June 6, 2023

The difference between vendor monitoring and vendor management

Research about a domain is critical in performing vendor monitoring, which is a regular checkup of your vendors.


Let me start with something from the heart: I strongly believe that a thriving, diverse media of all sorts is vital in any sane society. I abhor the decline of the smokey, charged-up newsroom. I am constantly on the lookout for muckraking journalists ready to defy the powers-that-be with occasionally embarrassing scoops. A living, breathing media in print, on the radio, on television, is a prerequisite for genuine democracy. And I really despise how media organizations, in particular print, became a pawn on the chessboards of hedge funds.

To give more evidence, much of my non-corporate privacy-enhancing technology training experience was with journalists. For instance, one of the most enjoyable events I was involved in organizing was at the Columbia Journalism School's Tow Center in 2014, with most participants being young aspiring student journalists. I was incredibly proud to play a role in getting them to appreciate the centrality of individual security practices and behaviors in a world hostile to transparency.

On that note, when I presented "Why Privacy and Security (usually) need Anonymity" for the ISSA Privacy SIG in June of 2022, I gave a few images of ClearOPS Service Provider Reports (referred to as “SPR”) about USAToday.com, although I was hesitant to do so based on that prior experience and what I found. Our service provider reports were named after terms used in the CCPA, the California privacy law.

SPR is our tool for assessing a web domain's privacy and security practices. The report itself displays two-dozen data points that we call "observations," and includes queries about whether the domain displays a privacy policy, the types of encryption for HTTPS available and a variety of other important topics. It's a tool we started building years ago, and is nothing less than a full-fledged search engine created by someone who has built them before.

I included the USAToday.com report to illustrate the importance of minimizing pointless data collection as critical to providing expected anonymity for customers.

Why USA Today? I honestly didn't want to pick on them, and thought one of the usual bad characters in the US would be preferred, maybe an oil company or some other entity that provokes the ire of your average American. But USA Today's report is almost an anomaly, since the number of third parties web site visitors are exposed to is shocking.

Now going back to my starting point, I appreciate the difficult position of media organizations today. Shrink the newsroom, pull the leash on the few remaining on-the-ground journalists, keep the advertisers happy since print sales continue to decline.

But USA Today's SPR from June 6th was shocking.

The first observation I displayed was the response to "Does usatoday.com expose web site visitors to scripts from other domains?".

Instead of a few domains, USAToday.com's report listed 20 other domains. Most of them are related to analytics and advertisements, often in the service of revenue. But exposure to 20 domains means a lot of surface area for data breaches.

More nuanced was the second graphic which illustrated the web site load time of usatoday.com. Some 116 requests were made in 21.79 seconds across 44 different domains.

Like the first observation, most of the domains are concerned with analytics and advertisements.

That's a shocking exposure to ordinary users innocently visiting USAToday.com, and not realizing that dozens of third parties are collecting information about them, usually without any form of consent. USAToday.com's security surface area is likely larger than most other web sites, and with it an increased possibility of their users' data being exposed.
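As an added illustration (not ClearOPS code, and not a description of how SPR is built), the code below derives the two kinds of figures discussed above from a browser HAR export: the third-party script domains, and the request count, elapsed seconds and unique domains. The sample capture, the `.test` host names, the suffix-based first-party check and the wall-clock definition of load time are all assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

def _entry(url, start, ms, mime):
    """Build one HAR 1.2 entry with only the fields this audit reads."""
    return {"startedDateTime": start, "time": ms,
            "request": {"url": url},
            "response": {"content": {"mimeType": mime}}}

# Constructed sample capture (not real data); hosts use the reserved .test TLD.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://news.test/", "2023-06-06T12:00:00.000Z", 400, "text/html"),
    _entry("https://static.news.test/app.js", "2023-06-06T12:00:00.300Z", 200, "application/javascript"),
    _entry("https://ads.adnet.test/tag.js", "2023-06-06T12:00:00.500Z", 900, "text/javascript"),
    _entry("https://metrics.test/collect.js", "2023-06-06T12:00:01.000Z", 500, "application/javascript"),
    _entry("https://ads.adnet.test/pixel.gif", "2023-06-06T12:00:01.500Z", 1500, "image/gif"),
    _entry("https://cdn.fonts.test/a.woff2", "2023-06-06T12:00:02.000Z", 250, "font/woff2"),
]}}

def is_first_party(host, site):
    # Simplification: suffix match on the site name; a production audit would
    # compare registrable domains using the Public Suffix List.
    return host == site or host.endswith("." + site)

def audit(har, site):
    """Summarise third-party script exposure and request volume for one page load."""
    entries = har["log"]["entries"]
    hosts, script_hosts, starts, ends = set(), set(), [], []
    for e in entries:
        host = urlsplit(e["request"]["url"]).hostname or ""
        hosts.add(host)
        mime = e["response"]["content"].get("mimeType", "")
        if "javascript" in mime and not is_first_party(host, site):
            script_hosts.add(host)
        begin = datetime.fromisoformat(e["startedDateTime"].replace("Z", "+00:00"))
        starts.append(begin)
        ends.append(begin + timedelta(milliseconds=e["time"]))
    # Assumption: "load time" is wall-clock from first request start to last response end.
    seconds = (max(ends) - min(starts)).total_seconds() if entries else 0.0
    return {
        "third_party_script_domains": sorted(script_hosts),
        "requests": len(entries),
        "seconds": round(seconds, 2),
        "avg_seconds_per_request": round(seconds / len(entries), 2) if entries else 0.0,
        "unique_domains": len(hosts),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HAR, "news.test").items():
        print(f"{key}: {value}")
```

Running the same audit on weekly captures of one site gives a series that can be compared from collection to collection.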

But now for the good news.

Since ClearOPS conducts collections weekly, we now have three collections since the June 15 presentation.

So while I displayed the 20 domains web site visitors were being exposed to in the June 15 presentation, and that number did jump to 24 domains on June 20, in the last two collections, from June 27 and July 4, that number declined to nine domains.

Similarly for web site load times, the June 20 data showed an increase to 317 requests in 38.79 secs (0.12 avg.) across 66 unique domains; that number declined to 69 requests in 12.71 secs (0.18 avg.) across 26 domains on June 27, and 49 requests in 26.59 secs (0.54 avg.) across 21 domains on July 4.

When privacy and security are quantified, it becomes easier to grasp their significance, and also to plot relative improvements. And while I did feel some level of guilt shaming USAToday.com as a struggling media entity, I was thrilled to see the relative improvements in their SPR results.

Exposing users to third parties is a logical result of the decline of print media, and the growth of data monetization. These trends aren't just going to reverse out of altruism. But recognizing the potential costs through third-party data breaches should certainly mitigate data monetization.

And for that, hats off to USAToday.com.

George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives in creating unorthodox solutions to ordinary problems.

About the author

I never met a repetitive, laborious task that I didn't want to automate.
