Data Privacy and Security Starts At Design

By Michael Simon

In the last few months, Zoom made headlines with privacy and security concerns while at the same time dealing with a massive increase in users (see our prior post on Zoom here). The privacy and security issues faced by Zoom have led to a loss of consumer confidence in the application and have opened the door to competitors, such as the surging Microsoft Teams and the newly revamped Google Meet. While there is much to admire in Zoom's commitment to getting it right this time, its CEO's recent announcement of a 90-day feature development freeze to fix those bugs only drains internal resources away from countering these competitors by building new features for its paying customers.

It would be easy to blame the current crisis for why Zoom seemed so unready to face so many challenges.  However, there are a few who have focused on the real issue, that Zoom didn’t build privacy and security into their system to the degree necessary from the start: “Zoom wasn’t nearly as focused on security and privacy as many people and organizations thought they were and as they should have been.”

The issues Zoom faces are a harbinger for other platforms and applications. Companies that do not design their systems with privacy and security in mind from the start are going to find that one day, inevitably, things will break – and perhaps break in an ugly, public way. Case in point: Untappd. Recently, the "legendary" OSINT website Bellingcat reported that one of the most popular beer-rating apps, Untappd, suffered a massive security and privacy leak. And not just an ordinary massive security and privacy leak (if there is such a thing), but one that may have exposed military secrets.

“Beer is proof that God loves us and wants us to be happy.”

Somebody other than Benjamin Franklin

If you have not already heard of Untappd, it is a popular app that builds a community for craft beer drinkers who are looking for a guide to the bewildering array of available craft beer. Even my local, small-town craft beer store uses Untappd to draw distinctions between IPAs, dry-hopped IPAs, and New England IPAs.

Bellingcat reported that it was able to use Untappd to trace the locations of military and intelligence agency users:

"Examples of users that can be tracked this way include a U.S. drone pilot, along with a list of both domestic and overseas military bases he has visited, a naval officer, who checked in at the beach next to Guantanamo Bay detention center as well as several times at the Pentagon, and a senior intelligence officer with over seven thousand check-ins, domestic and abroad. Senior officials at the U.S. Department of Defense and the U.S. Air Force are included as well."

Untappd may not have been designed to prevent searches for military bases or sensitive government installations (linking beer and the military in this manner seems far-fetched), but it integrates with the Foursquare API, which allows user locations to be identified through user "check-ins" at various venues. For each venue, Untappd lists its "loyal patrons," the top 15 users who have checked in there most frequently – precisely the feature the experts used to identify military installations across the globe.

Moreover, it was shown that the experts were able to exploit a user's profile data "to confirm the person's identity by cross-referencing the username and profile picture with other social media." As Bellingcat reports, someone could use these capabilities to learn an awful lot about these users (who, again, sometimes work at sensitive intelligence and military installations):

“The other locations these users have checked in paint a very rich picture of where they live, how they travel, and which places they frequent. Most of their check-ins are accompanied by a photo of their drinks, sometimes revealing family, friends, and colleagues in the background.”

Of course, all of this would be bad even if only top security experts could extract such sensitive information. But it's worse, because the reporters at The Register were inspired by the Bellingcat report to try this themselves. They found it was "easy" to replicate the findings.

And if all of that was not bad enough already, the experts provided examples of things that happen to be in the pictures of the beer – because beer tends to be photographed on tables or desks. Thus, one can find in those pictures of beer, on tables and desks, such things as debit cards, IDs, Post-it Notes with passwords and even classified military documents. Maybe those users should have taken those pictures before drinking any beer? Or, better yet, maybe the people who designed Untappd should have focused more from the beginning on security and privacy: on how their system could fail, on what would happen when it does, and on how they could have designed it from the start to prevent such drastic failures.
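As an added illustration of the "design it from the start" point, the following is not Untappd's code but a constructed model of its per-venue "loyal patrons" leaderboard: a naive version that ranks every user who ever checked in, beside a privacy-by-design version that only lists users who opted in to public visibility and suppresses the leaderboard entirely when a venue has too few distinct users to hide in. The threshold of 25 distinct users, the opt-in flag and all venue and user names are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class CheckIn:
    user: str
    venue: str
    public: bool  # assumed opt-in: user agreed to appear on public venue lists

TOP_N = 15                # matches the "top 15" loyal patrons list described above
MIN_DISTINCT_USERS = 25   # assumed crowd-size floor; a small crowd identifies its members

def loyal_patrons_naive(checkins, venue):
    """The 'before' design: rank every user who ever checked in at the venue."""
    counts = Counter(c.user for c in checkins if c.venue == venue)
    return [user for user, _ in counts.most_common(TOP_N)]

def loyal_patrons_private(checkins, venue):
    """Privacy-by-design version of the same feature.

    1. Only check-ins from users who opted in to public lists are eligible.
    2. If fewer than MIN_DISTINCT_USERS distinct eligible users exist, publish
       nothing: a leaderboard at a quiet venue (a bar next to a remote base)
       would name essentially everyone who frequents it.
    """
    eligible = [c for c in checkins if c.venue == venue and c.public]
    if len({c.user for c in eligible}) < MIN_DISTINCT_USERS:
        return []
    counts = Counter(c.user for c in eligible)
    return [user for user, _ in counts.most_common(TOP_N)]

def build_sample():
    """Constructed check-in data (not real users or venues)."""
    rows = []
    # A busy venue with 30 distinct users; u00 checks in most often but opted out.
    for i in range(30):
        visits = 5 if i == 0 else 4 if i == 1 else 1
        rows += [CheckIn(f"u{i:02d}", "downtown_taproom", public=(i != 0))] * visits
    # A tiny venue with three regulars; a leaderboard here lists all of them.
    rows += [CheckIn("alice", "remote_outpost_bar", True)] * 3
    rows += [CheckIn("bob", "remote_outpost_bar", True)] * 2
    rows += [CheckIn("carol", "remote_outpost_bar", True)]
    return rows

if __name__ == "__main__":
    sample = build_sample()
    for venue in ("downtown_taproom", "remote_outpost_bar"):
        print(venue, "naive:", loyal_patrons_naive(sample, venue))
        print(venue, "private:", loyal_patrons_private(sample, venue))
```

The same threshold logic applies to any per-location aggregate (Strava-style heat maps included): the question to ask at design time is how few people the displayed statistic could be narrowed down to.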

This is not the first time that we have seen apps overshare information to the point where it could put people – and perhaps national security – in danger. A few years ago, a 20-year-old Australian student identified how the fitness app Strava could be used to identify US military installations, even those in active combat zones. Just a few months later, it was revealed that experts were able to spoof the API of another fitness app, Polar, into revealing the names and locations of users at military facilities, missile silos, and spy agencies all across the world. So, while this problem isn't new, the new focus on privacy and security helps to highlight how consumer-driven applications that appear harmless can actually create more risk than the users even realize.

Isn’t it time that we think, before we drink design?

If we cannot do something as seemingly simple as rating beer without revealing military secrets, it will be challenging (but not impossible) to gain consumer trust for bigger challenges, such as secure video conferencing systems or, even more importantly, the contact tracing apps needed to combat the current COVID-19 crisis. Because Untappd left these holes open in its system, it could be opening itself up to a bewildering array of liability, such as data breach lawsuits, breach of contract claims and the like. The fact that these issues are now public means that Untappd, like Zoom, is now playing catch-up, having to hope that, unlike Zoom, the class action lawsuits will not follow.

Companies need to identify these issues at the beginning, before they become front-page news. They need to think through the potential privacy and security problems during the development process, so that they prevent the headlines that lead to lawsuits. After all, it's much better to drink your beer at happy hour than to drown your data security sorrows.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.