Get Ready for A New Chapter in Digital Security

People are more plugged in than ever before. They carry smartphones, they wear fitness trackers, they post their information to dozens of different sites, networks, and platforms all at once, and they rarely take steps to control that unceasing flow of information. Most of the time, that’s perfectly fine. It’s even expected. There are apps just for finding out the precise location of your friends or sharing their media viewing habits. We post pictures of our night out, tag the pub, and post pictures of exactly what we ordered and how we were dressed. We freely scream our demographics and our habits to anyone who happens to be listening. It’s all part of the web of always-on everyday life, but what does it mean for your digital security?

It’s not like we mind giving up a little privacy if it means we get better service in the bargain. Maybe that pub, seeing how popular the nachos are on social media, decides to drop the price and make it a daily special. Maybe our clothing brands, seeing how often they’re represented in the dance-club crowd, bring out a new line of more practical options to cater to a demand they might not have seen otherwise.

That’s the thing with this new interconnected world of ours. The results of so many connections are often surprising, with new insights and developments sneaking out of unexpected corners. Such was the case with Strava this weekend, the “social network for athletes”, with egg on its face for accidentally exposing a wide variety of military secrets, potentially jeopardizing countless lives and accidentally sticking its foot in the mouth of geopolitics in general.

Digital Security

How did this happen?

In November of 2017, Strava released a global heatmap of the locations and exercise habits of its users. In particular, it showed popular jogging paths and running trails. All this data was, of course, anonymous, so no particular pixel could be tagged to any given user, but that doesn’t really matter when the identity can be inferred from context. A simple example: if I know it to be true that only one person in the State of Oregon is using Strava, then from this heatmap, I could tell you what city she lives in and where she goes jogging. That’s spooky but hardly a matter of national security.

It gets dangerous, though, when you combine two very important factors. First, soldiers (all over the world – not just in the US) use the app to help track their workouts and training sessions. Second, soldiers are often posted to bases (secret or publicly known), borders, disputed zones, embassies and consulates, and so on.

Sources

Nathan Ruser, a 20-year-old Australian student and analyst for the Institute for United Conflict Analysts, took to Twitter to point out several “clearly identifiable and mappable” military bases or patrol schedules that were visible from the heatmap. As well as some US military bases, Ruser identified a Turkish patrol North of Manbij, a Russian operation in Khmeimim, several operations support bases (“FOBs” for “forward operating base”) in Afghanistan, and a variety of jogging routes and trails in the vicinity of military bases and camps. If you wanted to plan an ambush, this heatmap is a practical field guide.

Adam Rawnsley of the Daily Beast noted activity around airports in Somalia, particularly the airport of the capital city, Mogadishu. Other Twitter users noted visible activity at Diego Garcia and Mount Pleasant (an RAF base in the Falkland Islands), among other known military sites, and went on to identify a suspected CIA base in Somalia, US special operations bases in Africa’s Sahel region, and a Patriot missile defense system site in Yemen.

Ruser isn’t thrilled with the lax state of milopsec (military operations security), Tweeting bleakly, “I shouldn’t be able to establish any pattern of life info from this far away”, but somehow it gets worse.

So Much for National Security…

From the Strava site (remember, this is also a functional social network), it’s possible to identify individual users from that heatmap who also posted profile pictures of themselves, on base, in military attire. As far as data mining software goes, we’ve got the tech today to pinpoint a particular user on the heatmap and tie that data into their military career, their posting and assignment, and more. It’s an extreme case and purely hypothetical. Nonetheless, if someone looking for information were to know the precise habits, description, and location of someone in a sensitive position… well, so much for national security.

Suppose the data isn’t anonymous, and Strava’s servers (which surely aren’t kept locked away behind military-grade security protocols) do indeed log the geotagging data for particular users. In that case, an enterprising individual could easily figure out precise timetables and other tactical information.

When asked for a statement, Pentagon spokeswoman Maj. Audricia Harris was quoted as saying that “[the] DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required and if any policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”

Scott Lafoy, an open-source imagery analyst, was less forgiving. While he acknowledges that it’s too early to tell exactly how many vulnerabilities this heatmap reflects, “[the heatmap itself] is literally what 10,000 innocent individual screw-ups look like. A lot of it is going to be a good reminder to security services why you do opsec and why you do [take steps to] manage this sort of thing”. He went on to add that “everyone is going to really hope it doesn’t get a couple of people killed in the meantime.”

There’s Sharing, and There’s Over-Sharing

Pentagon spokeswoman Harris was clear in stating that “annual training for all DoD personnel recommends limiting public profiles on the internet. Including personal social media accounts. Furthermore,” she went on to say, “operational security requirements provide further guidance for military personnel [and] recent data releases emphasize the need for situational awareness when members of the military share personal information.”

That brings us back to Lafoy’s ‘10,000 innocent screw-ups’. Sure, no one would voluntarily compromise their security. Unfortunately, most people just aren’t aware of the full scope of what and how they’re sharing.

For instance, no one would ever post, “Hi, my name is Andrew McLoughlin, and I live at 100 Maple Street. My bedroom window faces East.” That would be insane. But how many of us lie in bed and post “#Blessed!” from our smartphones without even pretending to disable our location tagging? A set of GPS coordinates and a quick trip to Google Street View, maybe a detour to the municipal offices to examine the plans of the house, and suddenly that post takes on a whole new character.

And that’s just Instagram.

Now, it’s easy to poke fun at embarrassing government gaffes (They should have known better! “Military Intelligence,” am I right?), but it’s scary when it’s you who gave too much away.

Are you using your Fitbit as a sleep tracker? Did you log into Netflix at the AirBnB? Did you save your home and work addresses as shortcuts in Google Maps to save time on your commute?

Take inventory:

How many different ways have you identified yourself and your personal data online in the past 96 hours? Don’t limit it to social media, but look at everything from profiles and browsing habits to hardware and network activity.

No matter how many you counted, you can be sure you didn’t get them all. In the past few years, we’ve seen:

-Google Street View mappers intercept and log data packets (that is, web traffic) from unsecured wi-fi networks as it passes

-Sites tracking individual users from just their computer specs (screen resolution, monitor type, operating system, browser build, default language, security preferences, wi-fi antenna, network speed, and so on)

-Security breaches and leaks of confidential information

-PayPal and the rise of eCommerce

-More sites asking users to create a profile tied to an email address (always keep a burner, ladies and gents!)

-the ubiquity of the smartphone

-the rise of the always-on generation

Big Data or Big Brother?

When digital marketers, data analysts, tech giants, programmers, data miners, investors, or interested parties talk about “big data”, this is the pool they refer to. You leave hundreds or thousands of footprints all over cyberspace daily, but only a handful are deliberate. Think of your interactions with cyberspace as walking through a wheat field. No matter how careful you are, there will always be a trail of bent stalks and footprints. Except in our metaphor, the wheat is actively trying to get in your way, to help you leave a bigger trace, and the farmer keeps a record of your activities.

Just recently, we told you that big data was getting bigger. People are sharing more than ever before (deliberately and indeliberately both), and more and better systems are collecting that data. The tools to parse such massive data repositories are finally field-testing and will soon become regular consumer technologies. As far as privacy and security go, it’s going to get worse before it gets better.

What Can We Do about Digital Security?

It’s impractical to stop sharing, in the same way, that it’s impractical to live completely off the grid. It can be done, but so much is lost in the bargain that it’s hardly worthwhile. The best thing you can do is to try to control the flow of information you put out and protect your digital security. Sign up for different profiles with different email addresses. Dedicate one email address only to online purchases, for shipping, and keep your address and physical location data away from the others.

If you’re signing up for a smaller site, use a burner address. Disable location services whenever you’re not using them. Use a VPN on your phone or computer to mask your IP address whenever practical. Get rid of the Facebook app (and any other apps) if you can access those services through your browser instead. If you work in any kind of sensitive industry, keep a separate device (an old cell phone, or a tablet, even) for work, and never use that device for any of your personal profiles. It’s not much, but it’s a start.

How to Practice Responsible Digital Marketing

Since our industry began, the big push in digital marketing has been for more data collection, more data mining, more sources, and paper trails. That was useful to a point. That push took us a long way, but the waves are starting to break. We have lots of data, and only a fraction of it was given to us voluntarily. There’s something that doesn’t sit quite right about marketing content or selling products to consumers under false pretenses, and right now, we have them at a significant disadvantage.

We talk a lot about transparency, but we rarely consider the inherent power dynamic that our work comes with. Our work is dangerously close to espionage. When we do our job well, we learn about our audience. We find a way to produce content that will make a meaningful difference in their lives. If we’re not vigilant and respectful, our job is more about spying on customers and using that information to sell them things. It’s a fine balance but a tremendously important one.

Being more open about the kind of data we collect, how we process it, and what steps we take to keep it anonymous is imperative for any good digital marketing agency. Just as its incumbent upon any social network or app to be clear about the potential risks with using the service.

Bottom line

Deception is bad business.

We learned almost half a decade ago that link farming and spammy content were hurting the industry as a whole. So, we moved away from these practices. We may be coming up on another learning experience. We owe it to ourselves and the internet as a whole to govern ourselves with decorum during this transition.

Colibri Digital Marketing

We’re the San Francisco Digital Marketing agency in the heart of Silicon Valley. We’ve got our fingers on the pulse of the tech industry, and the responsible use of personal data is something we put a lot of stock in. We’ve got a track record of superb digital marketing service for our clients.

Curious how your digital presence is holding up? Click below, and schedule your free digital marketing strategy session!