Exploits and our digital rights

Yesterday, Richard wrote about the need for new global infrastructure to support consumer rights. I’m particularly interested in tracking exploits, because they break the products we use in ways we can't notice. They affect the security of our data and our privacy. I think this harms our digital rights.

Digital rights are an emerging area. Policies like the General Data Protection Regulation are starting to sketch these rights out, but we more often look to human rights and consumer rights to understand what our digital rights are.

People will need new tools to know when these rights aren’t being enforced, or when weaknesses in the things we buy mean our rights are being undermined. We need to start working out what that involves now.

Faults we can't see

A recent example of an exploit is CVE-2017-7240. It affects an industrial dishwasher made by Miele.

This dishwasher's software contains a web server. The server makes files inside a certain folder accessible over a network, and you shouldn't be able to access anything outside this folder.

But this exploit means that someone could. It could expose information that would help someone intrude on other parts of the network the dishwasher is connected to.
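The folder restriction described above, as an added example that is not code from Miele or from the original post: a naive path join that lets a request climb out of the served folder, beside a resolver that confines it. The folder layout, file names and function names are constructed for illustration.

```python
import os
import tempfile

def resolve_naive(web_root, request_path):
    # Vulnerable pattern: the request path is joined onto the web root and
    # never checked afterwards, so "../" segments can climb out of the folder.
    return os.path.normpath(os.path.join(web_root, request_path.lstrip("/")))

def resolve_confined(web_root, request_path):
    # Hardened pattern: resolve ".." and symlinks first, then require the
    # result to still sit under the web root. Returns None on escape.
    # lstrip("/") matters: os.path.join discards the root for absolute paths.
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def demo():
    # Constructed layout: a public folder next to a file that must stay private.
    base = os.path.realpath(tempfile.mkdtemp())
    web_root = os.path.join(base, "www")
    os.mkdir(web_root)
    with open(os.path.join(web_root, "index.html"), "w") as f:
        f.write("status page")
    with open(os.path.join(base, "secret.conf"), "w") as f:
        f.write("not for the network")
    results = {}
    for req in ["/index.html", "/../secret.conf", "/a/../../secret.conf"]:
        naive = resolve_naive(web_root, req)
        confined = resolve_confined(web_root, req)
        # (does the naive path stay inside the folder?, does the confined one serve it?)
        results[req] = (naive.startswith(web_root + os.sep), confined is not None)
    return results

if __name__ == "__main__":
    for req, (naive_inside, confined_served) in demo().items():
        print(req, "| naive stays inside:", naive_inside,
              "| confined serves:", confined_served)
```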

I see stories like this in the technology press almost every week. Companies are pushing themselves to make “smarter” products, while not considering the risks to the rights of their customers.

This entry in CVE describes the directory traversal bug in a Miele industrial dishwasher. (Photo: Screenshot/MITRE).

Tracking exploits is hard

The rather cumbersome name CVE-2017-7240 is an identifier for the exploit in the Miele dishwasher. It comes from the Common Vulnerabilities and Exposures database, which gives a reusable identifier to an exploit. Accompanying this is a brief description of the exploit on the National Vulnerability Database. More detail is usually published by the researchers, on their own websites or on mailing lists like SecLists.

To date, exploits have been described and documented for a technical audience. These services aren't legible or usable in a way that would help most people find out about problems with the things they own. Sometimes journalists pick up on high-profile exploits and make them readable to a general audience, but it's impossible to cover every exploit in every product.

Some organisations have started to look at making exploit information more accessible so people know when their digital rights are being affected.

Have I Been Pwned lets people test their email addresses to see if they appear in known data leaks. Often these leaks include other data with email addresses. Bank account details are an obvious risk. People sometimes reuse passwords, so leaked passwords on one service can be a risk to their wider online identity.

We’ve also looked at this in our consumer advocacy research project. We prototyped an electronic price tag that interprets sources of exploit information and wraps them into an indicator that gives a consumer a clearer view of a product's digital safety.

Both these interventions introduce a usable layer on top of exploit data to make it more useful to people. But we think it would be better if the databases themselves were human-readable, easy to use, and built in a way that helped developers use that data more effectively.

The exploits found in CloudPets toys are part of a wider trend of new Internet of Things products that rely on an external server for connected functionality. (Photo: CloudPets).

There’s a lot to be done

While doing research for our recent project with Consumers International, I came across an essay by computer security writer David Wheeler. He outlines a dozen interventions that help protect people from software exploits, from changing how we educate developers, to policies that ensure products have a minimum support period.

This multidisciplinary approach is needed in building tools that help people understand their digital rights. No single intervention will resolve everything because software is a complex mix of code, design and policy.

A good place to start would be to interrogate the ways we design for consent in digital services. We've prototyped new design patterns like data licences that give people a clearer idea of what data is being shared in a service through a consistent visual language.

We're expanding this conversation with the wider community through our design patterns meet-ups. Join the mailing list to find out details about our next session.