It's Not Just About Privacy, but also Security
Protecting Email Addresses and Cell Numbers in the Surveillance Age
Back in 2008, there was a whole lot of hubbub about people revealing their passwords in exchange for a chocolate bar.
Many of us are with Bruce Schneier, of course, that famous food critic, who apparently also wrote some tomes of cryptography.
Sarcasm aside, Schneier states the obvious: "I would certainly give up a fake password for a bar of chocolate." It’s safer to assume in 2024 that most passwords exchanged for that bar of chocolate are fake.
Passwords are an explicit security mechanism, a secret shared between you and an assumed, well-protected system on the other end. And we've been told ad nauseam to make them strong, not to put them on a Post-it note on office computers, and not to share them.
But what about your email address? Or cell phone number? Store loyalty programs and the myriad of discounts pushed online and off constantly request those data points. Those seem like harmless commodities in exchange for a 10% discount on some inflated grocery bill.
I'm calling them "data points" and not some less-loaded phrase for a reason. Email addresses and cell phone numbers are generally unique data points invaluable to the data collection players.
The good news is that when a paper like the New York Post features a story about the privacy implications of handing over those data points, the news will go beyond the Wall Street Journal or New York Times paywall-protected access reader types.
To be clear, I'm not a fan of the New York Post, but it's a hard fact that all urban tabloids are vital news sources for a lot of people. But that's a story for another day.
While the privacy implications of giving up email addresses and phone numbers are covered in the New York Post article, the security angle might not be as clear.
Email addresses are more than just an identifier and a primary key (in the database sense) for building profiles on individuals; they are also connected to more dangerous threat scenarios.
Email accounts contain and transmit some of our most confidential data, such as financial statements in our paperless world, and they are where we perform password resets. And oddly overlooked, email addresses themselves are often logins for other services. We tend to focus on passwords for protecting access, but having the login is half the route to account compromise.
Phone numbers can be more chilling in their nefarious utility. Phones are the most common desktop for the vast majority of people, which is why the "Windows versus Mac versus Linux desktop" debate is really dead.
But cell phones aren't idle computers sitting in your pocket 24/7.
Your cell phone location data is a treasure trove of information for a variety of malicious characters, from private investigators to intrusive governments home and abroad. Location data announces where you sleep at night, where you socialize and where you spend your 12-hour work days. And disturbingly, it also announces when you're on vacation while an unoccupied home sits far away, and maybe social proximity to more suspicious characters.
As Richelieu might have said some 500 years ago, “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.”
The contemporary example might be: "You state you don't know John Q Terrorist, but it seems like you were with him on January 10th from 20:37 to around midnight, then again on January 12th. Just a coincidence?" Social link analysis goes beyond just your innocent degrees of separation from Kevin Bacon.
The major cell phone providers in the US were never particularly concerned about protecting this user data. Then there are the unintentional data breaches, which are also disastrous.
There are no simple mitigations to these threats, but all is not lost.
Start by being more resistant to handing over email and cell phone data to third parties. And it's worth considering the suggestions in the NY Post article.
TechCrunch also has an article detailing some additional measures.
There are other things to consider.
Figure out how to set up email aliases, which are incoming-only email addresses whose mail arrives at your main account. Need an email address to log in to your bank? Set up a unique email alias for that account. Figure out a memorable method for aliases so it doesn't become laborious to remember. So if you use Pineapple Bank, an email alias might be something like my-pineapple@email.com. Make it harder for the nefarious to correlate your login to you and your primary email address.
Unique email aliases are also a useful canary of sorts to determine if a service is reselling your email address. If you set up a unique email alias for one single service, and you receive email from another third party on it, something is fishy. Email aliases are also useful as one-time-use email addresses, which you delete once the purpose is done.
Side note: I recommend that onboarding ClearOPS users create an email alias for their login, and not use their default address.
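The canary check described above can be automated over your inbox. The following is an added example, not part of the original article; the alias registry, the `.example` sender domains and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical registry: each alias was handed to exactly one service.
ALIASES = {
    "my-pineapple@email.com": {"pineapplebank.example"},
    "my-grocer@email.com": {"grocer.example"},
}

def domain_allowed(sender_domain, allowed):
    """True if sender_domain is an allowed domain or a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d)
               for d in allowed)

def check_alias_leak(raw_message, aliases=ALIASES):
    """Return (alias, sender_domain) pairs where a single-purpose alias
    received mail from a domain other than the service it was issued to."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    # Aliases forward to the main account, so check delivery headers too.
    headers = []
    for name in ("Delivered-To", "X-Original-To", "To", "Cc"):
        headers.extend(msg.get_all(name, []))
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    return [(alias, sender_domain)
            for alias in sorted(recipients & set(aliases))
            if not domain_allowed(sender_domain, aliases[alias])]

# Constructed sample messages.
EXPECTED = (
    "From: Pineapple Bank <alerts@mail.pineapplebank.example>\n"
    "To: my-pineapple@email.com\n"
    "Subject: Your statement is ready\n\nBody\n"
)
LEAKED = (
    "From: Hot Deals <promo@adbroker.example>\n"
    "Delivered-To: my-pineapple@email.com\n"
    "To: undisclosed-recipients:;\n"
    "Subject: You have been pre-approved\n\nBody\n"
)

if __name__ == "__main__":
    for raw in (EXPECTED, LEAKED):
        print(check_alias_leak(raw))
```

The From header is trivially forged, so a match proves nothing about authenticity; the useful signal is the mismatch, which shows the alias is known outside the one service it was given to.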
Cash is always better than credit cards, which is usually better than using retail loyalty cards. But as I've repeated in many privacy workshops, if you're buying anything to do with "sex and drugs and rock 'n roll", stick to cash. More broadly, cash is a better mitigation when purchasing something you don't want your health or life insurance company or your employer to know. No email address or cell phone correlated, no credit card included, no useful data collected.
Avoid relying on cell phone-based applications, particularly retail store specific ones. "Less is usually more" for privacy and security on a number of levels. If major security industry players' software gets compromised regularly, do you think some retailer’s consumer loyalty phone app software is any better?
There are other mitigations to consider, but many will tilt towards “security” in the “usability versus security” pendulum. Most importantly, stop thinking like you're not a target just because your name isn’t Pablo Escobar or you’re not some paparazzi-hunted celebrity.
Freely handing over your email address or cell number means providing a breadcrumb trail to both privacy and security compromise. The first step is to minimize access to those data points from anyone who doesn’t really need them.
About the author: George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.
About ClearOPS. ClearOPS provides security program management software to security experts powered by Generative AI. The platform is rooted in assessments, such as gap, security, privacy, RFPs and risk. Once a knowledge base is formed, all assessments can be automated or used to automate other features. Inquiries: info@clearops.io