Friday, 24 November 2017

Data Breach and Cover-Up Further Eroding Uber Image

Ride-hailing pioneer Uber has recently suffered a serious blow to its reputation after officials in London failed to renew the company's operating licence following a discovery that illegal software was being used to circumvent official policy that bars government workers from using the service. In short, Uber has been accused by London of cheating the system. Their reputation will not fare any better on recent news that tens of millions of customers and drivers have been hacked – and the company has known about it for more than a year.

The BBC and other news outlets report that some 57 million Uber customers and drivers are victims of a data breach that occurred back in 2016. Not only did the company know about the breach at the time, but they also failed to report the fact to regulators as is required by law. Making matters worse is the fact that Uber paid the hackers $100,000 (£75,000) to delete the data they stole.

Both law and common sense would dictate that Uber report the breach when first discovered. They probably also should not have paid the ransom without making at least some attempt to fight the hackers. Why they paid and chose not to tell regulators is anyone's guess.

A Series of Missteps

This latest episode with Uber is just another in a long list of mishaps over the last three or four years. Former chief executive Travis Kalanick deserves much of the blame, as his management style and Lone Ranger mentality have upset customers, employees and investors alike.

Kalanick was at the helm when the data breach occurred. The BBC speculates that he may have prevented chief security officer Joe Sullivan or anyone else from reporting it because the company, at that time, was trying to secure a new round of funding. For his part, Sullivan resigned when news of the data breach broke.

Bigger Issues in Play

The BBC's Dave Lee says the biggest part of the problem is not the data breach itself, but the cover-up allegedly orchestrated by Kalanick. He says that most customers and drivers would eventually have forgiven Uber if they had been up front and forthright about what happened. Now that we know they refused to do so, forgiveness and future trust may be harder to come by.

All the Uber-specific implications aside, there are some bigger issues in play here. Most important is how the hackers managed to steal the information. They did it by hacking into GitHub, an online portal where software developers publish and share their work. Once inside, the hackers were able to find Uber's login credentials to Amazon Web Services. This is the cloud computing service Uber uses to host its software – and data.

GitHub and Amazon Web Services are equally culpable here. If either one knew about the hack when it occurred, neither reported it. Moreover, Amazon Web Services accounts for a significant portion of cloud software solutions used across the globe. They have some answering to do as well.

Wednesday, 15 November 2017

Johannesburg Cable Heist: Money or Something Else?

Officials in Johannesburg, South Africa have been left scratching their heads, following a brazen cable heist that resulted in the loss of 2 million rand (£110,000) worth of power cables during a burglary some are calling an inside job. The theft occurred at a brand-new data centre in Braamfontein.

News sources say the data centre is a combination data and recovery centre designed to increase the server space and infrastructure necessary for the city to end its reliance on outside service providers. The city essentially wants to host its own data on city-owned servers powered by city infrastructure.

Those plans took a step back after burglars broke into the data centre by entering through an emergency exit on the ground floor. However, there were no signs of forced entry. Once inside the building, the thieves broke into a room where contractors had been storing their tools. They used some of those tools to cut the cables that they eventually stole.

Apparently, the cables were attached to new generators that contractors were testing. There was no loss of power, indicating that the generators were turned off prior to the theft. There were no reports detailing whether the generators were damaged or not. Investigators are now left to speculate as to the motive behind the theft.

Several Possibilities

The first assumption is that the thieves stole the cables for money. After all, they are worth more than £100,000. But how would the thieves off-load the stolen cables without being discovered? This is a question that investigators are still trying to answer. However, there is another possible motive...

In an official statement released after the burglary was discovered, Mayor Herman Mashaba indicated that the heist was an inside job given how little damage was done. He maintained that whoever stole the cables knew exactly what they were looking for and where to find them. He believes the theft may have had nothing to do with money.

Mayor Mashaba has suggested that perhaps the heist occurred in order to dissuade the city of Johannesburg from continuing to build, or at least to slow down the progress. If the mayor is right, this would indicate an action taken by one of the companies providing data centre services to the city. They do not want the city to succeed because that would mean a loss of contracts for them.

An Impressive Theft

Right now, there is no clear indication as to the motive behind the theft. Whether it was for money or competitive purposes, one thing is certain: the theft was a rather impressive event in terms of what it took to get in, find the tools, cut the cables and run.

The Mayor has made it clear that the theft will not deter his city's efforts to finish the data and operational centre. It is probably a safe bet that the city will beef up security until the centre is up and running, perhaps even beyond that.


Wednesday, 1 November 2017

WhatsApp and Facebook: Non-Compliance with EU?

Are WhatsApp and Facebook guilty of non-compliance with EU law? That is what a special task force wants to know, according to a 26 October (2017) story published by the BBC. That story says that a data protection task force has been established to consider practices related to data sharing between WhatsApp and Facebook.

Facebook purchased the WhatsApp messaging app in 2014 in order to better compete against Microsoft and other rivals. At the time of purchase, company officials pledged to keep the two platforms completely independent from one another. That changed in 2016 when officials at WhatsApp announced plans in August to begin sharing user information with Facebook.

Under EU law, any such information sharing can only be conducted with the explicit consent of users. Then UK Information Commissioner Elizabeth Denham complained that WhatsApp's plan for obtaining user consent was insufficient to comply with the law. Still, WhatsApp and Facebook went ahead with their plans to share friend suggestions and advertising information on the two platforms.

Deficient User Consent

According to the BBC report, the Information Commissioner's new task force has invited officials from both WhatsApp and Facebook to meet with them. There is no word yet about whether they will or not. However, do not rely on the Information Commissioner going easy on Facebook and its subsidiary. People in positions of power are already unhappy and that will not change unless WhatsApp and Facebook change what they are doing.

The BBC report cited a letter from the Working Party to WhatsApp officials. That letter apparently pointed out a number of deficiencies with WhatsApp's current user consent practices, including the following:

  • An unclear pop-up notice that does not fully explain that user information will be shared with Facebook;
  • A misleading implication that WhatsApp's privacy policy has been updated to ‘reflect new features’;
  • Requiring users to uncheck a pre-checked box that otherwise gives consent; and
  • A lack of easier means to allow users to opt out of data sharing.

Greater Scrutiny of Digital Companies

The complaints against WhatsApp and Facebook come at a time when the EU is subjecting digital companies to greater scrutiny over privacy concerns. Whether WhatsApp and Facebook will face any real penalties for their alleged lack of compliance remains to be seen. But the fact that a task force has been established shows that the government believes it has a fairly compelling case.

If the case goes against WhatsApp and Facebook, it could set the stage for other digital companies revamping their privacy policies. That is not necessarily a bad thing. We already know that people are rather careless about protecting their own data online, so it seems to make sense to implement privacy policies that protect users as much as possible, thereby forcing them to make a conscious decision to be less careless.

In the meantime, WhatsApp users should be aware of what the company is doing with their data. They are probably sharing it with Facebook.