Give Me Convenience, I’ll Give You My Private Data

Yes, I’m partially quoting the American punk band Dead Kennedys and their 1987 album Give Me Convenience or Give Me Death which, in turn, plays on the famous American patriot Patrick Henry’s quote “Give me liberty, or give me death!” It’s a cry against society’s consumerism, partially comprised of our ever-increasing quest for more and more convenience in our daily lives.

Patrick Henry

Have You Ever Exchanged Money for Convenience?

We are more connected, enabled, and busy than any generation that came before us. As a consequence, we are both short on time and overwhelmed with information.

When we aren’t busily replying to emails or keeping up with global affairs minute-by-minute, we relax by fastidiously maintaining our social network presence, photographs, conversations, check-ins, and fitness tracking through more apps and services than we probably even realize.

Consequently, we are more willing than ever to pay real money for increased convenience. Whether it’s symptomatic of some deeper condition or is a direct result of so many options being available to us, we are quickly being seduced by things like fast-track security, priority boarding, on-demand media content, and same-day home deliveries.

This makes security an ongoing issue that many (I’d say most) people aren’t prepared to handle. Remembering dozens, perhaps hundreds, of unique passwords and usernames and keeping all of our devices up to date is difficult, to say the least, and these necessities conflict directly with our desire for maximum convenience. It’s a balance where, frankly, convenience currently has the upper hand, at the cost of immeasurable amounts of our most private data.

“In this corner…”

Let’s be honest with each other when it comes to security.

Will we favor re-using passwords across services for our convenience and increased ability to remember them? Undoubtedly.

Will we use simple passwords to make them easier to remember? Very likely.

Will we write our passwords down to make them easier to recall when needed? Quite possibly.

Most people will consider doing anything to make the whole process less of an inconvenience if they are feeling under pressure at a given moment.

Cyber criminals are distinctly aware of people's proclivity to choose the quick, easy options and often rely on this fact when attacking their targets of choice. A couple common choices people make can be helpful to criminals:

Auto logins: Individuals may opt to auto-login to their Windows account on their system and bypass the inconvenience of re-entering their credentials with each login. On certain systems, this can result in the presence of plain text passwords being stored in the registry.

Plain text passwords: Many people store plain text passwords in documents on their computer for the convenience of easy retention and retrieval, despite the obvious security implications. Attackers will always be on the lookout for unprotected files containing username and password combinations.

Any attacker who gains low privilege access to a system will often first scan across user documents for any plain text passwords as a quick way to elevate their level of access to the system and its data. With the many password management tools available on the market today, leaving yourself vulnerable in this manner is simply no longer necessary.

Privacy is the New Convenience Currency

Companies are acutely aware that I may be willing to surrender my valuable personal information in exchange for services. In effect, too many people are willing to trade privacy for convenience.

Have you been asked if you want to bypass a login page by linking your Google or Facebook account details? It's known as a "social login" and I’ll admit it—I’ve done it, as I’m sure many readers have as well. In doing so, I have to trust that the company will safeguard my private information from cyber criminals and not do anything unethical with the information itself.

Companies like Google and Facebook know a significant amount about you and your identity. Your date of birth, favorite music, home address, and schedule for the week are all there in these companies' possession. Although Facebook and Google provide us the means to limit what information we authorize to be shared, how often do we really check these privacy settings? How often do users check the background of the company they are about to share identity data with? Connecting accounts without the proper due diligence potentially exposes us to increased risk of identity theft and fraud, all for the sake of convenience. It’s a trade-off that shows no signs of slowing, nor will it anytime soon.

Almost every mobile application will request access to some amount of personal data and location information in return for proper or improved functionality. This behavior has been observed for a number of years, with some applications requesting access to a huge range of personal data, data that is unrelated to the app’s core functionality.

The Intersection of Security and Convenience

One might argue that some technologies, such as fingerprint scanners, are able to take both security and convenience into account and make the two concepts inclusive, rather than exclusive, to each other.

It’s been nearly three years since Apple pushed biometrics into the mainstream, adding the TouchID fingerprint scanner to the iPhone 5s in 2013. Delivering improved security, and naturally more convenience for the end-user, TouchID quickly led to millions of people using their biometric data to verify themselves and unlock their beloved handset more efficiently.

Apple itself pointed out that it doesn't store any images of your fingerprint, only a mathematical representation of your fingerprint, kept “inside a secure enclave." But how many of those millions of iPhone and iPad users will have fully considered how that biometric information is being stored, whether it is being transmitted, and how long it will be before cyber criminals find a way to access that data? These are important questions when we are no longer talking about an interchangeable credit card number at risk, but an (almost) unique marker of our human identity.

It’s been 12 years since people started flooding onto Facebook, which currently sits at over 1.71 billion monthly active users globally. This means, taking into account non-active users, Facebook likely holds facial recognition data for over a quarter of the people on the planet. Think about that, over quarter of the population of the world has already willingly exchanged their facial data (by posting photographs) in order to use the free social network service provided by Facebook.

Last month, Google began rolling out its pilot payment system, Hands Free, which combines both facial recognition with location tracking, leveraging biometrics and location history awareness to provide better security while streamlining and speeding up the payment authentication process beyond PINs and signatures.

Meanwhile, Samsung recently revealed that the upcoming Galaxy Note 7 mobile phone will include iris scanning technology, resulting in yet another key part of our biometric passport being drawn out into the mainstream.

Every time we make an exchange to gain convenience, we are putting a lot of trust in the companies that collect our personal data. Just like username and password sets, biometrics are not insurmountable to a determined cybercriminal, and biometric data needs to be safeguarded as much as any other personal data, if not more.

Just the Beginning

Each of us will need to consider at what point our desire for convenience is forcing us to make poor security decisions or encouraging us to volunteer up our entire biometric profile and private data store to companies in order to save a few minutes each day or access a new “free” online service.

I suspect at some point we will have no choice but to relinquish this data in exchange for the services upon which our lives increasingly depend. For now, at least, we still have a choice on whether it's a fair trade.

Security & Intelligence
Advisory Firms
Law Enforcement
Law Firms
Litigation Support and Consulting
US Government
Chief Information Security Officer
Company Director or Executive
Corporate Investigator
Government Investigator
HR Manager
In-house Counsel
Information Security Professional
IT Manager
Law Enforcement Investigator
Litigation Support Professional
Records Manager
Risk and Security Manager
Software Developer
Posted on August 4, 2016 by James Billingsley