Is the CIA secretly listening to what kind of pizza you order with Alexa?
It’s been one week since the “incredibly revealing” information drop by Wikileaks about the apparent abilities of the CIA to eavesdrop on individuals via devices ranging from smartphones to smart TVs and potentially digital assistant devices like the Amazon Echo and Google Home. The United States, most of planet Earth, and even the International Space Station, were immediately sent into a mass-panic with nearly everyone abandoning their electronic devices, pulling the plug on their Internet routers, chucking their smartphones right out the window, and wrapping their microwave ovens with that special blue masking tape.
After the news broke, there were indeed many people who were genuinely concerned about their digital privacy, obviously more so than ever. But the real question is “are our private digital lives more vulnerable now than before?” The answer is: not necessarily.
Before I go any further, let me say this—something I’ve said numerous times on Smarter Home Life—any device that you connect to the Internet, via a cable or wirelessly, is potentially vulnerable to being manipulated by individuals somewhere else on the Internet. If such a device that you connect to the Internet has a weak password, no password, bad security or no security, then it is more likely that the device could be compromised, but not necessarily guaranteed. Also, just because you use good security practices (strong passwords, two-factor authentication, regularly update your devices) doesn’t mean that your device can’t be compromised, but it does make it less likely. And, the same goes for the digital world as the physical world: “A really good burglar will get into your home, no matter what kind of locks or security system you may have installed.”
The next question that you have might be one of these: “Am I being monitored?” “Is the government spying on me?” “Can my neighbor listen to me via my Google Home or smartphone?” The answer to these any other variants of these questions is: probably not. You have to ask yourself an additional question “am I a likely target to be monitored?” to truly know if your digital privacy is at risk. Only you can answer these questions. And Smarter Home Life won’t try to speculate on how you should arrive arrive at your conclusions.
Many people tend to believe that everything that they do on the Internet, whether encrypted or not, can be seen by the government and spy agencies, especially since the Snowden revelations from several years ago. But, it’s important to remember that the various intelligence agencies in this country, and probably others elsewhere, don’t actually have the ability to capture every single thing that happens on the Internet, even in just their own country. To attempt to store copies of all communications, and then attempt to search that trove later, would not just require enormous storage, but tremendous computing power as well (of course, with cloud computing these days, that might not be that far-fetched as it used to be). In the United States, intelligence agencies are, in general, not permitted to spy on U.S. citizens. And while some news stories would lead one to believe that some government agencies are headed by a “Dr. Evil”-esque leader who wants to know every single thing and trend about what citizens do, that probably isn’t the case. And, to play devil’s advocate, it does make sense that intelligence agencies would want to have all the possible “investigative” tools at their disposal. But these agencies would always be pushing up against the limit of what they are truly allowed to do, legally.
So, if you’re not necessarily a target for eavesdropping or monitoring, then you’re in the clear, right? Probably, but not necessarily. As information (and potentially, the tools themselves—assuming they exist) continues to be released by various organizations like Wikileaks, the content of those releases can be used for good by device makers like Apple, Samsung, Microsoft, etc but also be obtained for malicious intent by “bad actors”, hacker organizations or possibly by foreign entities. And this is where the real challenge lies for pretty much everyone, not just those with a higher public profile or visibility. As previous attacks have demonstrated, devices connected to the Internet can (and probably will) be compromised, some more easily than others. And, in general, these attacks are large-scale, designed to obtain any information available from any vulnerable devices that the attack program locates. Why a “general sweep”? Well, if a “bad actor” is going through so much trouble to get into these devices, it’s better to just download as much as possible from as many as possible before the “malicious program” gets blocked. I’m simplifying here, as many of these attacks are done through multiple-layers and different “attack vectors”. A large-scale attack on devices might target a certain country or region, but it will unlikely target individual people.
And so now, we have arrived back at the beginning. And thus, I’ll repeat my general advice for all of your connected devices and services, from PCs and Macs to smarter home devices and your smartphone to web sites: Use good security practices! Update your devices regularly (and avoid devices that can’t be updated), turn on two-factor authentication where possible, and use strong passwords of at least 12 characters long with numbers, symbols, and yeah, you get it. Can’t remember all those passwords? Use a password manager such as LastPass (used and highly recommended by yours truly), most are free of charge and are generally very, very secure…just ask legendary security expert Steve Gibson.
The Bottom Line
Does the CIA (or anyone except your local pizzeria) really care about what kind of pizza you order via Siri, Alexa, Cortana or the Google Assistant? Probably not.
The Other Bottom Line
Should you turn off your “smart” devices, or think twice about purchasing a home automation, connected gadget, “Internet of Things” thing or “smart” device? Nope. Just do a little research before your purchase, and read articles like this one. Oh, and change the password on your microwave to something other than the one from your luggage. 😉