Tag Archives: email

Internet Surveillance, Online Security and Privacy

Whether your business does all its business online or not, if you are starting or running a business today you will have some form of online presence. You’ll use email, you may use a web based accounting package, you may use a payment gateway, backup services, etc.

So, you will be using one or more of those services somewhere “in the cloud”. Does this mean you don’t have to think about privacy and security?

I reckon that the answer most companies give will, if not explicitly referring to the service provider, imply that they have essentially outsourced these aspects to the cloud provider, as a consequence of using them for the service. After all, the cloud service provider will have policies on this.

However, I also think that this is fundamentally wrong, and companies can’t outsource their obligations like that. Whether they can legally do this, I do not know – I am not a lawyer.

Let’s presume for a moment that you can legally do this, why would we bother thinking about it any further? Let me give you a few suggestions of why you might care about this.

If your service provider has a security breach, your data could end up in places it shouldn’t. Never mind competitors or perceived strategic information, I think that’s actually minor or irrelevant stuff.

But if you happen to have addresses of clients, and that list ends up in a spam database, then in many cases it can actually get traced back to you. This is because enough people use one address per company or mailing list they subscribe to, so when one address “leaks” they know exactly where it comes from. Apart from possible liability issues, publicity (or even rumours) involving your company name in this context is of course quite damaging.

And if your company maintains additional data related to clients, a leak may mean that you’ve breached the confidentiality agreement between your company and those clients.

Such things are not good for business.

One lesson is to not collect or store data you don’t really need, as this very basic consideration can significantly reduce the breadth and depth of data you will be responsible for. Collecting lots of data is cheap these days, but (and that’s aside from privacy and other legal factors) never forget that it implicitly comes with responsibility.

The other lesson is that you do need to care about what you host, where, and how.

On a related note, read the following article by Bruce Schneier: A Fraying of the Public/Private Surveillance Partnership. Insightful quote:

[…] today’s secret NSA programs become tomorrow’s PhD theses, and the next day’s criminal hacker tools. It’s impossible to build an Internet where the good guys can eavesdrop, and the bad guys cannot. We have a choice between an Internet that is vulnerable to all attackers, or an Internet that is safe from all attackers. And a safe and secure Internet is in everyone’s best interest […]

Seeing people such as Edward Snowden as the problem doesn’t solve anything. I don’t want to get into a discussion on their actions as it’s irrelevant to the matter at hand. Without them, the issues would still exist; we would just learn about them later (or never). A house can be on fire regardless of whether anybody is watching it.

Also, what Bruce alludes to is the fallacy that a few “good guys” may have skills and access to particular technology or data, and others have not. Those others are not just foreign governments, but also criminal organisations and other private enterprise.

The term I typically use when such a statement is presented: “arrogance”. As with all inventions, it is exceedingly arrogant, and provably wrong, to presume that no one else on the planet has (or can) come up with that idea. Typically, several people come up with the same idea around the same time. These days we hear about this more often, which is a healthy lesson. Some may not be able to use the idea at that time (for whatever reason), but that’s a sideline and not something to rely on.

When you have a physical file in your office, and someone either copies it or walks off with it, the issue is clearer and fairly well understood. There might be signs that your office has been broken into, or perhaps someone on the inside was involved. Some of these things can still be visible in an electronic environment, but it is possible to copy or eavesdrop on bits of data without getting detected [as a techie, I would note that it does depend on the mechanisms in place and how security is monitored, but suffice to say it is possible, and unlikely to be completely preventable, as that becomes prohibitively expensive as well as too arduous to work with]. If your hosting provider has been breached somehow, others can have access to traffic on what you thought was a private network.

If you take a backup disk home, that’s pretty clear. If you store your backups “in the cloud”, someone else might be able to get to it either in storage or along the way.

I predict that with so many services and datasets now “in the cloud” and so many companies using these services, there is a significant (and sufficient) economic incentive for criminal organisations to capitalise on this. Corporate espionage, extortion scams (pay us or we’ll publish this info or give it to someone else). Based on this, I would guess that this is happening already. The problem will exist. At some point it will come to light that some big provider was breached years before, retrospectively accounting for many nasty things that happened to numerous companies in different countries.

I’m not saying to not use any cloud service. You could go that way if you have the tech savvy to do it all yourself including the skills and resources to make and keep that secure. But generally speaking many of these services have merit. They just come with additional responsibilities and considerations that are generally not covered by the services’ own information texts. So, what I’m saying is that by being aware of these matters, you can take more informed decisions, and be a more responsible keeper of information. When something happens, you might then be a vindicated observer, rather than a victim.

And of course, if you are (or are considering starting up) a provider of online services, be and stay aware of your responsibilities. Please do mention the issues described above in your communications, and specifically state how you address these issues. That’d be good marketing.

Spam selling contacts

From an email to my private address:

I hope you are the right person to talk about new companies interested in having business relationship with you.

If yes, then let me know the specific industry you are interested in, i will come back to you with a sample file of companies and their contacts with complete contact information such as business email, direct phone number etc of each executive.

These companies and contacts index can be used for your upcoming multi-marketing initiatives.

We also clean or append your inhouse marketing database. Just send me a minimum of 25-50 company names in an excel spreadsheet format, we will fill complete contact information such as e-mail address, phone, fax, mailing addresses etc. This way you can understand the quality of our service.
[…]
P.S.: If you want to stop receiving emails from us, please send a reply with the email subject line as “Leave Out”.

So many things wrong.

  1. Under the Spam Act 2003 (Australia) it is illegal to send, or cause to be sent, unsolicited commercial electronic messages. (see also the general info at ACMA)
  2. Offering contact lists. If not illegal (through your local legislation, or because of the way this company has acquired the info), it’s ethically dubious and use of such info would at the very least make you an originator of unsolicited contacts. Do you want to be such a company?
  3. “clean up and append your inhouse marketing database” – that’s a new one to me, makes it look all the more nice doesn’t it. So you give them your incomplete info, and they fill it in with their data. Doesn’t make it any more ethical though, or legal. You’d have to be very careful about what the origin of their data is, and how can you check?
  4. The opt-out clause. Sounds lovely but that’s not relevant to AU legislation. I shouldn’t have to exert any effort as they weren’t entitled to send me email to begin with. But even if it was legal, is it reasonable? You don’t really want to be part of and identified with that huge pile of junk emails that people find in their daily inbox, do you…

That’s why we have Upstarta principle #10: No spam. Not if you call it “email blast” either. Newsletter for clients is fine.

Spam may be “effective” in terms of being highly profitable compared to direct cost – but good business people care about more than just that.

This email is confidential

Every day we get mail with text like this at the bottom:

This E-mail and any of its attachments may contain [big company] proprietary information, which is privileged, confidential, or subject to copyright belonging to [big company]. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.

Why do people put those tags on their mail? And do they mean anything? I can’t answer the first question, but the answer to the second is definitely No.

A notice like this is basically an attempt to make a contract: they send you the message and you agree to keep it confidential. But, of course, you haven’t agreed to anything simply by receiving a message. A valid contract also requires Consideration, that each party gets something of value from the agreement. There’s no value from just sending someone a message.

Read the rest of this story at John R. Levine’s blog (based on US law, but the basics will be similar in other countries so as a guide it should still apply).