Wednesday, 2 March 2016

Death by a Thousand Cuts

The security of our online data is being compromised again and again by all sorts of folks and companies who are simply ignorant of the grave potential consequences of what they are doing. By now I am sick of being the only one that notices these things and raises the alarm bells.
Perhaps one needs to be the victim of identity theft to be able to feel what I am feeling? That said, if that is the case, how come I am the only one? Why is it that everyone else is so ignorant on these matters? How come everyone else is accepting things the way they are, no matter how shitty they are?

Stabbing

As can be expected, problems start with institutions running on low budgets. In other words, our health and education systems.
This past month I noticed an interesting fact. All the medical institutions I have been visiting, from GPs through dentists, specialists and culminating with private hospitals, all of them are still running on Windows XP. That’s incredible given how long we have had to move away from Windows XP, the fact that by now those institutions should have learnt their lesson, and the fact that some of these specialists and private hospitals are actually swimming in money.
I can see how hard it is for a bulk billing GP clinic to make the upgrade effort, though. By the same token, these are the people maintaining the bulk of our deeper secrets as well as some of our most important personal info. And by continuing to use their archaic system with their multitudes of well publicised vulnerabilities, they are sacrificing the security of all of us.
Oh, and do I need to mention last week’s case, when a clinic sent us a whole set of documents relating to another patient of theirs? Those documents contained pretty much all there is to know as far as that patient’s health was concerned: contact details of patient and doctor, Medicare and private health numbers, you name it. When we pointed the mistake out to the clinic their excuse was they misfiled our information because both patients have the same name.
You know your information is in good hands when you hear that.

Next in line is the education system.
Last year, our school started implementing a system to send us notifications with. It felt much better than what fellow parents sending their kids to other schools had to endure. One such school forced all parents to communicate via Twitter (a commercial company making its money from data mining people's tweets), comfortably forgetting that Twitter is thus a part of all children related communications.
Things changed at the start of this school year. Us parents were informed that all communications with the schools and the teachers will now be based on this system; generally speaking, no more emails. To emphasise the point, school started a competition between classes: the first to have all parents registered on the system would win an award. The following week, all children had it in their homework to ensure their parents are registered; as the children know all too well, those that do not “do” their homework by Friday are punished.
It was time for me to check this system out. Up to that point, I couldn’t care less if all the notifications we received were public; no one cares if “tomorrow is pink dress day, don’t forget to come dressed in a pink dress”. However, when I am now required to enter some very personal information into the system, information of the type that can be used to separate me and the contents of my bank account, my alert level steps up a notch.
So I went to the system provider’s website and checked their privacy policy. I could tell they were reliant on Google systems, which is not a good match for school; one doesn’t want Google to mine their children’s data. I could also tell that the privacy policy missed out on vital information, such as how the school’s data is stored: does it reside on a server in someone’s garage? Is all the data stored with, say, Google? For a parent to trust their child's data with someone, one expects more than the usual "we take every measure to protect the data" ass covering statements.
Curiously, the privacy policy stated the facilities utilise Google Analytics and provided instructions for parents on how to avoid Google Analytics’ tracking. Adding to the intrigue was the fact our school’s facilities did not actually utilise Google Analytics (but rather some other trackers), plus the fact those counter measures specified in the privacy policy cannot be applied to a smartphone app.
Thus, several weeks ago, I contacted the provider with questions concerning the application of their privacy policies. To date I am still waiting for an answer.
A week went by and my son was threatened by his father’s lack of registration to the school facilities, so I decided to give those a try despite the lack of provider feedback. I did not get too far: that password protected website, where all the school communications are now being dealt through, and where tons of private information is now stored? That website uses a very open HTTP protocol with no protection whatsoever. Any two cent hacker in Russia listening in to the traffic could pick my login credentials up, as well as all the rest of the information passing through. And we know there are enough such people in the world (Russia, please accept my apologies for picking on you) that actually do so.
So I raised a complaint with school and wrote on my child’s homework form that I refuse his homework. Two weeks later, I am still waiting for a reply.
I know what’s going to happen. No one would answer my feedback on account of no one willing to take the “credit” for coming up with such a shit system. Further, now that there is awareness on the matter, no one would dare claim “the facilities are well protected as they are”, because they know they will only be making fools of themselves and endangering their positions once matters are escalated. Talking escalation, once I am fed up and do bother to escalate things, I will be the school’s evil parent, the one single person because of whom this entire lovely system had to be dropped.
But hey, I love being the evil guy. The thing that amazes me is how, in this school with more than 500 children, I happen to be the only evil parent.

Then again, it’s not only the health and education systems that screw with our online security. There are also tons of companies out there seeking to save a buck by not giving a fuck about their customers’ data security and privacy.
Take my car manufacturer as an example. I received an email from them informing me I can now save time and book my car services online. Not only that, but online is the only place I could go to find out how much I can “save” through their service capping plans.
So I went to have a look. And guess what? Just like that school online facility, this car manufacturer - a global brand with tons of stuff going for it, racing titles and all - is also completely insecure. That could be fine, still, if all I want is to book a service time slot. Alas, in order to do so - or, for that matter, in order to receive that service capping information - I have to provide a long list of private details through that very exposed website. Screw that.
So I raised a formal complaint, citing the manufacturer’s own privacy policy claiming that “We take all reasonable steps to protect the security of personal information collected by us.” Unlike school, that email of mine was quickly escalated through the car manufacturer’s upper echelons. Within a day the matter was raised before their IT provider. They also called me the next day to let me know they agree with me. I still doubt they will do anything about it; that would require them to spend some cash.
Amongst other things, they pointed out yours truly is the first of their customers to ever notice the problem. Sometimes I hate being right.


Image by Seniju, Creative Commons (CC BY 2.0) licence
