'Clean Out Your Contact Lists' - Contact Data Can Be Toxic
Peter Gregory on Data as an Asset Versus Data as a Liability
My professional background goes back decades and includes connecting organizations to what we now know as the internet, enabling public email and newsgroup access before the web as we know it was invented.
My first email address - unrvax!bally!pete - was in a format known as “bangpath” that few recognize today. In those days, it could take days for an email message to arrive at a destination, and days more for a reply to appear. Since then, security and privacy have been a part of my thought process and practices.
Lately, however, I’ve become aware of a flaw in my routines, and it’s related to my contacts.
I recently read an article on the security of encrypted messaging apps such as Signal and WhatsApp. In the article, the writer pointed out that many apps access our contact lists and build webs of associations.
The cryptography protecting message content is generally effective, preventing eavesdroppers from reading the contents of our messages. But it may be possible for law enforcement or intelligence agencies and others to know the identity of a person’s connections.
Let’s dig deeper.
'Person of Interest'
If a law enforcement agency considers you a person of interest, they may discover that you use encrypted messaging apps such as Signal. While the agency will not be able to view the contents of your conversations, it will be able to see with whom you are conversing.
Also, that you are using an encrypted messaging app could suggest to the agency that you have something to hide.
Let’s look at this from a different perspective. Consider an active law enforcement investigation focusing on a particular person. If you are in the person’s contact list, and if that person is known to be communicating with you on an encrypted service, then you may become another person of interest in the investigation.
Thousands of Contacts
As I read that article again, I recalled something I see in Signal often: When someone in my contact list installs Signal, I get a notification from Signal that the contact is using the app. I recently noticed that I frequently do not recognize the contact’s name, and I dismiss the notification. I’ve had this occur dozens of times this year.
That’s when it hit me: I have been collecting contacts for decades, and they’re stored in multiple services – primarily, Apple, Yahoo and Google.
In current and previous jobs over the past 30 years, I’ve had associations with numerous clients, partners, vendors, co-workers and other associates, resulting in an accumulation of thousands of contacts.
I barely knew most of them and for most, I have no idea when or where I knew them or met them. I had slowly assembled a vast web of associations that could be used against me.
Recently, I found it difficult to rationalize keeping all of these contacts and purged them. In Google alone, I had well over 1,000 contacts. After spending time deleting extraneous contacts, I’m down to about 300, and I might go back through them and remove some more.
Encrypted apps and your association with contacts are not the only risks related to maintaining an extensive contact list. Another issue is this: If someone breaks into any of the services where I keep many contacts, I don’t want people getting "joe job" spam emails and other attacks made possible through contact harvesting.
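The purge described above is a retention decision applied to each contact. The following script is an added example, not code from the article or its author: it applies a simple retention rule to an exported contact list, keeping recently contacted people, flagging stale ones whose Notes field records where they came from for manual review, and listing for removal those with no recent contact and no recorded provenance (the "no idea when or where I knew them" case). The CSV column names (Name, E-mail 1 - Value, Notes, Last Contacted), the three-year window and the five sample rows are assumptions constructed for the example.

```python
"""Retention triage for an exported contact list (added example).

Assumed input: a CSV export with the columns Name, E-mail 1 - Value, Notes and
Last Contacted. The column names, the retention window and the sample rows are
constructed for this example; they are not taken from any real export.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: five contacts with varying provenance and recency.
SAMPLE_EXPORT = """Name,E-mail 1 - Value,Notes,Last Contacted
Alice Example,alice@example.com,Former co-worker at ACME; weekly calls,2024-03-10
Bob Vendor,bob@vendor.example,,2016-07-01
Carol Unknown,carol@example.net,,
Dan Partner,dan@partner.example,Met at 2019 conference; project partner,
Eve Old,eve@example.org,Old client,2015-01-15
"""

RETENTION_YEARS = 3  # policy knob: how long a silent contact stays in scope


def parse_export(text):
    """Parse the CSV text into a list of dicts, one per contact."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    """Return a date for 'YYYY-MM-DD', or None when the field is empty or malformed."""
    value = (value or "").strip()
    if not value:
        return None
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except ValueError:
        return None


def classify(contact, today, retention_years=RETENTION_YEARS):
    """Apply the retention rule to one contact and return a decision.

    keep   - contacted within the retention window
    review - stale or undated, but Notes records where the contact came from
    remove - stale or undated and no recorded provenance
    """
    # Day-based window (365 * years) avoids the Feb 29 edge case of year arithmetic.
    cutoff = today - timedelta(days=365 * retention_years)
    last = parse_date(contact.get("Last Contacted"))
    if last is not None and last >= cutoff:
        return "keep"
    if (contact.get("Notes") or "").strip():
        return "review"
    return "remove"


def triage(text, today, retention_years=RETENTION_YEARS):
    """Group every contact name in the export by its retention decision."""
    buckets = {"keep": [], "review": [], "remove": []}
    for contact in parse_export(text):
        buckets[classify(contact, today, retention_years)].append(contact["Name"])
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, datetime.now().date())
    for decision, names in result.items():
        print(f"{decision:6s} ({len(names)}): {', '.join(names) or '-'}")
```

The "review" bucket is deliberate: a contact whose origin is recorded is a judgment call, while a contact with neither recent interaction nor any record of where it came from is the kind of entry that only adds to the association graph and the harvesting exposure without offering anything in return. Run against a real export, the "remove" list is what you would delete first.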
Contact Data Can Be Toxic
I didn’t consider my accumulated contacts a liability until recently, but I do now.
In my day job, one of my responsibilities includes leading numerous programs, including risk management, privacy and data governance, which includes data classification and data retention.
Having been a qualified security assessor for many years, the concepts of data-as-asset and data-as-liability are clear to me. For instance, retaining credit card data after a transaction has been completed may provide value to an organization. But it is also a liability: If that stored card data is compromised, the consequences may significantly outweigh its benefit.
Somehow, I didn’t apply this concept to personal contact data. Thanks again to that article I recently read for nudging me to realize that contact data can be just as toxic as other forms of sensitive information.
Think about this in another way: Would you want others you worked with in the past to remove you from their contact lists? Wouldn’t it be nice if you could somehow cause your contact info to be selectively removed from their lists?
Peter H. Gregory is a career IT engineer turned security leader. He is responsible for risk management, privacy, data governance, business resilience and third-party risk management in a telecommunications provider. As the author of over 40 books on information security and privacy, Gregory serves on advisory boards for continuing cybersecurity education for the University of Washington and the University of South Florida. He resides in central Washington state.