San Francisco Chronicle

In digital age, no such thing as perfect privacy

Facebook CEO Mark Zuckerberg during his keynote address to kick off Facebook's F8 developer conference at Fort Mason in San Francisco, California on Tues. April 12, 2016. Michael Macor/The Chronicle

Nearly a week before WikiLeaks revealed that the Central Intelligence Agency may be using personal electronic devices for espionage, a lawsuit settlement admonished Facebook for reading messages the company had led its users to believe were private.

These were not the first instances in which Facebook and the federal government have been accused of gathering information from people’s private devices, conversations or even homes.

And they won’t be the last.

What both cases show, experts said, is a grim slice of reality: When it comes to digital data — photos, conversations, health information or finances — nothing can be perfectly private.

And for those entities charged with keeping and protecting people’s data, including governments and big tech companies, what’s best for consumer privacy may not always be in line with their own priorities.

“When it comes to making these decisions about privacy and vulnerabilities, without any clear law or anything, it all becomes a matter of opinion,” said Jeremiah Grossman, the chief of security strategy for cybersecurity firm SentinelOne. “The CIA could have a really reasoned argument for why it’s in the country’s best interest to hoard (tech vulnerabilities). Whereas I would prefer to have the information so we can fix our software and make everyone safer.”

Internet users are increasingly aware of this, and increasingly wary of institutions charged with protecting their data, according to studies from the Pew Research Center.

Just 12 percent of Americans and 9 percent of social media users report a “very high level of confidence” that the government and tech companies can keep their personal information safe and secure, according to a Pew study from 2016.

Overwhelmed with stories of hacks, attacks and the prying eyes of private companies and public agencies, fatigued consumers may feel even attempting to protect themselves in a digital age is futile, security experts said.

That, they added, is exactly the wrong approach.

“The truth is there’s no silver bullet,” said John Breyault, vice president of public policy at the National Consumers League. “There’s no foolproof way to protect your privacy and data security from the government, for example. But there are plenty of basic, important steps people can take to reduce their risk.”

WikiLeaks, an activist organization that exposes government secrets, revealed what appeared to be a legitimate trove of internal CIA documents Tuesday that suggested hackers within the agency had been able to co-opt Android and Apple smartphones, Samsung SmartTVs, and Internet-enabled cars, among other computer systems, to spy on targets.

Using a variety of tools, CIA hackers found ways past antivirus systems and defensive software, and around messaging apps that encrypt communication (scrambling messages so third parties cannot intercept a conversation), by hacking into the deepest parts of a phone or computer operating system.

Members of the Press photograph Facebook CEO Mark Zuckerberg as he gives his keynote speech during the first day of the F8 Facebook Developer Conference at the Fort Mason Center March 25, 2015 in San Francisco, Calif. Facebook CEO Mark Zuckerberg unveiled its Messenger Platform among other announcements. Leah Millis/The Chronicle

By Wednesday, companies cited in the data leak had responded, saying they were working to patch the apparent vulnerabilities of their products.

Samsung, whose Internet-connected TVs were put into a false off-mode and used as listening devices by CIA operatives, according to the leak, said Wednesday that it was “urgently” trying to fix the security flaws.

According to the leaked documents, the CIA discovered and kept secret 14 methods of exploiting Apple devices. Such methods are known as zero-day attacks, meaning they pounce on security defects that are unknown even to the company itself and, therefore, have no known fix.

Apple said in a statement that most of those issues were already fixed in its latest software update; those that weren’t were being quickly addressed, it said.

The spy agency also collected 24 “weaponized” zero-day exploits against Android devices, the documents said. Google, the creator of Android operating systems, did not respond to a request for comment.

Of course, some of these same companies have been embroiled in controversies over how they use and collect consumer data.

Google, which was sued for its practice of scanning Gmail users’ emails for advertising purposes, agreed to modify its own use of data following a lawsuit in 2010.

“Data has become such a part of wearables, smart homes, social media, smart cars, surveillance, that it’s not about privacy as much as it is about disclosure,” said Jules Polonetsky, CEO of the Future of Privacy Forum. “These are data-driven products, tools, services, and the ethics of how you design and use these tools, and how people understand what you’re doing with their personal information — that’s the central point.”

Facebook was not named outright in the CIA documents, though WhatsApp, an encrypted messaging service owned by the social media giant, was.

But just six days prior to the WikiLeaks data dump, Facebook had been dealing with its own privacy concerns.

In settling a 2013 class-action lawsuit accusing it of violating the federal Wiretap Act and California’s Invasion of Privacy Act by mining Facebook users’ private messages without their knowledge or consent, the company agreed last week not to read its users’ private messages.

Facebook, which pointed out in the settlement that it had dropped that particular message-mining practice several years ago, vowed to make it clearer to users how all their data and information is scanned, used and sold to advertisers. The settlement still has to be reviewed by U.S. District Court Judge Phyllis Hamilton in Oakland on April 12 before it can take effect.

Though Facebook is not the CIA, and mining user messages using an algorithm is not the same as a human hacker breaking into someone’s cell phone or the TV they have at home, privacy advocates said both actions stem from a lack of transparency and strict privacy regulations in the U.S.

“What this settlement suggests, and not just to Facebook, but to other companies in the tech world, is if you tell people you’re offering people a private tech service, your word needs to be matched by what you’re doing,” Breyault said.

President Trump has pledged a forthcoming cybersecurity executive order that would push for studies of current vulnerabilities and the United States’ cyberattack capacity. But leaked drafts do not indicate a clear plan for addressing privacy concerns or creating a national mandate that protects consumer data.

“One of the key challenges of the Trump administration, which has been very pro-security, is learning how to integrate privacy concerns into surveillance concerns,” Polonetsky said. “Being responsible for deciding exactly what is too far or what is not for the CIA to use and deciding when we need strong encryption to protect our infrastructure even though that leads to security tensions is so important. These are conversations we need to have.”

Marissa Lang is a San Francisco Chronicle staff writer. Email: mlang@sfchronicle.com Twitter: @Marissa_Jae

Protect your tech

Here are some best practices experts recommend to protect your personal data:

Use better passwords: Create a truly random password of 11 characters or more, including numbers and special characters, that is not a word you can find in the dictionary. Do not repeat passwords for multiple accounts.

Use a password manager: The average person today has more than two dozen different online accounts that require passwords, according to a study by Intel Security. For most, that's too many to remember without using duplicates, which can leave multiple accounts vulnerable should one password fall into the wrong hands. Using a password manager, like 1Password, Dashlane and Passpack, allows users to store a list of passwords in a secure account for which they only need to remember one strong password.

Update your software: Always make sure you’re using the most up-to-date version of software as updates from manufacturers often come with security patches and bolstered protections.

Enable two-step verification: Activating two-step verification on your online accounts will require a step beyond entering a password — like sending a text message with a code to your phone — before you can log in. If someone gets your password, the text message may alert you to an attempt to break into your account and allow you to deny them access.

Use strong encryption: Security experts suggest downloading Signal or similar messaging apps that scramble messages and calls, which can prevent third parties from intercepting or eavesdropping on a conversation. The recent WikiLeaks leak revealed that the CIA may have found a way around these apps by hacking into the phone on which the apps were run to record conversations, both written and spoken, before they were transmitted via the app. Still, experts suggest using something called end-to-end encryption, which means even the app makers can’t unscramble your conversation.

Tech Culture Reporter

Marissa Lang covers the intersection of technology and culture for the San Francisco Chronicle, focusing on how the tech industry and technology itself influence and reshape the Bay Area, its people and communities. She covers Twitter, Facebook and the influence of social media, diversity in tech, and the rise of fake news. Marissa joined the Chronicle in 2015. Previously, she covered City Hall for the Sacramento Bee, criminal justice and same-sex marriage for the Salt Lake Tribune and breaking news for the Tampa Bay Times. Born and raised in New York City, Marissa feels the most comfortable in bustling metropolises and is interested in issues of diversity and social justice. Se habla español.