Collecting personally identifiable information is the new gold rush in an internet as regulated as the Wild West.
I don’t care about privacy, I have nothing to hide.
It is common for decent, every-day folk to believe they have no digital privacy concerns because they have nothing to hide. But this is confusing privacy with secrecy.
Privacy is the reason you shut your bedroom curtains to the street at night, close the door behind you at a doctor’s appointment and use a change room at the department store. What happens when you go to the toilet isn’t a secret, but you still close the door.
The list of examples like these is endless and you can probably think of many more because privacy is a societal norm and, whether you are conscious of it or not, it forms an intrinsic part of your everyday life.
However, in the online context, privacy is often confused with secrecy due a lack of understanding and awareness about what is at risk.
For more than a decade, we’ve been posting our every thought, activity and interpersonal interaction online with increasing frequency. We perceive value and efficiency through connecting and integrating as many different apps and services as we can. To do this, we click “OK” to grant each app read/write permissions to the personal data stored in the other apps.
We don’t read Terms & Conditions or Privacy Policies. We just accept them. In doing so, we agree to trade all our personal information for unpaid access to email and social networks.
We implicitly trust app developers and service providers. We naively assume ethical and moral behaviour because so many other people are using the same apps and networks. We think the provider couldn’t get away with questionable actions because we expect someone else, or the system, would hold them to account.
Behind the scenes, corporations and governments are converging technologies, building ever-more-capable networks, retaining & analysing metadata and sharing information.
Tech headlines talk of the future and the impending “Internet of Things” (IoT). But, the IoT has quietly arrived and is already busily doing its thing. In the rush to be first to market, companies don’t design, develop or test as well as they should. They introduce even more vulnerabilities.
We find ourselves looking down the barrel of a future without privacy as we have historically known it. By removing the layers of abstraction between our online presence and our daily lives we make it easier for others to exploit and manipulate us, steal our identities and, possibly the scariest of all, intellectually isolate us.
In this article, I talk about what is at risk, how we let it get this far and some of the actions you can take to regain some control of your privacy.
What is at risk?
We live in a world where we expect information on demand and in context; based on where we are and what we are doing.
To offer this functionality, the apps and services we expect this from depend on the collection, recording, storage, analysis and application of data and information about individuals and groups.
All of the data that is tracked (more on this below) is paired with Personally Identifiable Information (PII) such as your name, date of birth, address, phone number, job, tax file number/social security number, your face and even details about your partner/spouse and children.
When it is all crunched together, the data from your social networks, the apps you use, the websites you visit and general PII combine to build a very comprehensive profile of exactly who you are, what you do, what you like and who you interact with.
All of this data can be used effectively and with good intention to improve our lives.
But, it can also be used to exploit you.
Data has an extremely high value. Your profile, once collected (legitimately or otherwise), is often sold. There is an entire industry of data brokerages who collect, crunch, analyse and sell data about you without you being aware.
Those buying the data will use it for a range of purposes, including (but not limited to) serving specific advertising to you, performing risk assessments (for example, credit or insurance risk assessment) and directly targeting you for marketing campaigns.
When the Internet was first created, it was “open” and “free”. Indeed, these are the very principles we seek to protect with Net Neutrality, but it costs money to provide “free” services and the services and networks that have become part of your daily routine cost a LOT to run. Let’s use Facebook as an example:
- According to Statista, in the fourth quarter of 2017 Facebook had 2.2 billion active users monthly.
- The cost of the compute and storage required to run the social network for this many users is astronomical. (Compute is required to ensure the service is available and loads, no matter how many people connect to it at the same time. Storage is very expensive and it is forever expanding with all the photos and videos that users upload).
- No one could afford to run Facebook without a business model to cover costs, pay employees and, ideally, profit.
- Advertising is the original business model of the Internet. Today, your personal data informs advertising. The logic is simple: the more tailored an advertisement is to your interests, the less annoying the advert is to you and the more likely it is that you will click it. “Everyone wins”.
- Facebook is not free. You and your personal information (who you are, what you like, who you know, what you are doing, what you are buying, who you vote for, where you holiday, who you bank with, what brands you wear, what toys your kids play with etc etc) are the primary asset Facebook has to profit from. In fact, Facebook collects 98 data points on you to sell to advertisers. They are very explicit about this.
- Facebook sells your data and the ability to target advertising specifically at you for serious coin; earning over $6 billion USD in advertising revenue in Q2, 2016. Statista predict that, in general, Social Network Advertising will account for $51.3 billion USD in 2018.
Those are mind boggling numbers and the implications are concerning.
Targeted advertising is intrusive and a little bit creepy. You would call the police to report someone as a stalker if you discovered that they were following you everywhere you go; collecting, monitoring and recording your every movement and interpersonal interaction and rifling through your trash to keep snippets of your correspondence. (Not to mention using this information to try to get you to perform actions that suit them.) Yet this is exactly what is happening online.
The Orwellian application of this data collection is also concerning. With China rolling out a Social Credit System, this risk is suddenly very real; not just some far-fetched, dystopian conspiracy theory of the tin-foil-hat brigade.
But, when it comes to privacy, your concerns are not limited to this.
The more information that is available about you online, the more you can be exploited or manipulated through social engineering, identity theft, stalking and/or harassment.
Data brokers sell PII databases online, both legitimately and illegitimately.
There have been numerous documented cases, such as the Palin Hack, where an attacker has taken over an individual’s email address by using personally identifiable information sourced online to trick password reset tools.
Your email is your identity; it is the gateway to all networks and services that you use online. Once an attacker has access to your email, they can take control of most of your life.
The moment an attacker has locked you out of your email, they can audit your mail directories at their leisure to identify which banks and financial institutions you use, which social networks you are active on and any other accounts that may be of interest and then, using your email for password recovery, it is a simple task for them to click “forgot password” on each site to reset the passwords for those accounts and make a real impact on your credit line, your life savings and your reputation.
If they need to, a hacker won’t shy away from social engineering to impersonate you, to get around extra levels of security that financial institutions might impose.
The “filter bubble” is possibly the most concerning of all.
Companies like Google, Amazon, Facebook, YouTube and Netflix use computer algorithms to determine the search results, articles, media and advertisements you see.
These algorithms show you content based on what the company *thinks* you want to see, based on the information it knows about you, including inferences from your previous search history and links that you’ve clicked. You won’t be shown things the algorithm thinks you are less likely to click.
This “filter bubble” effectively locks you into a cultural or ideological loop, where you are not exposed to viewpoints that differ from your own.
This is a really big deal. Not only can it result in a state of intellectual isolation, it also means your viewpoints can be used to manipulate you into specific action, as feared with the Cambridge Analytica controversy surrounding the Trump presidential campaign and other elections around the globe.
How did we get to this?
Waaaaay back in 1948, the United Nations declared privacy a fundamental human right. That was well before the Internet.
Today, we, as individuals and corporations, seek to use data, analysis and machine learning to optimise and enhance our lives.
In fact, nearly every aspect of our lives is backed by a computer chip and a sensor, as technology innovates and iterates in the Internet of Things. Very soon, everything will be interconnected.
Depending on the appliances, automobiles, devices and peripherals you purchase and use, perhaps even regardless of them, the corporations who make those devices probably know more about you than you could list yourself!
“Governments — that’s one threat; businesses are also collecting more information than they should. We now have a stalker economy where businesses are finding out everything about you.” Al Gore
Just for a moment, consider the BIG picture:
To paraphrase Bruce Schneier and Kevin Mitnick, your telco knows where you are, who you talk to, where you live and, because they can tell where devices physically are, they can tell which phone is on what nightstand and, therefore, who you sleep beside. Your car knows how fast you drive, where you’ve stopped and what pressure your tyres are. Your fridge knows when your milk goes out of date, your shopping list and, through its integration with your calendar, what you’ve got planned for each day of the week. Your watch knows when you stand, when you sit, when you workout, how many steps you take in a day, how well you sleep and even when you have sex.
Your computer knows what websites you visit, what your interests are and what you buy online. As an example, and bearing in mind that I take proactive action to minimise the amount of outbound communication that my machine can make and still have functioning software, this is a visual representation of how my laptop is talking to the world right now while I type this sentence:
Google stores your Internet search history, every location you search for in Google Maps and every place you visit (so long as your phone is in your pocket or your bag). (Check for yourself here).
By utilising tracking tools like Google Analytics, Facebook Pixel and cookies, Facebook and Google both track what websites you navigate to (even when you are not logged in). They know which bank you use and what your credit limit is, what medical symptoms you want to know more about, what your favourite genre of adult entertainment is, which sporting teams you support, who you place a bet on, when you need family planning advice, what you’re growing in your garden… and because you searched for what ratios you should use to mix borax, sugar and water, they even know that you have ants.
As home automation moves into the mainstream, products like Google’s Assistant, Apple’s Siri, Microsoft’s Cortana and Amazon’s Alexa are always listening. Their core function depends on tracking your conversations and scanning for the keywords that tell them to spring into action. So, they know what you’re talking about, what music you’re listening to and what you watch on television. Start adding in further automation hardware, such as Google’s Nest and they know what time you get out of bed, what temperature you like your living room set to, how often you burn the toast and, paired with some publicly available facial recognition APIs, who is knocking on your front door.
The apps you use can even recognise your emotional state and respond accordingly.
You may join retail loyalty programs. You may use apps to track your run/ride/gym session. Perhaps you scan the barcodes of the food you eat to track your nutrition and calories. You might opt-in to tailored advertising on Twitter. Maybe you tell Google to remember what videos you watched on YouTube. You might “pin” your wishlist of fashion items and home decor in Pinterest. You might review restaurants and hotels on TripAdvisor or upload photos to social networks and tag locations and friends. You may tweet your opinions about the latest headlines. Maybe you regularly speed when you are behind the wheel but slow down when Waze (Google owned) reports that the police are ahead. Even when you’re not using it, your smartphone is sitting in your pocket reporting a constant stream of statistics back to vendor HQ.
If you use “free” email services like Gmail or Yahoo! or social networking services like Facebook, Twitter or Google+, then you are trading your personal information for access to and use of the service.
Your every thought and action is either directly captured, or can be inferred from, your activities online. You granted full access to, and usage of, this data when you clicked “I accept” to the terms and conditions of the service without reading them in full. In some cases, you even weakened or gave away your unique intellectual property rights for any ideas you’ve had and then talked about using a service.
Maybe you don’t do all of those things I just listed.
Maybe you do none of them.
You might not even own a smartphone.
But that doesn’t matter — the corporations can use data from their other users (such as their telephone address book) in combination with tracking scripts, cookies and browser fingerprinting to build a “shadow profile” that represents you. Which they then use to track you and serve targeted advertising to you.
This is the world of big data and data analytics. The sheer volume of data captured about you is overwhelming. Data is captured from every available source, to the point that James Comey stated, as FBI Director, that everyone should cover up their webcam when they are not using it.
If that feels a little melodramatic, consider that Facebook CEO, Mark Zuckerberg, who believes that privacy is no longer a social norm and who has built a multi-billion dollar company from the collection and brokerage of personal data, covers his laptop webcam and microphone with strips of tape. (Pictured below)
Our respective governments legislate and mandate the retention of data and the provision of data on demand for persons of interest. They surveil society as a whole and trade with corporations for even more data and any associated insights. They monitor and analyse all this data to identify opportunities and threats.
While there is legislation to protect you and your rights online, enforcing it is complicated. This is primarily for two reasons; firstly, legislation can be contradictory (for example, one European law might protect an individual’s right to be forgotten, while another might require telecommunications providers to store communications data for at least one year). Secondly, the Internet is universal, but our legal systems are not. As data flows across borders, it enters different jurisdictions that are regulated by different legislation and different judicial systems.
It’s a bit of a mess. Legislative initiatives like GDPR are steps in the right direction, but there is a long road ahead.
I worry about the future my son faces. He will never know privacy, at least not the same way that I did growing up. I was lucky enough to grow up playing in the backyard with my family, or in the bush with my friends or simply hanging out by myself; perfectly entertained by a book or my imagination. If I experienced angst, stress or conflict with other kids at school, when I got home I was free of it until the next day. Whereas, my son will never know a life without the Internet. He will never know what it is like to be offline or to have a life that isn’t driven by interconnected technology.
While I am hopeful that our future will see more regulation of the industry and us having full control over our own personal data, the reality is that online anonymity is a thing of the past for most people. We are too busy and the convenience offered to us by all the apps and services available is too great to refuse.
Don’t get me wrong, you can be invisible online, but it takes dedicated computing equipment, time and effort. Only the most dedicated and paranoid can achieve it and maintain it.
For the rest of us, there are a bunch of relatively simple things you can do to limit the data that is collected, increase your security, help minimise the filter bubble and help protect your identity and your privacy.
What can I do?
When it comes to using social networks, smartphone applications and other online services, there is a general rule to remember:
If you do not pay for the product you are using (smartphone app, social network or service), then YOU are the product.
Even if you do pay for the product, you should be reading the T&C’s and privacy policies to see what data is shared.
Using an “incognito” or “private” browser window is a misnomer. They do little more than not save which webpages you visited:
10 things you can do right now
In the future, I hope to publish detailed “how-to” articles on specific steps you can take to increase your privacy and harden your system, but there are ten things you can do right now to vastly improve your privacy online:
1.Use a different password for every account
Passwords are a flawed authentication mechanism. We pick ones that are easy to remember… and, when we use the same password on multiple accounts, the password is only as secure as the weakest website you’ve used it on. Website authentication credentials are hacked all the time. (You can check whether your account has already been compromised by entering your email address here: https://haveibeenpwned.com )
Using a password manager, such as 1password, will help you generate strong and unique passwords for every account. You only need to remember your master password and let the password manager deal with the rest.
The caveat: password managers are only as strong as your master password. If you lose your master password, or if it is a weak one, you are still at risk.
To create a strong master password, avoid using common words or key combinations. Instead, use a memorable phrase and substitute letters with characters and numbers. For example, you might find it easy to remember“Mary had a little lamb, its fleece was white as snow”. That can easily be morphed into a strong password: MHAl1ttleL@mb-IFWWAsn0w.
Even if you use a password manager you should periodically change your passwords.
2. Use Two-Factor Authentication (2FA)
Many providers now offer 2FA. If it is offered, turn it on. Especially for email, financial institutions and social networks. (What is 2FA?)
3. Don’t click links in emails
Phishing attacks are rampant. A phishing attack is an email that falsely claims to be from a trusted source, such as your bank, and that includes a call to action in the form of a request for information (usually asking you to click a link in the email) to confirm some detail, or authorise a transaction.
If you do click that link and enter your authentication details, it will be on a fraudulent website purpose built to capture your information and your account will be compromised.
The emails will look legitimate. But, legitimate institutions will never send you an email asking you to click a link regarding any type of sensitive information.
You can carefully look at the sender address or the link’s URL, they will always be incorrect. But, the safest thing you can do is to ALWAYS delete the email without clicking anything and go to the website directly to login and action anything required. If in doubt, pick up a telephone and call them.
4. Instal Firefox and privacy-enhancing plugins
Mozilla, who make Firefox, are committed to enhancing your privacy.
Ditch your current browser and instal Firefox.
Open the settings/preferences:
- Navigate to the “General” section and make Firefox your default browser. Scroll down the page to “Firefox Updates” and select the radio button next to “Allow Firefox to automatically install updates”.
- Navigate to the “Search” section. Change the default search engine from Google to DuckDuckGo in the drop-down menu. Turn off all search engines under “One-Click Search Engines” except DuckDuckGo. (You can always go directly to google.com if you need to.)
- Navigate to the “Privacy & Security” section. Select “Always” under the “Tracking Protection” and “Do Not Track” sections. Scroll down to “Security” and ensure “Deceptive Content and Dangerous Software Protection” is enabled.
To automatically block tracking scripts, enforce SSL encryption on all websites, block advertising and automatically delete cookies; you should instal and configure the following privacy-oriented plugins:
- Privacy Badger
- HTTPS Everywhere
- uBlock Origin
- DuckDuckGo Privacy Essentials
- Multi-account containers
- Cookie AutoDelete
To be clear, completing this step in full will vastly improve your online privacy. While you can still be fingerprinted, the plugins listed will encrypt your connections to websites, block tracking scripts and automatically remove tracking cookies.
5. Don’t use public Wi-Fi
Either tether to your phone or enable your phone’s WiFi hotspot and use 4G data instead. (If you do enable the WiFi hotspot on your phone, always set a password.)
If you must use public WiFi, connect to a Virtual Private Network (VPN) first. A VPN will encrypt all traffic between your machine and it’s server, preventing anyone spying on your traffic while you do things like log in to websites or your internet banking.
When you are connected to a VPN, the only people who will know what sites you’ve visited are you and your VPN provider. But, this in itself creates another issue. Not all VPNs are equal. Not all can be trusted. Do your research on the different VPNs available before choosing one. Don’t rush this process.
You should avoid VPNs that record (log) user activities, such as Onavo VPN (Facebook Israel). You may also want to avoid VPNs based in The Fourteen Eyes.
Look for VPNs who use Perfect Forward Secrecy (PFS), also known as “Forward Secrecy”. PFS protects past sessions against future compromises. In other words, if any of your encrypted traffic is captured now, it cannot be decrypted later even if an encryption is key is compromised.
6. Set up a dedicated debit card for online purchases
Contact your bank and set up a new, linked, bank account with a dedicated debit card attached to it.
Use this card exclusively for all online purchases. Keep a little bit of money in the linked account, but not a lot.
If your card details are ever compromised, you can only lose as much of your hard-earned cash as you have deliberately transferred into that specific account.
That will mitigate the risk of lost funds.
If you want to increase your privacy even more, use cash to buy pre-paid debit cards or gift cards and use those online.
If you’re completely paranoid, you could instead use those pre-paid debit cards to purchase Bitcoin and then run the Bitcoin through a tumbler. Bitcoin isn’t as widely accepted as Visa or Mastercard, though.
7. Update your permissions
For whatever social networks and services you use, update your permissions to ensure what you share with others only goes to the audience you intended it to.
Carefully consider if you really need to share what you were about to share.
If you use tools like Strava or Garmin to track your run/ride/swim, set up a privacy zone around your home and work addresses.
Be aware that the photos you take with your phone contain location data that shows exactly where they were taken. If you post the photo online, others may be able to extract this information from the image.
For this reason, you should always consider what is visible in the background of the photo. Is there a private letter on the bench? What else is reflected in the mirror? Are you wearing expensive jewellery? Are your children in the photo? Here are several things you should consider before posting photos of your children online.
8. Opt out of ads
There are digital services that allow you to opt out of advertisements, such as http://optout.aboutads.info. Do this.
Opt out of tailored advertising wherever you can, for example Twitter, Google and within the privacy settings on your mobile device.
When you opt-out of tailored advertising, you will still see ads, but they won’t be as relevant to you. This is a good thing, as it means you’re not being as tracked as you were before. (If you install uBlock Origin, as suggested above, you won’t see many ads anyway.)
9. Keep device operating systems and apps up-to-date. Back up what you need.
The web is not a safe place and attackers constantly strive to exploit vulnerabilities in web browsers (and their plugins) to run malicious code without your knowledge.
For example, a perfectly legitimate website may unknowingly serve you malicious content through third-party services on their site, such as advertising. This is known as a “drive-by” attack.
In recent years, there has been an increase in ransomware attacks, where an attacker locks you out of your files until you pay them a fee to restore access. It is not advisable to pay a ransom, as there is a strong likelihood the attacker will simply increase their ransom demands once they know you are willing to pay. So, it is important to consider what data you have that is irreplaceable (such as your photos) and keep these backed up.
Don’t use software past it’s end of life date and check for system updates regularly (and apply them when they are released because they often fix security vulnerabilities and keep you in control of your own data).
10. Use an email provider like atmail who doesn’t scrape your email
Unless you use email encryption, the body of your email is sent across the web and stored in clear text with all the privacy of a traditional postcard. If you do use encryption then the email metadata (To, From, Time, Date, Subject etc) is not encrypted.
Finally, stay vigilant.
- Don’t blindly trust your providers. Always read Terms & Conditions and Privacy Policies carefully. (It only takes a few minutes and you don’t need to speak legalese to understand when something doesn’t look right).
- Keep your software up-to-date.
- Before you act, think carefully about what apps you use, what systems you integrate and what you post online.
Picture two houses that neighbour each other in your street.
One house has the front door closed. The lights are on. People are active inside. The front door of the other house is wide open, it’s dark and quiet and it’s obvious that no one is home.
Which house is more likely to get burgled?
The one that poses the least amount of risk and requires the least effort.
Don’t be that house.
Daniel Viney is atmail’s Innovation Director. He first published this article on Medium.com on 5 June 2018.