the Data Protection Commissioner, which is already creaking under the strain.

    Given the influx of DataSuck Platform companies in to Ireland (LinkedIn, Facebook, Twitter, Google, Apple –admittedly here for years, Zynga etc.) the Irish Data Protection Commissioner is rapidly becoming the “Local Sheriff” in the Wild West of ‘Big Data’ exploitation for more than just the 4.5 Million people living on our little island.

    #SupportyourLocalSheriff