Data breach fatigue, RE: The New York Times
Back in August of this year, Christopher Mele of The New York Times wrote an article entitled “ Data Breaches Keep Happening, So Why Don’t You Do Something?”. In his article he brought to light a term coined recently, “Breach Fatigue” which could also be referred to as “Data Breach Fatigue”.
Due to an increasing number of large institutions ( Yahoo 3 Billion, Marriot 500M, Equifax 146M, and so many more, even LinkedIn 167M) being affected by data breaches, and the quantity of data being breached, people are becoming numb to the idea of their data being compromised. Given the scale of the Yahoo data breach, chances are if you’re reading this, you’ve had your data compromised through no fault of your own. Troy Hunt a Microsoft Regional Director built a tool for you to check if your data has been compromised by one of these breaches, aptly named Have I Been Pwned.
Thankfully, the majority of people who have had their data compromised in these breaches have not been personally affected by identity theft, fraud, or hacked accounts.
“Using Measures of Risk Perception to Predict Information Security Behavior”…
An experiment performed by Dr. Anthony Vance and a number of other researchers as referenced in The New York Times article, showed that individuals are more likely to heed security warnings and take actions to protect their data if they have been personally burned in the past. This cycle of data breach without the consequences for the individuals affected, is causing people to feel a sense of “data breach fatigue”. An even more concerning situation than before the major breaches occurred, as people begin to lose sight of the importance of keeping their data protected.
This brings us to a divide, where on one side people are saying it’s not important (or realistic) to protect their data anymore. Arguing they can’t reasonably protect their data with the proliferation of social networks and cloud services where you give up control of your data to another organisation.
On the other side, you have people trying hard to protect their data and are often inconvenienced. Not using social networks, not backing up their data to cloud platforms, not syncing their phone contacts or images, and so on.
Something is missing. It doesn’t have to be this way does it? Can we not have both digital convenience, and the confidence in knowing our data is secure?
How cloud providers and social networks protect your data
At the root of the problem is something very fundamental to how social networking sites and cloud service providers handle data.
When you upload a file to a cloud storage platform, or it’s synced automatically from your phone, or you send an email to someone — that file is encrypted between your phone and the social networking site or cloud service provider using a technology called TLS. This protects you from malicious parties that might be eavesdropping on your internet connection (for example the government, or a hacker at your coffee shop), we call these parties threat actors in the security world.
Some cloud service providers take it a step further and provide “encryption-at-rest”, typically to satisfy contractual or regulatory requirements. This protects your data from a thief stealing the physical storage drives from the cloud service provider’s data center, or the the company mishandling the disposal of old storage drives.
The potential threat actors that haven’t been mitigated by these processes include the social network or cloud service provider themselves, or anyone that may compromise them.
As these social networks and cloud service providers grow, hire more staff, gain complexity at an organisational and technical level. It becomes more and more difficult to prevent a malicious party or threat actor from gaining access to the data these organisations manage. Increasing the risk of a data breach.
What can we do?
A couple cloud service and data communication models exist today that allow companies to build platforms that are convenient for you (the users) to use, without them (the company) having any access to your data. Hence, if they as an organisation are compromised your data still remains safe, and you are able to enjoy the convenience of using their platform.
The first of these models is end-to-end encryption. This model typically utilises a public key encryption model and is great for data communication. In a nutshell, public key cryptography is where two individuals have their own public/private key pair, which they use to encrypt a message back and forth and verify the author of that message. If you want to understand more about the technical, feel free to checkout Wikipedia or the EFF. A well-designed easy to use application makes the encryption seamless so the user doesn’t have to think about it.
A glimmer of hope, has shown this model to be picking up steam with major social networks and apps.
An example of this is WhatsApp (one in six of you have this app installed) who four years ago working with Signal, implemented end-to-end encryption for messages and media. WhatsApp’s parent company Facebook has offered end-to-end encryption on their messenger platform, unfortunately you have to enable the functionality manually.
Signal is a mobile app that pioneered end-to-end encryption starting out as TextSecure & RedPhone in 2010, providing encrypted SMS functionality and end-to-end encrypted voice calling. Today Signal still provides end-to-end encrypted voice calling, but has dropped support for encrypted SMS focusing instead on mobile-data/WiFi based end-to-end encrypted messaging much like WhatsApp.
PGP/ GPG, I’m including PGP and GPG here as if I don’t, I’ll hear about it from some of you. This is typically used in email-to-email communications, and as much respect as I have for this technology (I have used it in the past, and continue to maintain my own key). They unfortunately haven’t stood up when it comes to ease-of-use and making the user experience seamless.
Zero Knowledge Services
The second model (closely related and sometimes integrated with end-to-end encryption) are services under the category of zero knowledge services. This is a term that has not been used widely, as the number of platforms today operating under this model are small. These platforms operate without knowing anything or very little about the users they support. Again this is accomplished through cryptography and may use symmetric or asymmetric (public key) cryptography. Symmetric cryptography can be thought of as very similar to a password for logging into an account, it can be used to unlock the account, or in the case of cryptography unlock an encrypted set of data. This key is usually a finite length, and very random unlike a password. With strong symmetric cryptography, it’s mathematically impossible for one to gain access to an encrypted data set without the key. If you want to understand more about the technical, feel free to checkout Wikipedia.
Platforms operating as a zero knowledge service typically retain encryption/decryption keys client side (in browser, in app, etc…) and store encrypted data on the platform in the cloud. Majority of the application is running client side (where the data can be decrypted), which is very common now a days with the proliferation serverless. Unfortunately, not many platforms out there support or operate on this zero knowledge model. Possible reasons include, application development complexity ensuring confidential data is not communicated to back-end systems unencrypted, free platforms that rely on selling your data, and even government pressure.
How to identify services that are end-to-end encrypted or zero knowledge based
Organisations that operate on an end-to-end encrypted or zero knowledge service model typically take pride in their technology and service offering and advertise it using these terms. They may even provide technical documents that explain in technical detail how their encryption methodology works.
Organisations that you see explicitly only mention SSL/TLS, encryption-at-rest features, typically do not provide end-to-end encrypted or zero knowledge based services. Be hesitant when storing your data with these organisations, as they are just as susceptible to major data breaches of your data as we have seen in news reports time and time again.
If you have to use a platform or service that does not provide zero knowledge services, I recommend reaching out to them and asking them about their encryption functionality and ask about client side encryption. This will help drive a change in how companies protect peoples data.
Until the major companies that handle and manage our data start using service models that incorporate client side cryptography, we will continue to see data breaches at large organisations affecting millions and sometimes billions of people.
We have the technology to eliminate this problem. The only question is will people demand this technology be adopted. As tech professionals will we step up our game from simply doing TLS and encryption-at-rest, and start building end-to-end encrypted, zero knowledge based services.
With the use of client side encryption in models such as end-to-end encryption and zero knowledge services, we can have both the convenience of social networks and cloud service providers and the confidence that our data is secure and not at risk of being breached.
Not all use cases are compatible with zero knowledge based services, but with enough ingenuity many of the services offered today could leverage it’s promises.
Like, Comment, and/or Share if you thought the content here was interesting, worth sharing, or have your own thoughts!