Before you go, check out these stories!

0
Hackernoon logoMain Security Concepts and the Importance of Data Privacy by@this-too-shall-grow

Main Security Concepts and the Importance of Data Privacy

Author profile picture

@this-too-shall-growClo from This Too Shall Grow

UX researcher, UX designer, conversational UX designer

Trigger warning: authoritarianism, state surveillance, the Holocaust. If you want to avoid these topics, please jump to the last paragraph of this introduction, starting with ‘Enough about the depressing stuff.’

Before we start, I feel like I need to give a bit of background on why I care so deeply about privacy. It’s partly historical. Being Ashkenazi, I learnt from a very young age about the importance of sensitive information, and who you give that information to. My grandfather broke the law by not going to the police station to register himself as a Jew. The Holocaust saw 76,000 Jews deported to death camps from France alone - around 1/4th of the country’s Jewish population at the time. There’s a chance that not being part of the Jewish census saved his life. Lesson: be careful who you give sensitive information to.

My grandfather and two of his brothers left Paris in the middle of the war, and took a train south with no plan, no luggage, no contact, and no destination other than, well, heading south. They were helped by strangers and survived. Their mother however, along with two other siblings, had a plan. They had a deal with a smuggler to reach unoccupied France. The smuggler informed the Nazis, and all 3 of them died in deportation. Lesson: each person who has information on you represents an additional chance for it to be leaked.

And yes, we can raise the irony of mentioning my Jewish grandpa to warn you against sharing sensitive information online. There, I just did.

While this happened in the 1940’s, a data point’s lifespan is drastically different today. It’s possible that you posted something online 10 years ago, and it was fine back then, but 20 years from now you will hope that no one finds it.

My message is: the Internet never forgets, cultures change, and retroactive laws exist. People can get screwed over digital data. Let’s take the obvious example: China’s state surveillance has an eye on literally each and every move of its inhabitants, whether physical or digital. The state uses extensive data to allocate social scores, which can have a drastic impact on Chinese people’s lives, including banning them from purchasing train or plane tickets, providing them with lower Internet speed, and denying them visas and loans.

China also makes use of this surveillance system against its Uyghur population, detaining between 1 and 2 million people - the estimates vary - in concentration camps, where prisoners suffer extensively reported torture, brainwashing and forced labour.

Apart from governmental issues, there’s also the topic of pervasive tracking and ads, championed by Facebook and Google.

I’m yet to see the difference between today’s digital advertising and individually-customized mass manipulation. Maybe because there is none. Please try and change my mind if you have any conclusive elements.

Enough about the depressing stuff. I’ve explained why your privacy matters, and we’re now about to dive into a few security concepts. I wrote this article with lp1, as he knows much more about these concepts than I do. So here’s my first pro tip for you, unrelated to privacy or security: date people you admire. Now, let’s get into the technical aspects.

CIA

The CIA ‘triad’ is a summary of the main concepts of information security. There are 3 aspects regarding information which are targeted by infosec:

  • Confidentiality: the assurance that a piece of information can only be observed by authorized third parties.
  • Integrity: the assurance that a piece of information is and stays accurate over time.
  • Availability: the assurance that a piece of information can be accessed by an authorized user when they need it.

Encryption: Server-side vs. Client-side

Encryption secures data and aims to maintain its confidentiality and integrity.

We differentiate server-side from client-side encryption. Server-side means that only information stored on said server is encrypted. This means that the company has the encryption key, and therefore can access your communication (yes, including your nudes). However, server-side encryption doesn’t apply to the transmission of your communication. The data you share is not necessarily encrypted, only the storage is, which is why you should favour platforms that use https.

Client-side – or end-to-end – encryption means that the transmission of your information is encrypted, and that only your device has the key. If you log in from a different device, you won’t be able to see the exchanges. Since the company does not have the key, they cannot access your messages. As a result, even if they were to store your exchanges, said exchanges would automatically be encrypted. However, this also means that you won’t be able to recover your messages, should you lose the key.

In the case of a communication service, this means that the nudes you're sending to someone you trust are encrypted from your device to the company's server, as well as from their server to your trusted partner's device. Without encryption however, anyone on your network can see and tamper with all your communications. By 'tamper with', we mean any kind of modification by an unauthorised third-party. Examples include someone changing your password and email address on a platform to take over your account, deleting your private files on a cloud file storage service, replacing software in your online backups with malware, etc.

A recent example is the July Twitter hack, during which hackers managed to read users' messages from Twitter's admin control panel.  

With end-to-end encrypted DMs, no one at Twitter would have been able to access them.

Encryption vs. Hashing

A distinction has to be made between two important notions: encryption and hashing. Encrypting information means that you turn it into scrambled text which can be decoded with a key. For instance, it's useful to make sure a communication between two peers cannot be read by an unauthorized person.

Hashing a piece of data on the other hand means that you turn it into a unique signature which cannot be reversed into its original readable state. The only way for someone to obtain the original input based on the hashing output, is to try inputs themselves until their output matches. Hashing is not intended as a cypher to decrypt, which is why encryption and hashing serve different purposes and are used in different cases.

Hashing is noticeably useful to store passwords, because you avoid storing the actual easy-to-steal-and-reuse passwords. Instead, you compare the hashing output that you store to the hashing output of what a user entered while trying to log in. If you get the same hash that you’ve stored, then the password is correct.

100% secure does not exist

Flaws and vulnerabilities can always be found. However, the sturdier your tools, the safer you'll be. And contrary to what A-ha used to sing, it is better to be safe than sorry.

Free vs. Open source

Free and open source software are specific philosophies, based on specific values. Free software specifically refers to the notion of users' freedom, which isn't the case in open-source software. As the GNU website puts it:

'To understand the concept, you should think of “free” as in “free speech,” not as in “free beer”'.

There are 4 criteria for software to be free:

  • Freedom 0: The freedom to run the program as you wish, for any purpose.
  • Freedom 1: The freedom to study how the program works, and change it so it does your computing as you wish. This entails having access to the source code.
  • Freedom 2: The freedom to redistribute copies so you can help others.
  • Freedom 3: The freedom to distribute copies of your modified versions to others.

On the other hand, open-source software has a less strict definition, and a different philosophy. You can also see the source code, amongst other things.

If you want to get into the political aspect of these terminologies, here’s a good explanation.

Credential stuffing attack

Credential stuffing is a popular attack whose goal is to automatically test a user’s known credentials on multiple platforms on a large scale. Nowadays, it is widely used by malicious intruders because of the online accessibility of billions of credentials gathered from data leaks (MySpace, Dailymotion, Dropbox to name some of the biggest).


And there you have it, a roundup of the main security concepts. Feel free to reach out to lp1 or me on Twitter. Part 2 will be available next week, with a list of the privacy and security tools we frequently use and recommend.

If you’re looking for a UX researcher or UX designer to work in the privacy and security sphere, I’d love to have a chat with you! You can find me on Twitter or contact me via my website.

Previously published at https://thistooshallgrow.com/blog/privacy-security-roundup

Tags

Join Hacker Noon

Create your free account to unlock your custom reading experience.