SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 169: New Year, New Rules!

Posted on January 9, 2020

It’s the first Checklist of 2020, and we’re starting things off with some important privacy news from the great state of California. We’ll also discuss (another) potential issue with Amazon’s Ring doorbell surveillance camera. And finally, we’ll leave you with a decidedly low-tech security tip that you’ll want to remember all year long!

The first Checklist of the 20s will cover:

  • California pulls the country down privacy road
  • A twist on privacy issues and Ring
  • An analog security warning

As goes California…

Have you been sent an unusual number of privacy policy updates in the last couple of weeks? 

If so, it’s no coincidence: California’s new digital privacy law has just come into effect, forcing companies to — among other things — inform their customers about how their data is being used. The law, known as the California Consumer Privacy Act (CCPA), could have implications for the rest of the country, and so it’s definitely worth having a look at even if you don’t live in California.

We’ll begin with a caveat, though: This is a security and privacy podcast, so we’re not claiming to offer legal advice in what follows (or even a comprehensive explanation of the new law). But we would like to provide you with an overview of the CCPA, as well as some thoughts about what it might mean for the future of digital privacy in the United States.

So what are the major provisions of the CCPA? The law requires the following of any company to which it applies:

  • Websites must feature a link on their homepage which allows users to opt out of having their data sold to third parties
  • Businesses must provide detailed information on what kind of user data is being collected (often this will be disclosed in the privacy policy)
  • Businesses must provide information on third parties with whom user data is shared (this too will often appear in the privacy policy)
  • Upon request, companies must provide a user with a copy of all data that has been collected on that user
  • Companies may not charge more for a service if a customer has opted out of data sharing

It should be noted that this law doesn’t apply to every business across the board, but only to companies that satisfy one of the three following conditions:

  1. Businesses that gross over $25 million per year
  2. Businesses with data on more than 50,000 people
  3. Businesses which earn over 50% of their revenue through the sale of data

While the intention of these threshold tests is to target the worst offenders in the world of data collection and free smaller companies from the burden of compliance, we may see some negative consequences as well, since hackers may increasingly set their sights on smaller companies in order to steal user data — companies which often have weaker security than large corporations.

Nevertheless, the law seems to be a step in the right direction, especially since the giant tech companies (perhaps with the exception of Apple) have shown little inclination to respect user privacy of their own accord. While we appreciate the dangers of over-regulation, it does seem that some intervention on the part of lawmakers is necessary in order to protect the public’s privacy from those seeking to monetize customer data.

While California is just one state, it’s an extremely important one. Its economy is one of the world’s largest, and the state’s outsized political influence is reflected in the old adage “As goes California, so goes the nation”. It remains to be seen whether or not other U.S. states — or even the federal government — will follow California down the path of data privacy by legislation, but there’s reason to believe that the CCPA may signal the beginning of robust privacy regulation in the United States.

Ring gets sued

We’ve covered the issues with Amazon’s Ring doorbell camera system before, but more from a civil liberties and data privacy angle. However, a recent story suggests that there may also be security concerns with the system: An Alabama man is suing Amazon over allegations that the company’s poor security practices allowed hackers to contact his children through a compromised Ring device.

There are two sides to every story, however, and Amazon says that there is no evidence of a breach on their end, suggesting that the most likely explanation is that hackers had breached another site where the plaintiff was using the same credentials that were supposed to secure his Ring device, and were thus able to access the man’s Ring account as well. In short, Amazon is saying that this was a case of credential stuffing. 

Credential stuffing is something we’ve talked about before, but as a quick refresher, it refers to a hacker obtaining a victim’s username and password in a data breach on one site, and then trying those same login credentials on as many other sites and services as they can until they find a match, at which point they are able to access another of the victim’s accounts. Of course, credential stuffing only works when people reuse passwords, which is precisely why we’re always saying to use strong, unique passwords for all of your accounts (and to use a password manager to make this easier to accomplish). Unfortunately, not everyone listens to The Checklist, and hackers know that many people are reusing the same credentials on multiple sites. They know that if they manage to get usernames and passwords from one site, it’s only a matter of “stuffing” enough of these into other sites’ login fields in order to compromise people’s accounts — even on sites that never suffered a data breach.
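The attack pattern just described has a recognizable footprint on the receiving end: a legitimate user who forgets a password fails repeatedly on one username, while a credential-stuffing run produces a burst of failures across many different usernames from a single source, with the occasional success marking an account whose reused password actually matched. The following Python script, an added example that is not code from the podcast or from SecureMac, scores login records for that pattern. The log format, the field names, the threshold values and the sample log lines (using documentation IP ranges) are all constructed assumptions for illustration.

```python
"""Credential-stuffing detector over web login logs.

Added example, not from the podcast or SecureMac. The log format, field
names and thresholds below are assumptions for illustration. The defensive
idea: an attacker replaying leaked username/password pairs produces many
failed logins for many *different* usernames from one source, whereas a
legitimate user who forgets a password fails repeatedly on *one* username.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
# <ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2020-01-09T08:00:01 198.51.100.7 alice LOGIN_FAIL
2020-01-09T08:00:02 198.51.100.7 bob LOGIN_FAIL
2020-01-09T08:00:02 198.51.100.7 carol LOGIN_FAIL
2020-01-09T08:00:03 198.51.100.7 dave LOGIN_OK
2020-01-09T08:00:03 198.51.100.7 erin LOGIN_FAIL
2020-01-09T08:00:04 198.51.100.7 frank LOGIN_FAIL
2020-01-09T08:00:05 198.51.100.7 grace LOGIN_FAIL
2020-01-09T08:00:05 198.51.100.7 heidi LOGIN_FAIL
2020-01-09T08:01:10 203.0.113.5 alice LOGIN_FAIL
2020-01-09T08:01:25 203.0.113.5 alice LOGIN_FAIL
2020-01-09T08:01:40 203.0.113.5 alice LOGIN_OK
2020-01-09T09:30:00 192.0.2.44 bob LOGIN_OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters for one observation window."""
    first_seen: datetime
    last_seen: datetime
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    # Accounts that logged in successfully in the middle of a spray:
    # these are the accounts whose (reused) password matched.
    successes_during_spray: set = field(default_factory=set)


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, ok)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_usernames=5, min_fail_ratio=0.6):
    """Return {ip: SourceStats} for sources whose activity looks like stuffing.

    A source is flagged when, within a fixed window starting at its first
    attempt, it tries at least `min_usernames` distinct usernames and most
    of those attempts fail. Thresholds are assumed values; tune them to the
    site's normal traffic.
    """
    windows = {}   # ip -> SourceStats for the current window
    flagged = {}   # ip -> SourceStats that crossed the thresholds
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        stats = windows.get(ip)
        if stats is None or ts - stats.first_seen > window:
            stats = windows[ip] = SourceStats(first_seen=ts, last_seen=ts)
        stats.last_seen = ts
        stats.attempts += 1
        stats.usernames.add(user)
        if ok:
            # A success after failures on *other* usernames is the signal
            # to lock that account and notify its owner.
            if len(stats.usernames) >= 2 and stats.failures > 0:
                stats.successes_during_spray.add(user)
        else:
            stats.failures += 1
        if (len(stats.usernames) >= min_usernames
                and stats.failures / stats.attempts >= min_fail_ratio):
            flagged[ip] = stats
    return flagged


def compromised_accounts(flagged):
    """Usernames that succeeded inside a flagged spray, sorted."""
    found = set()
    for stats in flagged.values():
        found |= stats.successes_during_spray
    return sorted(found)


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG)
    for ip, s in hits.items():
        print(f"{ip}: {len(s.usernames)} usernames, "
              f"{s.failures}/{s.attempts} failed between "
              f"{s.first_seen:%H:%M:%S} and {s.last_seen:%H:%M:%S}")
    print("accounts to lock and notify:", compromised_accounts(hits))
```

On the constructed sample, only 198.51.100.7 is flagged: it tries eight usernames in a few seconds with seven failures, and the one success (dave) is the account whose reused password matched. The forgotten-password pattern from 203.0.113.5 (three tries on a single username) is correctly left alone, which is the distinction that lets a site respond to stuffing by locking or re-verifying the matched accounts rather than blocking every user who mistypes a password.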

Since Ring is cloud-based — meaning that you can sign into the service from your browser — Amazon’s explanation is entirely plausible, though of course we’ll have to wait to see how the case plays out in court to know who has the most compelling evidence to support their claim.

The story is a good reminder of why it’s so important to take password security seriously — and why it’s vital to take steps to protect potentially vulnerable IoT devices on your home network, as well as the network itself. Even if it turns out that Amazon did everything right with Ring device security, there are plenty of companies that aren’t as careful. Many routers, for example, still come with extremely hackable default login credentials like “username: admin; password: admin”. Make sure you’re always changing manufacturer default credentials to strong, unique passwords; protect your home network with a good password and strong encryption; and make sure every device in your home receives regular security patches and updates!

Low-tech security

For our final segment this week, we’re taking a break from hash algorithms, encryption standards, authentication protocols, and all of the other high-tech security stuff you’re used to hearing about on The Checklist.

Instead, we’d like to offer you a simple security tip that you should keep in mind for the rest of 2020: Do not abbreviate the year 2020 as “20” on signed documents.

Why not? Because if you only write “2-0” at the end of a date, fraudsters could easily add two more digits to that number in order to alter the year. And this could lead to trouble if, to offer just one example, a document contained a financial deadline. Say you agreed to start a loan on February 15, 2020, and you were to write that date as 02/15/20 on the agreement. Someone could very easily add a couple of digits and change the start date to 02/15/2019 — and then accuse you of being a year behind on your payments, with all the legal and financial repercussions that this might entail.

So the next time you date something, be sure to take that extra half a second to write the year out in full — and keep doing this for the rest of 2020!

Do you have a question about digital security and privacy? Ask us! We’d love to answer your questions on a future edition of the Checklist. Our email address is Checklist@SecureMac.com, and we love hearing from our listeners, so don’t hesitate to reach out to us if you have something you’re curious about or want to suggest a topic for a future podcast. 
