Data Privacy

Zero-Trust Principles: Best Practices Refined

By | Data Privacy, Data Protection, Risk and Liability | No Comments

The Office of Management and Budget released a memo outlining the Federal Government’s strategy for implementing a zero-trust architecture (ZTA) across their technology footprint. This memo is part of a broader effort to modernize US cybersecurity in the wake of a string of high-profile attacks on the US and US companies.

While some of the requirements in the memo are already commonplace security policies, there are a few guidelines in the memo that might be a dramatic change from the strategy some organizations are currently employing. Here’s our summary of some of the new guidelines we think you shouldn’t miss:

  1. Authenticate users to applications, not to networks. It’s no longer good enough to lean on perimeter security to trust that traffic on your network is trustworthy. Single-sign-on solutions are mature and widely supported – use them for every application!
  2. Use multi-factor authentication (MFA), but don’t use one-time passcodes, SMS passcodes, or push notification prompts. These are susceptible to phishing attacks. Use a solution that is resistant to phishing, like FIDO2, WebAuthn, or PIV.
  3. Stop requiring that users regularly change passwords or use special characters. While this once was considered best practice, it is now known to decrease security because it leads to password reuse (and credential-stuffing attacks) or unsafe storage practices.
  4. Consider eliminating passwords entirely! It is possible to have multi-factor authentication without one of the factors being a password. It’s more convenient for your users, and a password isn’t adding much security if your users are reusing it across multiple sites and it ends up in a password breach.
  5. Encrypt all HTTP, DNS, and email traffic, even on internal networks. It’s not uncommon to see these unencrypted on many networks, but these all carry sensitive information, and leaving them in plaintext leads to an increased attack surface.
  6. Isolate environments and assign access with granular attribute-based access control, rather than giving role-based access to users or enhanced visibility by default.
  7. Have a process in place to take security vulnerability reports from the general public, and respond to them promptly.


Grey Market Labs is a Certified B-Corp founded with the mission to protect digital life. We build revolutionary software including Replica and hardware products, and partner with like-minded industry leaders, to create a future with “secure-environments-as-a-service”.

Contact us to see how we can work together.

Christmas Cookies

By | Data Privacy, Information Security | No Comments

Ho! Ho! Ho! It’s that time of year again, and old Saint Nick is back to deliver toys and sample tasty cookies left for him on his travels across the globe. With so many homes to visit, there are a lot of cookies waiting for him of all shapes, sizes, and flavors. Fortunately, Nicholas is impervious to viruses like Covid-19, so he has no qualms gobbling down the many treats he finds along his journey. It’s no secret to him that there have been lively debates in online forums for many years now discussing how in the world he could possibly make the journey to so many homes in just one night (and eat so many cookies). However, neither the jolly, old Saint nor his most technically savvy elves know that there have been plans brewing on the dark web to gather data to determine when and where Santa makes his deliveries.

A lively debate begins to brew in one online forum of #NorthPoleTruthSeekers.

ElfSlayer1225: NORAD’s Santa Tracker is a hoax perpetrated by the Big Toy Industry

FrostyFanatic: How can you be sure? Surely if NORAD can detect ballistic missiles, it has the capability to track flying reindeer pulling a sleigh through the skies!

AnonymousThere has to be a way to figure this out

FrostyFanatic: Well, how could we possibly even find this so-called Santa if he could be anywhere in the world at any time on Christmas Eve? It’s like Heisenberg’s uncertainty principle; the moment you try to determine where he is, you don’t know when he is, or vice-versa. I dunno, the whole thing makes my head spin.

ElfOnShelf 🧝🏽: I’ve been following this forum for a while now but never felt a need to contribute given all the half-baked conspiracy theories folks like ElfSlayer1225 love to espouse

ElfSlayer1225: 😠 Great, we’ve got a troll on here. The truth is out there, you’ll see! Say that again and I’ll rip you off that shelf 🗡️ elfie!!

ElfOnShelf: 🧝🏽: Look, no offense, I’ve actually got an idea and I need everyone’s help.

Dasher16: Ohh, not a reindeer trap, I hope

ElfOnShelf 🧝🏽: No of course not… no animals will be injured in this experiment

ElfOnShelf 🧝🏽: Here’s what I propose. I’ve actually been tinkering with this for a whileYou know how Santa loves those cookies sitting out for him every year. He scarfs them all down at every house he delivers presents. How he does it, I have no idea. And somehow he deactivates any cameras or recording equipment so we never see it happen nor can we pinpoint the time of his arrival. Trust me, I’ve tried. I’m not called ElfOnShelf for nothing!

FrostyFanatic: Haha, so how can we help?

ElfOnShelf 🧝🏽: Ok, so do you know how tracking cookies work in a web browser because my idea kind of goes something like that? When you go to visit a website, it will store information on your computer called cookies which allow it to basically identify you on subsequent visits and monitor your behavior over time. There are many other advanced methods of attribution as well but I digress. Now only the site you’re visiting can see that cookie data when you go to it, but sometimes these sites also use 3rd party services like Google and Facebook to track your behavior on their site. And since most sites use these trackers, those 3rd party services can then see the flow of your traffic across many pages on the web and begin to build a map of where you’ve been and when…

Dasher16: I think I see where you’re going here, we’re going to follow the reindeer droppings so to speak 💩

FrostyFanatic: Or the cookie crumbs, hehe

ElfOnShelf 🧝🏽: errr, yeah something like that…. Anyway, imagine now that instead of browser cookies we put real trackers in the cookies left for Santa! I’ve found a programmable nanochip that can be exposed to liquids and extreme temperatures. Perfect for baking into your favorite cookie recipe. Before you know it, Santa will be loaded with them. They’re super cheap and all you have to do is order them from this site and then download my open-source code to program them with you’re unique location data. Once swallowed the nanochips will record the time and voila, we have the information we need!

ElfSlayer1225: Alright, maybe you’re on to something here but you’re missing something too. How are you going to actually get the data off the chips?

ElfOnShelf 🧝🏽: good question, so unlike when a person visits a website, we can’t just record the visit on our server. We need a way to read the chips. Fortunately, the chips work on a short-range Bluetooth connection. And since we know that Santa will visit every home to deliver presents, then each time he visits a home and he has some trackers in his belly, we can scan the chips and get a status on each place he visited and when. Plus! We’ll get the data of when the scan took place to cross-reference it against the other data. So, each one of you will also need to turn on Bluetooth on your mobile or computer and run my other open-source software that will scan and aggregate that data to this forum in real-time so we can see the results. With this we can compare to NORAD’s data and see if NORAD really is a hoax!

ElfSlayer1225: NORAD is a hoax! Send me one of those chips ASAP, can’t wait to prove it! So, what are you going to do with the data once you have it?

ElfOnShelf 🧝🏽: Sell it to BIG Toy! Cha-ching! 💰

And thus, the commercialization of Christmas was finally complete thanks to the always watching eye of an elf on a shelf and a little help from the North Pole Truth Seekers. For the price of accepting a few “harmless” cookies Santa had unwittingly sold himself out. ElfOnShelf sold Santa’s secrets to the highest paying data brokers and lived happily ever after with a private island in the Caribbean.


Grey Market Labs is a Certified B-Corp founded with the mission to protect digital life. We build revolutionary software including Replica and hardware products, and partner with like-minded industry leaders, to create a future with “secure-environments-as-a-service”.

Contact us to see how we can work together.

Pattern-of-Life through Electricity Monitoring

By | Data Privacy, Information Security, Risk and Liability | No Comments

Household electricity monitoring provides insight into the usage of electronics in the home. Monitoring can be accomplished through commercial products (e.g. those described here or through a utility provider’s service (such as the Duke Home Energy Report). These insights can help pinpoint which devices are wasting energy to help the homeowner save money. The analysis of electricity by these products or providers is so in-depth that they extract exact brand information on individual devices based on how much electricity that device is using and the unique electrical signature it produces

This information can also be used for Pattern-of-life analysis to expose the daily activities inside the home – which could be used for anything from targeted advertising to exploiting security weaknesses. It is important for homeowners to be aware of how this data is being used and what rights they have over it in order to make informed decisions when managing risk and participating in politics.

#GREYdient Score: 3/10


Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers work, online.

Contact us to see how we can work together.

Protecting Investigators

By | Data Privacy, Data Protection | No Comments

Private, federal, and state investigators are increasing their online presence because more of their work is going online.  For the most part, investigators are not trained in cybersecurity practices.  So, when they are online looking for criminals, there is a high chance that those same criminals are looking back at them.  This puts their organization, investigation, friends, and family at risk.  Most investigators try to separate their work life from their personal life, but the internet blurs the line between personal and work.

For example, in 2018, investigators were researching sex traffickers, specifically massage parlors in Manhattan, using VPNs; however, real estate agents were still able to track down their information and call those investigators on their personal cellphones.  These investigators suddenly became aware that their online presence was able to be tied to their personal lives even with cybersecurity practices.

The separation of work and personal is key, but investigators still need to access the tools and data needed for their job.  The undercover tradecraft needs to be applied to this field to protect legal and legitimate investigations.  So how do we protect investigators?

1st: Investigators need the tradecraft and training in cybersecurity to ensure they can protect themselves.  They also need to understand what will expose them to the digital world.

2nd: They need comprehensive tools to ensure they are not exposed at the seams.  Investigators are currently using multiple tools that are not designed to work cohesively together (VPNs, burner phones, anonymous browsers).  These individual products have a marginal benefit that leaves open cracks which criminals can exploit.  There needs to be a comprehensive solution/product that can combine these disparate tools in a seamless manner and seal the current gaps.

To work towards eliminating these gaps, check out for more information.

DNS: Still Insecure By Default

By | Data Privacy, Data Protection, Information Security | No Comments

The use of encryption on the internet has grown tremendously over the past decade; HTTPS has quickly shifted from a technology used primarily to protect e-commerce, to an industry standard for website development.[1]  Many users now know to look for the padlock in their browser’s address bar to confirm that their connection is securely established via HTTPS.  But that padlock is not telling the whole story.

Before your computer ever establishes a connection with a website, it must translate the website address into an IP address.  Your operating system typically handles this task, asking a Domain Name System (DNS) server to look up the address, much like a phonebook.   Unfortunately, the DNS system has changed relatively little since it was originally designed for the needs of the 1980’s internet, when there was little consideration for security or privacy.

Even now, most devices by default will pass these queries to the DNS server configured by the network operator or ISP that you are connected to – and in nonencrypted plain text!   While DNS queries do not expose the content of your internet activity, they do expose which sites you connect to, and when.  Anyone eavesdropping on DNS traffic can ascertain someone’s general browsing history, learn a lot about the device they are using, and the patterns of how they use it.  There is also a potential to block or change DNS records, preventing access to certain web addresses or redirecting your browser to malicious endpoints.  The collection of this data is a huge risk to privacy; earlier this year, a Thai ISP accidentally leaked an astounding 8 billion DNS records they collected about their customers’ internet usage. [2]

Luckily, the industry is starting to address these weaknesses by implementing support for newer DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) standards, both of which encrypt your DNS queries while in transit.  The latest versions of macOS and iOS have added support for encrypted DNS using both protocols [3], and Microsoft is currently testing DoH support for Windows 10 [4].  Unfortunately, these solutions are not turned on by default, and they still assume ultimate trust in the DNS provider, but they are a step in the right direction when configured properly with a provider you trust.

Today, Cloudflare announced a new proposed standard: Oblivious DoH (ODoH) [5].  This proposal takes DoH one step further, by adding a proxy between your device and the DNS server.  This approach aims to further increase privacy by hiding the identity of the request from the DNS server.  But, like any new internet protocol, it will likely be years before we see widespread adoption.

DNS is a foundational part of the internet and is critical to its security and privacy.  At Grey Market Labs, we think it is important to build solutions with security and privacy by design, and we hope to see the industry do the same with DNS.


Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers work, online.

Contact us to see how we can work together.



The New Dirty Word: Default

By | Data Privacy, Information Security | No Comments

It’s 10PM and you’re ending your day but hackers are just getting started. Maybe a cup of brute-force strength hacking techniques to start their day? Before you drift to sleep, you can’t help but start thinking about that new corporate application you installed today. Did you configure everything correctly with the right passwords, settings, and certificates? You can check tomorrow but business doesn’t stop and with employees working from home, “business hours” are a thing of the past. Besides, everything you tested worked great and did what it was supposed to do so you know things will probably work fine. And they do for months… until something strange starts happening and you see that new competitors are taking your business by selling a product that looks eerily similar to yours. How could they have copied it so well? You suspect that you may have a mole in your organization and so you begin analyzing the network traffic of all your employees. But what you end up seeing is something unexpected, outside traffic not tied to any of your users is coming in and stealing your internal corporate data. How is this happening? After much investigation and discussions with the provider of the application, you discover that there were default settings you had to change and you are told it’s your fault for not changing them.

It was recently reported by Hacker News that over 200,000 businesses were susceptible to being hacked because of not changing a default setting in Fortigate VPN.  Customers have been told that it’s unfortunate they didn’t follow instructions but nothing is going to change.  “For its part, Fortinet said it has no plans to address the issue, suggesting that users can manually replace the default certificate and ensure the connections are safe from MitM attacks.”  I don’t know about you but if I have 200,000 clients buying a VPN that can be hacked because my clients aren’t aware of what they need to configure, then something needs to change. “‘The Fortigate issue is only an example of the current issues with security for the small-medium businesses, especially during the epidemic work-from-home routine,’ Hertz and Tashimov noted.  ‘These types of businesses require near enterprise grade security these days, but do not have the resources and expertise to maintain enterprise security systems. Smaller businesses require leaner, seamless, easy-to-use security products that may be less flexible, but provide much better basic security.’”

This is akin to the early days of home Wi-Fi where every router was public and not password protected. A common tactic of wardriving forced the consumer router industry to wake up and make their routers private and put default random passwords on the box like happypuppy632.  Perhaps this bad publicity will force a change to the default behavior for Fortigate VPN but that remains to be seen. For liability, Fortinet may publicly be pushing a hard line but perhaps changes will be quietly made in future releases. It defeats the purpose of an application explicitly designed for privacy to be insecure out of the box when so many will just plug it in and start using it while unaware of the dangers.


At Grey Market Labs we believe you shouldn’t need a computer science degree to be safe online. That’s why our solutions are built with Security and Privacy by Design, striving toward our mission to protect life online. Our products accelerate your business and work online and in the cloud, making you more productive and ensuring privacy and security especially with in a world of remote work.

Simply: we prevent data from being compromised and protect our customers work, online.

Contact us to see how we can work together.

Not all Scraping is Created Equal

By | Data Privacy | No Comments

CREXi and CoStar Group both sell real estate information to help customers follow trends and more accurately value properties. Having the right information when buying or selling a commercial property worth $100M can make or break a deal and shift profits into the hands of those with more knowledge.

These companies have trade secrets on how they gather the information, aggregate it, model with it, and produce recommendations, charts, reports, etc. Recently, CoStar Group sued CREXi for “massive” copyright infringement and intellectual property theft [1]. It is alleged that CREXi employees were creating fake accounts to access CoStar’s data. Generally, creating a “fake” account is a violation of the terms of service. It’s even more egregious if it is being done to steal (or scrape) data and reuse/sell it for profit.

In a similar manner, Google scrapes many sites at varying intervals. They keep the news results fairly up to date, and when displaying things like the news, they have advertisements. Is Google stealing someone else’s copyrighted works so they can sell ads? Google has a News Initiative [2] that is drawing attention from France and Australia [3], to name a few. Selling someone else’s news is illegal in some countries and jurisdictions. There’s got to be a limit to what one can “borrow” from another before it’s the equivalent of stealing, copyright infringement, or just not classic “fair use.”  Is it OK for Google to scrape a news site for information that it then monetizes indirectly (via advertisements) but not OK for CREXi to scrape CoStar’s website and resell that information directly? There’s clearly a difference, but like many of these differences, they’re not black or white; context is required, and they’re usually a shade of grey.


Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers work, online.

Contact us to see how we can work together.

Do you control YOUR data and how exactly do you “control” it?

By | Data Privacy, Data Protection | No Comments

Privacy legislation has been on the horizon for almost as long as security legislation. Every year, digital tracking techniques get better (or creepier, depending on your perspective).  What if all these privacy rules/regulations actually came to fruition? What does “controlling your data” really mean – for the end user and corporations alike?

It’s hard to imagine what the internet would be like without advertisement supported projects like the Google search engine. That search engine is good because it uses data from a variety of sources to improve it. Microsoft uses data from Microsoft 365 (formerly Office 365) and its operating systems (e.g. Windows 10) to “improve user experience.” LinkedIn uses data about users to bolster professional networks (and in many cases social networks). What if all the data about your enterprise – including all your users—was configurable by you, and Google, Microsoft, Facebook, Apple, nation states, hackers, data brokers, etc. couldn’t see any of it. Maybe you’ve never thought you could control your enterprise user data to that extent … but we help make that happen.

There are speculations on what the technology landscape could look like when you start to control your own data, including this recent article from CMS Wire. The author mentions that some cookies are on the chopping block (3rd party cookies specifically). Fortunately for big tech they already have workarounds. Facebook has been allowing 1st party cookies for a while now but back-end data sharing agreements (which you probably agreed to with the Terms of Service) will continue to be a ripe source of data. Unfortunately for the end users, there’s really no functional change in the data that is exposed, stored, mined and monetized — even with GDPR and CCPA in full effect.

Truly controlling your enterprise data, including effectively masking your external enterprise footprint, is what we at Grey Market Labs enable with our Opaque platform. We expose privacy controls that administrators can understand and integrate with your existing infrastructure. Opaque is your “easy button” for digital privacy to the outside world (i.e. outside your corporate footprint).  Sometimes you need to control what users within and outside your organization have access to. We recently announced a partnership with Virtru to bring their TDF-enabled encryption and access controls to Opaque. Share data from within our platform to a user in another cloud, manage their access as desired, and get full audit of when they access it. If you need more granular controls (such as preventing a user from copying text you shared) you can share the data to have it open within Opaque directly – completely clientless. Our Virtru integration is a welcome layer of our defense in depth strategy.

Grey Market Labs® and Virtru Partner to Deliver Secure Analytics

By | Data Privacy, Data Protection | No Comments

Even with technological advancements in data processing, machine learning, and other analytics, organizations face challenges when sharing valuable data with collaborators due to a lack of transparency and ownership of data once it leaves its source point. Enterprises and agencies often rely on virtual machines to safely collaborate on their most sensitive information without losing control and giving up access to third parties, but existing solutions restrict the ways in which data can be classified, protected, audited, and shared across different platforms.

Grey Market Labs® and Virtru solve this problem by enabling data owners to maintain full lifecycle control over their sensitive information and securely share it for approved analysis. Grey Market Labs®’ Opaque platform offers patented secure virtual environments in which individuals can view and manipulate their TDF-protected data without ever having to expose this sensitive information.

Virtru’s Trusted Data Platform (TDP) is powered by the Trusted Data Format (TDF)—an open standard for object-level encryption created by Virtru Co-Founder and CTO, Will Ackerly, that keeps data protected and under the owner’s control. This technology ensures that companies can send information in a secure way that limits exposure risks.  Combined with the Opaque platform collaborators can have the assurance that content will always remain under their ownership, protected from misuse or unauthorized access.

Together, Virtru and Grey Market Labs® provide the ability to:

  • Share data more securely by adding persistent protections and attribute-based access control (ABAC). The Opaque platform uses TDF protections to ensure the integrity of sensitive data as it is shared from its original owner, so it can be trusted to inform business decisions and remain protected regardless of how it is analyzed or manipulated. Data owners can revoke, expire, or audit access to information at any point in its lifecycle, making it easier to share and collaborate with multiple parties. With ABAC, data created by different organizations in different applications can carry the same protections and access policies—whether the content is being collaborated on within a secure enclave, shared in transit, or brought outside of Opaque for offline consumption.
  • Improve performance with expanded access to analytic tools. By enabling granular audit of users and data activity, Opaque makes it easy for organizations to provide assurances that information can securely travel across environments and systems it might not otherwise be permitted to reach. As a result, end-users can ingest and analyze their most sensitive data using a broad array of collaboration and analytic tools, whether desktop, web-based, or cloud-based. Each Opaque virtual environment can be preloaded with the applications needed for an individual data analyst to perform his or her work and since each environment is isolated, owners are granted administrative rights to their virtual environments enabling them to safely configure instances on-demand.
  • Increase data transparency and accountability. By increasing transparency into where and how data is being shared, organizations can enhance trust and ensure they are safeguarding private information while providing the defensible audit of data to ensure regulatory compliance or third-party audits.

For more information, please contact Kris Schroeder, CEO at Grey Market Labs.

The Challenge of In-House Data Protection and Privacy

By | Data Privacy, Data Protection | No Comments

If you are a mid-size or larger business, you have an overworked security team. Those teams have responsibility across dozens of business areas, from executive protections, to cyber defense, to insider threat and more, many with competing priorities. Increasingly, security practitioners recognize that protecting customer or individual privacy is the most proactive way to protect the most important and sensitive activities of an organization (Apple Declines new API’s Due to Privacy Concerns).

The challenge is in the implementation – some companies with in-house engineering skill, or the resources to hire consulting firms, have tried to enact “enterprise privacy” by cobbling together integrations of “no track” VPN providers, isolated browsers, and imposing increasingly strict firewall and application rules. The end result is an increasingly costly environment to maintain and, in the end, a net decrease of the end user productivity with restrictions on internet services. In fact, these environments can be so brittle they actually increase the chance of compromise, since failure of one piece in this puzzle. For example, last month seven ‘no log’ Hong Kong VPN providers were accused of leaking 1.2TB of user logs onto the internet via unsecured Elasticsearch cluster (“No track” UFO VPN exposes user data). If any company or individual employees used those servers during that time, they were exposed and were ripe targets for hacking. Whether this was a misconfiguration or something worse, exposed VPNs are just one example of the fragility that comes with home-grown privacy solutions.

The goal should be to isolate external-facing internet activity and implement an architecture that enables zero-trust. While that sentence is buzzword heavy, the isolation approach limits exposure of any one component of a system, so if a VPN is compromised it doesn’t necessarily mean the company will be impacted. Also, when you bring in zero-trust concepts to a completely controlled environment, a company can increase the level of data sharing that is available while at the same time increasing data protection and privacy. Expect and ask more from the tech industry.

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers work, online.

Contact us to see how we can work together.