

Re: [projectvrm] Fwd: [ PFIR ] Proposed California law requires site privacy polices not to exceed 8th grade language and 100 words


  • From: T-Rob < >
  • To: Drummond Reed < >
  • Cc: Alan Mitchell < >, Judi Clark < >, , mary hodder < >, Phil Wolff < >, Project VRM < >, Sean Bohan < >
  • Subject: Re: [projectvrm] Fwd: [ PFIR ] Proposed California law requires site privacy polices not to exceed 8th grade language and 100 words
  • Date: Fri, 15 Feb 2013 13:52:28 -0500

> At first I saw how long this message was and thought I didn't have
> time to read it. But T-Rob is a compelling thinker, so I started reading
> it...
>
> ...and couldn't stop.

Thanks for the kind words. And at the risk of abusing the privilege...

> Why would anyone agree to this??

Once you pays yer $30k there's a BIG incentive to agree to it if the SYNC
is why you bought the car. I might have gotten away with returning the
car on the basis of the dealer failing to disclose the TOS prior to
purchase, but the non-Sync features are compelling. We ended up just not
using the Sync features. My wife has some limited mobility and the car
has a helluva rear-view camera, proximity warning systems and blind-spot
alerts light up in the mirrors, none of which require Sync activation. She
probably won't let me buy her another car until the Google self-driving
ones are available.

On an interesting note, if you see a shady-looking dude sitting in a
parked late-model Ford you can be pretty certain he's not a criminal. Or
at least if he is, he's a dumb criminal. Can you imagine the next Gambino
boss getting taken down because of the Whole Call Recording capturing him
planning something nefarious?

Let's take this a bit further. We all know that photo/video recording is
often legal where audio recording is not. Ford have created an
environment that provides warrantless access to all your car telematics
and voice utterances. So they know who you are, what you said and where
you were when you said it, what direction you were travelling and how
fast. No more burden of proof on the government to provide a witness who
puts you in the car at a certain place and time or that you weren't
speeding. You have basically waived your right to not testify against
yourself.

Why warrantless? Note the privacy policy:

"Syncmyride.com will disclose your personal information, without notice,
only if required to do so by law or in the good faith belief that such
action is necessary to: (a) conform to the edicts of the law or comply
with legal process served on Ford Motor Company or the site; (b) protect
and defend the rights or property of Ford Motor Company and this site; or,
(c) act under exigent circumstances to protect the personal safety of
users of Ford Motor Company, its web sites, or the public."

So all they need is a "good faith belief" that disclosure is required. Or
that it *would* be required if the agent asking had brought a warrant. But
since it's the government asking and we trust the request because it
originates from a trusted entity, here's your data.


The Ford policies are an example of why I'm so concerned about data
security, crypto and roots of trust. My usual customers include national
infrastructure targets so I'm painfully aware of the level of
sophistication brought to bear in attacking them. But anyone who does not
think that a personal cloud vendor would be just as attractive a target is
deluded. Attacks are generally motivated by money, espionage (industrial
or state), or activism. When individuals are targeted today, it is
usually because of their economic or political value. They are rich,
powerful, directly connected to the rich and/or powerful, or they have
celebrity. Typically financially motivated attacks are against technology
such as your browser or a specific piece of software rather than targeted
at specific high-value individuals. However, the money gained from these
attacks funds criminal enterprises and enables higher-level attacks on
individuals and infrastructure.

Why are attacks on targeted high-value individuals not more common? For
one thing, because your data is spread across so many vendors. It
currently costs so much to gather up lots of data about specific
individuals that the threshold of "high-value" is military targets,
corporate execs, and so forth. There is some effort in the black market
to aggregate data and this is leading to long-game cons where an attacker
gains enough information to sell your house out from under you, collect
the payout in cash and then disappear. The risk of a few large-value
transactions is a lot less than making the same money using retail credit
card merchandise transactions. This makes attacks on homeowners as
lucrative as compromising business bank accounts, except that they are a
lot less risky and there are a helluva lot more homeowners than corporate
treasury officers. But we haven't seen a lot of this because the source
data is aggregated from random breaches and doesn't correlate well. Once
we are kind enough to begin aggregating our own data, expect a spike in
attacks targeted on individuals and significant reduction in the floor on
what constitutes a "high-value" target.

Also expect a change in the focus of individually targeted attacks. Rather
than look for individuals with high net worth that can be directly stolen,
attackers will begin to look for individuals with influence within
moderate- to high-value business targets. If you breach a personal cloud
provider you are bound to find at least a few people who don't want it
known that last week they purchased a Fleshlight, rubber sheets, 5 gallons
of honey, a case of gummy worms and a signed poster of Noam Chomsky. The
next day a money mule will walk into that person's place of employment,
provide a code word and the target will simply hand over the money from
the cash drawer. The ability to so completely compromise large
populations of individuals is so attractive that personal clouds will be
subjected to continuous sophisticated attacks in the same way that banks,
Google, Amazon, military and other high value targets are today.

It won't only be criminals. The US government has consistently abused
every law that suspends or reduces civil liberties and there's no reason
to suspect they would suddenly exercise restraint or conform to any new
laws put in place that treat these information caches specially. If the
aggregated data are readable by the hosting provider, it *will* be
available to government. But if we use current technology to safeguard
the data so only the individual can issue temporal keys to view it, we
know individuals as a population suck at managing keys or picking security
over functionality. Large subsets of the population will not suspect that
a free personal cloud hosting provider might have an income derived from
something other than advertising to them. We've also seen some recent
court decisions that you *can* be compelled to provide your encryption
key. Rather than testifying against yourself, it is treated similar to a
physical object that you can be compelled to produce. The cases where
these keys were compelled were where the defendant had aggregated a
database of incriminating evidence that the prosecution had otherwise been
unable to prove by going after the many sources of the data. Sound
familiar? (Incidentally, one was a mortgage scam.)

I've been doing this long enough to have seen problems related to
durability. Entire categories of electronic signatures have been
invalidated over the years. In some cases because the algorithms or key
lengths used are now obsolete. In other cases because the root of trust
was compromised. For example, if you have a contract or data
electronically signed by certs of DigiNotar parentage, you are now unable
to validate those signatures with confidence. If personal clouds had
already been in wide use, the bulk of them owned by citizens of The
Netherlands, as well as global transactional history networking out from
there, would all now be suspect at best or unusable as evidence in court
or for commerce at worst. Unfortunately, considerations of durability of
secure data are largely confined to bulk data archiving technology. Most
discussions of security are focused exclusively on instantaneous
authentication, authorization and privacy of live connections and
transactions and any assurance of durability is based on trustworthiness
of the custodian.

This is why I'm dubious when people tell me we don't need to encrypt
and/or sign individual datums. I am interested in the ability to verify
authenticity and integrity of data over time. Up to now our electronic
systems have relied almost entirely on context to assure these things -
the context of the connection to a trusted source. But increasingly we
see that the trusted sources are themselves breached, exposing massive
quantities of data in one fell swoop. Worse, when the roots of trust are
breached we lose integrity and authenticity assurance across large swaths
of the Internet and massive quantities of data all at once. We have seen
multiple instances of this and have no reason to expect the situation will
improve. In fact, the recent policy changes by the CA/Browser forum were
intended to improve the situation, but only for their chartered use cases
of certs in browsers and email clients and for code signing.
Unfortunately, the cascading effect has been to erode security in every
other use case where CA-signed certs had formerly been common.

When I bought my Ford, the features were so compelling that I disabled
Sync and ignored the Draconian TOS and privacy policy. That's what people
do. That's why every new blockbuster technology that isn't specifically a
security technology is broken in V1 and stays that way until people
believe they are statistically likely to be victims of a breach.
(Firesheep, anyone?) That's why we have defibrillators that can be
remotely directed to deliver a lethal shock and the security around that
remote connection is broken. Same situation with infusion pumps,
automobile control systems, smart meters, home automation and more. People
must either believe a breach will be personally catastrophic or
statistically probable before they care about security, and when they do
begin to care they believe it is the vendor's responsibility, not theirs.

Personal clouds and VRM have that potential to be blockbuster, paradigm
changing technologies. They are in that category of technology that is so
compelling users will accept assurances of security without demanding
proof or paying more for it. If I were a criminal organization actively
running cyber attacks, I'd be busy funding personal clouds and VRM groups,
the consultancies that will bring VRM to large Enterprise, and finding
ways to silently support any persuasive and vocal evangelist. The best
case for criminals is that personal clouds are broken at birth. But even
if we get it massively right, you still end up with data that is
aggregated cleanly and accurately to individuals across a much broader
spectrum of sources. This dataset is the Holy Grail of cybercriminals and
impossible for them to do at scale today. This gives the criminal the
most attractive possible target short of direct compromise of the bank
itself, a very large attack surface, and a victim population notoriously
bad at managing keys and also vulnerable to social engineering, phishing
and so forth. And that's the *best* case if we do everything right.

It is naive to think we could do this without some percentage of
implementations being breached. Our duty then is to consider what is an
acceptable percentage of loss and the much greater potential impact of
that loss to individuals than is present in current systems, and then
build in mitigation. The mitigations may include keeping some level of
data partitioning so that several physical clouds form a logical one. It
may include encrypting and/or dual-party signing the data elements as they
are produced, independent of storage and transmission security, and
possibly using multiple roots for each party in case one is broken. It
may need to include honeypot services to provide fake but traceable data
to detect breaches and identify their sources. As we move forward I'm
sure many other mitigations will suggest themselves, hopefully due to
forward thinking rather than hindsight in the wake of a breach.


I neglected to post the Ford TOS and Privacy Policy links last time:

http://www.syncmyride.com/Own/Modules/PageTools/Privacy.aspx
https://secure.syncmyride.com/Own/Modules/AccountManagement/SLRegistration.aspx
(TOS is buried behind a click-wrap button on the reg page.)

- T.Rob


wrote on 02/15/2013 03:54:52 AM:

> From: Drummond Reed
> < >
> To: T-Rob/Charlotte/IBM@IBMUS,
> Cc: Alan Mitchell
> < >,
> Judi Clark
> < >,
> mary hodder
> < >,
> Phil
> Wolff
> < >,
> Project VRM
> < >,
> Sean Bohan
> < >
> Date: 02/15/2013 03:55 AM
> Subject: Re: [projectvrm] Fwd: [ PFIR ] Proposed California law
> requires site privacy polices not to exceed 8th grade language and 100
> words
> Sent by:
>
>
> OMG.
>
> At first I saw how long this message was and thought I didn't have
> time to read it. But T-Rob is a compelling thinker, so I started reading
> it...
>
> ...and couldn't stop.
>
> And Rob's right, you better be sitting down when you read the end.
>
> I literally can't believe there hasn't been a full-blown privacy
> revolt about the Ford SYNC terms. Why would anyone agree to this??
>

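The per-element signing sketched in the mitigations above (each data element dual-party signed as it is produced, with more than one root per party so that a broken root can be revoked without the record becoming unverifiable), as an added Go example that is not part of the original message or of any project's code. The party names, root IDs and the telematics element are constructed, and a root key that signs elements directly stands in for a certificate chain ending at that root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Root is one independent trust anchor held by one party (individual or vendor).
// Hypothetical simplification: it signs elements directly, standing in for a chain.
type Root struct {
	Party, ID string
	pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
}

// Sigs holds one signature per "party/rootID" and travels with the element it covers.
type Sigs map[string][]byte
func NewRoot(party, id string) Root {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Root{Party: party, ID: id, pub: pub, priv: priv}
}

// SignElement has every root of every party sign the element as it is produced,
// so a later root compromise costs each party only one of its signatures.
func SignElement(data []byte, roots []Root) Sigs {
	sigs := Sigs{}
	for _, r := range roots {
		sigs[r.Party+"/"+r.ID] = ed25519.Sign(r.priv, data)
	}
	return sigs
}

// Verify accepts the element only if every required party still has a signature that
// checks under one of its trusted, non-revoked roots (a missing signature checks false).
func Verify(data []byte, sigs Sigs, trusted []Root, required []string, revoked map[string]bool) bool {
	for _, party := range required {
		ok := false
		for _, r := range trusted {
			if r.Party == party && !revoked[r.ID] && ed25519.Verify(r.pub, data, sigs[r.Party+"/"+r.ID]) {
				ok = true
			}
		}
		if !ok {
			return false
		}
	}
	return true
}
```

Revoking one root per party leaves the element verifiable; revoking every root of a party, dropping a party's roots from the trust list, or altering the data makes it fail.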