Technology’s prevalence in modern life is a double-edged sword. While it has provided many major benefits to individual comfort and the economy, it comes at the cost of individual privacy, often without the user’s knowledge.
The widely available nature of this data has contributed to the growing success of open-source intelligence (OSInt) techniques. Criminals, stalkers, and even foreign powers can use OSInt to combine information gathered from online data collection, cybersecurity incidents, and public records to create detailed user profiles. These profiles can then be used to target the user’s accounts, steal identities, or even recruit users for espionage purposes. Government employees have the same right to use the internet as any other U.S. citizen, but their unwitting provision of user data—combined with a lack of governmentwide policy to protect and hide their data from open-source access—creates an enormous insider threat, increasing the public sector’s already vulnerable attack surface.
Public information has always been accessible, by definition. But what has changed to make this information dangerous is that, over the past 20 years, companies have created increasingly innovative ways to use this data to make a profit. Many analysts consider data more profitable than oil. Machine learning and data mining provide great insight for businesses and advertisers, allowing companies to know (famously) that their customers are pregnant before their customers do. Data aggregators have sprung up to collect huge volumes of data from every corner of the internet, draw correlations, then sell the output. Nearly every collector of customer data, including the U.S. government, sells it to boost profit.
Publicly available information on the internet from private or public sector employees benefits criminals. Identity theft affects millions of individuals every year: $1.4 billion were lost to this crime in 2018. The result for government employees can be not only loss of their savings or good credit, but also their security clearances, which then can affect their employment status—and financial stress is often a reason for people to violate the trust of their office intentionally. Data is traded on dark-web markets. If a buyer happens to be a stalker or someone seeking to “dox” government employees (publishing private information about someone, often for revenge), the information sold could put U.S. personnel at risk of physical violence or death.
Because user data is readily available online, OSInt has become a cheap source of information for foreign powers looking to gather intelligence. Online data makes it easy for them to determine who works in which parts of the U.S. government and target individuals in hopes of gathering more information or even turn some into knowing resources. A determined adversary, through OSInt, can gather enough details to social engineer their way onto a base, forge credentials, or conduct cyber operations.
Individuals have lost control over which data is made public. Governments now consider any communication with government offices to be public records and collect the data within. Any email address or phone number used to contact a local branch of the U.S. government becomes public, even otherwise unlisted numbers.
Private companies are even worse. Facebook creates “shadow profiles” of data on individuals who have never even used its services. In fact, many online companies leave cookies in browsers so that they can track user activity across the internet. Google collects so much data from its browser and search engine, it is possible for the company to identify people based solely on their typing patterns. In the presence of little or no privacy laws or regulations, organizations often have clauses deep within their privacy policies allowing them to do whatever they please with personal data, even when they claim not to.
While some companies have anonymization measures in place, machine learning makes it easy to circumvent anonymization attempts if enough data is provided. Some aggregators exist specifically to collect data from many sources, deanonymize it, and resell it. Some companies even post aggregated data publicly to extort money, or they sell the data for a small fee to those seeking to stalk, steal identities, or worse. Most aggregators have opt-out options, but they make it difficult for users to find or complete, and new aggregators pop up every day. The burden is placed on an individual to track down every data aggregator (and there are hundreds) and physically go through each individual opt-out process, which is often cleverly disguised to collect even more information.
The prevalence of publicly available electronic data make OSInt activities easy and cyber attacks incredibly cheap and reliable. Public data make phishing schemes and other social-engineering attacks even more successful. The same poor OpSec practices the United States has tried to fight for decades today result in violations that can be instantly correlated with other aggregated data, leading to devastating outcomes.
Outside the Office
For all the military does to improve cybersecurity and warn of threats on base and in the field, there is hardly any effort put into improving individuals’ home networks or protecting against threats to personal privacy created by digital footprints. Modern phones can be used to identify individuals, and nearly every app and program on a smartphone collects data from its user. Much of this data collection and sharing is unregulated; thus, it is made available to any app creator, those they sell the data to, and anyone curious enough to be paying attention to what is being transmitted from every phone near them. The possibilities for abuse are nearly endless, when you consider the many sensors on cellular phones and the ways they could be used by an attacker.
Most people fail to use even the simplest security measures on their home networks including encryption, firewalls, or Virtual Private Networks (VPNs). Failure to do so not only leaves people vulnerable to cyber attacks, but also creates huge privacy issues. Internet service providers (ISPs) and anyone on the network could collect and sell data or use the data to track individuals and everything they do in the privacy of their own homes. This also applies to government computers, but most IT departments at least have the basic security measures in place. But government computers still pose risks, because users still go to Google, and IT departments deliberately block use of privacy-enhancing tools.
The dramatic expansion of internet-connected cameras creates a myriad of issues as well. A hacked camera could provide a great source of information for an attacker. Built-in cameras and microphones can be hacked and turned on to capture valuable information. Cameras off base have become a threat, too. Facial recognition technology is improving at a fascinating pace, but this means even a fraction of a second exposure to a camera could mean an individual’s every movement is tracked, placed in a database, and sold. Automatic license-plate readers (ALPRs) have the same effect, tracking every movement of a vehicle. Hats can be worn to obscure facial recognition, but covering a license plate, even partially or with a transparent, polarized film is a crime in most states.
The many ways to violate privacy create an easy recipe for an attacker to gain ample data for planning and executing attacks. For less than $100, all the above information is easily available to terrorist organizations, foreign governments, bored and malicious teenagers, or a disgruntled employee.
Better Data Protection
The three-part solution to this is simple, and does not require the extreme measures Michael Bazzell teaches in his book Extreme Privacy. First, federal law surrounding individual data privacy must be enacted. Many states and foreign countries have already passed various laws to attack these privacy issues. The best known is the European Union’s General Data Policy Regulations (GDPR) that allows EU citizens legal privacy protections online. The United States can and should pass a similar law protecting the privacy rights of all its citizens. The California Consumer Privacy Act (CCPA) is a step in the right direction, and should be improved on and expanded nationwide.
Second, protections for public officers that exist in some states should be expanded federally, and public-sector employees should be made aware of these protections. Most states have special protections for law enforcement, elected officials, and public officers that often allow people who fall into these categories to redact certain information from public records including home address, phone number, and other personal data. Florida and a few other states have expanded many of these protections to the military. However, these laws are not widely known, and, as a result, their intended beneficiaries rarely take advantage of them. These policies could easily be expanded federally and the necessary forms automatically processed as part of every new protected employee’s standard in-processing paperwork. Protecting their public records (permitting exceptions only with a court order or during clearance investigations) will stop much of the data aggregation that threatens to allow their willing or unwilling co-option into insider threats.
Finally, all levels of government need improved privacy policies and cybersecurity that includes privacy protections. The best security against military or government officials being spied on or coerced is to prevent collection and use of data in the first place. Equally important is training employees how to better protect their data, as are policies limiting the sharing or selling of data to non-government entities. Government employees need to be trained on how to freeze their credit, manage digital privacy settings, and question anyone asking for their personal data.
These privacy mitigations are not a perfect solution. There will always be those who do not care or make mistakes. But these policies are a good start and can reduce the insider threat posed by OSInt.