A
You're listening to the Cyberwire Network powered by N2K.
B
This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter, building full-stack zero trust networks from the ground up. Trusted by security and network leaders everywhere, Meter delivers fast, secure-by-design and scalable connectivity without the frustration, friction, complexity and cost of managing an endless proliferation of vendors and tools. Meter gives your enterprise a complete networking stack, secure, wired, wireless and cellular in one integrated solution built for performance, resilience and scale. Go to meter.com CISOP today to learn more and book your demo. That's M-E-T-E-R.com CISOP.

Welcome back to CISO Perspectives. I'm Kim Jones and I'm thrilled that you're here for this season's journey. Throughout this season we will be exploring some of the most pressing problems facing our industry today and discussing with experts how we can better address them. Today we're expanding upon our last conversation, this time looking at a specific industry and how privacy is too often an afterthought. Let's get into it.

In 2016, during a free-ranging discussion with journalists at the Consumer Electronics Show, Ford Motor Company CEO Mark Fields made the following statement. "Overall, when you look at our business, we're not only a car manufacturing company," he said, "we're a technology company. As our vehicles become part of the Internet of Things and as consumers give permission to us to collect that data, we'll also become an information company." Fields went on to say that Ford is building up its analytics workforce as it gets ready to process the terabytes of data which will stream to them in the future.
B
Further, Ford believes that the end result of all this data collection will be a product that Ford can then offer current and future customers. This goal shouldn't really be a surprise to anyone as it speaks to the importance of data in today's economy. I would contend that data in this so-called data-driven economy is not the end though, but a means to an end. Data are raw, unorganized facts which have little value in and of themselves. Information, on the other hand, is data in context, that context being provided through organization or processing efforts. Intelligence, the last step in the process, is information that has been analyzed, interpreted and synthesized to provide actionable insights and/or guide strategic decision making. Intelligence is the ultimate goal of most companies that consume or advocate for your data. The more intelligence a business collects on you, the better and quicker they can anticipate your needs as a consumer, and at a lower cost point. Want to take it a step further? If I can obtain intelligence by passively gathering seemingly innocuous data from devices you use every day, I can build a complete picture of your habits and needs, easily anticipating your future purchasing decisions. Sound crazy? It shouldn't. It's happening every day and we are often willing, if not naive, participants. Consider: grocery stores use loyalty programs to collect personal information, shopping history, purchase frequency, and sometimes location data to build detailed customer profiles. This data is analyzed to create personalized offers, optimize store layouts, and power internal advertising platforms. Google uses information collected about you via its multitude of platforms and systems to determine which advertisements to display to you. Going back to our automotive use case that we used to start this conversation, we routinely connect our cell phones to the computer systems of rental cars. Oftentimes, we copy our contact list to the automobile to make it easier for us to navigate in unfamiliar cities while conducting business. When we're done with the rental, however, how often do we take the time to wipe our data from the car's memory? Worse, how often do we ask rental car agencies what they do to clean data off of their rental vehicles after the vehicles return, or before a rental vehicle is disposed of?

Now, as a CISO, ask yourself this question. When is the last time you thought about how your corporate data might be leaking out through sources outside of your control, such as rental vehicles, via means for which you have no governance and have not had discussions nor even an educational effort? As we said last week, we can't rely solely on the legal or regulatory frameworks to guide us in our privacy efforts. In many cases, you will be the first person to bring these concerns to light in your organization. As we continue to enable our business lines, we must ensure these so-called edge case situations are acknowledged and addressed by our business leaders. My two cents.

Mary Marwig has been a crusader for educating consumers on how to better protect their personal data. In an economy that is becoming ever increasingly data-driven, I sat down with Mary to discuss the specific privacy dangers that exist when utilizing automation within automobiles. A quick note that the opinions expressed by Mary in this segment are personal and should not be interpreted as representing the opinions of any organization that Mary has worked for, past or present.

Mary, I really appreciate you making the time to have a conversation with us. Welcome to the podcast. How are you today?
A
I'm doing super. Thank you so much for having me, Kim. I'm glad to be here.
C
I'm glad that you are here. This is going to be fantastic. So you and I met when I was listening to a presentation that you gave at the Rocky Mountain Infosec Conference a few months ago. So would you please take a moment and introduce yourself, tell us a little bit about you.
A
Yeah, absolutely. Well, first and foremost, thanks for having me and I'm super excited to have the opportunity to speak with your listeners today. So thanks also to the people listening in today. So, about me: I've been a privacy professional for the past seven years or so. Prior to that, I worked in technology roles at high tech companies of all sorts. And I got into privacy when I heard about the GDPR. That's the European Union's Data Protection Regulation, which gives everyday regular people rights to and controls over some of the data that companies have about them. So I just got super fascinated in that and decided to pivot my career, and flash forward seven years. Now I work at a company called Privacy for Cars and what we do is provide both security and privacy solutions to automotive companies. I think there's a lot of overlap between security professionals and privacy professionals. We are distinct, we do separate things, but some of the times we work better together.
C
What is one thing about Mary Marwig that most people don't know about you?
A
I'm kind of an open book. Despite being a privacy professional, I really do love privacy. A lot of people are like, this is kind of a dorky topic. I'm like, not to me, I live and breathe this. It's been a career highlight to do this the last seven years. Switching over into the automotive world has been eye opening for me as a consumer. I just did not understand how the landscape of data security and privacy in the automotive industry was the state of affairs. So that's been fascinating. But yeah, it's true. I live and breathe this stuff. Big pro privacy person.
C
Like most security professionals, you answered an open question without telling anyone anything directly about you, which is what I usually do. So I'm really impressed. Well played. So that said, let's start very basically. What is privacy?
A
This is one of those things that's hard to wrap one easy definition around. Just like security, it's not just locking your front doors and you're good. It's always evolving. So this is interesting. I would say intrusion upon seclusion is what you're looking for, and that is the legal definition of privacy, or a privacy issue, or privacy harm, a privacy invasion. And obviously legal definitions definitely matter. But what I think is the bigger problem is there's a lack of awareness. And again, that kind of ties back to, like, how do I want to show up? How can I control the information about me? What are people saying about me? Is it true? Like, you know, is that how I want to be perceived? If you want to get back to fundamentals, Kim, I will also mention that in the Universal Declaration of Human Rights, Article 12 deals with privacy. It's that no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. So this goes way back. But what I think is important is the acceleration of data collection, which is the privacy aspect of what we'll get to today, and how that changes our perception of privacy, because as technology changes, so does our understanding of privacy.
C
Yeah, and it's interesting that that declaration, which I am actually familiar with, talks about no intrusion upon privacy, again, without defining it, which gets to be very interesting within the environment.
A
So I'm going to tell you one thing too. It's a hard thing to capture and I struggle with this when I'm trying to do imagery to show privacy, it's like, what's the graphic like? When it's security, it's like a lock and a key, you know, you get that. But privacy, you know, what is it? It's usually like an eye that's closed, you know. But is that really all encompassing? I'm not sure, but.
C
So you and I are in violent agreement on this. I'm wondering, and this is for later, because I do want to get into some of the hows and some of the ways that we are giving up privacy, because I think that that's huge, both at enterprise level and personal level. There gets to be a concern, just to put in the back of your mind, that I want to get to a little later: if we can't define, we can't necessarily control. We don't know where to control. Which is why I push for definition within the environment, or, you know, if I understand the definition, I can then extend that control framework accordingly. So I want to put that aside because some of the areas that you've been alluding to, which are hugely important in terms of some of the hows and awareness, I do want to spend some time on, because, you know, I know it's important to you and it's absolutely important to me, and I think our audience needs to get a handle around that.
A
So to that point, Kim, if you're looking for kind of guardrails there, there is a framework we can start from in the United States, where I think we're both based. There is the notice and consent framework, where you tell people what you're doing and you get consent for it. But I would argue the notice part and properly informing people has some room for improvement.
C
So let's get down to the hows and then we can go back and talk about some of the challenges regarding notice, consent, et cetera, within the environment. One of the things that you brought up, one of the things that your company brings up, is there are places where we are surrendering our right to privacy, or are unaware that we have surrendered our right to privacy, in ways that are potentially extremely harmful to our ability to control access within the environment. And obviously your company deals with that around automobiles. So let's deep dive into that for a little bit. Talk to me.
A
So you're totally touching on this whole notice and consent framework. My argument is that if most people truly understood the data practices of many of the companies they do business with, they probably would say no. And that leads to a fact that there's a problem with the notice. Right now you go to a company's website and you read their privacy notice or privacy policy, and it's written at, you know, postgraduate level and it takes you six hours to read or something. Who is actually reading through those documents? So that's a good place to start in the context. So in cars, like every time you get into a rental car, for example, are you actually reading the privacy notice of that car? I mean, I would say most people don't. I have this really great white paper that I'd like your readers to know about. It's called Endpoints on Wheels, Protecting Company and Employee Data in Cars. We have some information in there about how long it takes to read a standard privacy notice for a car. And in this white paper, it's over six hours to read to actually understand the data practices of that car and the car companies. And think about it. If you're going to rent a car, let's say you're on a business trip, you fly in, you get to the rental car place, they give you the key. Are you going to sit in the parking lot for six hours to understand what's going on, or are you just going to turn the key and go about your business?
C
What are some of the typical practices you're seeing buried in these notices that we are ignoring?
A
Well, it all goes back to what types of personal data these companies are collecting. So for example, it could be identifiers, like even something simple, like your name, your email, your social media handles; biometrics, does it take voice prints? What else? Your geolocation, that's a big one. In all US states that have a privacy notice, precise geolocation is a specific sensitive data type. So in some places you have rights to control that. So things of that nature: your preferences, communications information like your text messages or your call logs, all those sorts of things could be stored in the car. And I think a lot of people don't realize that it persists when you turn off the car. It doesn't go away. So I would really encourage people both on a consumer level and an individual level to be aware of the types of data that cars are collecting these days and what it gets used for. And then also at a corporate level, I know you've got security professionals who are listening to this. This also applies to cars used in a corporate context. So your fleet cars, your rental cars, or what I call BYOD cars, you know, employees may use their cars and access corporate information on that. And do you have a policy for that?
C
So if I'm renting a vehicle within the environment, the data is persisting. What rights are you seeing car companies or rental companies assert in terms of the utility of that data?
A
So that's the thing again, going back to notice and consent. I would argue a lot of people really just are unaware of the types of data that they are generating, and then who owns that? You know, your geolocation. So if you're using a rental car for a business trip, you know, are you going to a confidential client location? Right. Who else should know about that? Your rental car company sees where you're driving. That information may be shared also with the manufacturer, and what kind of data points can be inferred from that. But it's not only just the data that's being shared, but it's also the data on the car. So for companies like rental car companies that do not have a data sanitization process in place, let's say you pair your phone and you make a bunch of calls to your boss or your M&A client or whoever, that digital data trail is going to persist on that vehicle. So the next person who has access could see that.
C
And I understand that, actually having walked into vehicles where I have found that information sitting on the paired screens. Are we seeing automotive companies assert the right to actually not just collect that data, but utilize that data in aggregate for marketing, sales, or any reason whatsoever if I rent my car at my rental car company? Are we seeing, based upon your company's research, and I'm using Hertz as a common example that everyone is aware of, are we seeing Hertz begin to utilize the aggregate data that their fleet has to do other things regarding marketing, analysis, et cetera? Are we beginning to see those companies, first, A, assert their right to utilize that data in their agreements? Which I'm suspecting is yes. But are we also beginning to, B, see them utilize that data?
A
Yeah, absolutely. When you think about telematics data, it's really, you know, common uses are like geolocation. Where are my fleets going? What's the status of that car? Is the fuel consumption fine? What about the air filter? Is the person driving it driving recklessly? Are they falling asleep at the wheel? All sorts of things that, you know, there are valid business purposes for. I would argue most people would, you know, understand that. But in terms of the other types of data collection for marketing, like, again, it's that notice and collection where when you sign up with these car companies, does it say very clearly and quickly, hey, cars collect identifiers, cars collect geolocation data, cars can collect biometrics. And we share this with insurance companies or we share this with our own internal research. That's just not happening as a business practice today. And I would love to see that where people make informed choice. It's not just notice and choice, but informed choice in terms of the data sharing. Yeah. You know, there are some conflicts of who owns that data, like who has access to that data, which I don't want to get too far into. But I will say if you are a security professional and you have a fleet or you use rental cars, it's in your best interest to figure that out. Right. So one thing I'm really encouraging security professionals to do is work with their procurement teams and their GRC teams to define that data. So I would love for security teams to require two things when they contract with rental car companies or fleet companies. Now, first would be to provide the drivers with simplified data disclosure. What are the capabilities of that car? And it's been specific, right? Because some cars have different capabilities, all sorts of different infotainment systems. Years, makes, models. There's a wide breadth of capabilities. 
So one, just give me a quick overview so I can make informed choices on whether I decide to pair my phone in that car or not. Right. And then the second thing I would really like security professionals to do is to make sure there is media sanitization happening after your employees use a car. So in a rental car situation, someone brings the car back, the rental company performs a data deletion to properly wipe that infotainment system of calls, contacts, locations, all that sort of stuff. And then they provide you with a certificate of deletion showing it's done so that you have the compliance record and the peace of mind to know that your corporate data and your employees data is not lingering and persisting in a device that you don't have control over.
C
Okay, so let me play devil's advocate. Yeah, I work for Hertz. What's the value proposition for Hertz to do this?
A
If you had a provider that lent out laptops to your staff when they're traveling or whatever, and they had a policy where you just bring it back, the way they cleaned it was they wiped off the top and where your fingerprints are, but they did nothing with the hard drive and the files stored on the device itself. Would that be acceptable to your security team?
C
The answer is obviously no. But I would also say to you, you're relying on security teams to come change the business of the rental car industry. It is very difficult for any advocacy group, et cetera, to come together to change a business practice or business model. So in the absence of that, I'm trying to sit here and say, okay, until that occurs, do I tell my company not to rent vehicles?
A
Absolutely not. There's what I would consider a very easy way forward. First and foremost, there are commercially available data deletion solutions on the market available to automotive companies. So it exists. This is not some future forward thing. It's on the market. It's just the adoption's been low because there hasn't been the market demand. And so that's what I'd like to see. Security professionals use their power to do that.
C
Okay. I've been in this business for almost 40 years. I'm still fighting at an enterprise level and consumer level to get people to do the things that they should do in order for my job to go away.
A
Yeah.
C
Phishing still works because people keep clicking on emails.
A
Right.
C
Ransomware still works because people keep clicking on emails. The Nigerian prince scam still works because people keep responding to emails. I hear what you're saying, and, you know, because we've had this conversation, I'm in violent agreement. Yeah, I used to... When I went into the civilian sector, my first background was in healthcare security, and I was at the HIMSS conference once and I heard a great presentation called 150 Years of Washing Your Hands. And it was a presentation from a security standpoint that says, okay, it was X number a century ago where we said, hey, you need to wash your hands in order for us to eliminate germs and eliminate bacteria, et cetera, within the environment. 100 years later, studies were showing that the number one cause for in-hospital, post-surgical infections or illness, et cetera, are medical professionals not washing their hands.
A
Exactly.
C
So if we can't get doctors and nurses and others to wash their hands, the point was, why should we as security professionals expect people to do things that are in their best interest, that are just basically electronic hygiene?
A
Yes.
C
My concern is, yes, you're absolutely correct. I would love to be able to force individuals and businesses to take this approach.
A
Yeah.
C
But we, at least here in the States, we have surrendered our data protection for convenience in not just the automotive industry. So can we put that genie back in the bottle? And if not, are there other things we ought to be looking at within this? And this is someone who, by the way, and I want to make it very clear, Mary, is in violent agreement with you.
A
No, I'm with you. Actually, your two examples completely underscore my point, which is this cannot fall on the consumer or the individual employee to do it. You need to have an organizational process and who is the best person to make sure these media sanitizations happen. The company you are renting from, the company that owns the device, needs to be responsible for that.
C
And having them accept that responsibility and the associated costs when the consumers they're renting from aren't asking for it. Think Google. When I... no disrespect to Google, et cetera, but as someone who does read the terms and services that come out within the environment, because I am a little paranoid. You know, a decade ago, when Google said it was actually collecting 57 different signals for use of its product within the environment, nobody blinked, right? And nobody is still blinking within that environment.
A
Here is where I think CISOs do have power. We know that consumers do not have the type of corporate power that some of these CISOs do have. And so, for example, we got access to an infotainment system of a car, and our researchers at our company turned it on. There's no authentication. Opened it up, and we found all of the contact details of a large bank's executive, their family's names, their family's Social Security numbers, their CEO's phone number, plain text credentials. All sorts of things were on this car. I just can't imagine understanding that this is a problem and the security team turning a blind eye. And you also mentioned earlier, you know, why is it the security team's problem? And I'll say because procurement is busy doing purchasing and they are not security professionals. And this is really a data security problem. Cars are, to many people, just ways to get around, right? But they're also computers now. They're not just wheels. They're computers that store data unencrypted in plain text, available to anyone with the authentication, which is a literal key. So as long as you have physical access to this thing, you can extract data or glean insights from that. And if it's used in a corporate context, I don't see why it would not fall under the security team's purview. It's the blame game. No, it's them who should deal with it. It's them who should deal with it. It's them. It should be the fleet managers. They're not security professionals. They don't have the same type of knowledge and understanding and frameworks in place that can be carried over from how other endpoints like laptops and smartphones are managed into an automotive context.
C
Yeah, and I have no problem with that as a worst point, Greg. I have no problem with taking responsibility, Mary. And you'll find most of my contemporaries feel the same way. It's not a matter of, excuse me, why it should be my responsibility. It's a matter of, you know, are you overestimating our ability to, you know, create the change and impact that you are asking for. Can I, as an example, put together a policy that says either, A, don't pair your device with the car? Everyone will ignore that because I have no way of enforcing that. Can I put together a policy, or a reminder, that says you need to delete your access and your contacts, et cetera, from the car, should you pair? Yeah, absolutely, I could do that. And on the bell curve that says 20, 60, 20: 20% of the people will always follow it, 60% hopefully will follow it, and 20% will ignore me. I could still make things better in that regard.
A
Let me tell you one really incredible example of something we found. We were able to re-identify a military contractor's life using data left in a defleeted car. So a company car that this military contractor used for his work went to auction, was sold, and never had any sort of media sanitization in place because again, in a lot of places this is not the policy, which is banana pants to me. If you had a refurbishing of a computer, they would wipe the hard drive. Why do we not do this for cars? But anyway, getting back to my point about this example, we were able to reconstruct this military contractor's movements. We knew this person's full name, the exact address he lived at, his smartphone contacts. Because a local copy of smartphone data is stored on the vehicle, it doesn't go away when you unplug the phone. It persists on that device, which is the car. So contacts, call history, text messages, his personal email, work email. We found that he went to several military sites, including a quote unquote decommissioned military site. We were able to find that in the car. We also found out his holiday home and information about his family, his children, and that he loves watching particular sports games. So all from a car. And this guy had no idea that this data was persisting and that we could recreate it. And thankfully, you know, we're ethical researchers. Nothing bad happened under our watch. But imagine if that gets in the hands of a competitor or another type of government or what have you. And so this is the type of data I am talking about. And so if you're going to try to push this in your organization and you need a place to start, start with your executives, because that type of information that we were able to glean quickly out of a defleeted car is just jaw dropping to me.
B
Mary, I really appreciate you taking some time to educate us about this gaping loophole in most of our protection postures and protection profiles out there. We will make certain that the links to your website and links to your reporting are available. I actually downloaded your report after I met you at Rocky Mountain. It is absolutely eye-opening. So thank you for being here and thank you for educating us and thank you for sharing.
A
Thanks so much Kim. Really had a fun time talking with you and thanks for everybody for listening.
B
And that's a wrap for today's episode. Thanks so much for tuning in and for your support. As N2K Pro subscribers, your continued support enables us to keep making shows like this one, and we couldn't do it without you. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the Show Notes. This episode was edited by Ethan Cook with content strategy provided by Mayon Clout, produced by Liz Stokes, executive produced by Jennifer Ibin and mixing, sound design and original music by Elliot Peltzman. I'm Kim Jones. See you next episode.
Date: November 4, 2025
Host: Kim Jones, N2K Networks
Guest: Mary Marwig, Privacy for Cars
This episode confronts the evolving and often overlooked privacy risks inherent to today’s automotive industry—especially within the context of connected, data-rich vehicles. Host Kim Jones interviews privacy expert Mary Marwig to detail how everyday practices with rental and corporate vehicles result in widespread data collection and the routine—and dangerous—overlooking of privacy protections. The conversation highlights both the technical and human factors at play, and it calls corporate security leaders to urgent action around “edge cases” like cars as data endpoints.
“If I can obtain intelligence by passively gathering seemingly innocuous data from devices you use every day, I can build a complete picture of your habits and needs, easily anticipating your future purchasing decisions. Sound crazy? It shouldn't. It's happening every day...”
— Kim Jones, [03:09]
“Right now you go to a company's website...it's written at, you know, postgraduate level and it takes you six hours to read or something. Who is actually reading through those documents?”
— Mary Marwig, [13:29]
“...does it say very clearly and quickly, hey, cars collect identifiers, cars collect geolocation data, cars can collect biometrics. And we share this with insurance companies or we share this with our own internal research. That's just not happening as a business practice today.”
— Mary Marwig, [20:53]
“We were able to re-identify a military contractor’s life...We could recreate it. Thankfully...we’re ethical researchers. But imagine if that gets in the hands of a competitor or another government.”
— Mary Marwig, [31:19]
“Privacy...it's a hard thing to capture and I struggle with this when I'm trying to do imagery to show privacy. For security, it's like a lock and a key, you know, you get that. But privacy...what is it?”
— Mary Marwig, [10:57]
“This cannot fall on the consumer or the individual employee to do it. You need to have an organizational process...”
— Mary Marwig, [27:31]
“Cars are...computers that store data unencrypted in plain text, available to anyone with the authentication, which is a literal key.”
— Mary Marwig, [28:26]
“We were able to reconstruct this military contractor's movements...his full name, the exact address he lived at, his smartphone contacts...his children...all from a car. And this guy had no idea that this data was persisting and that we could recreate it.”
— Mary Marwig, [31:19]
Resources Mentioned:
(Podcast ads, intros, and outros are omitted from this summary for clarity.)