Cybercrime, Fraud Management & Cybercrime, Governance & Risk Management
Peter Gregory on Data as an Asset vs. Data as a Liability
CyberEdBoard •
December 21, 2021
My work experience dates back decades and includes connecting organizations to what we today call the internet, allowing public access to email and newsgroups before the web as we know it was invented. .
See also: 451 Research S&P Global Business Impact Brief
My first email address – unrvax! Bally! Pete – was in a format known as “bangpath” that few people recognize today. Back then, it could take days for an email to reach its destination, and days longer for a response to appear. Since then, security and privacy have been part of my thought process and practices.
Lately, however, I have become aware of a flaw in my routines, and it has to do with my contacts.
I have been collecting contacts for decades and they are stored in several services, mainly Apple, Yahoo and Google.
I recently read an article on the security of encrypted messaging apps like Signal and WhatsApp. In the article, the writer pointed out that many applications access our contact lists and create networks of associations.
Cryptography protecting the content of messages is generally effective, preventing eavesdroppers from reading the content of our messages. But it may be possible for law enforcement or intelligence agencies and others to know the identity of a person’s connections.
Let’s dig deeper.
‘Person of interest’
If a law enforcement agency sees you as a person of interest, they may discover that you are using encrypted messaging apps like Signal. Although the agency cannot see the content of your conversations, they will be able to see who you are chatting with.
Additionally, the fact that you are using an encrypted messaging app might suggest to the agency that you have something to hide.
Let’s look at it from a different perspective. Consider an active police investigation focused on a specific person. If you are on the person’s contact list, and if that person is known to communicate with you over an encrypted service, then you can become another person of interest in the survey.
Thousands of contacts
As I re-read this article, I remembered something that I often see in Signal: When a member of my contact list installs Signal, I get a notification from Signal that the contact is using the app. I recently noticed that I often don’t recognize the contact’s name and I reject the notification. I’ve had this dozens of times this year.
That’s when it hit me: I’ve been collecting contacts for decades, and they’re stored in multiple services, mainly Apple, Yahoo, and Google.
In current and previous jobs over the past 30 years, I have had associations with many clients, partners, suppliers, colleagues and other associates, resulting in an accumulation of thousands of contacts.
I barely knew most of them and for the most part I have no idea when or where I knew or met them. I had slowly gathered a large network of associations that could be used against me.
Recently I struggled to rationalize keeping all of these contacts and purged them. On Google alone, I had over 1,000 contacts. After spending some time deleting unnecessary contacts, I’m down to about 300, and I could review them and delete more.
Encrypted apps and your association with contacts aren’t the only risks in maintaining an extensive contact list. Another problem is this: if someone breaks into one of the services where I keep a lot of contacts, I don’t want people to receive joe job spam and other attacks made possible by the. contact collection.
Contact data can be toxic
I didn’t consider my accumulated contacts a liability until recently, but I do now.
In my day-to-day job, one of my responsibilities is to lead many programs including risk management, privacy and data governance, which includes classification and retention of data.
Having been a qualified security assessor for many years, the concepts of data as an asset and data as a responsibility are clear to me. For example, retaining credit card data after a transaction is completed can add value to an organization. Nevertheless, this also presents itself as a liability: if this stored card data is compromised, the consequences can significantly outweigh its benefits.
Somehow, I haven’t applied this concept to personal contact data. Thanks again to this article I read recently for making me realize that contact data can be just as toxic as other forms of sensitive information.
Think about it another way: Would you want other people you’ve worked with in the past to remove you from their contact lists? Wouldn’t it be nice if you could have your contact details selectively removed from their lists?
CyberEdBoard is ISMG’s premier membership-only community of senior executives and thought leaders in the areas of security, risk, privacy, and IT. CyberEdBoard provides executives with a powerful collaborative, peer-led ecosystem, private meetings, and a library of resources to tackle complex challenges shared by thousands of CISOs and senior security executives located in 65 different countries around the world.
Join the community – CyberEdBoard.io.
Comments are closed.