
Privacy needs where you least expect it.
[ Music ]
Kim Jones: Welcome back to "CISO Perspectives." I'm Kim Jones and I'm thrilled that you're here for this season's journey. Throughout this season we will be exploring some of the most pressing problems facing our industry today and discussing with experts how we can better address them. Today we're expanding upon our last conversation, this time looking at a specific industry and how privacy is all too often an afterthought. Let's get in to it. [ Music ] In 2016 during a free-ranging discussion with journalists at the Consumer Electronics Show, Ford Motor Company CEO Mark Fields made the following statement. "Overall when you look at our business we're not only a car manufacturing company," he said. "We're a technology company. As our vehicles become part of the internet of things and as consumers give permission to us to collect that data we'll also become an information company." Fields went on to say that Ford is building up its analytics workforce as it gets ready to process the terabytes of data which will stream to them in the future. Further, Ford believes that the end result of all this data collection will be a product that Ford can then offer current and future customers. This goal shouldn't really be a surprise to anyone as it speaks to the importance of data in today's economy. I would contend that data in this so-called data-driven economy is not the end though, but a means to an end. Data are raw unorganized facts which have little value in and of themselves. Information, on the other hand, is data in context, that context being provided through organization or processing efforts. Intelligence, the last step in the process, is information that has been analyzed, interpreted, and synthesized to provide actionable insights and/or guide strategic decision making. Intelligence is the ultimate goal of most companies that consume or advocate for your data. 
The more intelligence a business collects on you the better and quicker they can anticipate your needs as a consumer and at a lower cost point. We'll have to take it a step further. If I can obtain the intelligence by passively gathering seemingly innocuous data from devices you use every day I can build a complete picture of your habits and needs easily anticipating your future purchasing decisions. Sound crazy? It shouldn't. It's happening every day. And we are often willing, if not naive, participants. Consider grocery stores use loyalty programs to collect personal information. Shopping history, purchase frequency, and sometimes location data can build detailed customer profiles. This data is analyzed to create personalized offers, optimize store layouts, and power internal advertising platforms. Google uses information collected about you by its multitude of platforms and systems to determine which advertisements to display to you. Going back to our automotive use case that we used to start this conversation, we routinely connect our cell phones to the computer systems of rental cars. Oftentimes we copy our contact list to the automobile to make it easier for us to navigate in unfamiliar cities while conducting business. When we're done with the rental, however, how often do we take the time to wipe our data from the car's memory? Worse. How often do we ask rental car agencies what they do to clean data off of their rental vehicles after rental vehicles return or before rental vehicle is disposed of? Now as a CISO ask yourself this question. When is the last time you thought about how your corporate data might be leaking out to sources outside of your control such as rental vehicles? By a means for which you have no governance and have not had discussions, nor even an educational effort. As we said last week, we can't rely solely on the legal or regulatory frameworks to guide us in our privacy efforts. 
In many cases you will be the first person to bring these concerns to light in your organization. As we continue to enable our business lines we must ensure these so-called edge case situations are acknowledged and addressed by our business leaders. My 2 cents. Merry Marwig has been a crusader for educating consumers on how to better protect their personal data in an economy that is becoming ever increasingly data driven. I sat down with Merry to discuss the specific privacy dangers that exist when utilizing automation within automobiles. A quick note that the opinions expressed by Merry in this segment are personal and should not be interpreted as representing the opinions of any organization that Merry has worked for past or present. Merry, I really appreciate you making the time to have a conversation with us. Welcome to the podcast. How are you today?
Merry Marwig: I'm doing super. Thank you so much for having me, Kim. Glad to be here.
Kim Jones: I'm glad that you are here. This is going to be fantastic. So you and I met when I was listening to a presentation that you gave at the Rocky Mountain Info Sec Conference a few months ago. So would you please take a moment and introduce yourself? Tell us a little bit about you.
Merry Marwig: Absolutely. Well, first and foremost, thanks for having me and I'm super excited to have the opportunity to speak with your listeners today. So thanks to also the people listening in today. So about me. I've been a privacy professional for the past seven years or so. Prior to that I worked in technology roles at high tech companies of all sorts. And I got in to privacy when I heard about the GDPR. That's the European Union's data protection regulation which gives everyday regular people rights and controls over some of the data that companies have about them. So I just got super fascinated in that and decided to pivot my career and flash forward seven years now. I work at a company called Privacy for Cars. And what we do is provide both security and privacy solutions to automotive companies. I think there's a lot of overlap between security professionals and privacy professionals. We are distinct. We do separate things. But some of the times we work better together.
Kim Jones: What is one thing about Merry Marwig that most people don't know about you?
Merry Marwig: I'm kind of an open book. Despite being a privacy professional, I really do love privacy. A lot of people are like, "This is kind of dork of topic." I'm like, "Not to me." I live and breathe this. It's been a career highlight to do this the last seven years. Switching over in to the automotive world has been eye opening for me. As a consumer I just did not understand how the landscape of data security and privacy in the automotive industry was, the state of affairs. So that's been fascinating. But yeah. It's true I live and breathe this stuff. Big pro privacy person.
Kim Jones: Like most security professionals, you answer an open question without telling anyone anything directly about you which is what I usually do. So I'm really impressed. Well played. So that said let's get -- let's start very basic. What is privacy?
Merry Marwig: This is one of those things that's hard to wrap like one easy definition around just like security. You know, it's not just locking your front doors and you're good. It's always evolving. So this is interesting. I would say intrusion upon seclusion is what you're looking for. And that is the like legal definition of privacy or privacy issue or privacy harm or privacy invasion. And obviously legal definitions definitely matter, but what I think is a bigger problem is there's a lack of awareness. And again that kind of ties back in like how do I want to show up. How can I control information about me? What are people saying about me? Is it true? Like, you know, is that how I want to be perceived? I also if you want to get back to fundamentals, Kim, I will also mention that in the Universal Declaration of Human Rights, Article 12 deals with privacy. It's that no one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence nor to attacks upon his honor and reputation. So this goes way back, but what I think is important is the acceleration of data collection which is the privacy aspect of what we'll get to today and how that changes our perception of privacy because as technology changes so does our understanding of privacy.
Kim Jones: Yeah. And it's interesting that that declaration which I am actually familiar with talks about no intrusion upon privacy again without defining it which gets to be very interesting within the environment. So --
Merry Marwig: I want to tell you one thing too. This -- it's hard thing to capture and I struggle with this when I'm trying to do imagery to show privacy. It's like what's the graphic. Like when it's security it's like a lock and a key. You know, you get that. But privacy, you know, what is it? It's usually like an eye that's closed, you know, but is that really all encompassing? I'm not sure. But --
Kim Jones: So you and I are in violent agreement on this. I'm wondering and this is for later because I do want to get in to some of the hows and some of the ways that we are giving up privacy because I think that that's hugely important both at enterprise level and personal level. There gets to be a concern just to put in the back of your mind that I want to get to a little later is it's if we can't define we can't necessarily control. We don't know where to control which is why I push for definition within the environment. If I understand the definition I can then extend that control framework accordingly. So I want to put that aside because some of the areas that you've been alluding to which are hugely important in terms of some of the hows and where [inaudible 00:11:00] I want -- you know, I do want to spend some time on because, you know, I know it's important to you and it's absolutely important to me and I think our audience needs to get a handle on that.
Merry Marwig: So to that point, Kim, if you're looking for kind of guardrails there is a framework we can start from. In the United States we -- where I think we're both based there is the notice and consent framework where it's you tell people what you're doing and you get consent for it. But I would argue the notice part and properly informing people has some room for improvement.
Kim Jones: So let's get down to the hows and then we can go back and talk about some of the challenges regarding notice, consent, etcetera within the environment. One of the things that you brought up, one of the things that your company brings up, is there are places where we are surrendering our right to privacy or unaware that we have surrendered our right to privacy. And in ways that are potentially extremely harmful to our ability to control access within the environment. And obviously your company deals with that around automobiles. So let's deep dive in to that for a little bit. Talk to me.
Merry Marwig: So you're totally touching on this whole notice and consent framework. My argument is that if most people truly understood the data practices of many of the companies they do business with they probably would say no. And that leads to a fact that there's a problem with the notice. Right now you go to a company's website and read their privacy notice or privacy policy and it's written at, you know, postgraduate level. And it takes you six hours to read or something. Who is actually reading through those documents? So that's a good place to start in the automotive context. So in cars like every time you get in to like a rental car, for example, are you actually reading the privacy notice of that car? I mean I would say most people don't. I have this really great white paper that I'd like your readers to know about. It's called "Endpoints on Wheels: Protecting Company and Employee Data in Cars." We have some information in there about how long it takes to read a standard privacy notice for a car. And in this white paper it's over six hours to actually understand the data practices of that car and the car companies. And think about it. If you're going to rent a car, let's say you're on a business trip, you fly in, you get to the rental car place, they give you the key. Are you going to sit in the parking lot for six hours to understand what's going on or are you just going to turn on the key and go about your business?
Kim Jones: What are some of the typical practices you're seeing buried in these notices that we are ignoring?
Merry Marwig: Well, it all goes back to what types of personal data these companies are collecting. So for example it could be like identifiers. Like even something simple like your name, your email, your social media handles, biometrics. Does it take voice prints? What else? Your geolocation. That's a big one. And all U.S. states in the United States that have a privacy notice precise to your location is a sensitive data type. So in some places you have rights to control that. So things of that nature. Your preferences. Some of the information that like communications information like your text messages or your call logs, all those sorts of things could be stored in the car. And I think a lot of people don't realize that it persists. When you turn off the car it doesn't go away. So I would really encourage people both on a consumer level and an individual level to be aware of the types of data that cars are collecting these days and what it gets used for. And then also at a corporate level I know you've got security professionals who are listening to this. This also applies to cars used in a corporate context. So your fleet cars, your rental cars, or what I call BYOD cars. You know employees may use their cars and access corporate information on there, and do you have a policy for that? [ Music ]
Kim Jones: So if I'm renting a vehicle within the environment the data is persisting. What rights are you seeing car companies or rental companies assert in terms of the utility of that data?
Merry Marwig: So that's the thing. Again going back to notice and consent, I would argue a lot of people really just are unaware of the types of data that they are generating and then who owns that. You know, your geolocation. So if you're using a rental car for a business trip, you know, are you going to a confidential client location? Right? Who else should know about that? Your rental car company sees where you're driving. That information may be shared also with the manufacturer. And what kind of data points can be inferred from that? But it's not only just the data that's being shared, but it's also the data on the car. So for companies like rental car companies that do not have a data sanitization process in place let's say you pair your phone and you make a bunch of calls to your boss or your M&A client or whoever. That digital data trail is going to persist on that vehicle so the next person who has access could see that.
Kim Jones: And I understand that actually having walked in to vehicles where I have found that information sitting on, you know, the paired screens. I'm -- are we seeing automotive companies assert the right to actually not just collect that data, but utilize that data in aggregate for marketing, sales, or any reason whatsoever? If I rent my car at my rental car company are we seeing based upon your company's research -- I'm using Hertz as a common example that everyone is aware of. Are we seeing Hertz begin to utilize the aggregate data that their fleet has to do other things regarding marketing, analysis, etcetera, etcetera, etcetera, etcetera? Are we beginning to see those companies first, A, assert their right to utilize that data in their agreements which I'm suspecting is yes, but are we also beginning to, B, see them utilize that data?
Merry Marwig: Absolutely. When you think about telematics data it's really, you know, common uses are like geolocation. Where are my fleets going? What's the status of that car? Is the fuel consumption fine? What about the air filter? Is the person driving it driving recklessly? Are they falling asleep at the wheel? What -- all sorts of things that, you know, there are valid business purposes for. I would argue most people would be, you know -- understand that. But in terms of the other types of data collection for marketing like again it's that notice and collection. Where when you sign up with these car companies does it say very clearly and quickly, "Hey, cars collect, you know, identifiers. Cars collect geolocation data. Cars can collect, you know, biometrics. And we share this with insurance companies." Or, "We share this with our own like internal research." Right? That's just not happening as a business practice today and I would love to see that where people make informed choice. It's not just notice and choice, but informed choice. In terms of the data sharing, yeah, you know, there are some conflicts of who owns that data? Like who has access to that data? Which I don't want to get too far in to, but I will say if you are a security professional and you have a fleet or you use rental cars it's in your best interest to figure that out. Right? So one thing I'm really encouraging security professionals to do is work with their procurement teams and their GRC teams to define that data. So I would love for security teams to require two things when they contract with rental car companies or fleet companies. First would be to provide the drivers with simplified data disclosure. What are the capabilities of that car? And it's being specific. Right? Because some cars have different capabilities. All sorts of different infotainment systems, years, makes, models. There's a wide breadth of capabilities. 
So, one, just give me a quick overview so I can make informed choices on whether I decide to pair my phone in that car or not. Right? And then the second thing I would really like security professionals to do is to make sure there is media sanitization happening after your employees use a car. So in a rental car situation, you know, someone brings the car back. The rental company performs a data deletion to properly wipe that infotainment system of, you know, calls, contacts, locations, all that sort of stuff. And then they provide you with a certificate of deletion showing it's done so that you have the compliance record and the peace of mind to know that your corporate data and your employee's data is not lingering and persisting in a device that you don't have control over.
Kim Jones: Okay. So let me play devil's advocate. I work for Hertz. What's the value proposition for Hertz to do this?
Merry Marwig: If you had a provider that lent out laptops to your staff when they're traveling or whatever and they had a policy where you just bring it back and like the way they cleaned it was they wiped off the top of where your fingerprints are, but they did nothing with the hard drive and the files stored on the device itself, would that be acceptable to your security team?
Kim Jones: The answer's obviously no. But I would also say to you you're relying on security teams to come change the business of the rental car industry. It is very difficult for any advocacy group, etcetera, to come together to change a business practice or business model. So in the absence of that I'm trying to sit here and say, "Okay. Until that occurs, do I tell my company not to rent vehicles?"
Merry Marwig: Absolutely not. There's a what I would consider a very easy way forward. First and foremost there are commercially available data deletion solutions on the market available to automotive companies. So it exists. This is not some future forward thing. It's on the market. It's just that adoption's been low because there hasn't been the market demand. And so that's what I'd like to see, security professionals use their power to do that.
Kim Jones: Okay. I've been in this business for almost 40 years. I'm still fighting at an enterprise level and consumer level to get people to do the things that they should do in order for my job to go away. So phishing still works because people keep clicking on emails. Ransomware still works because people keep clicking on emails. The Nigerian prince scam still works because people keep responding to emails. I hear what you're saying and you know because we've had this conversation I'm in violent agreement.
Merry Marwig: Yeah.
Kim Jones: I used to when I went in to [inaudible 00:23:26] my first background was in healthcare security. I was at the HIMSS conference once and I heard a great presentation called "150 Years of Washing Your Hands." And it was a presentation and a security standpoint that says, okay, it was X number -- a century ago where we said "Hey, you need to wash your hands in order for us to eliminate germs and eliminate bacteria, etcetera, within the environment." 100 years later studies were showing that the number one cause for in hospital post surgical infections or illness, etcetera, are medical professionals not washing their hands. So if we can't get doctors and nurses and others to wash their hands, the point was why should we as security professionals expect people to do things that are in their best interest that are just basically electronic hygiene? My concern is, yes, you're absolutely correct. I would love to be able to force individuals and businesses to take this approach. But we -- how do I work this? At least here in the states we have surrendered our, you know, data protection for convenience in not just the automotive industry. So can we put that genie back in the bottle? And, if not, you know, are there other things we ought to be looking at within this? And this is someone who, by the way, and I want to make it very clear, Merry, who is in violent agreement with you.
Merry Marwig: No. I'm with you. Actually your two examples completely underscore my point which is this cannot fall on the consumer or the individual employee to do it. You need to have an organizational process. And who is the best person to make sure these media sanitizations happen? The company you are renting from. The company that owns the device needs to be responsible for that.
Kim Jones: And having them accept that responsibility and the associated costs when the consumers they're renting from aren't asking for it, think Google. And again no disrespect to Google, etcetera, but as someone who does read the terms and services that come out within the environment because I am a little paranoid, you know, a decade ago when Google said it was actually collecting 57 different signals for use of its product within the environment nobody blinked.
Merry Marwig: Right.
Kim Jones: And nobody is still blinking within that environment.
Merry Marwig: Here is where I think CISOs do have power. We know that consumers do not have the type of corporate power that some of these CISOs do have, and so for example we got access to an infotainment system of a car and our researchers at our company turned it on. There's no authentication. Opened it up. And we found all of the contact details of a large bank's executive, their family's names, their family's social security numbers, their CEO's phone number, plain text credentials. All sorts of things were on this car. I just can't imagine understanding that this is a problem and the security team turning a blind eye. And you also mentioned earlier, you know, why is it the security team's problem? And I'll say because procurement is busy doing purchasing and they are not security professionals and this is really a data security problem. Cars are to many people just ways to get around. Right? But they're also computers now. They're not just wheels. They're computers that store data unencrypted in plain text available to anyone with the authentication which is a literal key. So as long as you have physical access to this thing you can extract data or glean insights from that. And if it's used in a corporate context I don't see why it would not fall under the security team's purview. It's the blame game. No. It's them who should deal with it. It's them who should deal with it. It's them. It should be the fleet managers. They're not security professionals. They don't have the same type of knowledge and understanding and frameworks in place that can be carried over from how other endpoints like laptops and smart phones are managed in to an automotive context.
Kim Jones: Yeah. And I have no problem with that. As a West Point grad, I have no problem with taking responsibility, Merry. And you'll find most of my -- you know, most of my contemporaries feel the same way. It's not a matter of [coughs] excuse me -- why it should be my responsibility. It's a matter of, you know, are you overestimating our ability to, you know, create the change and impact that you're asking for? Can I as an example put together a policy that says either, A, don't pair your device with the car -- everyone will ignore that because I have no way of enforcing that. Can I put together a policy that says or a reminder that you need to delete, you know, your access and your contacts, etcetera, from the car should you pair? Yeah. Absolutely. I could do that. And on the bell curve that says, you know, 20-60-20, you know, 20% of the people will always follow it, 60% hopefully will follow it, and 20% will ignore me. I could still make things better in that regard.
Merry Marwig: Let me tell you one really incredible example of something we found. We were able to re-identify a military contractor's life using data left in a defleeted car. So a company car that this military contractor used for his work went to auction, was sold, and never had any sort of media sanitization in place because again in a lot of places this is not the policy which is banana pants to me. If you had a refurbishing of a computer they would wipe the hard drive. Why do we not do this for cars? But anyway getting back to my point about this example we were able to reconstruct this military contractor's movements. We knew this person's full name, the exact address he lived at, his smart phone contacts because a local copy of smart phone data is stored on the vehicle. It doesn't go away when you unplug the phone. It persists on that device which is the car. So contacts, call history, text messages, his personal email, work email. We found that he went to several military sites including a quote, unquote "decommissioned military site." We were able to find that in the car. We also found out his holiday home and information about his family, his children, and that he loves watching particular sports games. So all from a car. And this guy had no idea that this data was persisting and that we could recreate it. And thankfully, you know, we're ethical researchers. Nothing bad happened under our watch. But imagine if that gets in the hands of a competitor or another type of government or what have you. And so this is the type of data I am talking about and so if you're going to try to push this in your organization and you need a place to start start with your executives because that type of information that we were able to glean quickly out of a defleeted car is just jaw dropping to me. [ Music ]
Kim Jones: Merry, I really appreciate you taking some time to educate us about this gaping loophole in most of our protection postures and protection profiles out there. We will make certain that the links to your website and links to your reporting are available. I actually downloaded your report after I met you at Rocky Mountain. It is absolutely eye opening. So thank you for being here and thank you for educating us and thank you for sharing.
Merry Marwig: Thanks so much, Kim. Really had a fun time talking with you. And thanks for everybody for listening.
Kim Jones: And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K pro subscribers. Your continued support enables us to keep making shows like this one and we couldn't do it without you. If you enjoyed today's conversation, and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post which provides you with additional resources and analysis on today's topic. There's a link in the show notes. This episode was edited by Ethan Cook with content strategy provided by [inaudible 00:32:23]. Produced by Liz Stokes. Executive produced by Jennifer Eiben. And mixing and sound design and original music by Elliott Peltzman. I'm Kim Jones. See you next episode. [ Music ]
