The Desensitization of “Accept”
In the pre-digital age, people who engaged in espionage took big risks and had to conceal the much-larger tech of the day in order to do their jobs. These people, if caught, could face years in prison, hanging, or a firing squad. Today, espionage devices take many forms at the local spy shop, eBay, Amazon, and thousands of spy gadget producers around the world. But what about the thief you let in with the click of a button?
As TSCM examiners, we, by definition and trade, find audio, video, and data theft devices for a living.
Today, people often take for granted the modern conveniences of our digital age and the Internet of Things. These advances promise to make our lives better and entertain our children for hours. I have read several briefings and attended many lectures with titles like “Privacy is dead, get over it.” I cannot help but wonder what our grandparents and their parents would have said or thought.
The argument, “I have nothing to hide, so what is the big deal?” slays me!
Today, people log into websites from their phones or computers and are repeatedly faced with “terms of service agreements” (TOS). These documents are often accessed by clicking separate links, so reading is completely optional. A large “accept” button appears front and center for your convenience.
Thousands of spies have been let into your life, and for the most part, you do not know about any of it. But what the hell; you have nothing to hide, right?
Agreed, most people are NOT leaders of drug cartels or mafia kingpins. But the actions some people take every day when clicking TOS buttons or any other link can have far-reaching consequences.
What’s the Risk?
Everyday people can be and are victimized by nefarious actors on the web. This happens when they accept TOS agreements, visit websites that offer something of interest, or click links here and there when viewing websites, email, or text messages.
What most people do not know is that accepting a TOS now means that you are giving the owner of the TOS consent to spy on you. Spying can come in the form of:
- Cookies
- Beacons
- Pixel tags
- Web storage
- Other tracking mechanisms
All of these techniques, and so many more, are used to monitor your behavior on a website or application. The data that is collected can be used for marketing purposes as well as efforts to build a profile of you that can be quite detailed and intrusive. And oftentimes, there are multiple parties involved in the multi-step process of accepting the TOS and giving your consent. We’ll get into that more in a moment.
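To make the list above concrete, here is an added example (not part of the original article) that audits a page's HTML for three of those mechanisms: pixel tags, third-party scripts, and cookie or web storage access from inline scripts. The sample page, its host names, and the rule that a 0- or 1-pixel third-party image counts as a pixel tag are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

STORAGE_APIS = ("document.cookie", "localStorage", "sessionStorage")

class TrackerAudit(HTMLParser):
    """Collects (kind, detail) findings from one page's HTML."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings, self._in_script = page_host, [], False

    def _third_party(self, url):
        # Host of url if it belongs to another site, else None.
        host = urlparse(url or "").hostname
        same = host == self.page_host or (host or "").endswith("." + self.page_host)
        return None if not host or same else host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = self._third_party(a.get("src"))
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if tag == "img" and host and tiny:
            self.findings.append(("pixel tag", host))
        elif tag == "script":
            self._in_script = True
            if host:
                self.findings.append(("third-party script", host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline script body: look for cookie/web-storage use
            self.findings += [("storage access", api) for api in STORAGE_APIS if api in data]

def audit(html, page_host):
    parser = TrackerAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page; every host name here is made up.
SAMPLE = """<html><body>
<img src="https://news.example/logo.png" width="200" height="60">
<img src="https://stats.tracker.example/p.gif?uid=123" width="1" height="1">
<script src="https://cdn.adnet.example/tag.js"></script>
<script>localStorage.setItem("visitor", "abc"); document.cookie = "seen=1";</script>
</body></html>"""

for kind, detail in audit(SAMPLE, "news.example"):
    print(f"{kind}: {detail}")
```

The site's own logo is not flagged; only the 1x1 image and the script served from other hosts are, along with the inline script's cookie and storage calls.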
Your personal data can also be shared with or sold to other companies, and this is often done without your knowledge or approval. This process is known as data mining, and it happens every day on the internet.
In some cases, people have been arrested and jailed for things they posted on social media sites. Others have had their lives ruined because of a picture that was shared online without their knowledge or consent.
A Story
A client of a professional colleague of mine found out that his name had been linked to that of a pedophile. This client was imprisoned, and his name ruined, all because he fell for some clickbait.
How did this happen?
One day, he innocently clicked a photo link that caught his interest. Then, bang! It served up the story he was looking to read, but in the background—unbeknownst to him—several pornographic images of children were dumped onto his phone and network. Later, the hackers used his network to host the material for others to view.
Because of confidentiality agreements, we cannot discuss everything here, but the individual was freed from prison after serving time (1+ years) for a crime he did not commit. Even so, his name pulls up only his arrest and charges when entered into a search engine.
Buried on page 14 or 34, depending on what search engine you use, was a small two-paragraph story about his complete exoneration. However, it did not explain how this crime was committed against him. It was just one or two small paragraphs stating his release. It also did not point out the turmoil between him, his family, and his friends. Nor did it discuss the financial burden of spending over $50,000 to prove his innocence through legal forensic analysis and expert witness testimony.
For the most part, the companies, groups and individuals behind these services are legitimate producers of products that people want and enjoy. But it’s possible to fall victim to primary or third-party outfits that have more nefarious reasons for gaining a gateway into your life. Through that gateway, additional parties present their own separate terms of service for you to approve: the terms of the surveillance they will carry out against you.
For example:
- We may store your data whether you have an account or not
- Your identity can be used in ads that we or a third party utilize
- We can read your private messages
- We may collect, view and share your browser history
- You sign away your rights
- Terms can change at any time without notice
- This service can license user content to third parties
- This service can delete your account without prior notice or reason
- This service retains records that you have deleted
- Users have reduced time to take legal action
- We may use web beacons, browser fingerprinting and/or device fingerprints
- Your data may be stored in a location that we decide
- You agree to defend, indemnify and hold us harmless in court
- You waive your moral rights
- This service can track you on other nearby devices or networks
We have not touched upon all of the aspects of a TOS. Most people reading this have already (I would hope) questioned why a weather, game or flashlight app, for example, would want to have access to your phone’s personal contact list, documents stored on your phone, speakers, microphones, cameras and/or other apps… like music, photos or banking?
How to Protect Yourself
First, check whether the website you are visiting has an SSL (TLS) certificate, which shows as a web address that begins with HTTPS.
Read the Terms of Service. If they are updated, reread them to make sure you still agree. Understand that many companies, including creators of websites and apps, will bind you to their current terms of service if you continue to use their products or sites—even if they are different from the terms you accepted. This is why you will find, “If you continue to use the service(s), you are bound by and consent to these and the updated terms.”
In the past, we felt better sticking with large firms because we thought they did not want to risk losing our business. I’m afraid those days are now gone. The motto used to be, “do no harm.” That is not the case anymore. Just read any of their TOS agreements.
Additional Attack Prevention:
- Regardless of where it appears, think before clicking each link
- Avoid using public Wi-Fi networks
- Use a virtual private network (VPN)
- Turn off Wi-Fi and Bluetooth when outside of secure environments
- Change your passwords quarterly (if not monthly)
- Personal firewalls are great for home internet use
- If you want to add an app to your device, get it from a trusted source. If it looks sketchy, as my daughter says, don’t click on it.
- Avoid plugging charging cables into public receptacles