Future Crimes


by Marc Goodman


  Though the 2003 Northeast blackout and the Deepwater Horizon disaster were by all accounts accidents, they provide useful insights into the tremendous harm that can stem from computer system malfunctions. Whether a computer system fails because of accidental or criminal action, however, is only a question of intent. Given the large number of bugs in modern computer code, what might come to pass if malicious intent were applied? The very same technology that can save the world and enable globalization can be used by radicals, criminals, terrorists, and governments to destroy it.

  Unfortunately, once a cyber weapon is released into the wild, it does not die. It can be repurposed. Unlike conventional bombs, which explode into a million parts when dropped on their targets, weaponized malware can be used over and over again. Though military and intelligence officials may spend millions of dollars secretly developing a particular weapon, computer code is easy to copy. Once released, it becomes available to hacktivists, crime groups, and terrorists to exploit for their own purposes, enabling new forms of cyber-weapons proliferation.

  Think of it as a virtual Molotov cocktail that, once lobbed their way, can now be thrown back over the fences at us. We’ve already seen this happen as criminal organizations and rogue governments have copied the code designs initially used against them and repurposed them for their own attacks. As computer code continues to be weaponized, attacks like these will become both more common and more sophisticated.

  It is unsettling but true that to date no computer system has been created that cannot be hacked—a sobering fact given our categorical reliance on these machines for everything from communication to transportation to health care. Not only are the passwords and system checks that left Mat Honan so vulnerable a farce, but so is the software we use to run the world. Plainly stated, when everything is connected, everyone is vulnerable.

  The power of Moore’s law applies not just to the positive aspects of technology but to its negatives as well. With Moore’s law come Moore’s outlaws—criminals, terrorists, hacktivists, and state actors who exploit technology at will. They are keenly aware of how to take advantage of system complexities and poorly written software to wring what they want from our rapidly developing technology-based civilization. With all objects transforming themselves into computers and all computers run by code, these powerful new illicit actors clearly understand that if you control the code, you control the world.

  But it’s not just criminals and rogue governments that we should be worried about. Often, the very companies and organizations that we count on for protection, advice, and entertainment are leaving us incredibly vulnerable, for they too control the code that runs our lives.

  CHAPTER 4

  You’re Not the Customer, You’re the Product

  The truth will set you free, but first it will piss you off.

  GLORIA STEINEM

  Parkinson’s, relapsing remitting multiple sclerosis, necrotizing fasciitis, acute lymphocytic leukemia, childhood-onset diabetes, HIV, amyotrophic lateral sclerosis—a diagnosis of any one of these diseases would undoubtedly strike fear in the hearts of most patients receiving such life-altering news. In years past, individuals with such illnesses would have found themselves depressed and alone, unable to discuss their plight with others who knew exactly what they were going through. Moreover, the paucity of comprehensible medical information written for actual human beings would have further isolated these patients from friends and family. That is why Jamie and Ben Heywood (whose brother was diagnosed with Lou Gehrig’s disease) founded the Internet site PatientsLikeMe.com—to allow visitors to share their stories and connect with others going through the exact same health trials and tribulations. Since the site’s founding in 2004, it has grown to a global community of more than 200,000 patients diagnosed with fifteen hundred unique diseases. For thousands of people, PatientsLikeMe.com has been both a figurative and a literal lifesaver, as users learned more about their illnesses and exchanged survival strategies and treatment protocols in a variety of online discussion forums.

  It was that opportunity to connect with others that first drew Bilal Ahmed, a thirty-three-year-old businessman from Sydney, Australia, to the site. Ahmed had been suffering from anxiety and depression since the death of his mother, and he found it difficult to discuss his condition with friends and family. Ahmed created a pseudonym account on PatientsLikeMe and joined its Mood Forum, where users share intimate details about emotional disorders such as bipolar disease, PTSD, bulimia, addiction, OCD, and thoughts of suicide. On the Mood Forum, he dutifully listed his symptoms, test results, and all the drugs he had been prescribed to treat his depression. There he connected with other patients around the world, formed friendships, and shared the most intimate of details regarding his illness on the password-protected site—receiving exactly the type of support he had yearned for.

  It was for that reason that Ahmed felt so violated after having been notified by PatientsLikeMe of “unauthorized activity” on its Mood Forum discussions board. At 1:00 a.m. on May 7, 2010, system administrators noticed suspicious activity coming from several new accounts that were “scraping,” that is, copying every single message off the private online forum and downloading the information to a third-party site. PatientsLikeMe eventually identified the intruder responsible for the break-in: the Nielsen company, the same advertising giant known for TV’s Nielsen ratings. A Nielsen subsidiary known as BuzzMetrics admitted taking the data, which it added to its online collection of information purloined from the other 130 million blogs, eight thousand message boards, Twitter, Facebook, and other social media sites it tracked. Nielsen sells these data to advertisers, marketers, and, in this case, major pharmaceutical houses as raw material in a multibillion-dollar global data-mining industry.

  Nielsen’s egregious activity, though ethically repugnant, was technically legal under current federal law, and on May 18, 2010, PatientsLikeMe disclosed the incident to its entire user community. The company also took the opportunity to remind users of its own privacy policy terms and conditions:

  We take the information patients like you share about your experience with the disease and sell it to our partners (i.e., companies that are developing or selling products to patients). These products may include drugs, devices, equipment, insurance, and medical services …[Y]ou should expect that every piece of information you submit (even if it is not currently displayed) may be shared.

  Wait, what? The note disclosing the Nielsen break-in was bad enough, but the follow-up e-mail detailing the Web site’s privacy policy was a massive wake-up call. For most users of PatientsLikeMe, it was the first time they realized that all the medical information that would previously have remained securely locked in the filing cabinet of their doctors’ offices—their conditions, diagnosis dates, family histories, symptoms, CD4 counts, viral loads, lab results, biographical information, gender, age, photographs, and even entire genetic sequences—was now being sold by PatientsLikeMe, the very place these desperate patients had entrusted to help them and to protect their information.

  Though PatientsLikeMe claimed it only sold de-identified/anonymized data on its patients, new and emerging data companies such as PeekYou LLC of New York had long ago worked out a variety of patentable techniques to match people’s real names to the pseudonyms they used on blogs, chat forms, and Twitter. In other words, any pharmaceutical company or health insurer that wanted the information from PatientsLikeMe need only hire PeekYou to reverse engineer your user name or pseudonym en masse to fully identify you. For Bilal Ahmed, this meant that all of the personal data he had entrusted to PatientsLikeMe were now owned by Nielsen/BuzzMetrics. In a public interview after his identification, Ahmed noted he felt totally violated by the incident and immediately deleted all his posts from the site as well as the list of drugs he had been prescribed, but by then of course it was too late. Every time he and other patients had posted highly detailed accounts of their illnesses and symptoms on PatientsLikeMe, there were companies like Nielsen lurking in the background scraping up all the data he shared. Those that weren’t siphoned off by third parties were freely sold by PatientsLikeMe itself, disclosed in the fine-print privacy policy that Ahmed and so many others failed to ever read when they created their accounts.

  As Ahmed discovered, social networks are the new public records. All that you share, wittingly or not, is being scraped, sorted, and warehoused by newly emerging global data behemoths and sold to advertisers, governments, and third-party data brokers, each with an increasingly voracious appetite to know the most intimate details of your life. These data can be used to determine if you have any preexisting conditions, if you should pay higher life insurance rates, or if you should be denied a job or promotion. While sharing may be caring, it also could mean higher insurance rates. As a result, the hundreds of thousands of people using PatientsLikeMe learned a valuable if painful lesson: they were not in fact the Web site’s customers; they were its product, sold to the highest bidder in an effort to drive the company’s own bottom line.

  Our Growing Digital World—What They Never Told You

  By 2013, Americans were spending more than five hours a day online with their digital devices. We read the news on Web sites run by CNN, the New York Times, and ESPN. We check our bank balances at Citibank and Wells Fargo. We shop at Amazon and Macy’s. We pay our ConEd and Comcast bills, make appointments with our doctors, and check our health insurance with Blue Cross. We watch House of Cards on Netflix and Downton Abbey on Hulu. And that’s just the beginning. Take a moment to think about how you used your smart phone today. Eighty percent of us check our mobile phones for messages within fifteen minutes of waking up. Did you provide a quick status update today to your friends on Facebook? You’ll probably get a “Like” or two or maybe a funny comment from a friend. And what about those selfies you sent your boyfriend? The Internet has become a vast and free treasure trove of information and entertainment, and so we dutifully gorge ourselves at the trough. And at every step of the way, we are collectively leaving behind a daily digital exhaust trail big enough to fill the Library of Congress many times over. How all these data are created, stored, analyzed, and sold are details that most of us readily gloss over, but do so at our own peril.

  There is no denying the power of social media. In a mere ten years since its creation in 2004, Facebook sprinted from zero to 1.3 billion members around the globe. Each day, more than 350 million photographs are uploaded, while the omnipresent Like button is pressed approximately six billion times. Social media chronicle our dates, graduations, home purchases, childbirths, new pets, marriages, and divorces. They also can be instruments for geopolitical change, as was seen during the 2010 Arab Spring, when a Google executive named Wael Ghonim created a Facebook page to highlight the slaughter of a young Egyptian protester at the hands of Hosni Mubarak’s internal security forces. “Two minutes after he started his Facebook page, 300 people had joined. Three months later, that number had grown to more than 250,000.” Similarly, Twitter, Google, and other services were credited with helping to drive change in Tunisia, Iran, and Libya. While history will judge the role social media played in the Arab Spring, there is no doubt these services can be a force for good.

  And the allure of these tools is clear. After all, most of us spend our lives trolling the Web for music, recipes, investment advice, news, directions, business opportunities, celebrity gossip, and sports scores. When we’re not checking e-mail, we’re playing Temple Run or Fruit Ninja. And it’s all entirely free of charge. Even the fees we once paid to travel agents, newspapers, and music companies have all but disappeared—eliminated thanks to the generous people who brought us the World Wide Web. But did you ever stop and wonder why Google never sends you a bill?

  Ask the average person why Google, Facebook, Twitter, YouTube, and LinkedIn are free, and he or she may be a little fuzzy on the details. Many think it has to do with advertising—that is, those annoying banner ads or pop-up screens with which we are constantly barraged. Perhaps, but that is only a small part of the story. Others may believe the trade-off to be pretty simple. These companies give us valuable services for free, such as e-mail, news, videos, and a place to post pictures, and in return we give them a little bit of information about ourselves. Occasionally, we need to watch an advertisement that has been specifically designed to suit our needs, but privacy settings put us in the driver’s seat and nobody gets hurt, right? If only it were that straightforward. The reality of the bargain we’ve made is much more disconcerting.

  Take Google as an example, a company founded in 1998 by two Stanford PhD students, Larry Page and Sergey Brin, in a friend’s garage in Menlo Park, California. The pair invented a groundbreaking algorithm that vastly improved search results on the nascent World Wide Web and attracted a loyal following drawn in by their simple interface and high-quality search results. In 2000, they began selling ad keywords for particular products aligned with any given search phrase. For example, if your query were “Paris, France,” you would be served up sidebar ads for Air France, travel insurance companies, or Hilton Hotels. Companies looking for new customers could now market via Google’s keyword ads with previously unknown precision, getting a much better return for their advertising dollars. What started as a humble idea by two Stanford students in 1998 had by 2015 grown into a global juggernaut.

  Over the years, Google has introduced dozens of products that make our lives simpler and more productive. When it launched Gmail in 2004, it offered an amazing one gigabyte of data, vastly outmatching the paltry two megabytes offered by the dominant player of the day, Microsoft’s Hotmail. As the young organization hit its stride, other fantastic products emerged, and eventually we were introduced to Google Calendar, Google Contacts, Google Maps, Google Earth, Google Voice, Google Docs, Google Street View, Google Translate, Google Drive, Google Photos (Picasa), Google Video (YouTube), Google Chrome, Google+, and Google Android, to name but a few. One by one, services such as phone calls, translation, maps, and word processing—services for which we would previously have paid hundreds of dollars (think Microsoft’s Office)—were now suddenly free.

  The most benevolent interpretation of this bounty would be that Google was merely providing products the public wanted, satisfying our ever-growing technological needs (and those of advertisers). A less altruistic explanation might be that each and every one of the aforementioned products was created with the specific intent to trick, cajole, and coax users to reveal an ever-increasing volume of data about themselves and their lives ad infinitum. People might balk if they fully understood the true nature of the exchange. So, to paraphrase Otto von Bismarck, it’s best for Google’s customers if they don’t see or know quite how the sausage is made. But pulling back the curtain and studying the sausage factory are fundamental in order to understand an ever-growing mountain of data security risks facing our world today.

  The gradual siphoning of your data begins innocently enough when you first start using Google to search the Web. You search, and it tracks and records the queries, not to mention every link you click on. From that initial search product, the carefully orchestrated acquisition of your personal information is carried out with artful precision. Eventually, a search engine wasn’t enough, and Google craved additional ways to gain further insights into you, your hopes, dreams, and desires. The result? Gmail. By providing a vast amount of storage space and a wonderfully seamless experience, Google gained access to both your personal and your professional e-mails. Now Google could understand not just your searches but everything you were writing and to whom. Google scanned and electronically read your messages and found new insights it could offer to advertisers, increasing its fees along the way as it refined its profile of you. If you wrote an e-mail to your mom telling her you were sad over a recent breakup, Google might suggest an antidepressant, a comedy club, or a Caribbean vacation. As long as you remained logged in to Gmail, it could track all of your searches to your unique identifier with the company; as a result, Google’s profile of you grew richer, as did the company.

  When Google offered you the opportunity to store your contacts online, it in turn could evaluate the size, strength, and purchasing power of your social network. When Google introduced its Maps program and provided gratis GPS and driving directions, it could now track the places you went. Google wondered whom you were calling and created Google Voice to find out. Not only could it now track every one of your telephone calls, but it would transcribe your voice-mail messages using voice-recognition and voice-transcription software. A very cool technical feat at the time, it also allowed Google to understand what you and your interlocutors were discussing. If somebody left you a voice-mail message suggesting Italian food for dinner, Google would sell that information to its advertisers, and suddenly ads for pizza would show up across your Google world. For further precision, Google created the Android operating system (OS) and gave it away for free. In exchange, Google could now track you anywhere and everywhere you took your smart phone.

 
