The Assumption Of Privacy – NOT!
Pierluigi Paganini, a fellow security blogger in Italy, wrote about a situation with Vodafone where a Vodafone employee rummaged through a journalist’s texts and phone calls to try and find the source of a story that the journalist wrote which was critical of Vodafone’s security.
The journalist, Natalie O’Brien, pictured above, described it as “creepy and nauseating that someone has been trolling through your mobile phone account …”. “The invasion of privacy is devastating. It plays with your mind. What was in those texts? Who were they to? What did they see? What did they do with the information?”
The incident was reported to the privacy commissioner – who knows what the outcome of that will be and when. The incident occurred in 2011/2012.
Vodafone does not deny that an employee did, in fact, rummage through Ms. O’Brien’s account.
What they denied is that Vodafone management told this employee to do it. This is called plausible deniability in the intelligence community and the military. Don’t tell me what you are doing so that I can say that I didn’t know, with a straight face.
Whether Vodafone management did know about it or not is less of an issue for me.
What is at issue is that anyone, never mind a journalist, thinks that anything that they do online (which includes mobile phones) will remain private if it is of interest to someone with some motivation and resources. UNLESS they take proactive measures to protect it.
I do not only mean the NSA or GCHQ. Nowadays, many hackers have resources as well.
Do I mean someone doing a password reset on your account? Or socially engineering an employee to get information? Or an authorized person doing something outside the scope of their authorization? Yes, yes and yes. Not to mention a dozen other ways to compromise your so-called private data.
Glenn Greenwald, who leaked the Snowden papers, went to extreme measures when meeting with Snowden, including such things as removing the battery from his cell phone. (There was an iPhone involved also, which does not have a removable battery. That phone they put in the freezer; the freezer makes a reasonably good RF radiation shield.)
For the average bear, the best solution is commercial encryption. I don’t mean, by the way, encryption such as what Google or Yahoo use. In those cases, they have the key, so unless someone breaks into their data center and walks off with a server, that encryption does not help much. Don’t get me wrong – it is not bad – but there are so many ways around it that it is of limited value.
Likely, most of the time the stuff you talk and write about is not of great value (let’s meet at 1PM, do you need anything at the store or what do you want to do for dinner), so the steps that you go to in order to protect that are minimal.
There are, however, other times, when the conversations are of value – for example, a conversation between a business owner and her attorney regarding a takeover strategy. The takeover target and/or a stock speculator might be very interested in that. Different levels of protection are advisable in that case.
I guess my key point here is that you should not assume that your digital adventures are private. Former CIA Director David Petraeus got taken down by his digital breadcrumbs and he didn’t even SEND the emails. Of course, he should have known better, but that is another story.
Information for this post came from SecurityAffairs.co.