Malicious Life Podcast: What Would Happen If CBS Got Hacked?
Information security executives explain how media companies can be hacked and why we, as consumers, should care in this Malicious Life BSide podcast.
Malicious Life Podcast
We’ve all experienced the creepiness of modern data trafficking, but that kind of daily annoyance is the surface of a much bigger issue: Big Tech companies such as Amazon & Microsoft are lobbying policymakers to veto laws that harm their business, and often hide their lobbying behind industry coalitions or organizations with names that are vague and seemingly harmless. Will current and future privacy laws actually protect your information, or will they protect the companies collecting your information? – check it out...
Powered by RedCircle
The Malicious Life Podcast by Cybereason examines the human and technical factors behind the scenes that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution, with host Ran Levi interviewing hackers and other security industry experts about hacking culture and the cyber attacks that define today’s threat landscape. The show has a monthly audience of over 200,000 and growing.
All Posts by Malicious Life PodcastBorn in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:
All Posts by Malicious Life PodcastOn May 31st, 2009, at 10:03 AM, 67 year-old George Tiller was shot in the head, in the lobby of his local church in Wichita, Kansas.
Tiller was targeted for being one of America’s most well-known providers for abortions. In three and a half decades he’d survived countless protests, a firebombing, and getting shot in both arms. His eventual murderer was enabled by something called the “Tiller Watch,” a web page created by the extremist organization “Operation Rescue,” which actively monitored the doctor’s life.
Crazy as that sounds, religious extremists in America have frequently used surveillance as a tool to fight abortions. Providers regularly get threats in the mail, and, of course, at their workplaces. According to Jezebel, a tabloid website, some groups in Texas have been trained to track doctors and patients of abortion clinics by their physical features, license plates, and tax records. Most famous of all was the so-called “Nuremberg Files,” a list maintained by Georgia resident Neal Horsley, which contained photographs, phone numbers, home addresses and other personal information belonging to roughly 200 doctors.
You can think of this as the historical context for 2015, when John Flynn — a Boston, Massachusetts-based advertising executive — devised a rather unique business.
Flynn had observed a very obvious reality of our world today — that advertisers can know everything useful there is to know about you, right down to where you are at any given point in the day — and utilized it in a way that could make even Mark Zuckerberg cringe: using data mining to trick young women into having babies they didn’t want.
A Powerpoint presentation Flynn made for potential investors was obtained by the Rewire News Group. “We can reach every Planned Parenthood in the U.S.,” he wrote in it. His service would identify individuals in clinics and hospitals, even colleges and high schools, then “drill down” to identify finer data points like age and sex, to determine who might be likely to seek out an abortion. “We can gather a tremendous amount of information from the ID,” he wrote, referring to women’s unique cell phone identifiers, and adding, quote: “Some of the break outs include: Gender, age, race, pet owners, Honda owners, online purchases and much more.” .
But Flynn wasn’t content with simply knowing who was young, female, and possibly pregnant. His real ace in the hole was a nifty thing called “geo-fencing.”
Geo-fences are virtual boundaries around real-world geographic regions, enabled by GPS or RFID technology. They have some potentially interesting uses — maybe at big, outdoor concerts and festivals, or for games like Pokemon Go, where being in a certain area means getting access to some exclusive thing. In practice, though, geofences are only really used by advertisers, to sell you things based on where you are.
Maybe you can already tell how this would’ve been useful to Flynn. Or maybe you’re not evil enough, so we’ll spell it out.
In addition to gathering personal information about young women, Flynn’s service laid geofences around any facility offering abortions in America, and delivered advertisements to any women waiting for care inside. “Pregnant?” one mobile ad reads. “It’s your choice. You have time … Be informed.”
This ad linked to a website belonging to “RealOptions” which, by design, is supposed to sound like a pro-choice healthcare provider. But, Rewire points out, their tax filings indicate otherwise. RealOptions’ mission is, in their own words, quote, “empowering and equipping women and men to choose life for their unborn children through the love of Jesus Christ in accordance with his word regarding the sanctity of human life.” .
Through his ad targeting service, Flynn boasted about having already reached over 800,000 women aged 18 to 24, sending at least 2,000 to RealOptions’ website, utilizing relatively inexpensive ad campaigns..
We’ve all experienced the creepiness of modern data trafficking, but that kind of daily annoyance is the surface of a much bigger issue. A lack of online data privacy can go so far as to affect your safety and well-being, like if you’re a healthcare provider or a vulnerable, young woman.
We’ve talked on this podcast about other serious use cases for your information, too, like the citizens of the UAE being spied upon through messaging apps, and abusive partners around the world using spyware against their significant others.
And in episode 103, about Clearview AI. In that story, a failed entrepreneur, model and occasional hacker managed to build the Western world’s premier facial recognition app, using billions of pictures culled from social media and search engines.
You know where this kind of nonsense doesn’t happen? Europe. So if you live in a European Union country, and you’re listening to this podcast, please take this moment to feel superior to the rest of us.
Since it took effect, the General Data Protection Regulation — GDPR for short — has been invoked in over 1,000 corporate fines across the EU and U.K. And if you’re thinking that “fines” doesn’t sound so bad, think again. Google alone has been penalized to the tune of 50, 60 and 90 million Euros apiece, for violations relating to cookies, privacy notices and more. WhatsApp was fined for 225 million Euros in just one instance, and, in another case, Amazon was fined for 746 million Euros. For collecting personal data!
GDPR isn’t perfect in every way, but it has generally proven to be user-friendly, lawyer-resistant, and applicable across use cases — for big companies and small, social media, search, marketing or otherwise. In Italy, for example, a 20 million Euro fine was handed down to none other than Clearview AI, for its GDPR violations. More importantly, the company was ordered to delete all of its data on Italian citizens.
GDPR could’ve been trailblazing. Other countries could have looked to that model, and mimicked it for themselves. Remarkably, though, only one other actually did. Take 100 guesses and you won’t get it.
June 10th, 2021, saw the enactment of the Data Security Law of the People’s Republic of China. That’s right: the world’s greatest surveillance state has some of the world’s strictest consumer data privacy laws, requiring companies to employ “data protection officers,” submit collected personal information for “cybersecurity reviews,” and eat fines for breaking any of the rules. In some cases, the Data Security Law copies GDPR so closely that it’s arguably plagiarism.
(Of course, the law doesn’t really apply to the government, and it’s mostly an economic tool to keep out Western corporations, but still: how does it feel to have fewer privacy protections than somebody living in China?)
If even China will pass severe data privacy laws — albeit with a catch — why can’t it happen elsewhere? Why, in Europe, are citizens afforded the right to participate in the internet on their own terms, but in America corporations can trade your data like Pokemon cards?
This isn’t a simple subject — not the kind you can thoroughly exhaust in a 30-minute podcast — but you might be surprised how much of the problem comes down to one, very simple cause.
On June 8th, 2017, Illinois Governor Bruce Rauner donned an orange vest and took a tour of the Amazon fulfillment center in Romeoville, flanked by a cadre of dozens of staffers, press and Amazon employees. “Toured @Amazon’s new Romeoville facility today,” he wrote in a tweet. “Their success represents what is possible if we make real changes to attract employers.”
Amazon had only just moved into Illinois, but already they had plans to grow their presence there. Romeoville — a town of just 40,000 people — was already host to thousands of Amazon employees. On August 2nd, the company hosted a job fair to fill 4,000 new positions there and in nearby Kenosha, bringing their state total to 11,000.
At the fair, Illinoisans queued up in a line that snaked out the door. Demand was high. “I need to grab something fast,” one job hunter told the Chicago Tribune. Another job seeker put it more bluntly: “I go where the money’s at.”
So imagine the pressure on Governor Rauner when, right around the same time as the job fair, he received a letter from an Amazon public policy manager. The manager wanted to talk about a new bill up for a vote in Illinois’ legislature. According to Reuters she, quote:
“[A]sked the governor to veto legislation that would require technology companies to get consumers’ permission before tracking their whereabouts on smartphones. In one email, she sent the Rauner aide a letter from a trade group Amazon helped fund, warning that the bill sent a “terrible signal” to companies fueling the state’s economy and imposed “needless burdens that threaten technology investment and job creation in Illinois.”
It wasn’t hard to read between the lines.
Even worse: Amazon was announcing that it would create a second North American headquarters — its first outside of Seattle. Such a headquarters would bring tens of thousands of jobs, and all the prosperity that comes with that, to whichever state they chose. But, they specified, they required a, quote, “business-friendly environment.”
In September, Governor Rauner vetoed the bill that would’ve protected his states’ citizens from being tracked by their smartphones. He justified the decision by arguing that it could’ve caused job losses across the state.
Amazon’s relationship with your data isn’t quite as direct as Meta and Google, where the more privacy you have online, the less profitable you are to the advertisers that pay them. But, arguably, they care just as much.
For one thing, their online marketplace builds off the data they have about you to sell you more stuff, particularly a Prime membership. Most of all, though, they need your information for their “fourth pillar” — an idea Jeff Bezos first proposed in 2016, and has been echoed ever since.
Amazon, you see, is largely built on three pillars: its ecommerce platform, its Prime membership service, and its cloud service, AWS. For years, Bezos has been working to raise one more “pillar”: the Echo, what you might refer to as “Alexa.” Alexa, Amazon hopes, will become an intrinsic part of your everyday life. It’s what you’ll use to do dozens of daily tasks — like reading off the weather or shopping (hopefully on Amazon.com) — and it’ll follow you literally wherever you go, like an appendage.
To get you to use it more, and shop with it more, and get other people to use it and shop with it more, Amazon stores all your recordings, and uses your behavior to build a profile on you. But these are the kinds of practices that privacy advocates and a few well-natured politicians want to ban in America.
Were that to happen, Amazon and its kind claim, it would hurt the industry in myriad ways.
After Amazon helped kill off restrictions on Alexa voice recordings in their home state of Washington, for example, a representative of the company explained that their actual goal was to “educate lawmakers on the unintended consequences” such legislation can have. One reason you’ll hear a lot, for why data privacy should be limited, is “innovation.”
One can imagine where this idea comes from, and why it’s important to them. Mark Zuckerberg famously came up with the motto “move fast and break things,” which has since become a clarion call in Silicon Valley. Strict regulations prevent companies from moving fast and penalize them for breaking anything.
Another issue these companies face is the burdensome nature of state laws. Companies like Facebook and Google operate in hundreds of countries, and so have to invest time, money and resources into making sure they comply with all of those countries’ individual legal systems. America, on its own, is like 50 countries, if each state passes its own, unique rules about how its citizens’ data can be handled. This burden is especially difficult on small and midsize businesses, which may operate across multiple states but may not have the resources to keep track of and manage their compliance in each one.
For this reason, a common refrain in arguments about privacy lobbying is that the federal government should be the one handling the issue. Until they do, data traffickers argue, less variation between different states is for the best.
This was the stage for May, 2015, when, to prevent big government from getting in the way of big tech, Jeff Bezos made a remarkably shrewd appointment. A general to lead him into a war that would spread to nearly every U.S. state. This individual, newly unemployed, knew the battlefield better than just about everybody else in the world.
You’ll be familiar with him, if you followed U.S. politics at all in the early 2010s. From February 2011 to June 2014, Jay Carney was the voice of the Obama administration. As Press Secretary, he was the one giving daily press conferences about the Obamacare rollout, the Syrian civil war, the economy. Millions of Americans have seen Carney’s face — his rectangle glasses, his neat, blonde haircut — more often than they’ve seen some of their own family members.
Carney’s first job out of the White House was to run Amazon’s lobbying and PR apparatus. Among his primary objectives, according to a 2018 internal document, was to, quote, “change or block US and EU regulation/legislation that would impede growth for Alexa-powered devices.”
In his first year on the job, Carney and his team outlined their intentions in a 4,200-word strategy document. An early draft referenced how, quote, “journalists and policymakers should respect Amazon as a force for good,” but a liner note in a later draft spoke more directly to their intentions. An executive wrote, quote: “We want policymakers and press to fear us.” .
From 2015 to 2021, Amazon’s “communications” army grew from a couple dozen to nearly 250 personnel. In the year before Carney arrived, the company had 62 lobbyists in 27 states, but by 2021, they had at least 180 in 44.
But these numbers hardly represent just how thorough, and just how weird the entire operation really was. To understand fully what Amazon was — is — doing, you need to know about what they call “watering the flowers.” From Reuters, quote:
“The program spawned metrics for public-policy staffers. They were required to enter every policymaker and staff contact into a database, according to former Amazon employees and company documents. A 2017 public-policy planning document touted more than 1,000 watering-the-flowers engagements in the year’s first half by the team covering North and South America, up 30% from the same period the year before. Staffers’ metrics were circulated to colleagues quarterly; each had to explain why they did or didn’t meet goals.”
overnment officials were categorized by their strategic importance, with the VIPs — “Very Important Policymakers” — receiving extra attention by way of donations, meetings, and visits to Amazon sites.
You might have seen some of the country’s most prominent politicians, on both sides of the aisle, doing such PR events with Amazon — everybody from House Speaker Kevin McCarthy to Senators Amy Klobuchar and Elizabeth Warren.
Governor Rauner from Illinois was certainly a “watered” flower — the meetings, the PR, the threats of job losses. In a January 2018 internal memo, Amazon’s public policy team bragged how, quote: “In Illinois, we defeated a problematic geolocation bill by obtaining a veto from the governor.”
Of course, Amazon is certainly not the only company lobbying for their version of data privacy laws, or using weird, underhanded tactics to do it.
When Washington state considered privacy legislation a few years ago, Microsoft increased its lobbying budget in its home state by 11 percent, and Brad Smith — the company’s president — personally called several of the state’s lawmakers. In a final draft of the bill obtained by Politico, a Microsoft policy director wrote notes in the margins, quote, “often chiding lawmakers for their legislative approach and deleting sections of the bill that he viewed as unsatisfactory.” . Those unwanted sections never made it to a vote.
In Alaska, it was even easier. Microsoft submitted feedback on some proposed legislation and then, according to The Markup, quote:
“So did the Software Alliance, a trade group that Microsoft founded. Four other groups that Microsoft belongs to—The Association of National Advertisers, the Digital Advertising Alliance, the Interactive Advertising Bureau, and the Network Advertising Initiative—also submitted public comments to Alaska lawmakers.”
Alaska’s bill died in the water shortly thereafter.
Big Tech companies, aware of the optics around what they’re doing, often hide their lobbying behind industry coalitions or organizations with names that are vague and seemingly harmless — like the “Internet Association,” and “TechNet” — or outright misleading — like the “Future of Privacy Forum” or the “State Privacy and Security Coalition,” SPSC for short. You wouldn’t guess that something named “Future of Privacy” would, in fact, be a front for Amazon, Microsoft, Google, Meta, (formerly) Apple, and the major telecoms, all the companies trying to remove your privacy in the future.
These umbrella organizations operate in addition to all those companies’ independent lobbying efforts. Last year, when The Markup tried to get a sense of the full picture, they managed to count 445 lobbyists across 31 states — approximately 15 lobbyists per state government — working on behalf of those five Silicon Valley companies and their front organizations. But they added that, quote: “up-to-date lobbying information wasn’t available in several states, so that tally is likely an undercount.”
Much of what these lobbyists do is “advise” politicians on relevant legislation, like in the case of Microsoft in Washington or Amazon in Illinois. Or like in Minnesota, when lawmakers were considering a privacy bill in 2021. They invited experts to come speak on the subject: one from the Future of Privacy Forum, and the other SPSC, though neither identified themselves as being aligned with and funded by Silicon Valley.
Originally, this was the strategy: Big Tech would provide guidance under the guise of neutrality and, where called for, kill proposed legislation that would enhance consumers’ data privacy. In recent years, however, these companies have realized that there’s a more effective way to get what they want.
America’s first comprehensive data privacy legislation was passed on June 28th, 2018, right in Silicon Valley’s backyard.
The California Consumer Privacy Act (CCPA), in combination with the California Privacy Rights Act (CPRA) — which passed by majority vote two years later — limits how companies can collect and store your data, with some of the strictest restrictions advocated by privacy groups. It’s not perfect, but Californians now enjoy the right to access, delete and opt-out of data collection, they can opt out of sales, they can force companies to correct their data, and there’s even a limited scope within which consumers could, theoretically, sue companies for mismanagement.
For companies who traffic in user data it was a major failure, and a canary in the coal mine. And so, not content to lick their wounds, they decided a new strategy was required.
Senator David Marsden was long considered a very important flower for Amazon. He represented the state of Virginia, where, outside of Seattle, Amazon has made more investment than anywhere.
Virginia possesses unique geographic benefits for Amazon. For one thing, it’s neighbors with the city of Washington D.C. Federal politics — and the people who participate in it — tend to flow over into the state. It’s also centrally located on the east coast — where over a third of the country’s population lives — and it borders the midwest, as well. This may help explain why northern Virginia is the premier location for data centers around the world, already home to around 275. Many of those are Amazon’s, and the company announced earlier this year that by 2040 it plans on investing another 35 billion dollars into more data centers across the state.
The state and the company have demonstrated their friendship in other ways, too. From 2016 to 2020, Amazon increased its lobbying spend in Virginia by an exponent: 27,750 to 277,500. And remember when Governor Rauner was vying to attract Amazon’s second headquarters to Illinois? They went with Virginia instead. State officials were so “business-friendly” that, according to Reuters, it took them only 14 minutes of debate to approve 750 million dollars in subsidies — gifts — to attract Amazon’s business.
So it was after the failure in California, and considering the strategic importance of Virginia, that an Amazon contract lobbyist approached Senator Marsden with a fully-fledged draft of their own bill. “Amazon gave us the first cut of a draft to look at that was based on other work,” Marsden told the website Protocol. It aligned closely with a bill that Microsoft was trying to shop around at the same time, in states like Washington, Illinois and Minnesota, and carved out exceptions for the kinds of practices Amazon considered important to its business model.
To answer any questions, and help Marsden refine the bill, Amazon suggested a “neutral resource” he could call: Stacey Gray, a representative of… the Future of Privacy Forum.
While Marsden worked with Gray and the Future of Privacy Forum, he took meetings with other technology and financial companies that wanted in on the action. The result was a law which allowed companies to: 1) track searches and build marketing profiles on consumers, 2) collect and analyze smart speaker recordings without user consent, and 3) prevent any users from suing for misuse of their data.
Marsden told Protocol, quote, “If it has a business focus to it, it’s because the folks who put it together, they’re the ones who showed up.” But consumer advocacy groups claim to have found out about the Virginia law only a few weeks before it was put up for a vote. A number of consumer advocacy groups scrambled to criticize the bill in time for the Senator and Governor to reconsider, but it was as good as done. The bill passed days later, becoming the nation’s second state-level data privacy law.
Virginia could’ve opted to take California’s approach — upon hearing that the law wasn’t sufficient, introducing a ballot measure where citizens could vote on increased protections. Instead, a 10-member committee was formed to advise on how to implement the new law. Among its members were Stacey Gray, an individual from the Computer and Communications Industry Association — a Future of Privacy Forum-aligned group — and a member of SPSC, but no representatives of consumer advocacy groups.
Since Virginia, dozens of other states have considered privacy laws, and a few have passed, not all in good faith. Many follow the same lines — if not the same, exact language — as what Amazon and Microsoft have been shopping around. Some are even worse.
In 2019, Utah state senator Kirk Cullimore received a call from a lawyer. The lawyer represented some special interests, who wanted a hand in shaping business-friendly privacy law in the state. “He actually sent me some suggested language that was not very complex,” Cullimore told reporters. He proceeded to propose the bill for consideration, as is, without any changes.
According to The Markup, as the bill made its way through the state government, the five Big Tech companies registered 23 new lobbyists in Utah. 13 of them had never registered there before, though some had played an active role in shaping the new privacy bill’s language.
A few edits were made, eventually — like in February, when some language was adjusted with the help of a representative of the State Privacy and Security Coalition. Ultimately, the rules were enshrined into law last March.
To enumerate all the problems with Utah’s Consumer Privacy Act would take a while. It only applies to large companies of certain profiles, it excludes many categories of data collection, and offers weak mechanisms of enforcing the rules it does set forth. It’s “far too weak to protect consumers,” a policy analyst told ZDNet. “All of this means that consumers won’t be able to control their data. It’s a victory for companies like Google and Facebook.”
The reality is that even the combined force of every consumer and internet advocacy group in America is absolutely nothing compared to the might of Amazon, Apple, Google, Meta and Microsoft, or really any one of those companies on their own.
On the bright side, you might think: hey, something is better than nothing. Except that’s not entirely true. For every little concession in a law like Virginia’s or Utah’s, Big Tech companies get something bigger in return: guidelines for what they can get away with, loopholes they can exploit, and very clear lines in the sand preventing you or any class action lawsuit from doing anything about it.
And so, in the years that come, we might see more and more data privacy laws passing in America — maybe the state you’re living in, right now — as well as other countries around the world. But will they actually protect your information, or will they protect the companies collecting your information? We don’t know, but one thing’s for sure: the stakes are as high as ever.
After the overthrow of Roe v. Wade, law enforcement and activist groups are empowered to use internet data against women seeking abortions, and their providers. Women have reported being afraid of using certain apps, for fear that politicians and police will use their searches or geolocation history against them.
And it’s easy to imagine how the same technology enabled by laws written by Amazon and Microsoft could extend even beyond the ambitions of someone like John Flynn. What might Neal Horsley of The Nuremberg Files have done with the volumes of data we have online in 2023? How much more accurate and real-time could a “Tiller Watch” be today?
Unless you live in certain, specific parts of the world, your privacy is not honored on the internet. And unless something big happens to knock us off the course we’re on now, that won’t be getting fixed any time soon.
Information security executives explain how media companies can be hacked and why we, as consumers, should care in this Malicious Life BSide podcast.
Cybereason continues its exponential growth and expansion of the team by welcoming Greg Day to the company as Vice President and Global Field Chief Information Security Officer (CISO) for the EMEA region...
Information security executives explain how media companies can be hacked and why we, as consumers, should care in this Malicious Life BSide podcast.
Cybereason continues its exponential growth and expansion of the team by welcoming Greg Day to the company as Vice President and Global Field Chief Information Security Officer (CISO) for the EMEA region...
Get the latest research, expert insights, and security industry news.
Subscribe