PC Pro

It’s about time we rethink cyber-home security, argues Lord of the Invoice

- Jon Honeyball

Surely I can’t be the only person who has come to the conclusion that just about every aspect of computer-related home security is utter pants. The collective “head in sand” would be hilarious if it weren’t so sad. And the industry preys on our willingness to simply hand over important pieces of information to anyone who asks, while turning a blind eye to those who do.

Let’s take web browsers. A more horrible piece of nonsense would be hard to find. Why is it that in 2018 we tolerate trackers, spybots, JavaScript code, and a whole world of pain? The amount of stuff going on in the background of a typical modern website is terrifying, yet the person on the street still doesn’t care. Is this because they simply don’t know what’s going on – or is it sheer ambivalence?

As an industry, the rallying cry is that “it’s handed over willingly, we have a clear privacy policy”. Just try reading some of those privacy policies you sign up to when you install an app or visit a service. Here’s one: “The Controller [the internet company] reserves the right to change, update, add or remove parts of this privacy policy at its discretion and at any time. The interested party [the user] has the responsibility to check periodically for any changes.” So it can just change the terms on a whim and it’s my fault if I don’t “periodically” check whether such a change occurs.

Is this really the sort of behaviour you would expect from a household name? You should do – it’s as commonplace as a Wetherspoons on the high street.

The reality is that obfuscation and then, frankly, outright theft is the name of the game. Theft of my stuff, pertaining to me! Take an Android app as an example: it demands access to my “Device & App History, Location, Phone, Photos/Media/Files, Camera, Microphone, Wi-Fi Connection Information, Bluetooth Connection Information, Device ID And Call Information”. And if I told you what it did, you would laugh out loud. Then furrow your brow as the full enormity of the unnecessary data slurp starts to become clear.

Why are we putting up with this? I wish I could believe the, “well, the user said it was okay” argument, but I can’t. If you’ve bought this piece of domestic hardware and want to use its app, you have little choice but to sign up to this agreement – which is precisely what most users will do. They’re now so tired of permissions boxes that they just hit “yes” even when they actually understand the question.

This isn’t a position with a happy long-term outcome. The rise of the Internet of Things just makes matters worse, because the number of yeses required increases proportionately.

That’s why we need an entirely new breed of intelligent home firewall that can spot this stuff, and block it from leaving the home network. It needs to know about endpoints that are somewhat dodgy. It needs to have the concept of a timeline: to notice new, changing and unusual behaviour. It needs to block first and ask later, allowing for a reasonable set of whitelisted sites. It needs a user interface that works on a smart TV and is simple enough that a parent can understand what is being asked and why. Yet the unfortunate fact is that almost everyone who could provide such a service has a vested interest in it not working. More or less the entire tech world has its collective snout in the advertising revenue trough. Firms such as Google, Facebook and Microsoft have no qualms about making you the product, their source of revenue. Consequently, we need some sort of security portal that’s driven by the likes of Ghostery and AdBlock Plus, complete with a solid smattering of outbound port filtering and real-time monitoring.

I’m certain that it would sell in huge numbers to those of us who accept that the industry is unwilling and unable to make things safe, or to design things in a realistic way. What’s more, it should help to encourage companies to put customers first.

Maybe this is something I should set up in the vast tracts of free time I don’t have? I would just need a few tens of millions in venture capital funding, especially if the companies were happy to write off everything as a huge tax loss. Then I could ensure that my own snout was deep in the home security trough as I leapt aboard the quango gravy train. I could end up as the new “digital tsar”, and maybe even get a lordship. Lord Jon of Invoice has a certain ring to it.

Sadly, I fear my project would go nowhere because people are too lazy, too trusting and too unconcerned for it to gain any success.

Jon Honeyball is a contributing editor to PC Pro. He’s willing to accept a knighthood if the lordship isn’t forthcoming. Email jon@jonhoneyball.com
