January 28th was the fifth annual observance of National Data Privacy Day, the annual date devoted to raising awareness about the use (or misuse) of our personal data and the importance of keeping it private. Many would argue that ship has sailed.
Everything about us can and is being collected, analyzed and sold, every moment of every day. Location data from mobile phone apps track individuals’ travels with astonishing precision, accurate to within a few yards and updated up to thousands of times a day.
Apps that gather your location information often sell it without your knowledge, and while that data is supposed to be anonymous, someone with a need to know could ultimately identify you. Privacy expert John Verdi described such a scenario in an interview with Forbes magazine:
“It is not possible to stop my ISP from selling my surfing habits to my healthcare company, which combines it with my vacation data, my neighborhood data and so on, to know things about me that I would never tell them, and that they possibly have no legal right to ask.”
There is little that Google, Amazon and Facebook don’t know about you
The online giants and telco carriers have deep insight into who we are, what we do, and how we spend our time.
- Google knows perhaps more about us than any other entity--what you search for, what videos you watch, the websites you visit, the devices you use, the apps you download and your use of Google docs, sheets or other tools. Google’s data collection practices even scan your email to extract keyword data to customize other Google products and services.
- Facebook has your profile, relationships and activities since you signed up. Every friend in your network, groups you belong to, trips you’ve taken, hometown, schools, photos you’ve been tagged in, political preferences, and every post and page you “liked”.
- Amazon has an expansive, 360-degree view of our lives and buying habits that grows deeper with each acquisition and visit to its properties. You can track everything you have ever purchased from its online stories. Your Alexa device connects you to “everything you’re into”—Amazon Music, Audible, Kindle, and Prime TV, aided and abetted by its Fire TV digital media player and Echo smart speakers, protected by its Ring video doorbells and security cameras. All this doesn’t even include data from its Curse gaming network, movie/celeb site iMDb, comicbook and other retail subsidiaries.
The problem with data transparency
Under pressure from consumers and lawmakers, each of the online giants has taken steps to provide more transparency and allow us to impose privacy controls over certain aspects of our data. The problem is that the responsibility of policing our data still falls on consumers, not the companies using our data.
The New York Times published an eye-opening look into the illusion of data privacy provided by mobile phone apps with location tracking. The Times found dozens of companies receive anonymous but precise location data from apps whose users enable location services. These companies use and sell this data to advertisers seeking insights into consumer behavior.
Advertisers say they are interested in patterns the data reveals, not identities, but the Times article shows how location data can connect the dots, for instance, tracking dozens of devices in a school that are traceable to nearby homes.
Don’t collect it if you can’t protect it
It’s not only advertisers and businesses who want this data. Cyber criminals do too, but for much more nefarious purposes than targeted advertising. With the increase in businesses collecting this data, it’s imperative if businesses collect it – they protect it!
The Identity Theft Resource Center reports that in 2017, hundreds of millions of records were stolen from breaches. Retailers, hospitals and doctors, legal offices, non-profits and many other organizations collect a wide variety of information on individuals. Everything from social security numbers and tax information to medical records, physical addresses, emails, credentials and more.
Criminals use the information they collect to file for loans, conduct insurance fraud, set up burner phones, access bank accounts, and create entirely new identities for themselves using your data. The impact can be long lasting and stressful.
That’s why IT security professionals put such an emphasis on security awareness. If hackers can simply pose as someone else via email and ask for data, rather than attempt to breach sophisticated technical controls, they’re going to follow the path of least resistance. Each one of our Security Awareness Service clients has had employees that fell victim to our baseline phishing testing. Education, alertness, and the ability to avoid the threats is key.
Can we get the data genie back in the bottle?
It’s technically possible to solve the data privacy problem. Apple CEO Tim Cook says all we have to do is strip identifying information from customer data or avoid collecting it in the first place.
If only it were so simple. Data is the fuel that drives innovation, personalization and product development, which in turn, fuels consumer demand and dependency. Would we all be willing to give up Google search, Google Maps, mobile payment, streaming music, online shopping, Uber and Lyft? It’s safe to assume that answer is a resounding no, so is it possible to structure a balance that does not put privacy on the line? That’s the issue for 2019.
A Data Privacy Reality Check
U.S. lawmakers are under pressure by consumers to write a national privacy law similar to the European Union’s GDPR rules. A Pew survey reveals two-thirds of respondents don’t believe current laws provide sufficient protection, and 60 percent want more autonomy over their personal data.
Several members of Congress have asked for laws that require data minimization to ensure companies do not keep sensitive data they no longer need. Legislation introduced would require large tech companies and other data providers to take steps to safeguard user data and stop its misuse. Under the The Data Care Act, tech companies would be required to provide the same level of data protection as banks and hospitals. The legislation would allow the Federal Trade Commission to make rules and impose penalties and let state attorneys general enforce new protections.
This is the state of data privacy today. Next year on January 28, we’ll see how far we’ve come.
