9. The Application of Cybersecurity: Principles and Practices 253 Digital assistants such as Amazon’s Alexa, Apple’s Siri, and Hey Google also log activities. They are always listening in the background in case their voice prompt is spoken. In addition to the information they process while they are being used, they could conceivably record and upload to their company servers everything they overhear at all times. So even in the privacy of one’s home, in a car, or during a hike in the woods, if a person has a digital assistant or is wearing a smartwatch or carrying a smartphone, it is at least technically possible that his conversations could be overheard and even recorded. ISPs log website connections made by their customers. Because ISPs are their customers’ gateway to the Internet, all web browsing must go through them before reaching the wider Internet. Cellular providers are the ISPs for their smartphone customers. Most traffic is end-to-end encrypted with HTTPS and is opaque to ISPs, but even for HTTPS connections, metadata is not encrypted. For example, the source and destination IP addresses in HTTPS traffic are sent in plaintext (see Figure 9.13). IP addresses can be tied to websites, revealing which websites a person visited. For example, it would be possible for an ISP to determine that a person accessing the Internet at a particular residence visited a website at a specific time, such as google.com. The ISP could not see the search query the person typed nor the search results they received, but they could determine the next web server the person visited after Google, revealing some information about a likely query. Figure 9.13 The ISP can only see the metadata of a HTTPS packet, not the payload. Some people use VPNs so that their ISP is unable to perform this type of data collection. VPNs create an encrypted channel between the user and the VPN, and the VPN becomes the launching-off point for all web browsing. All traffic that flows to a VPN still must first go to the ISP, but because of the encrypted channel that is created, the ISP is only able to see that the person is using a VPN and nothing else—not even the metadata of the HTTPS connections (see Figure 9.14). However, the tradeoff is that now the VPN can see all the websites a person visits. In some cases this can be more invasive of a person’s privacy, because if a person always uses the same VPN even when connecting to the Internet on different devices and through different ISPs, then the VPN can track all of the websites that person ever visits. Most companies and ISPs are honest and are not looking to abuse their customers, but it is still helpful to know what access to information they have. If they retain data, they are legally obligated to turn it over to law enforcement if there is a signed warrant for the information—more on this in Section 10.2.3. Also, if a trustworthy company is hacked, the data they collect on their customers can fall into the hands of bad actors who may use it for evil purposes. Hopefully this section has made it clear that cyberspace is not as anonymous as it appears!
RkJQdWJsaXNoZXIy MTM4ODY=