Welcome back to the Cyber Underground, everybody, no guest today. Just boring old me, but my content, trust me, is going to be highly relevant and tremendously insightful. So stick around, we have some stuff to discuss. First of all, who am I? I'm Dave, cannot longer be the cyber guy. They call me the professor because I teach for the University of Hawaii, at Kapiolani Community College, the University of Hawaii 10-campus system. The campus I picked is right outside of Waikiki Beach. I know, don't be a hater, it's just my campus. I teach ethical hacking and network security. Welcome to the show. If you're listening to the podcast, get ready, this is going to be great. First of all, sorry, I got to wear my glasses today. I have tons of notes, small fonts, can't see up close very well because of all the computer stuff I've done in my life. So bear with me while I look the part of the professor with my glasses on.

Let's start off by giving everybody a warning out there. Now, the information isn't complete yet, but we have a fake app out there, Setup for Amazon Alexa. And it's by a company called One World Software. First warning, if you're going to install anything for your Amazon Alexa, make sure it's produced and made by Amazon. Amazon writes its own software for all of its devices. So if it's made by another company, don't trust it. Amazon makes its own stuff. And trust me, Amazon can breach your security just as easily as anybody else. However, you're giving yourself one more step towards safety if you trust the company that made the device. Again, defense in depth, do as many things as you can to keep yourself secure. One thing doesn't cut it, layer your security, defense in depth. Okay, so look out for that. It's called Setup for Amazon Alexa. It's in the App Store for Apple. It's an iOS app, so it goes on to your iPhone or your iPad. Don't install it.
We don't exactly know what it's doing, but One World Software has produced other apps and they seem to all be spying, so don't install it.

Okay, let's move on to some other news. Let me set this one up. I need to give you a little history. Back in February of this year, six spy agencies for the United States government, security agencies including the CIA, FBI, NSA and the Director of National Intelligence, they all told the Senate Intelligence Committee they would not advise, this is their quote, not advise Americans to use products or services by the Chinese smartphone makers Huawei or ZTE. Using phones from these two companies greatly increases the risk of information leaks, unauthorized network access and/or unauthorized surveillance. That's Huawei and ZTE. Now the Department of Commerce then imposed sanctions on those companies and told them they couldn't do business over here basically. However, in July of this year, our President Trump made a deal. He's a deal maker. That's what he does. When he told the company ZTE, we don't want to shut you down, we're going to help you out. I tell you what we'll do, ZTE put $400 million in an escrow account here in the United States and we'll let you do business in our country.

Okay, now that you have that set up, let's get to today's news from the Washington Post and the New York Times that are reporting that now Trump is going to ban Huawei and ZTE from doing business in the United States. However, in July he was willing to overlook this for the paltry sum of $400 million. So this tells me that our current President cares far more about money than your security. Now these devices, Huawei and ZTE, they have about 80% of the 4G market right now and 5G coming up. I would not advise using these handsets for any reason whatsoever. You're setting yourself up to fail and if you're running a company and you're using bring your own device rules, don't let these on your network.
My advice, and now not only does the President agree and the agencies agree but now you're getting it from me as well. Everybody's telling you don't buy the handsets from Huawei and ZTE. These IOS devices that go on your internet and cell phone carriers, they're probably spying on you.

Okay, let's get to the real content of the show today. Terms of service, terms and conditions, also known as, we call these TOS or Terms of Service, and every time you use software by just about any company in the world, you're going to have to agree to terms and conditions in their Terms of Service agreement and there's some stuff in there that you probably don't know about. Now go ahead, raise your hand, who out there has actually read the Terms of Service or the Terms and Conditions of any software before you actually used it? I mean all of it. You can't admit that you do because all of us would have fallen asleep in paragraph four when it says whereas and the third parties and so forth and so on. It's because it's a better sleeping pill than just taking a drug. It's really boring legalese but it's made that way so you won't get through it. Some people actually do slog through it but their job is to report on it.

So I'm going to report on these Terms and Conditions. I've actually got most of this information from a great documentary but I've fact checked the information I'm giving you today. You can go on to Netflix and watch Terms and Conditions May Apply, great documentary, the facts I'm giving you today. I went out and fact checked myself as any good journalist would. So here we go. Now it's estimated right now that reading, if you read the Terms of Service or Terms and Conditions of every service you use, could feasibly cost one whole month of productivity every year. That's 180 hours approximately of productivity every year for every person out there that has to read those Terms of Service and that's just reading.
I'm not saying you're understanding them, I'm just saying you're reading them. The Wall Street Journal came out and said that the consumers lose approximately $250 billion a year in productivity because of what is hidden in the fine print. So let's go over some of that stuff.

Facebook's Terms of Service right now, and they just got nailed for this because their photos came out, they have the right to sell posted photos without your compensation for use in advertising. That means everything that you put up there, they can use and sell and make money and use for advertising. Did you know that? But you didn't. I need to start taking down some photos because I have a Facebook account too.

This is how easily it is to get taken in by some of these Terms of Services. An experiment was done in 2009 by the UK store GameStation and for one day, just one day, their Terms and Conditions stated, and I'll quote, "by placing an order via this website, you agree to grant us a non-transferable option to claim now and forevermore your mortal soul." 7,000 souls were taken that day, ladies and gentlemen, because people did not read or they didn't care. It could be that too because some people don't care.

AT&T's Terms of Services make you agree that they can investigate, prevent or take action regarding illegal activities. The word prevent here is a little disturbing. There's actually been cases in the UK and the United States where people have been arrested and questioned and later released but only after 24 hours or so. But they are in custody for 24 hours being questioned because of something they posted on Facebook even when they quoted a movie. Now, I think the movie was Scarface, so it was a little violent. I get it, however, it's not a crime and it's freedom of speech and someone who was arrested and questioned, kept in custody for over 24 hours just because of what they posted on Facebook. That's going a little too far.
Let's look at 1994, the first major pizza chain to take online orders was Pizza Hut. They had no Terms of Service. That means all the data that was turned over to them in 1994, up until the time they had Terms and Conditions, basically, it was a free market. So they could do anything with your information that they wanted.

In 2001, Toysmart.com went out of business. Now, in their privacy policy, they clearly stated they would never share any information with anybody else. However, when they were going out of business, they tried to make money by selling their database of 195,000 customers to another company. That included names, addresses, billing info, family profiles, and get this, your shopping preferences. Who does that sound like? Right, so if you've ever gone to amazon.com and searched for anything, those cookies that are left in your browser or left in your profile if you're logged in, they tell something about you to Amazon. So the next time you log on, those little ads that you get all around the sides and the suggestions you might get are just for you, they're going to look remarkably like what you've browsed for in the past because they're learning about you. And that information, as you will see very soon, is not private.

2001, Congress tries to introduce about a dozen new privacy bills. Seven months later, unfortunately, 9/11 happened. So while these bills for internet privacy were being mulled over by the U.S. Congress, both the House and the Senate, unfortunately, we were attacked by another country and 9/11 occurred. Now, we all know what happened right after that. We got the Patriot Act, so none of those bills went through. And they've still not been passed. There is still no internet protection privacy acts that protect from the terms and conditions I'll be reviewing today. It's a little scary that the Patriot Act was so indeed ingenious to be named the Patriot Act. It's not a spooky or a creepy name.
And it allows people to take all of your information from the government. They can take all of your information and do whatever they want with it to, quote, unquote, protect America. The Patriot Act expanded government surveillance. So no need for a judge's order to see what websites you visit or the searches you use in Google. So I'll discuss this again towards the end of the show. I hope I get to it.

Basically, you have a Fourth Amendment right to illegal search and seizure. So if the government wants to come and search your home or your phone for any reason, they need a judge's warrant. However, if you signed up from one of these internet sites and you've agreed to their terms and conditions, which we'll go over in a minute, you've given up that right. That's right, the Fourth Amendment does not apply to all these things. And it's much easier for the government to take the data that other websites and other software companies have accumulated regarding you. It's easier for them to do that than to get a search warrant just for you personally. So think about that. Every time you've given up information, the government calls that, quote, unquote, freely given, and therefore the Fourth Amendment hardly ever applies. Think carefully before you agree to terms and services.

Google's privacy policy, and this is quite unique, Google's privacy policy in December of 2000 claimed that all of their users were, quote, unquote, totally anonymous. That's actually impossible now, and I'll tell you why in a little bit. But they stated in that policy, you may also choose to use cookie to store user preferences. But if you don't choose, I guess that means you're anonymous according to them. Cookies tell us, quote, this is the name, or this is the same computer that visited Google two days ago, but it cannot, now, this is their privacy policy that states, but it cannot tell us, quote, this person is Joe Smith, or even, quote, this person lives in the United States.
And I think everybody out there who's my audience listening to this knows that's not true. We're going to have to take a little break for about one minute, and come back after the commercials when we make a little money. And I'm going to discuss the rest of our show today, and we're going to keep going over terms and conditions. And trust me, it's going to get scarier. Until then, stay safe.

This is Think Tech Hawaii, raising public awareness. I just walked by, and I said, what's happening, guys? They told me they were making music. So I did.

Hey, Aloha, Stan Energyman here on Think Tech Hawaii, where community matters. This is the place to come to think about all things energy. We talk about energy for the grid, energy for vehicles, energy and transportation, energy and maritime, energy and aviation. We have all kinds of things on our show. But we always focus on hydrogen here in Hawaii, because it's my favorite thing. That's what I like to do. But we talk about things that make a difference here in Hawaii, things that should be a big changer for Hawaii. And we hope that you'll join us every Friday at noon on Stan Energyman. And take a look with us at new technologies and new thoughts on how we can get clean and green in Hawaii.

Welcome back to Cyber Underground. Let's keep going. We were just discussing about the Google's privacy policy and terms and conditions back in the year 2000. However, if you were to look at Google's site right now and look at their archive of privacy policy and terms and conditions from the year 2000, for some reason, it's changed. The reason we know this is because there's a site that's called the Wayback Machine. You can look that up on Google. And it's actually archive.org, internet archival service. It actually takes snapshots of websites periodically. So you have a historical piece of documentation you can go back to and say, this is what this website looked like at that time.
And if you were to do that and look at Google's privacy policy from 2000, it looks different than what their archive says it does. In fact, their archive and Google's privacy policy actually shows the privacy policy from 2001 after 9/11, which, there's a big change. We're going to go over those.

LinkedIn, Facebook, Google, Amazon, and of course many more, they put this into your terms and conditions. We may use your personal data. We can change the terms at any time. And they italicized that, by the way. We can share your information with third parties. We can share your information with the government. And your data is anonymous. We're going to discuss all of these. Third parties is a change. So in Google's 2000 privacy policy, it quoted, I can quote, "Google will not disclose its cookies to third parties except as required by a valid legal process such as a warrant, subpoena, or statute, or court order." That clearly changed later on. Moving on to the next page.

Facebook. Let's just talk about Facebook really quick. Now, the default for Facebook, sharing with everyone. This didn't used to be the default. They just keep opening it up more and more and more. By 2012, it was huge. Everything you do is automatically shared by default with everyone. So on Facebook, you have different levels. You can share with just friends. You can share with friends of friends. You can share with everyone. Now, careful about this. If you're on Facebook and you share with friends of friends, that means if any friend of yours accepts an invitation to link up with another person that they don't really know, and they're just haphazardly clicking away accept, accept, accept, that other person that linked up with your friend can now see all of your stuff. So careful with this one. And everyone, of course, is, that's internet-wide. I don't even need to log on to Facebook. And I can see most of this stuff. 2009, Facebook made changes to the privacy policy without telling anyone.
They changed private information to, quote, unquote, public information. That was telling me they're widening the net. And by 2010, everything you posted on Facebook was shared with the entire internet, except for your contact info and your birthday. Everything else is public unless you go in and manually set it to not public. It tells you something, doesn't it? That means there are terms and conditions when you clicked accept, it could be anything.

In 2012, Google changed their terms and conditions and combined all information regarding users and all of their services into one single profile. That's scary. So if you're anonymizing data, let's talk about this. If you anonymize data, that means you take everybody's personal information out of it, but you keep the data elements in there. You might not keep their street house address, but you're going to keep their street address. You're going to keep their city. You're going to keep information about their searches and what they like. Those pieces of information on different websites can be compiled, and the aggregate of that data can be used to find you. We're going to go over one such case in just a little bit.

Acxiom claims to have 1,500 data points on the average American citizen. That's every one of us. 1,500 data points. This is their business because they buy it up. They can purchase it from other companies. Companies can use this data, and get this, for hiring purposes. It's actually better than a security check. A security check only covers about 19 or 20 points. Sometimes they don't even go out of state. But if you use a company like Acxiom, they have 1,500 data points on the average American. Well, that's better than a security check, isn't it? You can get a personality out of this, what their religion is, where they went to school, what they majored in. You can find out how many dogs they own, if they're a dog or a cat person. That might mean something to you. So this is kind of a little disturbing.
For premium adjustments for insurance, yeah, they have information on you that can make you pay more for your insurance. Now, I'm not just talking about car insurance. Let's just talk about this. If you went on and you were searching Amazon.com, and all the clothing you searched for was plus sizes, OK, now you're at risk for diabetes and depression, both of which are high risk and high cost. If you don't believe me, go back and check the latest revisions to your medical insurance policies from whatever company you're in. I would be willing to bet that 50% of you or more will see this small change in your policy now. There is no coverage for diabetic medication at all. That's a big change, and it just happened in the last couple of years. I have an insurance policy that I got in. Sure enough, if I get diabetes, I'm not covered at all. And I wonder where this data is coming from. Interesting, right?

In 2008, oh, sorry, let's go back. If you bought a lot of alcohol, you also might be a health risk, so if you like shopping for a lot of wine, you buy a case of wine every year, you buy whiskey, all those records of those purchases add up to you being at risk for being an alcoholic. Guess I'm at risk.

In 2008, thousands of people had their credit limits reduced. And get this, the letters they received as the excuse from this company, by the way, it was American Express, some letters received by consumers stated, "other customers who've used their credit card at establishments where you've shopped had a poor repayment history with American Express." So their poor repayment history made them reduce your credit limit. Interesting.

Here's one, this is great. TomTom, that's a GPS system we used to use before we had Google Maps on our smartphone. The data was used in the Netherlands to provide speeding data to police. And those people got traffic tickets. Isn't that nice? Now, by the way, most rental cars now have GPS devices, which will track your speed.
And a lot of them, in their terms and conditions, can actually find you and charge you a greater amount of money for using their car if they find you've been speeding. So when you get back and you try to pay that little fee that you thought you'd pay, it might be double because they caught you speeding on their GPS system. Nice, right? OK, watch out, you're always on the grid.

There is no baseline consumer privacy law. This is due to the enormous amount tech companies are paying lobbyists to kill the legislation. Right now, lobbyists, for the people in the cheap seats, those are the people that work for companies that go to Congress and they walk through the lobbies. That's where they're called lobbies. And they try to make appointments and talk to the congressional people, like the congressmen or the senators, and try to influence their decision by airing their grievances and saying, this is how this legislation might impact my company negatively. Which, that's fine. If you've got some money and you're trying to support your company and you want to do business in America, we're a capitalist society, OK, that's great.

However, here's where that goes wrong. Some people in Congress don't really have a big budget, so they can't hire a lot of people to help them out. That's when big companies step in and say, you know what? We like you. We're going to provide you a free staffer. This person's going to come in and do whatever you need for them, for you. It's OK, it's free, we'll pay the salary. Unfortunately, those same staffers are the ones that help write the legislation that that congressperson is going to present to Congress for law. So think about that. If I'm a company, say I'm a huge company and I want to influence the law, why not give a free staffer to every congressperson out there and help write the legislation that's going to help my company? That's brilliant. It's capitalism at its best, but you need to know it's happening. Keep track of these things.
Let's move on. Just to point this out, example in 2011, California. We're going to come back to California. California had a bill, SB 242, for internet privacy that, surprise, did not pass. Now if you look at the budgets of Google and Facebook that year, Google spent five times more on lobbying than they did the previous year. Facebook spent four times more than they did the previous year. And this bill would have significantly impacted those terms and conditions and the uses of data and privacy for consumers. So Google and Facebook would have lost.

Now if you think you're getting something free from Google and Facebook, think again, nothing's free. It's all at a cost. The cost is you. Your data is worth something, and the only way it's worth something is that Google and Facebook have the right to sell that data or use that data to sell analysis of you and other consumers to companies who are interested in that data. Therefore, you're the product. So that free Gmail account, there's your cost. Privacy. Now no one's going to dig a hole and live in a hole and give up everything you've got just because you don't want to lose your privacy. I just need to let you know. This is going on out there.

Now with our last couple of minutes, let's cover something that's truly disturbing. And that's the, quote, unquote, anonymizing of data. First of all, that's now a fantasy. Don't ever believe someone can anonymize your data. It does not happen anymore. And that's because of the vast proliferation of data across numerous data sets, when combined, the aggregate sum of which can identify you. Let me give an example. This is from the New York Times in 2006. So 12 years ago, they could do this. AOL released a large volume of, quote, unquote, anonymized data of search records. Now within a few hours, a reporter, OK, not me, not an ethical hacker, not a security researcher, not a data analyst, a reporter. Now they're good at research, but they're not experts at computers.
A reporter within a few hours identified a user, 4417749, because they're supposed to be anonymized. Everyone has a unique number instead of a name. Now that user conducted hundreds of searches over a three month period on topics ranging from numb fingers, 60s single men, and dog that urinates on everything. There were also inquiries for landscapers in Lilburn, Georgia. And several people with the last name Arnold and, quote, home sold in Shadow Lake subdivision, Gwinnett County, Georgia. OK, the trail led to Thelma Arnold, a 62-year-old widow who lives in Levon, Georgia, and frequently researches for her friends' medical ailments and her three beloved dogs. So you can see how we got all the data, put it all together, and came up with a single person. So when somebody says your data is anonymized, it's really not.

Now here's the catch. When you go into Facebook or Google and you tell them, please delete my profile. Sure, they'll delete it. They delete your name, but they keep all the aggregate data. And they, quote, unquote, anonymize it. Think about what I just said now. It's not anonymized. Your profile might have to be there. But your information, and indeed, you, are still there. These are the terms and conditions we use every day when we click on agree. So think about that next time. Maybe you should read those terms and conditions. Read the terms of service with the TOS before you click agree to anything. Thanks.

Now tune in next week for another scary episode of the Cyber Underground with me. And maybe I'll even have a guest so it won't be so boring. Until then, everybody, stay safe.