The growing danger of visual hacking and how to protect against it

In this Help Net Security interview, Robert Ramsey, CEO at Rain Technology, discusses the growing threat of visual hacking, how it bypasses traditional cybersecurity measures, and the importance of physical barriers like switchable privacy screens.

Could you explain visual hacking and why it poses a significant threat to individuals and organizations?

Visual hacking describes any attempt by an individual to see or capture information they have not been authorized to view. Also referred to as snooping or shoulder surfing, it can refer to anything from casual invasion of privacy, such as looking at someone’s phone, to using cameras to capture people’s banking information or PIN for the purpose of committing fraud or theft. The negative impacts of visual hacking range from invasion of personal privacy to theft or espionage.

Today, many organizations are focused on managing cybersecurity threats within the system, but if those significant barriers can be overcome by an individual peering over the shoulder of an employee as they view sensitive information, an important threat vector has not been sufficiently mitigated. Unfortunately, this is often the case today. This is an excellent example of “not everything can be solved with software.”

How effective are physical barriers like privacy screens in the overall context of hardware privacy?

Physical barriers are incredibly effective. Some solutions provide a barrier at 45+ degrees (to the primary viewing angle) that allows as little as 0.2% of the light from the display to be visible to everyone but the primary user. This is sufficient to block private information or content from being observed at ATMs, point of sale systems, on laptops or mobile phones, or to prevent drivers from being distracted in the case of a display in an automobile.

The benefits of a switchable solution are that this blocking of light may only be necessary in some situations, such as working collaboratively or at an ATM when not being used for a financial transaction.

What are some fundamental principles or practices when designing a privacy screen? What makes it practical and usable?

Most of the privacy screens people use today are of the fixed louver film variety and need to be adhered to a display after manufacturing. This has helped to address the immediate need for display privacy, however, there are significant drawbacks. For instance, adhering a privacy film to a laptop or mobile device means increased thickness which can impact the sensitivity of touch capabilities or prevent a laptop from closing properly. In many cases, the application of this privacy film renders the device permanently in “privacy mode,” which dramatically limits sharing or widescreen functions — a non-starter for personal device use.

Louver films are also not as resilient as a solution built into the display, as they are exposed to physical environment stresses that an LCD layer within a liquid crystal module of a display would not have — from light, to pressure, to heat.

Lastly, unlike switchable privacy display approaches, louver film privacy solutions are not automatically deployed and are not able to be controlled by software, which means that IT departments cannot enforce IT policy for confidential documents, and developers cannot automatically put your screen in private mode when confidential information such as banking details are displayed.

These are the reasons why switchable privacy built into your device screen is rapidly gaining in popularity. All privacy screens, in addition to the core function of preventing visual hacking, can also add polarizers to block harmful blue light or provide additional screen protection, but these would be seen as value-adds to the core function of providing privacy.

What are some of the best practices for organizations looking to implement privacy screens as a part of their data security strategy?

The best security measures are the ones that will be used. This means the less intrusive a technology is and the more automated its use, the more likely it is that it will be embraced and used. Offering devices — mobile phones, laptops, car displays, ATMs, POS systems — with automated switchable privacy is a top recommendation for device manufacturers, retailers and IT departments.