In 2013, the U.S. intelligence community was turned upside down by the revelations of government whistleblower Edward Snowden after he exposed top-secret domestic surveillance activities carried out by the National Security Agency (NSA). Following his first round of leaks in the UK-based paper The Guardian, a conversation about data privacy was sparked around the world, one which continues to this day with rippling effects on emerging legislation, public discourse, and popular conspiracy theories.
To some, Snowden is a traitor who violated the conditions of his government security clearance and endangered America by exposing classified information to its enemies. To others, he remains a champion of transparency who brought much-needed scrutiny to dangerous government overreach enacted in the name of counterterrorism.
But whether Americans think Snowden should live out the rest of his days a free man or behind bars, they are much less divided in their opinion of the activities which he exposed: in 2014, polls revealed that most Americans disapproved of the NSA’s data collection and surveillance activities, with 74% of respondents agreeing that privacy should not be sacrificed for the sake of safety.
Seven years on from Snowden’s early revelations, little has changed: while external pressures have gradually forced U.S. intelligence agencies to adopt a posture of greater public accountability, most of the programs originally exposed by Snowden have not ceased – in fact, the NSA is collecting more data on Americans than ever before. Even so, there is a bigger scandal for them to worry about.
Since 2013, data privacy legislators have shifted their attention from government surveillance programs to big tech. And even though the NSA depends on the cooperation of companies like Facebook and Microsoft to track the activities of Internet users, Americans are largely ignorant of the way their data is collected by non-government organizations.
Today, it is an open secret that mobile apps, tech products, news, media and entertainment sites collect information on their users for advertising purposes and track them across the web. To be sure, there are differences between this practice and government surveillance, but many of these differences put big tech in a worse position – not a more benign one.
Consider data usage: although the NSA continues to harvest terabytes of information on Americans every day, a minuscule percentage of that data is ever accessed, and almost always during an investigation with a court-issued search warrant. Tech companies use nearly all the data they collect on users for targeted advertising, personalization or to improve their marketing algorithms – and they don’t need a warrant.
Consider data protection: while the NSA stores the data it collects from Americans on servers defended by layers of cutting-edge encryption and cybersecurity controls, the lax security protections used by tech companies make them vulnerable to cyberattacks that lead to frequent data breaches.
Above all, consider data sharing: the NSA keeps most of the data it collects to itself, and only ever shares it with other intelligence agencies who employ similar standards of protection – and even then, only in special circumstances. Tech companies not only share user data directly with multiple partners, but they also allow hundreds of third parties to freely access their userbase with little monitoring or protection.
Today, digital third parties provide up to 90% of the code across consumer-facing websites, driving advanced features like content recommendation, media galleries and programmatic advertising. Not only is third-party code (3PC) ubiquitous across web and mobile applications, but it is also frequently bundled with IoT devices, Smart TVs and smartphones – often in the guise of “research” into how that product is used.
Unfortunately, 3PC lies completely outside the control of its host organization, and a systemic lack of oversight allows a minority of malicious third parties to wreak havoc on consumers in many ways. They may collect and share personal information without permission, execute malware attacks, or redirect users to a phishing site where they will be prompted to enter their credit card or social security number.
On average, 2–3% of the domains present across Alexa 500 websites have the potential to be malicious, and this problem grows worse every day: as the number of vulnerable third parties increases, so too does the number of data breaches, identity theft victims and malware attacks. In short, third-party code is a data privacy scandal that has a more concrete impact on millions of Americans than NSA spying. So why don’t we hear about it more often?
Many consumers have come to see data breaches as the inevitable consequence of living in a connected world, and businesses are quick to seize on this justification whenever they are targeted in a cyberattack. But while digital technology carries a certain amount of inherent risk, negligence – rather than bad luck – is responsible for a majority of the data breaches and identity theft occurring today.
When organizations scan and monitor the activities of their online partners, it is possible to recognize abusive patterns of behavior and eliminate the culprit. Moreover, by vetting those partners early on, it is usually possible to identify the bad ones and prevent them from ever accessing users. The simple truth is this: most organizations just aren’t motivated to make the effort, so they don’t.
Earlier this year, a court ruled that portions of the NSA’s data collection practices were unconstitutional, and while the same thing has not yet happened to big tech companies, it should. Current data privacy legislation stipulates that businesses must use “reasonable security practices” to protect the personal information of their customers, and every business with hundreds of unmonitored third-party domains fails this standard of reasonable security by a substantial margin.
Ultimately, social norms allow abuses to pass uncorrected. For instance, most Americans have simply accepted that there will always be a certain amount of government surveillance over their lives – and this may be true. But indifference to the activities of intelligence agencies is ultimately what allowed the NSA’s counter-terrorism program to become an unconstitutional exercise in domestic spying.
Likewise, Americans tend to accept that a certain amount of data collection is part of living in an Internet-connected society. At the same time, indifference towards data collection practices has allowed the digital ecosystem to be overrun with bad actors who target users specifically to abuse them, and few organizations or legislators are doing anything to stop it.
Third-party code needs an Edward Snowden. For organizations to change, consumers must demand more from them while placing pressure on legislators to specifically address digital third parties in emerging legislation. Until then, digital third parties constitute the largest unaddressed data privacy scandal in the modern world.
by HARRY REGAN
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.