Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

I’m shocked – shocked that Facebook sells data (not)

March 27, 2018 By Doug

There’s been a lot of commentary about Facebook selling data to third party companies over the past week or so. The distaste is understandable, but no one should be surprised. Just who do folks think Facebook’s customers are?

There’s a common refrain in the privacy community: if you’re not paying for it, you’re the product, not the customer. Or put it another way – follow the money. This article is posted to my blog, free for all, with no tracking. It’s tweeted about and also posted to LinkedIn, which both definitely track you (I don’t, but they do). If you’re reading it on the latter, you’ve probably now been ‘tagged’ as ‘Facebook, social media, privacy, LinkedIn’ and a bunch more. That information is sold to advertisers and data brokers – and that’s how those companies make their money. Both social media and credit agencies take as much care with your personal information relative to its value to them, not to you.

Social media is a powerful force, which is why I participate on certain platforms (selectively).  It’s why I urge people to be very cautious about how and what they share – those platforms never really forget anything.  Of course political campaigns want access to that information, and if they’re going to sell it to one side, they ethically need to sell it to both.  Rhetorical question: would there have been as much outrage in the media if the data broker had been working with the Hillary campaign instead?

All that aside, no one should be surprised that this happened. That’s how Facebook, Google, Twitter, LinkedIn, and all the rest make their money. It’s also why I use Apple products when practical – while Apple collects some data, their business model doesn’t involve exploiting their customers’ data. I’m glad that the market gives me a choice – at least on the platform side. Right now though, there’s no option on the social media side. I’d like to see those platforms create a ‘paid private’ option, that allows access, but completely opts the user out from all tracking (even allegedly anonymized), but again, that’s their choice as a business.

I believe that information about a person belongs to that person, and that companies should only be custodians – not owners – of that information.  If that were placed into law, it would then require affirmative opt-in consent before each and every time it was transferred or sold.  Of course, that won’t really happen because it’d break the business model of most of the Internet.  So what can we do?  Something along the lines of GDPR coupled with a ‘plain English’ statement of how and where information is used and sold would go a long way, but even that will be hard.  Maybe eventually our congresscritters will pay attention to the individual instead of the lobbyist. Until then, all we can really do is control what information we share, choose the platforms we participate in, and make sure you read the terms and conditions.

And don’t be surprised.

Filed Under: Security Tagged With: data broker, facebook, privacy, security

Dreaming of a white March

March 9, 2018 By Doug

Folks think of Colorado as the snow capital of the world, yet we can golf as likely as ski on Christmas day.  This is a shot of what I’m dreaming about – a nice dumping of fresh snow from a trip to Breckenridge a number of years ago.  A few feet would be nice right about now.

Filed Under: Photography Tagged With: security

Chicken little has left the building – selling security without fear

March 7, 2018 By Doug

(c) Dreamstime

Fear, Uncertainty and Doubt. I still see security professionals – especially vendors – trying to use that tired old technique. Even with lay audiences it’s lost effectiveness, and it has absolutely no place in the CISO’s office, inbox, or voice mail. Fear-based selling is a cop-out, and a sure way to not get a second meeting with a CISO. So what do we talk about instead?

My day job is leading the pre-sales security architect program for one of the largest security vendors*.    We begin not by talking, but by listening.  We listen to their strategy and goals for the security program, and how they are leveraging it to support and align with the business strategy.  We interact and talk about pragmatic challenges facing security programs – drowning in data, difficulty in converting data to actionable information, staffing challenges, budget limitations, regulatory compliance with unclear requirements and irrational implementation deadlines and so on, yet always in the context of their goals.  We share information from peers (without attribution), and across industries about best practices, emerging trends and challenges.  We’re all in the war together, and sometimes the immediate value we bring as a vendor is brainstorming about a particular challenge, or validating that the customer is on a common track with their peers.

That almost invariably leads to great conversations about strategy and vision. Yet, we are chartered to sell, which CISOs well know. So while engaging in that value-focused conversation, as a vendor we need to honestly ask ourselves how we can help. In my team’s case, given the breadth of solutions we represent, we almost always can help with some part of the strategy, though it may be different than our original impression. That’s where the art of the architect comes in – we dynamically build a candidate architecture based on their strategy and our solutions, and work together to create a shared vision for the future.

As an aside, even when I speak on secure thinking to non-security professionals, FUD doesn’t get very far – we’re becoming numb to the breach reports – 50 million, 100 million, 175 million are all just statistics.  Instead, I tell real stories about breaches and victims – not about the retailer who lost 25 million credit cards, but about my wife getting a call from our credit card company wondering if she’d ordered Internet Viagra.  Not about ransomware shutting down a worldwide shipping company, but about my friend losing thousands of dollars in their small business, and another one who lost all their family photos.  It works well with those audiences, and captures their attention for the rest of my talk.  But there’s no way I’d use those with a CISO – they live them every day.

 

*just a reminder, these thoughts and opinions are my own.

Filed Under: Security Tagged With: security
