tag:theconversation.com,2011:/columns/benjamin-dean-134708Dreams of Cybersyn – The Conversation2016-01-25T10:48:46Ztag:theconversation.com,2011:article/524122016-01-25T10:48:46Z2016-01-25T10:48:46ZThe heavy price we pay for ‘free’ Wi-Fi<p>For many years, New York City has been developing a “free” public Wi-Fi project. Called LinkNYC, it is an ambitious effort to bring wireless Internet access to all of the city’s residents. </p>
<p>This is the latest in a longstanding trend in which companies offer ostensibly free Internet-related products and services, such as social network access on Facebook, search and email from Google or the free Wi-Fi now commonly provided in cafes, shopping malls and airports.</p>
<p>These free services, however, come at a cost. Use is free on the condition that the companies providing the service can collect, store and analyze users’ valuable personal, locational and behavioral data. </p>
<p>This practice carries with it poorly appreciated privacy risks and an opaque exchange of valuable data for very little. </p>
<p>Is free public Wi-Fi, or any of these other services, really worth it? </p>
<h2>Origins of LinkNYC</h2>
<p>New York City began <a href="https://web.archive.org/web/20141005103333/http://www.nyc.gov/html/doitt/downloads/pdf/payphone_rfi.pdf">exploring</a> a free public Wi-Fi network back in 2012 to replace its aging public phone system and <a href="https://web.archive.org/web/20140513114014/http://www.nyc.gov/html/doitt/downloads/pdf/Public-Comm-Structures-RFP-Fact-Sheet-04-30-14.pdf">called for proposals</a> two years later. </p>
<p><a href="https://web.archive.org/web/20150914192452/http://www.link.nyc/assets/downloads/LinkNYC-Media-Kit.pdf">The winning bid</a> came from CityBridge, a partnership of four companies including advertising firm Titan and designer Control Group. </p>
<p>Their proposal involved building a network of 10,000 kiosks (dubbed “links”) throughout the city that would be outfitted with high-speed Wi-Fi routers to provide Internet, free phone calls within the U.S., a cellphone charging station and a touchscreen map. </p>
<p>Recently, Google <a href="http://www.prnewswire.com/news-releases/dan-doctoroff-and-google-announce-sidewalk-labs-300097255.html">created</a> a company called Sidewalk Labs, which snapped up Titan and Control Group and <a href="https://www.theverge.com/2015/6/23/8834863/google-sidewalk-labs-linknyc-free-wifi">merged</a> them. </p>
<p>Google, a company whose business model is all about collecting our data, thus became a key player in the entity that will provide NYC with free Wi-Fi. </p>
<h1>How free is ‘free’?</h1>
<p>Like many free Internet products and services, the LinkNYC will be supported by advertising revenue. </p>
<p>LinkNYC is expected to generate about US$500 million in advertising revenue for New York City over the next 12 years from the <a href="http://www1.nyc.gov/site/doitt/initiatives/linknyc.page">display of digital ads</a> on the kiosks’ sides and <a href="http://www.link.nyc/assets/downloads/LinkNYC-Fact-Sheet.pdf">via people’s cellphones</a>. The model works by providing free access in exchange for users’ personal and behavioral data, which are then used to target ads to them. </p>
<p>Yet <a href="http://www.link.nyc/assets/downloads/Privacy-Policy.pdf">LinkNYC’s privacy policy</a> doesn’t actually use the word “advertising,” preferring instead to vaguely state it “may use your information, including Personally Identifiable Information,” to provide information about goods or services of interest.</p>
<p>It also isn’t clear the extent to which the network could be used to track people’s location.</p>
<p>Titan previously made headlines in 2014 after <a href="http://arstechnica.com/tech-policy/2014/10/new-york-city-orders-bluetooth-beacons-in-pay-phones-to-come-down/">installing</a> Bluetooth beacons in over 100 pay phone booths, for the purpose of testing the technology, without the city’s permission. Titan was subsequently ordered to remove them.</p>
<p>But the beacons <a href="http://www.link.nyc/assets/downloads/LinkNYC-Fact-Sheet.pdf">are back</a> as part of the LinkNYC contract, though users have to choose to opt in to the location services. The beacons allow targeted ads to be delivered to cellphones as people pass the hotspots, but their use isn’t spelled out in the privacy policy.</p>
<p>After close examination, it becomes evident that far from being free, use of LinkNYC comes with the price of mandatory collection of potentially sensitive personal, locational and behavioral data.</p>
<p>This is all standard practice in the terms of use and privacy policies for free Internet-based products and services. Can we really consider this to be a fully informed agreement and transparent exchange when the actual uses of the data, and the privacy and security implications of these uses, are not clear?</p>
<h2>A privacy paradox</h2>
<p>People’s widespread use of products and services with these data collection and privacy infringing practices is curiously at odds with what they say they are willing to tolerate in studies.</p>
<p>Surveys consistently show that people value their privacy. <a href="http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/">In a recent Pew survey</a>, 93 percent of adults said that being in control of who can get information about them is important, and 90 percent said the same about what information is collected. </p>
<p>In experiments, people quote high prices for which they would be willing to sell their data. For instance, <a href="http://infosecon.net/workshop/pdf/location-privacy.pdf">in a 2005 study</a> in the U.K., respondents said they would sell one month’s access to their location (via a cellphone) for an average of £27.40 (about US$50 based on the exchange rate at the time or $60 in <a href="https://www.measuringworth.com/uscompare/relativevalue.php">inflation-adjusted</a> terms). The figure went up even higher when subjects were told third party companies would be interested in using the data.</p>
<p>In practice, though, people trade away their personal and behavioral data for very little. This privacy paradox is on full display in the free Wi-Fi example. </p>
<p>Breaking down the economics of LinkNYC’s business model, recall that an estimated $500 million in total ad revenue will be collected over 12 years. With 10,000 Links, and approximately eight million people in New York City, the monthly revenue per person per link is $0.000043. </p>
<p>Fractions of a cent. This is the indirect valuation that users accept from advertisers in exchange for their personal, locational and behavioral data when using the LinkNYC service. Compare that with the value U.K respondents put on their locational data alone. </p>
<p>How to explain this paradoxical situation? In valuing their data in experiments, people are usually given the full context of what information will be collected and how it will be used. </p>
<p>In real life, though, a lot of people <a href="http://www.theguardian.com/money/2011/may/11/terms-conditions-small-print-big-problems">don’t read</a> the terms of use or privacy policy. Those that do are not always able to understand what these documents are saying owing partly to the legalese used and partly to the intentionally vague wording of some passages. </p>
<p>People thus end up exchanging their data and their privacy far less than they might in a transparent and open market transaction.</p>
<p>The business model of some of the most successful tech companies is built on this opaque exchange between data owner and service provider. The same opaque exchange occurs on social networks like <a href="http://www.newyorker.com/business/currency/facebook-should-pay-all-of-us">Facebook</a>, online search and online journalism.</p>
<h2>Part of a broader trend</h2>
<p>It’s ironic that, in this supposed age of abundant information, people are so poorly informed about how their valuable digital assets are being used before they unwittingly sign their rights away. </p>
<p>To grasp the consequences of this, think about how much personal data you hand over every time you use one of these “free” services. Consider how upset people have been in recent years due to large-scale data breaches: for instance, the more than 22 million who lost their background check records in the Office of Personnel Management hack. </p>
<p>Now imagine the size a file of <em>all</em> your personal data in 2020 (including financial data, like <a href="https://www.propublica.org/article/everything-we-know-about-what-data-brokers-know-about-you">purchasing history</a>, or <a href="http://www.scientificamerican.com/article/how-data-brokers-make-money-off-your-medical-records/">health data</a>) after years of data tracking. How would you feel if it were sold to an unknown foreign corporation? How about if your insurance company got ahold of it and raised your rates? Or if an organized crime outfit stole all of it? This is the path that we are on.</p>
<p>Some have already made this realization, and a countervailing trend is already under way, one that gives technology users more control over their data and privacy. Mozilla <a href="https://blog.mozilla.org/blog/2015/11/03/firefox-now-offers-a-more-private-browsing-experience/">recently updated</a> its Firefox browser to allow users to block ads and trackers. Apple too has avoided an advertising business model, and the personal data harvesting that it necessitates, instead opting to make its money from hardware, app and digital music or video sales. </p>
<p>Developing a way for people to correctly value their data, privacy and information security would be a major additional step forward in developing financially viable, private and secure alternatives.</p>
<p>With it might come the possibility of an information age where people can maintain their privacy and retain ownership and control over their digital assets, should they choose to.</p><img src="https://counter.theconversation.com/content/52412/count.gif" alt="The Conversation" width="1" height="1" />
New York City is developing a ‘free’ public Wi-Fi network to be deployed throughout the city, but the poorly appreciated price is our privacy.Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs, Columbia UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/456372015-08-05T03:56:21Z2015-08-05T03:56:21Z‘Zero-day’ stockpiling puts us all at risk<figure><img src="https://images.theconversation.com/files/90849/original/image-20150805-22471-1ld6d8w.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Once a software maker learns about a "zero-day" vulnerability, there's usually no time left to fix it.
</span> <span class="attribution"><span class="source">Midnight via www.shutterstock.com</span></span></figcaption></figure><p>“Zero-days” are serious vulnerabilities in software that are unknown to the software maker or user. They are so named because developers find out about the security vulnerability the day that it is exploited, therefore giving them <a href="http://www.eset.co.uk/Press-Centre/Blog/Article/flash-zero-day">“zero days” to fix it</a>. </p>
<p>These vulnerabilities can be found in some of the most widely used software and platforms on the commercial market: Adobe Flash, Internet Explorer, social networks (Facebook and LinkedIn, to name two) and countless others. </p>
<p>The <a href="http://www.bloomberg.com/news/2014-05-02/us-contractors-scale-up-search-for-heartbleed-like-flaws.html">recent dump of emails from Hacking Team</a> sheds new light on the extent of government involvement in the international market for zero-days. Rather than disclosing these vulnerabilities to software makers, so that they can be fixed, government agencies buy and then stockpile zero-days. </p>
<p>This practice and the policy that permits it expose billions of internet and software users to serious and unnecessary cybersecurity risks. A number of solutions to this problem are available, but first let’s take a look at the zero-day market.</p>
<h2>The growing market for zero-days</h2>
<p>Knowledge of the existence of zero-days is valuable to criminals and intelligence agencies alike. They pay lots of money to learn about these vulnerabilities and then develop exploits (or simply purchase the exploits) to circumvent the information security of their targets. </p>
<p>Among other techniques, the hackers that breached <a href="http://recode.net/2015/01/20/heres-what-helped-sonys-hackers-break-in-zero-day-vulnerability/">Sony Pictures Entertainment</a> and the <a href="https://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html">Office of Personnel Management (OPM)</a> exploited zero-day vulnerabilities to pull off these high-scale hacks.</p>
<p><a href="https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/">This has become serious business</a>. The international market for the buying and selling of zero-day vulnerabilities comprises <a href="http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf">three overlapping markets</a>: “black,” “gray” and “white.”</p>
<p>Sellers in the black market include freelance hackers and organizations. Buyers include <a href="http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf">criminals and criminal organizations</a>. Given the underground nature of the market, there’s no telling how many vulnerabilities are bought and sold on the black market. Roy Lindelauf, a researcher at the Netherlands Defence Academy, believes that <a href="http://www.economist.com/news/business/21574478-market-software-helps-hackers-penetrate-computer-systems-digital-arms-trade/">more than half of exploits sold are now bought from bona fide firms rather than from freelance hackers</a>, suggesting that the black market is not the biggest of the three interlinked markets.</p>
<p>The second market is “gray” in the sense that it is legal though unofficial and unregulated. <a href="http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html?_r=0">Nation-states historically have had a monopoly over buying in the gray market</a>. They include Brazil, India, Israel, Malaysia, North Korea, Russia, Singapore, the United Kingdom, the United States and many more. Defense contractors such as <a href="http://www.techweekeurope.co.uk/news/zero-day-exploit-vulnerabilties-cyber-war-91964">Northrupp Grumann</a> and <a href="Raytheon">Raytheon</a> are also thought to be buyers and/or sellers.</p>
<p>Firm estimates of the size of the gray market are difficult to make. The National Security Agency (NSA) in the United States is considered to be “<a href="https://wikileaks.org/hackingteam/emails/emailid/169933">the best, surest zero-day acquirer … in truth, a really insatiable one</a>,” according to a Hacking Team email indexed by WikiLeaks. It spent <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-by-buying-millions-of-dollars-worth-of-computer-vulnerabilities/">US$25 million in 2013</a> to procure “software vulnerabilities” from private malware vendors. <a href="http://www.researchgate.net/publication/259150675_The_Known_Unknowns_In_Cyber_Security">One source</a> suggests that the average price for a zero-day ranges from $40,000 to $160,000. </p>
<p>Buyers in the also legal “white” market include software makers such as <a href="http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html?_r=0">Facebook, Google, Microsoft</a> and <a href="https://threatpost.com/linkedin-goes-public-with-its-private-bug-bounty/113362">LinkedIn</a>. Software makers offer a sum of money, sometimes called “bug bounties,” to anyone who finds and discloses the existence of a vulnerability to them. </p>
<p>There are also platforms that connect dozens of software makers with security researchers and experts. They promise a commission to those who disclose vulnerabilities to software makers through the platform. iDefense and TippingPoint were two early companies in this space. New companies have joined the scene, such as HackerOne, which <a href="http://venturebeat.com/2015/06/24/hackerone-raises-25m-to-make-the-internet-safer-via-bug-bounty-programs/">recently raised $25 million in venture capital</a>. </p>
<p>Bug bounties are a novel solution to the problem of zero-days: pay people not to hack a system. Instead, pay those people to use their skills to find and disclose vulnerabilities so that software makers can fix them, thereby improving overall cybersecurity.</p>
<p>The amounts paid through bug bounty programs can be significant. In all markets, <a href="http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf">prices tend to be determined by the type of bug and the potential for hacking use</a>. However, the prices on the <a href="http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5633685&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5633685">white market are not typically as high as prices on the black market</a>, nor do the prices come close to the losses incurred by the victims of zero-day exploits. </p>
<h2>Risks of government stockpiling</h2>
<p>While many government agencies are buyers in the global gray market for zero-days, almost no countries have an explicit policy stance toward what they do with the bugs that they buy. </p>
<p>In the US, some details of the official policy toward disclosure of zero-days have been made public. Former NSA Director General Keith Alexander has stated that the agency uses zero-days “<a href="http://www.wired.com/2014/05/alexander-defends-use-of-zero-days/">for defense, rather than … for offensive purposes</a>.” President Barack Obama’s <a href="http://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html">view</a>, according to his advisers, is that “when the National Security Agency discovers major flaws in internet security” it “should – in most circumstances – reveal them … rather than keep them mum so that the flaws can be used.” A broad exception, however, is made for a clear national security or law enforcement need.</p>
<p>The use of the phrase “<em>national security</em>” is curious considering that a policy of withholding any zero-days at all effectively puts the security of all users of the software in question – which in today’s world includes companies, government agencies and individuals – at additional risk of being hacked. </p>
<p>To its credit, the US has gone further than all other governments in explaining its policy toward zero-day disclosure. Australia, China, Russia and the United Kingdom have not made their stance on zero-days public at all. </p>
<p>The consequences of this practice – and the often-murky policies that permit it – are severe. When knowledge of a zero-day is bought and then stockpiled by a government agency, there’s no guarantee that another malevolent person or organization might not discover (or purchase) and exploit that same vulnerability. </p>
<p>By withholding knowledge of zero-days, government agencies keep all software users in a state of suspended risk. The scope of this risk is global, as the software and platforms in question are used by billions of people.</p>
<h2>What alternatives are there?</h2>
<p>Instead of a policy of stockpiling zero-days, and the risks that this policy entails, what alternative policies might exist? </p>
<p>Mandatory disclosure, or <a href="https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf">greater oversight</a>, over the discovery or purchase of zero-days are obvious domestic alternatives to the status quo. At an international level, “voluntary collective action to harmonize export controls on zero-days through the <a href="http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf">Wassenaar Arrangement</a>” is seen as another possible direction, particularly given that it is currently under review. This agreement was designed to control the export and import of weapons and technologies that have potential military applications.</p>
<p>Computer security analyst and risk management specialist <a href="http://geer.tinho.net/geer.suitsandspooks.19vi15.txt">Dan Geer</a> has proposed that the US government outbid (by 10 times) every other buyer in the international market for zero-days so long as bugs are “<a href="http://studentbounty.com/essays/cybersecurity-as-realpolitik-dan-geer/6/">sparse not dense</a>” (that is, the software in question has few, not many, bugs). </p>
<p>If the NSA spends $25 million a year on zero-days, under Geer’s plan this would increase to at least $250 million. The NSA budget is at least $10 billion annually, with <a href="https://www.washingtonpost.com/blogs/the-switch/wp/2013/08/29/the-nsa-has-its-own-team-of-elite-hackers/">$1.2 billion spent in 2013</a> on offensive cyber-capabilities (in other words, state-sponsored hacking). </p>
<p>Given the size of these budgets, Geer’s proposal is financially possible, though it would require a serious change of official policy, starting with mandating the immediate disclosure of all bugs to software makers so that they can be patched. </p>
<h2>Going for the root</h2>
<p>If governments were really serious about addressing the problem of zero-day vulnerabilities, they might consider going to the root of the problem: placing liability on software makers for buggy code. </p>
<p>The common practice for software makers, since the 1980s, is known as
“<a href="http://www.washingtonpost.com/sf/business/2015/06/22/net-of-insecurity-part-3/?hpid=z1">patch and pray</a>.” In short, software makers rush a product out the door, opting to release patches for vulnerabilities later, instead of investing time and resources for additional testing and patching of bugs (including zero-days) before release. </p>
<p>The economic logic is simple. Shipping equals sales and revenue. Delaying release to test and correct bugs adds to costs. Given that the losses from faulty software fall on the user, not the software maker, <a href="https://medium.com/message/why-the-great-glitch-of-july-8th-should-scare-you-b791002fff03">there’s little incentive for the software maker to fix the bugs before shipping</a>. It’s easier to “<a href="http://mashable.com/2014/03/13/facebook-move-fast-break-things/">move fast and break things</a>” when you don’t have to pay for the things that end up broken. </p>
<p>To make matters worse, users do not always promptly update their software, which is really the only defense they have. Vulnerabilities can thus persist for years after they have been discovered and patches made available. </p>
<p>Placing liability on the software maker for the losses due to their buggy software would completely alter these incentives. A number of approaches could be investigated in an attempt to find one that balances the need to minimize bugs, and protect users, while not smothering innovation. </p>
<p>Placing any kind of liability on software makers for their faulty products would take a great deal of political will, <a href="http://homeland.house.gov/hearing/subcommittee-hearing-promoting-and-incentivizing-cybersecurity-best-practices">particularly in a climate where current proposals are pushing for the opposite</a>. However, if done correctly, it would create a strong incentive for software makers to adopt more rigorous measures to reduce the number of bugs in their software. This would give a meaningful boost to the cybersecurity of billions of software users.</p>
<h2>Paradox of cybersecurity policy continues</h2>
<p>Government officials claim to be doing everything possible to enhance cybersecurity. Zero-days are a serious threat to the cybersecurity of individuals, government agencies and corporations. </p>
<p>Yet government agencies are the biggest buyers of zero-days. If they’re serious about cybersecurity, why then do these government agencies withhold knowledge of some of the zero-days that they discover or purchase? </p>
<p>This is yet another example of the <a href="http://www.mantlethought.org/other/paradox-cyber-security-policy">paradox of current cybersecurity policy</a>: government agencies tasked with enhancing cybersecurity conduct activities that result in the opposite outcome. </p>
<p>A clear policy of disclosure of all discovered or purchased zero-days would be a major step forward in bolstering cybersecurity internationally. Even better would be a policy that goes to the root of the problem, by allocating some liability on software makers for the losses linked to their buggy software. </p>
<p>Until the political will is mustered to address the problem of buggy software, including zero-days, the best that software users can do to protect themselves, unfortunately, is to follow the software makers’ lead: patch and pray.</p>
<p><em>This article has been updated to remove an estimate, derived from a ResearchGate report, of the number of vulnerabilities bought by the NSA in 2013. This estimate likely overstates the number of vulnerabilities purchased.</em></p><img src="https://counter.theconversation.com/content/45637/count.gif" alt="The Conversation" width="1" height="1" />
“Zero-days” are serious vulnerabilities in software that are unknown to the software maker or user. They are so named because developers find out about the security vulnerability the day that it is exploited…Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs, Columbia UniversityLicensed as Creative Commons – attribution, no derivatives.