“The inexorable evolution of technology is a real threat to your privacy. Left unchecked, it will erode your privacy in ways you may not even have considered.”
Technology Breeds Complexity
Have you noticed that every new product seems to claim it will save you time and effort with its new and improved features? It’s no wonder why: Who would ever purchase an appliance that promised to create more work to accomplish a task than your current model or method?
Technology is created to reduce work, not increase it. However, there is a hidden cost to the convenience of may “smart” products: added complexity. Such a device should not be thought of as a black box in which intuitive user-experience goes in and desired complex action comes out. Rather, the more capable a product is of doing intellectual work, the more complicated it tends to be.
Reflect for a moment on some of the consumer products you own: your television, your microwave oven, your washing machine. Compare them to the products you had when you were a child, or when your parents were children, and ponder:
- The amount of “technology” they brought to their task
- The “intelligence” they had about their task
- The full set of features and capabilities available in the product
- The “user interface” presented by the product
- The “user manual” for each product
Clearly, as technology has enabled more productive and capable products, this progress has come with increased complexity.
That is our first observation: Most products tend to become more complicated as they evolve, particularly products that involve technology.
Complexity itself introduces increased risk, as the likelihood of misconfiguration is proportional to the number of knobs, dials, or settings supported by the product.
It is also interesting to recognize how product designers attempt to mask complexity. At first glance (meaning, “without having read the User’s Manual”), the modern washing machine above appears to support 576,000 different configurations the user can select. However, instead of simply providing a list of 576,000 options, the choices are presented in an intuitive and organized fashion. In addition, there is a default setting for each group that allows the unsophisticated user (meaning, “one who doesn’t understand the options, or care about them, or who is just in a hurry”) to simply accept the default settings and get the task completed. The organization of options and settings, combined with default choices for each, neutralizes the complexity for the casual user, while preserving the full array of choices for more sophisticated or demanding users.
This brings us to our second observation: Product designers tend to help us manage complexity by providing useful defaults for the many options and configurations their product supports. In fact, many products are so complex that their typical user has little choice or inclination but to accept the vast set of default values in their quest to successfully use the product. I would go so far as to say that this is one of the keys to being successful in modern life: the ability to tweak the right settings of a complex machine to get non-default behavior that is appropriate for the problem at hand. Recall the last time you used a copy-machine or printer to make double-sided copies.
Default Settings and Conflicting Interests
That might be the end of the story if we lived in a perfect world—one in which product designers always made choices about default settings that were truly in the best interest of their customers or users. I am sad to inform you, dear reader, that we do not live in such a world, and the race toward inter-connectivity has put product designers in a position where they must make tradeoffs between what is best for consumers and what is best for their company. As we will explain later, this means that one of the consequences of contemporary technological evolution is an increased risk of the erosion of privacy.
As an example, consider your web browser. It works fine right out of the box, but even a quick review of “Options” or “Settings” reveals the dozens of settings and thousands of possible combinations. Note that some of these settings pertain to privacy and security; accepting the default settings means you have empowered the web browser vendor to make those choices for you.
The delegation of responsibility to the vendor to make judicious choices regarding your privacy is highly questionable, particularly when they have a financial incentive to gather the data governed by those settings. Indeed, information on the usage of a product can have great monetary value. Call me a cynic, but I am sure that most vendors will prefer to collect as much data as legally allowed.
This brings us to our third point: The blind acceptance of default security and privacy settings, which is characteristic of most users, empowers product vendors to establish the default privacy boundary with their users, facilitating the quiet collection of usage information for their own marketing and development purposes, or even for sale.
This is the model that many television manufacturers have adopted, despite the inevitable privacy lawsuits. Many software applications, including Windows 10 itself, feature settings that share usage information by default; information that that users might not be comfortable sharing, if they were fully informed. If you every clicked “I Agree” to the terms of an End-User License Agreement (EULA), you probably agreed that you were fully informed, even if you didn’t realize it.
So if we summarize the argument thus far, we have:
- The evolution of technology naturally engenders more complexity
- Complexity increases the risk of misconfiguration
- Complexity is typically managed through default settings
- Vendors of interconnected products often have conflicting interests with respect to user privacy
- The default settings of interconnected devices do not always reflect the most restrictive information sharing configuration possible
This brings us to our concluding point: The inexorable evolution of technology is a real threat to your privacy. Left unchecked, it will by default (pun intended) erode your privacy in ways you may not even have considered.
The best way to address this reality is to routinely test and audit your systems and configurations. Only through diligent monitoring can we detect settings that jeopardize our security or privacy.
Vulnerability scanners are a popular solution, as they provide an automated solution for checking device configurations in a networked environment. They do so using “credentialed scans,” in which the scanner logs into each device and examines its software and settings. Vulnerability scanning can also help organizations to define policies regarding potentially problematic security and privacy settings for specific applications. The enforcement of those policies (to whatever degree possible) through governance can also minimize organizational risk.
A combination of properly governed Policies and Procedures, along with automated scanning offers the greatest impact at the most affordable cost.
On the other hand, if you fail to account for the creeping impact of complexity on the organization’s risk, you may unintentionally expose sensitive information, and even be put at risk of breach. Simply put, left unaddressed, your privacy and security is at the mercy of product designers.
About Affinity IT Security
Affinity IT Security Services has been helping clients maintain a safe online presence since 2009. Visit affinity-it.com to learn about our full range of cybersecurity consulting services including Vulnerability Scanning, and contact us or send email to firstname.lastname@example.org to discuss your challenges and how we can help.