
Transparency & Backpedaling

Security and privacy center on trust. You can't have that without a high level of transparency. In this day and age, everything comes to light eventually. Better to be up front and open with most activities.


Watch this episode on YouTube.

Reasonably Accurate Transcript

Good morning everybody. Uh, Monday morning, um, June 4th, I think it's June 4th, let's say June 4th. Um, wanted to talk to you today about transparency and backpedaling in security. The reason why I added backpedaling in there was, there was a report over the weekend, um, on Facebook and the continuing data scandal.

Um, this thing's been stretching out for months and it just seems to have that perfect sort of media beat where just when it dies down enough, it pops right back up with something else that Facebook failed to disclose or wasn't completely truthful about. Um, this time, it's their agreements with device manufacturers, uh, the New York Times, and I'll link to that below and I'll tweet that out at marknca.

Um, basically, uh, the gist is they had agreements with 60 plus, um, device manufacturers that they provided private access to a special API to help integrate Facebook into the devices on Android and on iOS. This is, um, you know, log in with your Facebook account in the system settings so that you can see various share, um, capabilities throughout the entire operating system, totally reasonable feature.

Um, you know, nothing out of the ordinary there except for the fact that apparently this API also provided a bunch of, um, consent. Uh, let me just adjust that, there we go. Um, a bunch of consent, uh, to third parties, even if they had, um, uh, or to friends of friends and things like that, even if they had explicitly denied that access.

So as, uh, me saying, don't share my info with third parties. This API ignored that setting and shared that information with third parties anyway, because Facebook considers them part of the platform, not actually third parties. And while I'm sure legally they're covered, there's a huge difference. As we've talked about on this show before.

There's a huge difference between being legally covered and doing the right thing, and when it comes to security, um, it's all about transparency when you're with your users. You don't have to tell them, hey, this is how we do a bitwise shift on every packet, uh, header.

Um, you don't need to do in-depth technical things, but you don't need to tell them the essence of what you're doing. The reason why I wanted to talk about this today, besides just the Facebook, um, announcement or the media story around that, was this week I'm at the Gartner, um, Risk and, uh, Security Summit in, um, DC.

I'll be there tomorrow giving a talk around security in a DevOps world. Um, now I didn't write this original title or the submission, I'm stepping in for, for a colleague of mine. But I did write the talk, and where I'm taking that talk is really, um, because it's mainly security professionals, um, at this conference, is to really dive into the like, hey, you need to shift your perspective, you need to shift how you handle the soft side of security, and the soft side is the people interface.

And this example from Facebook is a perfect one where they said, you know, you could imagine discussions legally, and this is just me speculating, but you can imagine the discussions internally where they're like, well, legally, we're allowed to do this. And, um, you know, it makes total sense from a technical perspective, and maybe, maybe hopefully someone in the back of the room raised their hand and said like, shouldn't we tell people or shouldn't we implement this additional privacy layer?

And they're like, no, no, no, we can do this. It's fine, don't worry about it. Um, I've heard those discussions internally in organizations when they're talking about implementing new security controls. Um, very little regard for the user, or they take one line of thought and justify that that's how it's gonna go forward.

Um, because, you know, technically it's possible or it's not supposed to be intrusive. Personally, my experience has been the more transparent you can be, the more out in the open with your users, the better off you're gonna be. And that's simply because people like to know what's going on, even if they don't need to know the very specifics of exactly how it's technically implemented, telling people you've implemented something like filtering all the web traffic.

But hey, we put exceptions in for your banking, so that, that doesn't even get looked at, at an automated system. Or, hey, all of your email when it comes in is scanned by a set of systems to look for these types of threats. But we're not worried about the fact that you're arranging, um, you know, movie night with the guys or you're setting up your, your pickup, uh, tennis game or whatever it is.

I don't know if they do pickup tennis, but I was playing Mario Tennis this week. That's why it's on my mind. Um, but, you know, that's the thing is just letting people know the principles of what's in place so that you can have an open and honest discussion about it.

But also people understand like, oh, wait a minute, I know why you're doing that. It's for our safety because you're gonna block this stuff and block this stuff. But it's not a person looking at all my data. Um, it's a system and I'm ok with that because you told me, as opposed to not telling them and then finding out something some way through an HR complaint where they pop up and said, well, we know you did this online, and everyone goes, what, you're monitoring my traffic?

I had no idea. Um, so even if it's legally possible, even if you can get away with it with terms of service for users, even if it's corporate policy, still telling people is important because that engenders trust. Security is all about trust. Privacy is all about trust, and the more transparent you can be, the better off you'll be in the long term.

So that's my rant for today, despite the fact that the call is coming in, if you're picking that up on the speaker, not the reason we're wrapping up. But I think that's the of it. Um, hit me up online at marknca, in the comments down below, or on email as always, me@markn.ca.

Um, what do you think about transparency? How do you tackle it? How do you move forward? Um, let me know. I hope you're set up for a fantastic Monday. Um, depending on how the summit scheduling goes, I might not be on air, uh, tomorrow, Tuesday. Um, but I'll be, uh, tweeting live throughout the day.

Um, and then, uh, back on Wednesday. We'll talk to you soon. Take care.
