Wednesday, March 08, 2017

Fake Facebook Friends and the CIA

Last night I received a Facebook friend request from an old friend and accepted it.  Within a minute or two, a FB Messenger chat started up about the UN and the Sustainable Development Goals.  So, I of course kept the conversation going.  Until it quickly became a classic advance fee scam conversation (originally made famous by folks in Nigeria with faxes). 

I quickly checked, and found that (of course) I already was Facebook friends with my old friend.  Someone had borrowed her picture and name and was starting to ply the scam trade.  Facebook has a handy way of reporting this exact problem and the fake account was suspended within minutes.  But, it was a reminder of how somebody who has been working with people at the forefront of the security field can be taken in, if only for five minutes. 

So, my advice: if an old friend reaches out to you on Facebook, someone who really should already be a Facebook friend, it's probably not your friend.  With the exception of a few folks who decline to participate on Facebook on principle (and are unlikely to join now), people in my network probably are not newcomers to Facebook.  And these new accounts are pretty obviously new: if you think about it.  If you want to check, go out of network and email them.  My friend appreciated me jumping on her impersonator.

Which brings me briefly to the WikiLeaks CIA disclosure, which doesn't surprise me in terms of capabilities that the CIA has. It did surprise me that it got disclosed!

Bottom-line:
  • If a sophisticated state actor really wants your data, they have a lot of ways to get it, and probably will
  • The whole point of crypto and security is to raise the cost of breaking into your data. Use crypto.  Use Signal.  Use WhatsApp.  Encrypt your hard drive. Use HTTPS. And so on.
The raising cost argument may be counter-intuitive, but it's intensely practical, and familiar.  The old lock analogy goes a long way.  I don't put my family's valuables on a table out in front of my house with a sign saying: take me.  I don't leave my front door wide open when nobody is home.  I do have a deadbolt and a security system, because I want to discourage theft.  Those measures do not ensure I will not get robbed, but they raise the cost of robbery, either by slowing the robbers down or increasing the chances they will be caught by the police. But, a perfect home security system does not exist, and if it were claimed, I wouldn't believe it. 

I can stretch this analogy a lot further, but here's my advice to the nonprofit sector specifically.  When we collect data on vulnerable people about what makes them vulnerable, we owe it to them to treat their data with the respect we'd like our most sensitive data treated.  We need to implement security so that getting that data is not free and cheap to grab: we need to protect it with locks (data security) that raise the cost.  And, we increasingly have to realize that parking that data openly with corporations that are susceptible to government pressure is not honoring our commitment to the communities we serve.  I'm ok with Amazon hosting sensitive data for us because I know that we encrypt that data so that Amazon can't be pressured into giving up anything more than encrypted (scrambled) lumps of data.

The fact that a government still may be able to get that data with enough expenditure of money in terms of people, technology and legal effort (warrants) is simply a fact of modern life.  We just need to make it hard enough that they don't bother almost all of the time.  That's what we owe to the people we serve.