“Ethical hacker” Victor Gevers discusses the cross-cultural use of responsible disclosure, and this week’s panellists talk privacy-washing in Big Tech and the C-suite perspective of “If it’s not a fine, it’s not getting funded.”
Joining BBC Cybersecurity Correspondent Joe Tidy this week to discuss current events in cyber space was Rob Bateman, data protection writer and digital rights enthusiast.
Discussing Colorado’s new privacy law, which will be the third comprehensive state-level data protection law in the US, Bateman says the patchwork approach will be confusing. “They’re ripping each other off a bit,” with their regulations, Bateman said, “but there’s still contradictions in places. […] It is going to be very confusing for multi-state businesses. There are thousands of businesses that will be hit if they’re operating in both Colorado and California, for example”.
On the topic of security, Bateman said the attack on Colonial Pipeline “was a trigger for steep escalation in how countries treat security.”
In conversation with Victor Gevers
Diving deeper into the work of hacking, Joe Tidy was joined by “ethical hacker” Victor Gevers for our In Conversation segment.
Gevers unintentionally made the headlines last year after gaining access to President Donald Trump’s Twitter account by guessing his password, “maga2020!”.
“I thought I was going to go back to the login screen, but I wasn’t - I was in,” said Gevers.
Disappointed with how big the story became, he said, “If it has to come in mainstream news then I have failed to do disclosure in the way that I like to do it.” The same applied to Gevers’ discovery, in an open cache belonging to a Shenzhen-based facial recognition company, of data on the real-time movements of Xinjiang Muslims.
But Gevers doesn’t like the word “hack” and sees himself and his team at the GDI.Foundation as “messengers with bad news and good intentions.”
When asked by Tidy if he regrets not taking any evidence from Trump’s Twitter account upon accessing it, Gevers explained:
“When we train young volunteers, we say don’t take access for granted,” adding, “Twitter is not only a communication tool, but it also has a lot of information […] if you start digging into someone’s private messages or the data, you’re going too far.”
Informing companies that they may be in breach of the law is difficult and requires strong communication skills, Gevers says. When addressing companies from different cultures with different principles, he said, doing it discreetly, quietly and politely is the only way.
“We are trying to be respectful to all laws, cultures and religions. We stay as polite, helpful, and transparent as possible.”
“Your house is on fire, there’s no fire brigade, but you have random people show up to put out the fire and leave and don’t ask for praise or compensation. That works well in every culture.”
On the topic of not receiving compensation, Tidy asks Gevers his opinion on bug bounties, which he believes are fine to use, as security is challenging for a layperson to understand.
“They save hassle and can set a set of rules with a responsible disclosure set up.” But “beg bounties” (unsolicited reports of minor issues followed by a request for payment), he says, are “people looking for low hanging fruit.” The biggest problem he has with bounty programmes, he said, is the limited scope security researchers are given to investigate a whole system, supply chains included. “If it’s not in scope,” he said, “you’re in trouble.”
“Anyone can put a responsible disclosure on their page,” Gevers said, encouraging businesses of all sizes to put their own rules out there on how they wish to be contacted about exposed data.
Joining Joe Tidy for this week’s panel discussion, “Trust and Transparency in a Digital World”, were Mark Sward, VP and Global Head of Privacy at Sterling; Ann McManus, Market InfoSec and Privacy & Ethics Lead at Lloyds; and Sonia Cheng, Senior Managing Director at FTI Consulting and lead for the EMEA Information Governance Privacy & Security (IGPS) practice.
According to Ann McManus, the public are more educated on what data protection should and can look like, and therefore “people are more incentivised to query companies.” But she said, “People are less trusting of how their data is being used.”
In agreement, Sonia Cheng said, “Trust has eroded but I think this is a process,” adding, “We’re seeing a phase now where there’s a lot of privacy-washing amongst Big Tech.”
Following on, Mark Sward said, “I’m optimistic in the long run, we’re in a period of revolution. A lot of these companies are paying lip service and a lot are doing concrete things, for better or for worse, and it’s complicated. Trust is low and users know that their data is going everywhere but they don’t know who to trust, who to believe and who is in charge.”
“The unfortunate perspective in some C-suites,” said Cheng, “is unless it’s a fine it’s not getting funded.”
On the other hand, Sward said there is a “great deal of accountability” being driven between B2B companies that rely on each other to be transparent. As at Sterling, “when you’re selling a data driven service to a big business, there are opportunities for business to work together in the situation,” he said.