Monday, 21 September 2020

Lions and Tigers and Bears, OH MY! (Data Security, app bans, and National Security)

Once again, the current US President (No 45, in this case) is making a mountain out of a molehill.

Just, in this case, not much of one, and for one of the small number of instances in his tenure as El Prez, he's actually hitting on a genuine (NOT FAKE! WOW!) issue. 

A Judge in the USA has issued a 'stay' order, preventing the US Government (USG) from denying US internet users the ability to download certain Social Media (SM) platforms, these being of Chinese origin - in this case, specifically WeChat.

Boiled down, the USG has said that the Chinese-operated SM platform, which also routinely censors information that the Chinese Government does not like (such as information on SARS-CoV-2, or COVID-19), threatens US National Security through its "malicious" behaviour of seeking out and downloading user data of many forms, such as network activity, location data, and browsing and search histories.

OK, then can we expect bans for FB, Twitter, Instagram, and all the other SM platforms that apparently regularly dive into user data with apparent freedom?! No? Quelle surprise, mon ami.

Many applications (and there's another misuse of language that I'll get into in another post before long! Watch this space 😉 ) note user data, and it's not just limited to network activity, location data, and browsing and search histories; they'll look for telephone logs, activities, who you're talking to that very moment, your contact lists, and so much more besides.

For YEARS, security analysts and companies have advised users of these packages that they MUST examine the 'permissions' that these things demand access to, in order to allow users to actually use the packages, and deny those that try to overreach the amount of permission that actually need in order to operate. You really should be asking why they need access to all this information, folks. Taking a photo should not generally need, for example, access to your contact listings. Point made?

Now, while acknowledging that There Ain't No Such Thing As A Free Lunch (a.k.a. "TANSTAAFL"), these 'apps' also often allow 'in-app purchases', sometimes only offering the use of a credit/debit card payment system, instead of, for example, GooglePay, or PayPal, or similar (which omission also tends to breach their agreements with the major operator platforms such as Apple and Google, but that's another story).

So, by allowing these prying 'apps' access to your inside leg measurement, you're also giving them the keys to your bank as well. Really smart. Not. Remember, there have been documented cases of peoples bank accounts being plundered by rogue 'apps' (do a search on your preferred internet search engine if you want to see examples of this). Always check those permissions, people. If they are asking for odd and extensive 'permissions', you really MUST be asking "WHY?".

From a National Security angle (and I've been both a Reservist and a Civil Servant in the employ of Her Majesty's Government, so I know whereof I speak), government employees should be required to adhere to a kind of SM limitation agreement, in the form of either requirements under primary law (which we have in the UK with the Official Secrets Act), or Non Disclosure Agreements (NDAs) (which is the only option in the USA, due to the 1st amendment rights to freedom of speech). The idea that users personal data being used by the Chinese is some form of national security issue is not much of a stretch of credulity, but it is a stretch, none the less.

A more realistic threat to US National Security would be those SM users with access to classified information. Far better, I think, to require people with clearances that the USG is concerned about, to restrict them from using SM as much as they do. Enforceable Usage Policies (and specific NDAs for those forms of access) in return for clearances seems to be the best way to approach this: The willing surrender of certain privileges/speech rights in return for access seems to be a fair deal, to me.

So, while the USG and El Prez are doing a Chicken Little, and it actually is an issue, it's just not much of a National Security issue comparatively speaking, and a wholly preventable one if people use a little common sense, by having SM users engaging a few brain cells and asking if an 'app' actually needs those odd and extensive permissions.

Of course, that's another issue too: Common Sense.

Yeeeaaaah. Let's not go there today, eh? 😉

1 comment:

Rob said...

The amount of drama that's gone into this is absolutely ridiculous, IMO.

First, yes, people in sensitive positions shouldn't be using Chinese-controlled social media. Period, bang, full stop. People in sensitive positions should also be getting regular training in emerging social media threats, though, and I imagine "Chinese social media is bad" gets repeated there fairly frequently, as well as the "and here are the employment consequences if you use Chinese social media" segments.

But so much of this, Rog, just seems like ... like Trump doing his best to stir up even more ruckus, to keep the electorate disoriented and confused. That's what he does: that's what has historically worked out very well for him. So my inclination is to look at this, call it a non-story, and move on.

But I will absolutely, without reservation, concur: social media in general, and especially Chinese social media, carries with it some grave risks.