Hey, remember those wide-eyed, innocent days of 2016 when the Internet of Things was a security nightmare due to its easy hackability?
Any mildly bored tween could hijack your baby monitor and talk to your kid, monitor your family’s comings and goings via your smart thermostat, or take over your car and steer you into a hydro pole.
But this is 2017 and we’re so over that amateur level of privacy invasion and data theft. Hell, why do it for fun when there’s mad cash to be made?
For the real go-getters, we are at the vibrating edge of innovation. On the go, in your home and in your … well, there.
Apparently Canadian tech company We-Vibe’s 4 Plus Bluetooth-connected vibrator comes with an app to enable … uhh … paired programming. And, naturally, said app is basically digital cheesecloth where security and privacy are concerned.
Not only did it send device usage data back to We-Vibe’s parent company, its remote activation function could be hijacked, basically by anyone within Bluetooth range and with a mind to do so.
Which might seem like a bit of a “Surprise!”-worthy chuckle situation, except that, to quote one of the Def Con conference hackers who first revealed these flaws, “unwanted activation of a vibrator is potentially sexual assault.” Oh … right.
Lest you think you’re safe from prying, data-analyzing eyes even when you’re not engaging in … recompiling your kernel, think again. Apparently anywhere you can listen to music, podcasts, or audiobooks is fair game for unauthorized monitoring.
Several Bose headphone models also come with an app, which allegedly collects users’ listening habit data and sells it to third parties without your awareness or permission.
Now, it’s potentially embarrassing enough for it to be known that you still have Backstreet’s Back on rotation. But your musical guilty pleasures are the least of the concerns.
As noted in the article:
“Indeed, one’s personal audio selections – including music, radio broadcast, Podcast, and lecture choices – provide an incredible amount of insight into his or her personality, behavior, political views, and personal identity, says the complaint, noting a person's audio history may contain files like LGBT podcasts or Muslim call-to-prayer recordings.”
Not to mention the degree to which this information can be further tied to your identity and online footprint, given that you provide your name, phone number, and email address when you download the app and sign up. “Get the most out of your headphones,” indeed.
Speaking of online footprints and email, it’s also recently come to light that the Unroll.me subscriptions management service has been selling data harvested from your inbox. They’re “heartbroken” that people didn’t like it when they found that out.
Now, these are just a few examples, and certainly, no one’s forcing users to download any apps or sign up for accounts, but that’s hardly the point. Not everyone understands they’ve become a product that’s being sold when, at the time, it seemed they were getting something for free. Not everyone consents to having their data turned into a revenue stream.
It’s remarkable this is taking place with consumer products. You already pay handsomely for them, and you’re still viewed as a revenue source. Apparently companies just can’t resist the lure of all that juicy data. And the trend toward data-driven business really only eggs companies on to further invasiveness.
I guess if the cost of a lawsuit settlement isn’t vastly more than they’ll get selling the data, then why not? We-Vibe’s parent company was ordered to pay CDN$4 million. Bose is being sued for around US$5 million. That’s pocket change in the grand scheme of consumer goods.
Also, these examples were only reported on because the companies got caught. Sure, dismal security in apps and Internet of Things devices is common, but we have no idea which other companies are doing things like this and just haven’t yet been caught.
Or which companies have their engineering and infosec acts together and would be much harder to catch.
I presume the next big thing is viewing this data harvesting and sale as a marketing tactic. Sure, you’ll get crunchy granola companies touting their ethics and how they don’t steal and sell your data (and some of them will still get caught doing just that).
Or, even more likely, you’ll see claims of giving users/customers agency in how and where their data is collected and sold. The idea that it wouldn’t be at all will become as obsolete as … devices that can’t be connected to apps.
Involve them in a club, game or competition, and people will pay companies to harvest their data (or will at least ignore End User Licence Agreements that authorize use of their data) in their pell-mell rush to get gaming.
Let’s face it, those of us who are online and connected are frogs who’ve been in the pot for some time now with regard to our privacy and security.
Even the content that many people readily post publicly on social media (and some make a lot of money doing so) would horrify many of our parents and grandparents with its blatant disregard for privacy and propriety.
It’s easy to understand and pay attention to big, public movements in social change (civil rights, gay rights, women’s rights, etc.). But we’re often not very good at paying attention to and understanding more insidious evolutions if they’re harder to understand and take place less publicly. The result? Hacking isn’t even needed.
I can say from extensive professional experience that most people will happily hand over whatever information they think is needed in the name of solving a problem or getting confusing things taken care of for them. Account login credentials? Credit card details? Mother’s maiden name? Sure, here you go.
I would also argue that it’s become normalized enough that trying to reclaim any true sense of privacy and data protection is laughable. That horse is out of the barn. And the door was probably connected to an app.