Missing the Point: NBC Honeypot Story and Debunking

With the Winter Olympics kicking off in Sochi, Russia, we’ve seen lots of stories about preparations, security, Vladimir Putin, and occasionally a story or two about an athlete who will actually be competing. One of the stories that is capturing the attention of those interested in mobile tech, data security, and travel is the NBC Honeypot story from the Winter Olympics. NBC’s intrepid International reporter Richard Engel reported that he tested broadband security in Russia on new equipment and quickly found that the mobile devices were not only subject to infection, but infected within 24 hours once a connection was made to the Internet.

You can catch the video report at NBC. The reporting concluded that if you were traveling to Russia for the Olympics you shouldn’t bring mobile equipment or at least you shouldn’t have any data on your equipment you don’t want subject to prying eyes. As the report says, it isn’t “if” you’ll get hacked, it’s when.”

Of course this story went everywhere and fits this week’s Olympic reporting about problems and concerns. But then Robert Graham of Errata Security launched a blog post saying that Engel’s reporting was inaccurate. Well, not just inaccurate. According to Graham it was 100% fraudulent. NBC this morning is standing by the original reporting in the wake of Graham’s debunking.

Here’s where all sides are missing the point in the back and forth. Engel’s story, fraudulent or not has painted a picture that can’t easily be erased. In today’s climate of hacking, data breaches, and spying; and given the legends about Russian hackers, there is now big red stamp on the Winter Olympics in Sochi that says don’t bring your stuff here, or if you do, don’t use it. In fact, the US State Department tells US visitors to the Olympics to have no expectation of privacy.

The baseline reporting here should begin with that State Department warning. Whether at the Olympics in Sochi or anywhere, mobile users should assume no expectation of privacy. But we can’t just say that broadly in news reports, because that would have a severe impact on the social networks, sponsors, and media outlets that are counting on your page views and clicks to make some money off of the Olympics. (Including NBC.) If no one is using mobile devices at the site in this case, what does that say for the future of iBeacons or other location based technology at these kind of events? What does it potentially say for companies like Twitter, Facebook, Instagram, and others that are counting on traffic about the Olympics? More and more big event stories are being tied inextricably into social networks and websites.

If the general public ever wholeheartedly assumed the worst and stopped using mobile devices at events where they can be hacked and tracked, a good portion of the Internet economy would possibly collapse, as would some dreams of new things to come in technology. So, instead of a base line that assumes no level of privacy, we being with one that does assume you can be OK and treat reports of hacking and spying as abnormal.

We’ve been saying for some time that 2014 is going to be a year where the friction point between  what is possible with technology and privacy and security becomes a major story. The momentum for that story everyone is afraid to report is building.