Fight for your right to privacy — an interview with Troy Hunt

Have I Been Pwned?

It feels as though data breaches and hacks have become a daily occurrence, but many people still don’t know how to prevent their private information being exposed on the internet. The Have I Been Pwned website is a great way to start improving your security.

Troy Hunt, the man behind the project, is a leading cybersecurity expert who has worked tirelessly to educate internet users and business leaders on how to combat cybercrime.

In this interview, Troy elaborates on the present state of cybersecurity, discusses some of his own projects, and debunks common online security misconceptions.

What are the best and most effective online privacy protection tools at the moment? What would your advice be to an inexperienced user?

Well, a combination of things. Obviously, a VPN is very useful when someone wants to maintain privacy from the service that they are using. That’s clearly the first step.

The other important thing is password managers. Simply because when you don’t have a password manager, and you reuse passwords, sooner or later, one of those accounts will be breached, and someone will log in to your other accounts. Having someone else logging into your accounts is not a very privacy-centric behavior.

Another thing is being conscious about how much you wish to share. We see people oversharing a lot of information via social media that is unintentionally public, and it may appear in a data breach. So trying to minimize your digital footprint is a very practical non-technical thing to do as well.

What are the most popular and the most dangerous general misconceptions about cybersecurity?

I think the most common misconception is that hackers wear hoodies, that they are dark and shady characters. In reality, hackers are often very unsophisticated people, and there are even children and young adults among them. I think that’s a big misconception, and it is perpetuated a lot by the media.

Every time we see a news story about hacking, there is a guy in a hoodie with some green screens and some other scary imagery. I think it does a bit of a disservice because very often, things like cybersecurity and hacks are not sophisticated. They are very basic. There are certainly occasions when it is sophisticated, e.g., in the cases of nation-states, but very often it’s just someone exploiting very weakly protected systems.

If a person thinks they don’t have anything to hide online, should they still use a VPN? And is the very idea that they have nothing to hide a misconception in itself?

The reality of it is that everybody has something to hide, and, I think, the correct way to look at this is not that we have things that we want to hide. It’s just that there are some things that we might not want to share.

Let’s pick something easy — for example, passwords. There is nothing embarrassing to me about my password. I have different passwords for every website. But I don’t want to share that with other people. Most of my discussions on social media with my fiancé are not embarrassing, but that’s the information I want to keep private for her and me. I just don’t want to share it with other people. We have privacy as a human right. It’s a fundamental thing.

I think people should look at VPNs from this perspective. A very good example is many data breaches where we see lots of IP addresses leaked. Do you want to share that information with other people? Do you want to have your browsing habits potentially associated back to you and shared publicly?

We often tell people that they shouldn’t reuse login details or rely on generic words and phrases in their passwords. Do you think these tips will still be relevant in the future?

We are witnessing a change driven by the likes of NIST in the US in recent years, where they’ve started to advise organizations to move away from arbitrary password complexity criteria and mandated password rotation.

These two concepts made sense at the time, when it was a lot simpler when we started coming online, and people had a small number of accounts, and there was a risk of people using easy-to-guess passwords. They really don’t make much sense now as we are starting to have a very large number of passwords, and people start using the same simple ones that pass arbitrary password complexity criteria, and they use them across everything.

When I used to travel and talk about password security, I used to ask audiences: “Imagine, you go to a website, where you try to use the same terrible lower-case six-character password you use everywhere, and the website says you must have at least one upper-case character. What would you do?” And everyone kind of looks around nervously, and one person says — you just capitalize the first letter, and then everyone laughs. But I just got really nervous thereafter and thought, “Oh, they figured it out, this is the trick, this is the thing that I do.” So arbitrary password complexity criteria lead to very predictable patterns, and we are no longer recognizing that as a viable means of increasing security.

But there are a lot of other things that we can do instead that help us to improve our security. One of them is more ubiquitous encryption, partly because we have a very large number of websites implementing it, partly because we have more easy access to things like VPN.

They all protect passwords in a way that wasn’t easy to do fifteen or twenty years ago when people started creating passwords on many different sites. So it is changing, and, of course, we’ll start to have more viable passwordless options in the longer term. We are starting to see more things like security keys. We are starting to see more biometrics, we are getting better options to use things that aren’t memorized secrets, and that in the end will decrease the dependency on passwords.

But wouldn’t these options bring new threats?

Well, they changed the landscape. I often have this debate with people about biometrics. People say biometrics is a bad idea, because you can’t change your fingerprint when someone else gets it. And I think that doesn’t make sense for many different reasons.

So here’s a good example — if somebody else sees your password, they can very easily use it on the website you used it on because everybody knows how to use a password. If someone picks up a glass that I’ve been holding and has my fingerprint on, what do they do next? I don’t really know. It could involve melting down gummy bears and even some James Bondian scenes.

So, we are talking of a very sophisticated knowledge to both obtain the secret and then also create the prosthetics. And you also need to fool a biometric reader within the first n number of attempts because, usually, when it fails five times, it will fall back to other authentication means. So yes, they might create some risk, but when we look at them as compared to the risks of passwords, most passwordless solutions are significantly more secure than the ones we have at the moment.

What changes should take place in the legal system to prevent data breaches and cybercrime in general? Should companies be punished more severely for not protecting user data properly?

I think it’s a combination of factors. In terms of organizations and data breaches, it differs significantly worldwide. I think Australia is way too relaxed. We have the Notifiable Data Breach Scheme in Australia, which is effectively a mandatory disclosure. It’s extremely casual compared to somewhere like Europe. There are things like the ability to self-assist whether or not a data breach has likely caused serious harm for individuals, and then you don’t have to report if it doesn’t. You can take up to a month to report a data breach, while in Europe, it’s generally 72 hours plus all the GDPR stuff. So, I would like to see more alignment across the globe.

Then in terms of the penalties for hackers, it’s a bit tricky for a couple of reasons. Number one, most hackers don’t think they will be caught anyway. The other issue is the global nature of the internet. We may impose more stringent penalties in Australia. Still, criminals can be based overseas (and many of them are based overseas, in jurisdictions that may not be particularly cooperative with Australian law enforcement).

What I would be cautious about, like I said earlier, is that the people responsible for hackings are often very young, very often quite immature, and not aware of the social consequences of their actions, so I would like to see the right amount of penalty if that makes sense. Their course of life should be corrected as opposed to their life destroyed by serious prison time and criminal records.

What are the common factors in modern data breaches and leaks? What are the most vulnerable areas at the moment?

If we look at what is potentially the most impactful, it is certainly the attacks that we saw against the medical system, e.g., ransomware against hospitals. This is particularly damaging because of the nature of healthcare being very personal and private. And also the fact that we are dealing with people’s lives.

When I follow the news, I see these huge data breaches happening every week. What can individuals and businesses do to make data breaches less frequent and less damaging?

I think one of the best things we can do is to practice this concept of data minimization. So how do we reduce the amount of data about us that is stored and retained by the service providers? So I will give you a good example — many services ask for your date of birth but don’t need it. It’s a little bit different if it’s a government service.

For example, you need to provide your date of birth when you do your Covid test as it’s a relevant government health service. But do I need to provide my date of birth if I need to sign up on a forum to talk about cats? That is actually not relevant information. That sort of data should be optional, and if it’s not, you should probably raise a question about how important it is to leave a comment about cats.

And it’s quite funny because very often I process a data breach and it will have dates of birth. And then some people tell me, “Well, you need to ask someone’s date of birth because of COPPA, the Child Online Protection and Privacy Act. You need to be thirteen to use certain services.” And I reply to them, “Why don’t you just ask, are they thirteen.” And honestly many times people come back and say “Well. you can’t do that, because people could lie.” And I reply that they can lie on their date of birth too — just look at how many people are born on the 1st of January in data breaches that happen all the time. So what I would prefer to do is for service operators to use a little more intelligence about how they can meet the criteria they need with the minimal amount of data.

We are testing a digital driver’s license in our state here in Australia. It is a way more convenient option. Let’s say you wanna go and get a beer and you need to bring ID. At the moment if you hand down your physical license, someone sees your exact date of birth, your home address, your name, your photo, all this personal information. The joy of a digital driver’s license is that we can say what this facility needs without exposing your other personal data. So this is a service designed with privacy in mind.

Another example of this — you bought a t-shirt ten years ago, but the service still got your name, your phone number and your home address, your email, and the password you use. Do they still need to have this if I haven’t used the service in ten years? Perhaps the service could email a person and say, “Look, you haven’t logged on for more than five years. In 90 days from now, we are going to remove your data.”

The problem is that organizations look at data as an asset and don’t tend to look at it as a liability. And particularly with cloud and really cheap storage and the fact that people’s data is valuable, organizations are just really not motivated enough to no longer store data that they don’t need. And I really would like to see that change.

What measures would encourage the necessary changes?

This is another thing that depends on the jurisdiction. In places like the EU, people have the right to erasure. But even in the EU, there are cases when you don’t have that right.

I remember a story from a friend of mine who is a data protection officer in the UK. He said that there are people, who are contacting the police and saying “Under my rights to erasure, I would like you to delete my speeding tickets.” That’s not the way it works.

But there is a formal process people can use for other organizations holding back their data. Now I would like to see that thing becoming more accessible to everyone regardless of what part of the world they’re in. And just as we have privacies as human rights, I would like to see control of people’s data being much more a human right as opposed to an exception.

Do you think the value of data will decrease in the future? What would make it decrease?

I think it’s really hard to devalue the data, because there is a lot of value to it. It’s more of a question, how we would make the data more of a liability than it is at the moment.

So one way of doing that is, let’s say, if data is retained beyond the period in which it is reasonably needed for the purpose of providing a service, then there could be penalties if it was exposed. Let’s get back to that t-shirt example. If anyone has used the merch facility and hasn’t logged in for the last five years and if the data retained beyond that period later appears in the data breach, then there may be a penalty issued to that organization. The organization must delete such data after a certain period.

What cybersecurity challenges do you foresee in the future?

I think the most threatening challenges in the near future are the concerns we have around the nation-states. I think since the USA’s election in 2016, it has become a very front-of-mind for many organizations, and there has been a lot of press coverage. And we talk about disinformation campaigns and attacks on the critical infrastructure. It makes a lot of sense insofar when we have large amounts of value in things that can be attacked digitally.

I mean, who needs kinetic warfare when you can sit behind a computer on the other side of the world and cause huge amounts of damage with much less risk and also less likely to have a lot of attribution. So I think that this nation-state phase is the thing that’s gonna keep gaining a lot of steam and particularly the impact from the critical infrastructure sort of things.

Now let’s talk about your own projects. What are your plans for the Have I Been Pwnd website? Do you have other upcoming projects?

It’s a good question. Certainly it’s gonna keep expanding in terms of the number of data breaches, and my problem is just finding the time to be able to process all the data. It’s becoming a very time-consuming exercise, because there is just so much of it. So I expect to keep moving in that direction.

Before Christmas we’ll launch the ingestion pipeline for the FBI, so the FBI will begin feeding passwords into our thepwnedpasswords page. So other organizations will be able to check if their or their customers’ passwords have been breached before. So I am just trying to get a richer password database.

What do you think organizations and businesses can do to educate people and spread awareness?

I think we can just look directly into the things like data breaches and the amount of information which is very often exposed through them. I think the frequency to which people’s personal data appears helps greatly to make them understand the necessity for privacy.

Just use Have I Been Pwned. I am not going to make much money out of people putting their email addresses, but I think what’s really beneficial about that service is that it gives people a sort of moment when they realize how broadly their data has appeared. Roughly about half of the searches in Have I Been Pwned return a hit. So 50% of people suddenly realize that they have been victims of a data breach or some sort of security incident. I think that would help them to take their online privacy a lot more seriously.

You know, the interesting thing is that people say to me how I don’t end up being breached myself. And I don’t know the answer. Well, not having a digital footprint is obviously the way to go, but then how do you do your shopping or book a flight? You can’t just stay offline either. For example, I was in a data breach while trying to request a blood test, and I put my data onto paper with a pencil. I just find that it is impossible not to have yourself exposed to a data breach, and the only thing you can really control is how badly it impacts you.