Just when you thought 2020 was bad enough, 2021 ushered in its own chaos. The events that transpired in the United States during the first weeks of the new year were highly emotional, wrought with anxiety and, in many ways, an embarrassment to every US citizen who wakes up each day just trying to do and be better than the day before. Growing up, I recall it was considered taboo to discuss politics or religion, despite the value in having conversations with those who have differing opinions. There is no doubt that the United States is polarized. While magnitude and causation could be explored, neither of those are helpful in the workplace. However, the nature of these incidents has presented unique learning opportunities and areas to discuss and analyze.
I read many reports surrounding the events of 6 January 2021 and, subsequently, social media platform Parler. But, I’ll focus on the overwhelming lack of digital literacy and understanding about the modern threat landscape that this case presents.
In the center of it all was Parler, a relatively new social media platform that, by all accounts, failed to follow a multitude of cybersecurity best practices and arguably could be a key case study for entrepreneurial academic programs. Parler rose in popularity, at least in part, due to inconsistent moderation of posts by longstanding platforms.1 In other words, many users began using Parler because it did not moderate posts, and as such, users felt they could speak freely on the site.2 The growth of Parler and other platforms like it shows the increasing displeasure many users feel toward the automated moderation tools used by established platforms such as Facebook and Twitter. Most would agree that technology is far from perfect and only as good as its human inputs and unbiased validations.
Available reporting corroborates that Parler’s poor coding resulted in privacy issues.3, 4, 5, 6 Regardless of why the platform had lax security, user data was ultimately obtained by an unauthorized person for unintended use. This point is particularly important, since reporting is mixed and, at times, has claimed that the hack really amounted to data scraping. In the United States, data scraping is currently legal with one caveat: it must be public data not requiring authentication (because terms of service are coupled at this point).7 This decision was appealed to the US Supreme Court and is currently awaiting a ruling.8, 9, 10
Service level agreements are undoubtedly important; however, nearly every application (app), platform, software model and piece of hardware is accompanied by some version of an acceptable-use policy. These policies are only getting longer, which increases risk, as most users simply scroll through and check any boxes necessary to use the technology without even reading the acceptable-use policy. Parler either lacked an understanding of, or plainly dismissed, Amazon Web Services’ (AWS) terms and conditions, resulting in litigation that, at least for the moment, favors AWS.11
Soon after, Apple and Google removed Parler from their respective app stores; the app Wimkin would then face a similar fate: providers ceased hosting and name services. Several years ago, then little-known social network Gab was shunned by multiple platforms and ecommerce partners.12 There are probably more examples. While some have hailed these actions, the matter calls into question the enormous power possessed by tech giants. While such digital norms might be considered benign and largely beneficial, the reality is that very few users have ever read every word of each terms-of-service agreement tied to the technology we use. The lack of any singular, agreed-upon set of terms fosters an environment whereby any app developer or service provider who wishes to do business must conform to the beliefs of the delivery and service platforms. I do ponder whether as-a-service platforms rely too much on terms of service rather than traditional contract processes, thereby undercutting proper legal reviews. Such issues translate to business risk that transcends the third party and extends into the fourth party and beyond.
The end of 2020 underscored concerns of monopolization, with a US Federal Trade Commission complaint filed against Facebook.13, 14 This should be of interest to users and US enterprises alike, because each year that passes makes it harder for market challengers to survive. Some have accused the government of remaining idle while tech giants grow—often through the acquisition of competitors—which is plausible, given the lack of technical savviness among lawmakers. Meanwhile, Facebook has alleged Apple does not follow its own rigorous guidelines surrounding its app store and is reportedly considering filing an antitrust suit.15
I chose to examine the Parler case for the lessons it has provided the industry. Political strife and large-scale unbalanced reporting help no one, especially those who lack a digital understanding. It is easy to blame technology newcomers; however, anyone who actually uses a myriad of social platforms knows every one of them is misused daily. In the case of Parler, it was punished for substandard moderation. In this regard, the criticality of the risk of scaling too fast cannot be overstated. The same is true for understanding the growing number of dependencies that accompany vendor services. While intentional misuse is damning, the damage resulting from the often unintentional propagation of misinformation cannot be overlooked. Thus, automated content moderation is necessary and relied upon heavily.
Endnotes
1 Arnold, R.; “The Rising Popularity of Parler,” Click2Houston, KPRC, USA, 24 November 2020
2 Ibid.
3 Bugcrowd, “Parler Security: What Happened?,” USA, 21 January 2021
4 VanIperen, P.; “Parler Hack Due to Zero Security,” PWV Consultants, 18 January 2021
5 Jackson, M.; “Parler Wasn’t Hacked: It Just Lacked the Most Basic Security & Privacy Measures,” Security Bash, 13 January 2021
6 Rosenzweig, P.; “The Parler Breach and the Capitol Rioters,” Lawfare, The Lawfare Institute, USA, 11 January 2021
7 Waterman, T.; “Web Scraping Is Now Legal: Here’s What That Means for Data Scientists,” Medium, 29 January 2021
8 “LinkedIn Corp. v. hiQ Labs Inc.,” SCOTUSblog, USA
9 Baig, Z. S.; K. Bryan; “Scraping By: Data Scraping Litigation Continues to Test Limits of Longstanding Data Privacy Laws,” Lexology, Law Business Research, United Kingdom, 30 November 2020
10 “LinkedIn Corporation v. HiQ Labs, Inc. On Petition for a Writ of Certiorari to the United States Court of Appeals for the Ninth Circuit,” USA
11 “Parler, LLC vs. Amazon Web Services, Inc.,” Casetext, 21 January 2021
12 Robertson, A.; “Gab Is Back Online After Being Banned by GoDaddy, Paypal, and More,” The Verge, Vox Media, USA, 5 November 2018
13 Federal Trade Commission, “FTC Sues Facebook for Illegal Monopolization: Agency Challenges Facebook’s Multi-Year Course of Unlawful Conduct,” USA, 9 December 2020
14 Feiner, L.; “After Suing Facebook, the FTC Has a Chance to Show Critics It’s Not Toothless,” CNBC, USA, 19 December 2020
15 Keane, S.; “Facebook Reportedly Considers Hitting Apple With Antitrust Suit,” CNET, USA, 28 January 2021
Jonathan Brandt, CISM, CDPSE, CCISO, CISSP, CPI, CSA+, PMP
He is a senior information security practice manager in ISACA’s Knowledge and Research department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. He serves ISACA® departments as a subject matter expert on information security projects and leads author management teams whenever external resources are necessary. Brandt is a highly accomplished US Navy veteran with more than 25 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.