Staying off the grid over worries about your privacy? That’s what crazy people do, longtime cybersecurity expert Joel Fulton told CyberNews and shared some advice on how to stay safe online without sacrificing the benefits of technology.
“Privacy is under assault,” Joel Fulton, the Co-Founder and CEO of Lucidum, once told CyberNews. It’s a high-value target for malicious hackers, employers, governments, e-commerce sites, and the most prominent “free” software apps and tool providers.
Thousands of laws guard our data, but that doesn’t do the trick, does it?
The internet was considered free for many years until it dawned on us that it is quite the opposite. We pay for “free” services with something more valuable than money - our privacy. Different surveys show that privacy concerns are growing. But if privacy is indeed our crown jewel, why do we still keep trading it for some shiny objects?
Fulton has spent two decades in the cybersecurity industry and held leadership positions at Splunk, Symantec, Google, Starbucks, and Boeing. He believes consumers are still pretty ignorant about the value of their privacy and are willing to discuss the trade-off. I virtually sat down with Fulton to discuss why we keep choosing convenience over privacy over and over again.
You once told me that privacy is under assault. Do we make ourselves an easy target?
We are willing to discuss the trade of some convenience or shiny object for my privacy. Most people don't value privacy the way I value privacy, so they are more willing to make that trade. Those goods that they receive become something common. I met with some folks in Beijing and privately asked them, 'tell me your feelings about privacy.' When you leave a house, you don't take a wallet, you don't carry cash, you don't take house keys, you take your phone because your phone opens the door to the house, your phone is your subway ticket, it's your fare for the taxi, and everything is on your phone, but your government sees everything you do, is that a concern for you? Their answer was, 'why wouldn't the government want to protect me, take care of me, and do what's right for me? No, I don't have any concern about them because they are the ones taking care of me.' There's a cultural difference wherein, more in the West, we think privacy is good, it's our right. That's a very different concept.
But we are not surprised when privacy is under assault in certain regimes, for example, China, Belarus, Kazakhstan, yet we raise our eyebrows and get furious when someone threatens our privacy in the West.
There's always this us vs. them, and we think there's got to be an evil regime somewhere, and therefore, ours is the opposite. And there are degrees. We know what the NSA took in their ECHELON program in the United States (ECHELON was a surveillance program established to spy on the Soviet Union and its Eastern Bloc allies during the Cold War). We know James Clapper lied to Congress about what he knew the NSA was doing and was capable of (Even though the leaked documents showed the NSA collecting telephone metadata on American phone calls, he was accused of perjury for telling a congressional committee that the NSA did not collect any data).
People believe in this greater good. I'm willing to lie to you if I think the outcome is going to benefit not just you but everybody. And so we act surprised, and I'm glad we at least act surprised because then there's negative feedback to that system, then there's pushback.
Can there even be a pushback? I see reports that people are concerned about privacy. At the same time, they are willing to trade very personal information, for example, from their fitbits, in exchange for cheaper insurance.
I think we focus on the benefit and not on the cost. People will say, and I heard friends of mine, who got to know better, say, 'well, somebody got this information about me anyway, so I might as well get the reward, having already given that up.' Do people really care about privacy? I think they do when the consequences of their privacy exposure become real. A cause-and-effect gap prevents people from being vigilant upfront about privacy.
There are three things we do in information security. We protect confidentiality, integrity, and availability. CIA, ironically. Availability is the system being alive and responsive to the right people. Integrity is that the data on the system reflects what it ought to reflect. So somebody changed your bank balance, for example. Blockchain is a significant step forward in immutable integrity. But confidentiality is the most difficult. If you are at a bank ATM, you enter your PIN, and if I am standing over your shoulder and I spy your PIN, you don't know your confidentiality has been breached until I violate your bank account.
There's this gap between your privacy having been exposed and the consequences. That, I think, is where these companies and governments have room to run. When they expose my privacy and abuse it, I don't know until a negative consequence happens. And that's so long in that cause and effect cycle that people don't make the connection that this came because I was on Facebook or because I didn't change settings on SIRI. They don't see that.
How do you understand privacy? Do you take many extra measures, such as staying off the grid?
I like that you started with staying off the grid. Because that's what crazy people do, that's what they'll say. You've got your water and your cabin in the woods. And that kind of stigma, I think, is interesting. If you act as though your privacy is important, you are weird because you become a hermit, a crazy person on the street.
I am very conscientious about where my data goes. I have never had a Facebook account, and I don't share private or personal information on Twitter. My behavior is formed by the fact I've used peoples’ disclosure of information for security purposes to protect a company or identify where a high net worth family is leaking information that makes them vulnerable. It's very apparent to me how the stuff could be used.
But it's really simple things. It wasn't that long ago, Verizon switched all of its cellphone subscribers from opt-out to opt-in and began collecting information. No notification just made a switch, and you got to dig in your phone to find the settings. Google did the same thing - opening up access to your Google docs to them so they can decide. So just paying attention to these services is number one.
I'm a little more extreme in that I pay for my services. If I pay, I have greater control over my privacy. So instead of Gmail, I use Proton. Instead of G Drive, I'll use Box or something. It's a commercial relationship, and I'm not willing to be the pay.
There are definitely some options and privacy-preserving technology and even business models. Can it become mainstream? Especially having in mind that big tech companies have the lion's share in the data economy? Also, it's not so easy, for example, to leave Facebook when you have all your friends here.
I find it interesting that privacy-preserving is an upgrade. If everyone opened their eyes to that. There are two ways that you can take. I wouldn't advertise on Facebook because I would choose not to be on Facebook. That's one way. But another one is you can advocate with those vendors. They do listen. They listen to governments, and they listen to their users.
There's one absolute and very difficult thing for people to accept. Especially if you've already spent seven years building a Facebook network and have followers on Instagram, you are not going to go crazy and turn all that stuff off. If you are influential and a user, you can use your voice, and they will make changes. The people behind it (data companies, such as Facebook) live in absolute secrecy themselves, and so they know its value, they've made themselves rich after understanding its importance, and so they can be influenced.
I want to come back to your thought about how not to become a crazy person. Some doomsday cybersecurity experts recommend deleting social media accounts and stopping using smart devices. But that's not the solution, right? I, for example, love technology. At the same time, I want to preserve my privacy. Any tips for people like me on how to have both?
You have to draw your line. And it's not about reducing your life to rough bread and water. You don't have to lose the pleasures and comforts of life. For example, I learned, and this was before phones were used for driving directions, with GPS, that I lost my sense of direction, that muscle atrophied. I could no longer find my way to places that I'd been to before. And so I stopped using a GPS, except for long distances that I wouldn't know the routes there. I found it interesting, and it's valuable to me. So when you hop into your car and you plug your phone in, and because of your schedule on your calendar, your phone knows it's time to go pick up your child from the daycare, and so it opens up the maps program and tells you how long it will be before you get there. When it does those sorts of things, I think you need to decide, is this something that I'm buying into thoughtfully, or is it not? And not in a religious or ideological kind of way. But the ability to carry you through your day means you give up information about yourself. And maybe that's fine. Maybe that calendar + map is precisely what you are after.
But when you add to it, I've got an Amazon device, listening to everything that I say, and recording what it knows about me, and the door knows when I come and when I go, the real problem, the proximal problem, the closest issue to you is not that Facebook knows things about you. It's very hard to persuade people that Facebook knowing something about you is bad. What are they going to do? They are a giant bureaucracy of software developers. Who cares? I don't care. Frankly, that's not my major concern.
My primary concern is that I know how vulnerable their products are. So the idea that somebody would know my routes, be able to look inside my home with the cameras that I've got, see when I leave, know whether anybody's home and access everything I own, including being able to place devices or software and steal. That is the real threat because you don't have to be targeted. I can be a passerby driving to the neighborhood, looking to connect to WiFi, and that is a real issue to me. It's not about whether this big evil entity can track me. It's the fact that Google doesn't protect what it knows about me. They use it for their purposes, and they do not protect it in a way I wish they'd protect it.
More from CyberNews:
Subscribe to our newsletter