Data Privacy Day: Challenges to Having a Meaningful Online Presence

Every year on January 28th, we celebrate Data Privacy Day. Throughout Europe and in the US and Canada, people are coming together to raise awareness about how our personal information is being used. Every day, we are asked to “accept” an end user license agreement (EULA) or to provide private information in order to get a service or product. Every day, consumers around the world wonder if they are sharing too much or if those they are entrusting with their private data will guard it as securely as they might want. For more information, please visit the special Data Privacy Day page on the StaySafeOnline.org website of the National Cyber Security Alliance (NCSA) for tips and resources for parents, teens and employees.

 

We don’t understand how advertising works - Data privacy concerns extend to information we intentionally share (such as to network with friends or colleagues on a social networking site) being used for purposes we poorly understand. For example, most online sites that are free to use make their money by showing us advertising. This is true on online news sites, social networks, even search results. Often consumers complain about those ads. They don’t understand why they are presented with a particular ad or complain about the images they see. Sometimes people think the information they share with the website in their profile is being sent to the advertiser, but that’s often not the case at all. It’s just that the mechanism of websites is usually not well understood by consumers, and they are left to draw their own conclusions because no one is helping them figure it out.

 

We need simpler EULAs - Of course, you could read the site’s privacy policy, but let’s be honest. Some of those policies are written for the entertainment of other lawyers. We need use agreements and privacy policies that are clear to the average consumer, not only to those with advanced degrees. Whenever you install an app on your mobile device, you are presented with a screen full of text, a scroll bar to view more and an option to “Accept” the terms. How many of us actually take the time to review the agreement? Few, I’m sure. Most of us just want to play the game we downloaded. Often, in those very terms you can see what data the app will access and how it will use it. This can be surprising. In fact, Norton’s www.mobilesecurity.com site has tools to help show you how potentially invasive some of our favorite apps can be: displaying ads from tens of ad networks, sharing our geo-location information, sending our contact lists and even our phone number back to the app’s maker. Often, the use of our private data is necessary for the program to function properly and the app maker is probably completely above board. The gap is in the consumer’s knowledge of how their mobile device is sharing information and who is getting it. Sometimes, the only clue you have that your apps are busy sending data is noticing that your battery charge isn’t lasting as long as it used to, due to the constant streaming of information to the server.

 

Sometimes, we have to trust but monitor for problems - In other environments, you share data with a measured level of trust. For example, you probably have a credit card. In the application process you shared a great deal of private information, ranging from your social security number to your employment information. Data breaches, where databases of customer information are leaked, stolen or lost, can make any consumer nervous about how our private information is stored and maintained, or even who has access to it. Consider your doctor’s office as well. Despite US protections such as HIPAA, it’s still possible that someone in the office could access your data for inappropriate uses. As a result, all of us who are active consumers, offline and online, need to accept a certain amount of measured risk to our privacy while at the same time demanding more effort from our vendors to keep our information safe.

 

Real world benefits from sharing data - Consider your key chain: are there any grocery or drug store membership tags on there? When you visit a store, do you enter your phone number into the keypad to receive discounts and incentives? That means your shopping activity is being entered into a vast database of consumer information, helping the store tailor the products on offer and the weekly specials, and inform you of recipes or healthy living tips. Sometimes, the level of knowledge the retailer has about individual customers can turn a strange corner and the store can actually predict things about its customers that the customers haven’t yet realized or shared.

 

And the consumer loss to turning off these services is pretty obvious. You might pay higher prices when you opt-out of membership schemes. Turning off the geo-location map in your mobile device means you can’t “check in” at stores and restaurants and receive incentives. It also means you can’t easily navigate in unfamiliar locations.

 

What was once hard to find is now online - On a larger scale, there have long been databases of information about you that you don’t control like mortgage information, property deeds and legal databases. In the online world, sites like Spokeo or Zillow emerge to provide these databases to the public, for free or a small fee. Now, your political contributions are listed online and include a map to your neighborhood. You can snoop on your next-door-neighbor to find out how much they paid for their home. You can check out a potential new hire or new romantic partner to see if they have any legal troubles. In the good old days, that data was only available to those who went into a physical location like a courthouse or the department of motor vehicles to request the information in person. Other examples might include the public listing of those with gun permits, on the sex offender registry, and very low cost background checks available online to anyone.

 

Information about you in the wrong hands can lead to real world harm - Rebecca Schaeffer was a TV actress in Los Angeles. In 1989, a deranged fan obtained her home address by paying a private investigator $250 to obtain the records from the DMV. He learned this technique from newspaper reports of another stalker’s methods. Having so much very private data available, either free or for minimal cost and effort, can have serious real world consequences. Ms. Schaeffer’s story illustrates the real world security risk. But what about online?

 

In the online world, the harm is just as real - In the online world, we rely on passwords and (usually) email addresses to validate our identity with online sites and mobile apps. Your email address is readily known to anyone you correspond with, and if you use your work email address, it can be readily guessed by anyone familiar with your employer. Therefore the pressure is entirely on the password to let you in and keep others out of your account. Most of us rely upon the fact that few hackers will target any of us individually. But sometimes it happens, whether due to our actions, a data breach or malware enabling someone to gain knowledge of our password. Once this happens, the intruder can steal money, destroy data, or present themselves as us to others. It can be a nightmare, as Wired magazine reporter Mat Honan recently discovered.

 

Just to illustrate the ease with which private information is available to anyone, I decided to select a co-worker at random. I entered her name into a search engine and quickly found her information on social network and work networking sites. I discovered where she lived, the name of her husband, even some of her family tree on a genealogy site, which means I know her mother’s maiden name (often used for security questions). I also found numerous photos of her in the search engines’ image display.

 

Presence versus no online presence - Accept that there’s a lot of personal information out there about you. Can you opt out? You can choose not to participate in social networking; you can pursue some of the companies that post your information to request its removal; you can work with services to help you manage your online reputation. The downside might be that you minimize your online presence. Presence has value and the lack of an online presence may have risk.

 

A friend of mine was being “set up” with a man. She asked for his name and said she would check him out on Facebook first. And if she liked what she saw, she’d allow her phone number and name to be given to him. What if he wasn’t on Facebook?

You apply for a job and claim certain skills. So does another equally qualified candidate. The employer uses LinkedIn and sees the other candidate’s full resume is posted, he’s networked with his ex-co-workers and many have left testimonials praising his efforts. Who gets the job offer?

 

What’s your level of risk? My advice to any of us is to try to balance our paranoia with our reality. If you are someone with reason to fear the misuse of your private information to cause you real world harm (if you are a public figure, famous or have a history with dangerous people), you must take steps to minimize the information about you online and in easy-to-use databases. Police officers regularly make sure their home address and other private information is removed from public databases. They choose not to use social networks.

 

Use privacy settings to minimize who has access to any of your information. Monitor your settings as the vendor site may change how things work from time to time. Remove anyone in your network that you really don’t know. Remove photos you think might provide too much information or are genuinely private. Never post your phone number, address, or other physical world details on the site. If someone wants to send you an invitation, they can email you to request that information. This gives you the option to provide a PO Box, office address or other alternative to your home address, if you are concerned.

 

Curate the mobile - Remove any apps you no longer use. Configure the settings on your apps to minimize the information they transmit or the frequency of their activity. You will find your battery charge lasts much longer as a benefit of this effort. I highly recommend Norton Spot, a free Android app that detects apps that spam you with ads so you can dump them.

 

Empower yourself – Take the time to visit the Data Privacy Day page at StaySafeOnline.org (the website of the NCSA). Explore the Privacy Tips, and Parent and Teen resource pages for ideas about simple ways you can take control over your data and increase your awareness of risk factors.