Data breaches are a serious problem. We do not live in an environment where it is safe for people’s PII (Personally Identifiable Information) to be widely available. When somebody’s data is leaked or stolen, there can be and have been serious repercussions for that person. It is desperately important that we not only carefully choose the platforms we use, but also that they’ve taken steps to protect their users from risks related to the platform itself. This piece aims to highlight examples where so-called “Alt-Tech” platforms have failed to do so, and hopefully provide meaningful insight from those experiences.
Big Tech has its own share of blame. By providing convenient access to privately owned (but often publicly funded) infrastructure, it has lulled people into a position of not only dependence, but outright helplessness. If it had not been for the model in which everyone throws their private information into a handful of nominally free services, it’s possible that problems we have to account for today wouldn’t exist at all.
Breaking free requires more than simply switching providers. Consolidating information into a single large target has its own risks, and changing its operators does not inherently resolve those risks. Sadly, it is all too easy for people to fall into the trap of supporting ill-equipped, negligent or outright malicious providers if they merely brand themselves differently. As more people are and have been pushed out of mainstream providers due to escalating and extreme censorship, they may fall into outright traps.
Can You Trust an Online Service?
What most people underestimate these days is the position of trust one puts into any service they use, but especially those they share important information with. Those who profit off mass data collection are very content to keep this information in the dark. By connecting to an online service you are at minimum trusting that the fact that you’ve accessed it won’t be used against you. The problem with data about you being leaked online is that suddenly you’re not just worried about big brother, but now you have to ask yourself if you have ‘nothing to hide’ from extremist political rivals, people with personal grudges, and a large variety of online cyber-criminals.
There are many concerns even for well-managed services:
Passive Data Collection
Most people are essentially navigating hostile cyberspace. Passive data collection is what’s collected by simply interacting with the service. From tracking scripts to ads, there are many dangers inherent to online services that people will mitigate with tools such as ad-blockers and firewalls. That’s only part of the picture, however, as there are many nominally benign forms of passive data collection, which may include:
- Recording the IPs of your visits
- Technical details of your device or application (fingerprinting)
- Storing your activity across the platform
- Logs recording information across time
Active Data Collection
Active data collection is information you have to explicitly provide to the service. This can be your account details, ID verification, or any posts and interactions made on the service. Active data collection can take a wide variety of forms, including:
- Log-ins & Sessions
- Posts and uploads
- Requested personal information and documentation
- Payment information
Third-Parties
Of course, any nominally dissident service can defeat all the efforts of putting together a rock solid service by slapping Google Analytics on it to track their users. To go even further, it’s worth considering the entire “tech stack” that the service is built on. Is it dependent on hosting from Amazon Web Services or Microsoft Azure? Is it making use of hosted providers that themselves can be restricted or abused? The sad truth is that a lot of malicious activity can be hiding behind a pretty website or smartphone app.
Application Exploits
Even in an online service designed with the best of intentions, there are ways in which simple errors can create devastating security breaches. When there is a security vulnerability in the application running the service, additional data can be stolen from third-parties and misused. The impact can vary greatly in scale and scope: from impacting a small portion of the service, to potentially giving hackers and the curious alike admin-level access. Even worse, application exploits are a very important tool for hackers to gain system-level access to the operator’s systems.
System Compromise
System compromise is a disastrous and serious concern. It’s hard to imagine things worse than an application exploit giving the hacker admin-level access, but system compromise gives access to every component of the services that run the platform. This means that those who gain access can then modify records, cover their tracks, introduce new “features”, or disable others. The platform is effectively under new management and any information that’s available (far more than one would think) is vulnerable to destruction and publication. Without proactive vigilance from service operators, intrusion can go undetected for quite some time.
Examples: Alt-Tech
It may seem unfair to focus on “Alt-Tech” when there are many data breaches in Big Tech services. It’s true that data-selling and data breaches are a serious problem on those platforms, but this is a known problem. What’s harder is when people starting a venture to replace Big Tech are naive or flippant about the many security risks. In the name of being better than Big Tech, these ventures are also taking on the massive challenge of properly safeguarding their users’ data, especially when they aim to provide services for people who are being mistreated by their own governments. When working to help protect others from state overreach, they should realize that the seriousness of their task increases their responsibility significantly. Some may sadly fall into a false sense of security when it comes to so-called “alt-tech” alternatives. While a service that isn’t deliberately selling your data can be an improvement, one that gets breached can end up being just as dangerous, if not more so. When hackers seize the data from a service people trust maybe a bit too much, it can transform that service into a de facto honeypot, even if the providers had no intention of being such.
Ledger
Those of you thinking ahead may have anticipated web3 as a solution. Unfortunately, there are many impure implementations of Web3 that allow for private profit and project governance. These projects are just as vulnerable as any other web service. Despite the security advantages of a hardware wallet, the associated Ledger service had its own breach in summer 2020. This is highly concerning alone due to the privacy and security benefits one may assume from using a dedicated security solution. The breach includes physical addresses, which is a very dangerous data-point to have exposed for many people.
Parler
Despite Parler being de-platformed by Amazon Web Services, activists managed to scrape a large variety of public posts and upload terabytes of user content to The Internet Archive. This wouldn’t have happened if Parler had the dead-simple rate-limiting features that many other services have, basically to keep bots in check. The lack of such a feature, and other bad design choices, created the problem. The scraping of public data is a grey zone when it comes to data protection. In many circumstances it’s not considered a real data breach. For the purposes of the impact it has on individuals, it often won’t make much of a difference. In this case, Parler’s data was used to create an interactive map of protestors and identify them for legal action or vigilante retaliation. Regardless of how one feels about that particular protest, it’s worth keeping in mind that this tactic would be effective against any protest that isn’t overwhelmingly popular.
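As an added illustration (not Parler’s code and not part of the original article), this is roughly what per-client rate limiting looks like: a token bucket replayed over constructed traffic. The client IDs, the rate of 1 request per second and the burst of 10 are assumptions chosen for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    updated: float


class TokenBucketLimiter:
    """Per-client token bucket: `burst` requests at once, `rate` per second after."""

    def __init__(self, rate, burst, clock=time.monotonic, idle_ttl=600.0):
        self.rate, self.burst = rate, burst
        self.clock, self.idle_ttl = clock, idle_ttl
        self.buckets = {}  # client_id -> Bucket

    def allow(self, client_id):
        """Return True to serve the request, False to answer HTTP 429."""
        now = self.clock()
        b = self.buckets.setdefault(client_id, Bucket(float(self.burst), now))
        # Refill in proportion to elapsed time, never above the burst size.
        b.tokens = min(self.burst, b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        if b.tokens < 1.0:
            return False
        b.tokens -= 1.0
        return True

    def evict_idle(self):
        """Drop buckets unused for idle_ttl seconds so the table stays bounded."""
        cutoff = self.clock() - self.idle_ttl
        stale = [c for c, b in self.buckets.items() if b.updated < cutoff]
        for c in stale:
            del self.buckets[c]
        return len(stale)


# Constructed traffic: a person opening a post every 5 s for a minute, and a
# bot requesting 50 posts per second for the same minute.
READER = [(i * 5.0, "reader") for i in range(12)]
SCRAPER = [(i * 0.02, "scraper") for i in range(3000)]


def replay(events, rate=1.0, burst=10):
    """Replay (timestamp, client_id) events; return {client: [allowed, denied]}."""
    now = [0.0]
    limiter = TokenBucketLimiter(rate, burst, clock=lambda: now[0])
    counts = {}
    for ts, client in sorted(events):
        now[0] = ts
        served = limiter.allow(client)
        counts.setdefault(client, [0, 0])[0 if served else 1] += 1
    return counts


if __name__ == "__main__":
    print(replay(READER + SCRAPER))
```

A limiter keyed on one identifier only slows a client that keeps a single identity, so it is a floor for bulk-download protection rather than a complete control.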
Gab
Given the creator’s decisions over the years, it’s hard to take Gab seriously. Originally created by a “buy a website” online shop called Pusher, the social media site has had a long history of bizarre technical issues. In hopes of resolving some of these, Gab eventually used the code from the federated social network Mastodon. This created some issues as the mainstream Fediverse urgently reacted to work against Gab’s inclusion into the wider network, a political decision that emboldened a culture of thought-policing over parts of the Fediverse. Despite this, some other servers would have been interested in federating, but Gab itself decided to not maintain federation.
Eventually, Gab had its own data breach, leaking 70GB of user information. The site DDoSecrets is holding on to the data and scraped additions. They claim to have restricted access to the data to “journalists and researchers”, for what little that’s worth. This data was one of many treasure troves of data used to research not just extremism, but also a large swath of people who were displeased with mainstream social media and sought an alternative.
One can choose to believe that Mr. Torba is sincere in his effort to legitimately represent a large amount of the American public hoping to dissent against various policies. This gets harder to believe when the CTO of Gab has threatened to abuse data to build profiles on their own users. Ever since the site announced they would be pay-walling media attachments, the rise of anti-anonymity rhetoric by the founder and others is highly concerning. To be clear, it makes no sense to use your personal information on a site with a long history of security issues, no matter what their cause is.
Unjected
Data breaches from dating sites are a non-trivial concern even in ordinary circumstances. People are encouraged to share intimate details about themselves they likely wouldn’t on other services. Despite a fairly small number of users, the “dating site for the unvaccinated” is a particularly troubling example. The technical details are very much worth reading, but an attempt to do them justice will be made. The whole saga involves an embarrassing attempt to downplay and dismiss grave security concerns. When building a service for a community of people one feels are in need of special protection, a lack of concern for user information is a serious red flag.
In mid-2022 Unjected was caught with their pants down by an application exploit that was trivially easy to avoid. Despite its simplicity, that exploit allowed someone to have full admin access immediately. To make things worse, there were other exploits discovered: the site effectively didn’t enforce any security at all. Once somebody knew the paths for particular items, they could access whatever they wanted. This meant that from the beginning the site had no real security, only security through obscurity, which doesn’t help for long, if at all.
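A minimal sketch of the missing control, added here as an illustration (not Unjected’s code, and not a reconstruction of the actual flaw): the same record lookup with and without a per-request authorization check that denies by default. All names, records and tokens are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    is_admin: bool = False


# Constructed sample data: hypothetical records, users and session tokens.
RECORDS = {
    ("profiles", "1001"): {"owner": "alice", "city": "Exampleville"},
    ("profiles", "1002"): {"owner": "bob", "city": "Sampletown"},
    ("tickets", "7"): {"owner": "bob", "body": "billing question"},
}
SESSIONS = {"tok-alice": Session("alice"), "tok-ops": Session("ops", is_admin=True)}


def owner_or_admin(session, record):
    return session.is_admin or record["owner"] == session.user_id


# Every collection needs an explicit policy; "tickets" has none on purpose.
POLICIES = {"profiles": owner_or_admin}


def lookup(path):
    """Map '/collection/id' to a stored record, or None."""
    parts = path.strip("/").split("/")
    return RECORDS.get(tuple(parts)) if len(parts) == 2 else None


def fetch_unchecked(path):
    """The behaviour the article describes: the path alone selects the record."""
    record = lookup(path)
    return (200, record) if record else (404, None)


def fetch_checked(path, token, policies=POLICIES):
    """Authenticate, then authorize this caller for this object on every request."""
    session = SESSIONS.get(token)  # identity comes from server-side state
    if session is None:
        return (401, None)
    record = lookup(path)
    policy = policies.get(path.strip("/").split("/")[0])  # no policy: deny
    # Missing and forbidden look identical, so IDs cannot be confirmed by probing.
    if record is None or policy is None or not policy(session, record):
        return (404, None)
    return (200, record)
```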
The severity of the security risks raises more than just technical concerns. Like many other examples, there was a callous hubris on the part of the organization in the face of what should have been taken very seriously. The last thing you as a user want is for a service you rely on to have their spokespeople focused on PR and damage control over actually investigating and resolving potential problems. This absolutely raises the burden for those interested in starting this kind of venture, but the alternative is to lead users into a trap.
Update: Daily Dot reports that despite two years passing, the original researcher who discovered the 2022 breach confirms that the site is just as insecure as before.
GiveSendGo
Crowdfunding is an extremely powerful tool. Large numbers of individuals choosing to donate to accomplish an achievable goal is something society needs to consider more and more. Unfortunately, those who have concerns with the largest platform may feel the need to settle for the next best thing. This was the case for the Canadian Freedom Convoy protest of February 2022. After the campaign raised over $10M CAD, GoFundMe closed the crowdfund. A new fundraiser was created on GiveSendGo that raised over $9.7M CAD, with donors across the country and some abroad. What could have been a success ended in disaster as hackers put up a website that published all the donors’ information.
Making the rounds on Twitter, the release of information about supporters was given free rein on the platform. Eventually this led to retaliation against those who donated even relatively small amounts. This was so egregious that even Ilhan Omar tweeted “I fail to see why any journalist felt the need to report on a shop owner making such an insignificant donation rather than to get them harassed. It’s unconscionable and journalists need to do better.”
This is an excellent example of how political polarization in the public can be manipulated to undermine everyone’s rights. The response to the Freedom Convoy protest by the Canadian Government as well as the media is a mark against Canadian civil rights history. We should all be careful by what means we permit institutions to limit peaceful means of resolving conflict. It’s never a bad time to ask ourselves just how far we’re willing to let states go to suppress protests and other forms of political dissent.
Epik
The more important a service is, the more dangerous information from it being abused can be. Epik was a web hosting provider and domain registrar. It’s one thing to have your own website hacked, but if your service provider is hacked you have a whole world of other troubles. The Epik breach was an epic disaster. Hackers effectively stole everything and made it available as a torrent.
- Domain purchases
- Domain transfers
- WHOIS history
- DNS changes
- Email forwards, catch-alls, etc.
- Payment history
- Account credentials
- Over 500,000 private keys
- An employee’s mailbox
- Git repositories
- /home/ and /root/ directories of a core system
- Bootable disk images
While the media will focus on the most inflammatory websites, a mass dump of the data doesn’t quite discriminate. Others who chose to use their service for whatever reason will end up caught in the crossfire. Since Epik’s own systems had been infiltrated, this has serious security concerns for any website hosted on their infrastructure at the time.
If you’re curious, you can see the list of Data Breaches during the Covid Crisis I started on Campfire.Wiki.
A Concerning Pattern
There’s a recurring pattern among these incidents, where irresponsible operators will put the needs of their business ahead of the interests of their users. You can find examples of outright denial, downplaying, or even inadequate solutions touted as a complete fix. When a representative for a service follows this script, it is a sure sign to never do business with them again:
- “There was no hack, they’re lying, it’s FUD!”
- “Okay there was a hack but it was a minor glitch and we fixed it.”
- Hackers claim it’s not fixed, and post more data
- “Okay it was bad, but it’s fixed, for real this time, but they’re not in our systems!”
- Media reports that the systems were in fact actually breached and/or data is posted online, potentially because of system compromise or a major vulnerability.
Does It Really Have To Be This Way?
One may argue that attempting to find solutions to this problem is a hopeless endeavor. If teams of people with serious funding aren’t able to solve the problem, what hope is there? It is of utmost importance that we take a second look and ask ourselves what problem we’re actually trying to solve. Are we actually trying to fight against censorship and democratize problem-solving? Are we truly motivated to make sure the problems caused by Big Data are put behind us? Resolving those questions is far beyond the scope of “how do I design my next website?” The answers lie in taking a look at the fundamentals of cyberspace and being willing to explore a much wider variety of possibilities.
Education Is Key
Communities need to prioritize their own technological knowledge capital. Spending time to teach the fundamentals can help people not fall prey to the most prevalent of problems. Relying on governments or corporations to secure the Internet for everyone is asking to be entirely beholden to them. The ideal way forward requires people to be taught not merely how to use various technologies but to understand them at a deep fundamental level.
When fighting for something that matters, the details matter. One must not only consider what someone is up to but also how they intend to achieve it. The means of achieving particular goals can very easily and quickly corrupt the entire enterprise. Having the knowledge, but also the courage to call out careless or negligent behavior among one’s allies is a very difficult but important thing to do.
Join The Self-Hosting Revolution
I can personally attest that self-hosting is a fun and liberating venture…most of the time. It does take a fair amount of skill and effort, especially to maintain across time. While it may not be for every single person, small communities self-hosting services can help distribute the data, and therefore the risk, much better than large monolithic platforms. It’s much safer to keep everyone’s data separate and distributed. To make the most out of this, open protocols are the way to allow a variety of different systems to still maintain some form of interoperability. A heterogeneous network built with a common protocol will be much more resilient to cyber attacks than everyone running the same one-size-fits-all solution, or pooling their data in the same entities.
One of the best advantages of self-hosting or running services for a small community is that it reduces your reliance on large platforms. While it may be a challenge to protect your own systems, with proper backups you’ll have a lot less to lose than someone on a large platform that got breached or was selling the data anyways. With reasonable expectations, such as accepting that software is never complete but always improving, we can create radical change with relatively simple innovations.
OPSEC (Operational Security)
With our existing platforms and services harvesting more and more information on their users, it’s worth asking what you’re willing to do to mix things up. Does every website you use require your real name just to lurk occasionally? Is it even reasonable that most online entertainment includes all kinds of invasive forms of surveillance? Our predicament as individuals is that protecting our private information is a burden that has been placed on us by the circumstances we find ourselves in. It takes proactive work, and careful consideration to not fall into traps.
Let’s ask a few questions:
- Do you sign up to newsletters with your main or work email?
- How many sites have your only phone number or physical address?
- Do you repeat usernames (or even worse passwords) across services?
- How many accounts do you have open with sites that you haven’t interacted with in years?
Each of those is an OPSEC problem that you may want to spend time resolving in advance of a breach. As always, it’s worth checking known breaches for your information. Sometimes controversial online services will openly share guides with their users on how they can proactively protect themselves from being compromised in the event of a breach. General understanding and awareness can often go a lot further with a bit of creativity than relying solely on every service being impervious.
Advice for Future “Alt-Tech” Projects
Think all the above were just chumps or malicious from the start?
Believe that you could do better and want to build the next big thing?
It’s still worth it to consider the following:
- Have a plan to detect system intrusion proactively
- Build your product with security as a priority: Make deliberate choices in components and software
- Test your application for exploits based off previous breaches
- Get independent security audits
- Assume you will be breached, take measures to minimize harm
- Treat user information as radioactive: store as little of it as you have to, secure what you must keep
- Make an organized effort to ensure members of the organization are aware of important security practices
TL;DR: Take cybersecurity seriously and don’t bite off more than you can chew.