Are the usual suspects the only problem?

When we talk of communication security, we are reminded of various threats from the usual suspects such as:
  • Insider threat, tool bloat backlash, hackers, state actors with terrorism in mind, mobile device security and enterprise vulnerability, etc.

We recently discovered all of the above issues are trivial compared to reality.

Today, networks and communication technologies are not at all secure. Everything is broken. Everybody is vulnerable. Even the pillars of trust in capitalism are all in question today[1].

Let us see how.

Secrecy usually attempts to hide information that can be gleaned through simple observation and analysis from others, while privacy attempts to keep communications between people from being intercepted. Today, at an individual level there is neither security nor privacy.

Let us look at a simple example. Advertisers push medical advertisements based on the open transcripts of a voice message that a doctor leaves on a patient's voice mail. This voice message gets transcribed and sent as an email to the patient's email address and finally to a smart device. The email service provider mines the transcript, and the advertisers then push competitor medication advertisements. Sounds familiar?

Today, it is a common practice for employees to work remotely using their computer. They communicate via corporate communication tools and sometimes outside of corporate boundaries and communication channels. We carry in our pockets devices that are capable of storing gigabytes of data and are equipped with mass distribution capability.

Enterprises are developing capabilities and strategies based on what they think their competition will be able to do. Unfortunately, corporate IP (which can be a new strategy, technology, patent, IPR, solution, product, partnerships, R&D, procurement, customers, etc.) is vulnerable to modern technology and tools, which are being leveraged by 3rd parties to gain access to such secrets and distribute them beyond the set of people authorized.

Today, tools exist to narrow down the identities of individuals, a group of individuals or corporate traffic. Using these tools, outside entities can glean information about what corporations or certain individuals in corporations are doing. This information can be used by investors in investment decisions. For example, "Apple's practice of sourcing its components from a certain vendor" can be used in buying the shares of that vendor company. Capabilities exist to collect information from individuals or entities without breaking any insider information/trading laws.

Let us illustrate this by taking into consideration the following case study:

Online Retail Transaction - Case Study:

Gmail, Hotmail or Yahoo mail services are widely used around the world, especially in the US and Europe. Every retail transaction is tied to an email address. Whenever a retail transaction is completed, the retail consumer receives an email confirming the transaction at the email address provided to the retail merchant. The email consists of the details of the transaction and shipment details. Several follow-up emails are sent regarding when the shipment is made, when it is going to arrive with tracking details, etc. All of these emails are in clear text, and the email service providers have already obtained our consent to parse through our emails in order to provide us better services.

To understand the kind of information that the email service providers have at their disposal, let us take a look at a real retail transaction.


[Figure: details of a retail transaction in an email to a consumer]

The information in the above email is sufficient for email service providers to know exactly which product was bought by the consumer. From these emails, email service providers can estimate how many people bought what kind of products. Furthermore, email service providers (or any 3rd parties that do business, like advertising, with them) can predict the strength of sales of a particular product and whether the company can meet or beat Wall Street estimates.

Based on Comscore October 11, 2011 and January 2012 reports, the number of subscribers using the web email services Gmail, Hotmail and Yahoo is given below:
  • Gmail has 350 million Gmail users
  • Hotmail has 350 million email users
  • Yahoo has 310 million email users

In FY 2011, Apple Inc. sold a total of 121 million iPhones, iPads and Macs. Let us assume that a small percentage of these transactions (say 5%) used one of the above email services for their retail transactions. This would result in approximately 6 million transaction-related emails with the web email service providers, or around 2 million transactions at each of the above email service providers.

Statistically, one does not need more than 30,000 randomly selected samples to estimate an accurate earnings outcome for a given product/corporation with a high degree of confidence in the result.

But the amount of information available above is at least an order of magnitude more than what is needed for predictive analysis of Apple Inc.'s numbers. Before Apple Inc. can gather and analyze its numbers for the quarterly earnings release, much of the insider information is already available to a small set of outside parties, which are in the business of making money with that information.

The issues discussed here are not just related to privacy, as a lot of academics and regulators are projecting them to be.

And then, nowadays we see glorification of hacker culture and talk of breaking things in the name of innovation. What will happen if our capital markets are broken again? Are we prepared for such a global event again? As a reminder, the housing bubble was a $7 trillion disaster, borne by ordinary unsophisticated individuals. Whatever excesses were committed, they were committed within legal boundaries. Regulators had no clue as to what was brewing at that time.

There are solutions available to fix the above issues and make retail transactions completely secure. But it takes resolve, and backing and support for whoever takes it on, to provide unified solutions that could be seamlessly deployed over underlying OTT platforms.

Again, we believe the implications of this state of affairs are profound. We are all in the open, individuals and corporations alike. Our societies and their structures will be at stake if these issues are not addressed properly and on time.

In general, regulators need to play a major role in understanding the dynamics and complexities of the existing technologies and the potential dangers they pose. Even if regulators start acting now, it may take several years to have regulations passed and broader solutions in place to fix these kinds of problems.

So, now the question is where are we heading? The security topics discussed today by solution providers (or in publications/journals/blogs) are merely a superficial manifestation of the real danger that is out there. What do you think? Should we be proactive and act now and do something before we see the proof?


[1] Insider Trading: Insider trading is the trading of a corporation's stock or other securities (e.g. bonds or stock options) by individuals with potential access to non-public information about the company.

Insider Information: Insider information is knowledge about a publicly traded company that could be used to an investor's advantage. Knowing about a company's significant, confidential corporate developments, such as the release of a new product, could provide an unfair advantage if the information is not public, that is, if only a few people know about the developments.

Comments

  1. A unique and in-depth observation. After reading this I wonder if there is such a thing as privacy or not. Are we human or consumer?

  2. Agree with the need for a new paradigm to address these issues... Paradigm shifting is about new, out-of-the-box solutions, as incumbents are embedded in their own paradigms plus are not in a hurry to cannibalize their own products and markets! Best of luck -- would love to see additional posts on possible solutions with new paradigms from you.

  3. Well listed and expressed with examples. Such an issue needs to be spoon-fed to the common people to make them realize what potential impact this can have on their daily life. Only if it gets rooted in the common man's mind will pressure start on the email corporations, and amendments might pick up in making these transactions more secure. Find a tube video, for example, that explains the credit crisis in a simple way:
    http://www.youtube.com/watch?v=bx_LWm6_6tA

  4. This sounds scary. Now people will start losing everything, if not guarded.
