OVERSPILL: some extra BONG! bits 👉 Privacy is a tough business. So is cybersecurity. Corporate deceit and manipulation do not help.


OVERSPILL – when there is just a bit more that we wanted to say in the weekend BONG! report


BY:

Eric De Grasse
Chief Technology Officer


15 March 2021 (Paris, France) – This past weekend we re-launched BONG!, but we put it on steroids. The bedrock is still selected news from the e-discovery and information governance communities as collected by Jonathan Maas, the originator of BONG!, but with additional contributions from Rob Robinson at ComplexDiscovery, plus our own media team, plus our cyber security and digital media communities. As we noted, our intent is to go beyond the usual news and provide a look at the trends and technologies that have accelerated the convergence of the discrete yet mutually inclusive domains – cybersecurity, digital media, and legal technology – which we have covered for 20+ years.

We are pleased with the initial outing. Briefly:

• We have about 9,000 industry subscribers on our legaltech list and we had an Open Rate of 28.6% (subscribers who opened and scanned the post), and a CTR (click-through rate) of 34.8% – subscribers who clicked through to the individual articles. Nice metrics no matter how you slice it.

• The most popular article was Manfred Gabriel’s story on how he parlayed his eDiscovery expertise into a partnership at a Big Law firm. The second most popular article was on how the UK has been quietly building and testing surveillance technology that logs and stores the web browsing of every single person in the UK.

• We received 102 email responses: people wishing to join the list, suggestions for future topics to cover, etc. 

Obviously it is impossible to cover everything, but we’ve decided to expand future editions of BONG! to get more in. We’ll still have a lead article, but we’ll have a total of 10 story links in order to expand our scope. And every Monday we’ll distribute OVERSPILL when there is just a bit more that we wanted to say: one or two noteworthy items that did not make the weekend BONG! report.

If you live in the U.S. you are well aware that (most) mobile phone operators are pummelling their clients with how to opt out of their forthcoming “sell your data” initiatives. This story came from one of our data privacy mavens (as in “I-am-so-fed-up-with-this-crap” data mavens). His story was about T-Mobile. But Angela Gambetta (who is perched in the Project Counsel Media Washington, DC office) had the same issue but with Verizon so we’ll use that.

Angela dutifully clicked on the link she received via an SMS to her phone to “opt out” and was drawn to a series of web sites, eventually getting to a page that required an (awful) lot of data, including a very long Google ad tracker number. She clicked the submit button and … nothing happened. There was a link for “help with your privacy settings” … which brought you back to the same form. And a phone number for customer service with a recording *promising* a call back. That never came. Me thinks they really don’t want you to opt out.

In Europe this is similar to the struggle EU citizens face with “Data Privacy and Data Subject Access Requests” (DSARs) mandated under the GDPR – a request addressed to an organization that gives individuals a right to access information about personal data the organization is processing about them. Responses to DSARs are incredibly varied, and there is no consistent way anybody responds to a DSAR. And that is due to the fact, as we noted last year, that a very detailed response process was scrubbed from the GDPR early on. A hat tip to the industry lobbyists and lawyers for that one. But at least data privacy vendors are making a bomb handling DSARs for their clients. Represented by the same lobbyists and lawyers? [wink, wink]


On Thursday, as we were putting BONG! to bed, we were seeing the early takes on the Biden Administration analysis of the sophisticated hacks pulled off by Russia and China against a broad array of government and industrial targets in the United States. The extraordinary failure of the intelligence agencies to detect them and the gaping vulnerability in the existing cyber system has been there for all to see. These attacks were launched from inside the United States – on servers run by Amazon, GoDaddy and smaller domestic providers – putting them out of reach (legally) of the early warning system run by the National Security Agency. But the F.B.I. and Department of Homeland Security – the two agencies that can legally operate inside the United States and with systems as sophisticated as those run by the National Security Agency – were also blind to what happened, raising additional concerns about the nation’s capacity to defend itself from both rival governments and non-state attackers like criminal and terrorist groups.

Let me be clear. Organizations spending money for advanced, artificially intelligent, and proactive methods for dealing with cyber attacks face some difficult circumstances.

• First, the cash for that *security* is gone

• Second, the security *fix* is neither quick nor easy

• Third, boards of directors and those with oversight will ask difficult questions to which there are no reassuring answers. For example, as detailed in the Biden Administration report as well as multiple cyber reports, the answer to “What information has been lost exactly?” is “Uh, no one really knows yet.”

The nub is this: the hacks were detected long after they had begun, not by any government agency but by private computer security firms. And let’s be even more clear. The SolarWinds misstep was detected because a single human (at the cyber security firm FireEye) took the time to chase down an anomaly related to allowing access to a single mobile phone. One guy.

I don’t mean to steal the thunder from a quite lengthy monograph due out shortly from our boss, Greg Bufithis (well, *boss* in that he’s retired but keeping his hand on the tiller a bit to guide us through a bunch of things) but several observations are warranted:

1. Cybersecurity vendors have been peddling systems which don’t work

2. Companies are licensing these systems and assuming that their data are protected. The assumption is flawed and reflects poorly on the managers making these decisions.

3. The lack of information about the inherent flaws in the Microsoft software build and updating processes, the mechanisms for generating “on the fly” builds of open source enabled code, and the indifference of developers to verifying that library code is free from malicious manipulation underscores systemic failures.

Remediating the issue will take more than BrightTALK security videos, more than conference presentations filled with buzzwords and glittering generalities, and more than irresponsible executives chasing big paydays.

There has been a disastrous erosion of responsible engineering practices and now corporate PR to cover the misdeeds. That sucks. In fact, it double sucks.

We’ll have a new BONG! out this coming Friday. Enjoy your week.
