Are your devices listening to you? No, Yes, Maybe…

Picture this…you’ve secretly been wanting a new pink, polka dot dress (don’t judge me). You’ve told no one. In a moment of out-loud self-reflection you confess your heart’s desire within earshot of your phone or smart speaker. Fast forward to the evening scroll through social media and BOOM: an ad for the aforementioned pink polka dot dress. What? I knew it. My phone is listening to everything…[insert your brand of panic-stricken behavior here].

In actuality, that is most likely not what happened. I’m not guaranteeing it given all the crazy things that have come to pass in recent history. However, I do want to offer some tangible and, in my opinion, more palatable explanations for what occurs in a world of big data, IoT (Internet of Things), and smart toasters (an actual thing).

Disclaimer: This article is not meant to be a hard-hitting investigative journalism piece. Violations of privacy in the tech and business world do exist. My intention here is to take an informal look at how our data can be used and offer some advice on how to reasonably protect yourself while still living in the 21st century.

Hang in till the end of the article for a nice distraction which harnesses the power of text to speech and speech recognition for something fun and silly.

Internet traffic. What have you googled?

Did you search for the item or something similar in your favorite search engine? Perhaps you have viewed the item on a few retailer websites to compare prices? In many cases your internet traffic is being harvested for data by retailers and online advertisers. This happens in a variety of ways.

  • Your ISP (Internet Service Provider) has direct access to your browsing history and in some cases they are allowed to sell that with a certain level of anonymity.
  • Most shopping and social media sites utilize cookies and session data which can be leveraged by partner sites to enable targeted advertising.
  • Companies share data behind the scenes and take action on it when they recognize key identifiers such as mailing address, email address, user names, and even IP addresses.

Siri / Smart Speakers. What have you told Siri?

Have you asked Siri or your smart speaker about the item? The smart speaker is technically listening all the time; how else can it know when you say “Hey Siri” or “Alexa”? The companies offering these services say they do not record anything prior to hearing the keywords. However, once you say the magic words, that conversation is being sent over the wire and stored in a variety of formats. Is there someone in a dark room listening in cold-war style…eh…depends on who you ask, but it is likely anything that could be mined from trends in your searches or behavior is a candidate for sharing / selling. Read those EULAs (End User License Agreements).

Shopping. What have you bought?

Have you bought a similar item or an accessory that typically goes with the item? This could be in person or online. Do you ever wonder why every store has some discount club that requires a phone number or address? Again, it’s all about data mining. Companies can sell this data to advertisers and other companies, and even use the information to improve inventory models and project future traffic in stores.

I’m Freaking Out. What can I do?

Take a deep breath and try to stay calm. Here are some things you can do, and also some reasons you may not actually need to.

  1. Use private or incognito modes in your browsers. However, keep in mind this doesn’t help for sites which you are logged into or for those sites that may be sharing purchase history behind the scenes. The same goes for more extreme measures like VPN and proxy servers.
  2. If you are having a confidential or sensitive conversation, mute or turn off your smart speaker and phone. The extreme measure here would be to build a Faraday Cage.
  3. Consider using cash instead of plastic and opt to not use the discount card for purchases you want to keep private. Alternatively ask the clerk to use the “store” card and keep the discount.
  4. Be aware of the data you are willingly sharing with companies you do business with. Why is this awesome app that makes me look like a unicorn totally free? Did you have to give them your email and other info to sign up? Did you quickly scroll through a user agreement and click okay at the end? What did it say?
  5. Save yourself some time and realize that you love big brother…kidding, but if you don’t get that, read 1984 and Brave New World while you’re at it.
  6. Seriously, be open to the possibility that some of these things are actually beneficial and make your overall shopping experience better. Just be aware, it’s not serendipity or divine intervention encouraging that purchase. It’s BIG DATA.

I’m Still Freaking Out. Distract me!

A while back I wrote a website for my son that encouraged him to have conversations. I took some of his favorite characters and gave them a few short dialogs. It was pretty limited, but it did keep him occupied for a bit. I’ve posted a link here if anyone wants to give it a try. It leverages the SpeechSynthesis and SpeechRecognition features of JavaScript. The recognition features will likely only work on a PC in Chrome, but the text to speech is supported on most devices / browsers.

https://www.robwalters.net/js-speaks/

Shout out to GoNoodle which was his obsession at the time (sshhhh…I used their character images without permission). The code is a bit messy (I haven’t had the time or motivation to clean it up), but you can find it here if interested.

Here’s a video of Mason giving the website a spin.

I prefer my hash with salt…

Earlier this year, I spent a few hours exploring the world of HTTPS and SSL/TLS. The following Monday when some of my friends and family members asked me, “what have you been up to lately?” I began to bore them with wonderful tales of public/private encryption keys, hashing (preferably salted), and apache redirect configurations. Once I realized I had somewhat missed the mark of the appropriate level of conversation on a Monday morning, I quickly pivoted to sports and the weather. All that to say…I realize that cyber security isn’t always the most interesting topic (although I personally find it to be intriguing). However, I think it’s valuable to capture some general thoughts and ideas about the need for secure web sites and security aware users. This article is meant to be a light-hearted, high-level explanation of some simple concepts that all internet users should be informed about.

Is Your Connection Secure?

It’s an interesting question. Especially now that the Google Chrome web browser has labelled all web sites as one of the following three categories:

  • Secure (valid / verified HTTPS)
  • Info or Not Secure (HTTP)
  • Not Secure or Dangerous (invalid HTTPS, stay clear of these)

In the past Chrome (other browsers such as Safari still do) distinguished between different types of secure sites and presented some as a “green” lock. This is being phased out as a part of an industry-wide effort to make secure sites the norm by calling attention to any site that isn’t explicitly considered secure.

Why is it important for my connection to be secure?

The reality is that it’s becoming more and more difficult for you to keep your financial and confidential interactions entirely offline. Even if you somehow have managed to largely stay off the web, something as seemingly innocuous as searching for a car on Craigslist or checking your email over an insecure connection could have unforeseen consequences.

Let’s dive a little deeper by defining a few basic acronyms and technical terms.

Encryption

Encryption is the process of encoding a message so that only the sender and the recipient can understand the content. Encryption requires an encryption scheme (algorithm) and a key (legend). A very simple example of this is a substitution cipher, which many of you have most likely encountered on the back of a cereal box or perhaps on a school worksheet. The “cipher text” (encoded text) is presented on the back of the cereal box and appears to be a jumble of nonsensical letters, numbers, or symbols.

A simple example of encryption in action.

Somewhere on the box (or maybe a nifty ring) is a key (legend) that tells you what each of the characters stands for.

The secret decoder ring is the “key”

Once you apply the key to the cipher text you end up with a readable message called the “plain text”. This is a very simplistic example of encryption and is obviously not very secure. Computers use advanced mathematical equations and large prime numbers to perform encryption that is very difficult to crack.
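Here is the cereal-box cipher in a few lines of Python, added as an illustration (it is not code from the original post). The legend is a constructed one, and the last function shows why the scheme is weak: the pattern of letter frequencies in the plain text survives untouched in the cipher text.

```python
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# A constructed "secret decoder ring": plain letter -> cipher letter.
CEREAL_LEGEND = dict(zip(ALPHABET, "QWERTYUIOPASDFGHJKLZXCVBNM"))


def make_legend():
    """Build a fresh random legend (a permutation of the alphabet).

    The secrets module gives a cryptographically secure shuffle, but a
    strong random key cannot rescue a weak scheme (see letter_frequencies).
    """
    letters = list(ALPHABET)
    for i in range(len(letters) - 1, 0, -1):  # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        letters[i], letters[j] = letters[j], letters[i]
    return dict(zip(ALPHABET, letters))


def encrypt(plain_text, legend):
    """Replace each letter via the legend; spaces and punctuation pass through."""
    return "".join(legend.get(c, c) for c in plain_text.upper())


def decrypt(cipher_text, legend):
    """Apply the legend in reverse to recover the plain text."""
    inverse = {cipher: plain for plain, cipher in legend.items()}
    return "".join(inverse.get(c, c) for c in cipher_text.upper())


def letter_frequencies(text):
    """Sorted letter counts, ignoring which letters they belong to.

    Substitution never changes this profile, so the cipher text still leaks
    the statistical shape of the message. That is what makes the scheme
    easy to break and why real systems use far stronger ones.
    """
    counts = Counter(c for c in text.upper() if c in ALPHABET)
    return sorted(counts.values(), reverse=True)


if __name__ == "__main__":
    secret = encrypt("SEND MORE CEREAL", CEREAL_LEGEND)
    print(secret)                          # LTFR DGKT ETKTQS
    print(decrypt(secret, CEREAL_LEGEND))  # SEND MORE CEREAL
```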

HTTP / HyperText Transfer Protocol

This is the language of web browsers and web servers. In short, it’s the foundation of why you can tag your friends on Facebook and check your bank balance in seconds. However, HTTP was popularized back in the 90s when the internet was more of a novelty than the critical infrastructure it has become today. HTTP has enabled some very cool and inventive things, but it falls short when it comes to security.

By default HTTP sends all messages in the clear (not encrypted, which we covered above). This means a clever hacker can listen to your message and read information as it travels from your computer to the server.

HTTP is also a bit naive because it trusts that any message it receives is from whom it claims to be without demanding any proof. This is another dangerous vulnerability that hackers can exploit by pretending to be a site that they are not. Under the right circumstances a malicious actor could trick your browser into thinking { www.my-bank-site.com } should actually go to { www.give-me-all-your-money.com }. If they made a very convincing site you may be caught off guard and enter your credentials into the “fake” site. Once the hacker has your credentials he may log in to your actual account and steal your actual money.

This may be the point where you say “I don’t bank online, so what do I care if they steal my password for netflix.com”? The potential danger arises if you use the same password for several accounts / sites, as many people do. Once the attacker has a set of credentials they will attempt to log in to a huge list of predefined sites with an automated tool. If they are successful on a more lucrative target which shares that same password you may still have a problem.

Note: Now that every place you go wants you to login, it is very hard not to reuse passwords.  I personally use a password vault called LastPass which I highly recommend.

SSL / TLS – Secure Socket Layer / Transport Layer Security

(TLS is essentially just the new and improved version of SSL)

This is the magic fairy dust that can make an HTTP connection secure. It’s all about, you guessed it…encryption. There is certainly more complexity involved, so if you are curious click the Wikipedia link in the section header to learn about symmetric vs. asymmetric cryptography, public vs. private keys, and digital certificates.

HTTPS – Hypertext Transfer Protocol Secure or HTTP over SSL/TLS

HTTPS provides the internet you know and love with the added benefits of privacy and integrity. It’s still possible for someone to “listen” in on your conversation; however since the data is encrypted only the true recipient can decrypt the message with the key.

It’s also still possible for a hacker to impersonate a popular site. However, all modern web browsers validate HTTPS sites using their digital certificate. If you run across a message like this, stay clear, something fishy is going on.
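To make the “proof” part concrete, here is a simplified version of the name check a browser performs against a site’s certificate, written in Python as an added example (not browser or library code, and not part of the original post). The two certificates are constructed in the dict layout Python’s ssl module returns from getpeercert(); a real client also verifies the signature chain, validity period and revocation before trusting the name.

```python
# Constructed certificates (not real ones), in the layout of ssl.SSLSocket.getpeercert().
BANK_CERT = {  # what the genuine my-bank-site.com would present
    "subject": ((("commonName", "my-bank-site.com"),),),
    "subjectAltName": (("DNS", "my-bank-site.com"), ("DNS", "*.my-bank-site.com")),
}
IMPOSTOR_CERT = {  # the only certificate the impostor can legitimately obtain
    "subject": ((("commonName", "www.give-me-all-your-money.com"),),),
    "subjectAltName": (("DNS", "www.give-me-all-your-money.com"),),
}


def _dns_name_matches(host, pattern):
    """Exact match, or one wildcard standing in for the left-most label only."""
    if "*" not in pattern:
        return host == pattern
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest or "." not in rest:
        return False  # refuse shapes like "*.com" or "w*.bank.com"
    _, sep, host_rest = host.partition(".")
    return bool(sep) and host_rest == rest


def hostname_matches(hostname, cert):
    """True if the certificate names the host the browser is trying to reach.

    DNS entries in subjectAltName are authoritative; commonName is consulted
    only when the certificate carries no subjectAltName at all (legacy case).
    """
    host = hostname.rstrip(".").lower()
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(host, name.lower()) for name in names)


if __name__ == "__main__":
    # The genuine site passes; the impostor's certificate fails the check no
    # matter how convincing the page behind it looks, so the browser warns you.
    print(hostname_matches("www.my-bank-site.com", BANK_CERT))      # True
    print(hostname_matches("www.my-bank-site.com", IMPOSTOR_CERT))  # False
```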

All that to say…enjoy these two newly secured websites.