What Ever Happened to Privacy on the Internet?

Wednesday, February 09, 2011

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

What Ever Happened to Privacy? Insight into Internet Privacy with Rebecca Herold (Part 1)

Recently, I had the opportunity to exchange thoughts with Rebecca Herold, otherwise known as "The Privacy Professor" and talk about the erosion of privacy on the Internet, and specifically in social media. 

The topic is fascinating, as there appears to be an artificial adversarial relationship between anonymity and privacy - which merited deeper thought, and multiple perspectives.  I hope you enjoy the insightful read...

Rebecca – thank you for taking the time to do this.  I’m sure my readers (and likely yours) will appreciate the multiple perspectives on security and privacy.  I recently wrote a post on the juxtaposition of privacy and anonymity on the Internet… and just how difficult that can be. 

There are many specific “land mines” in this difficult subject so thanks for taking the time to discuss the issues, and offering your perspective!  Let's dive into the topic...

Here's Part 1 of 2 of our conversation with Rebecca "The Privacy Professor" Herold...

----

[Rafal]

First – Why do you think that the state of personal privacy is so poor right now on the Internet?  People seem to be giving away their intimate personal details for a "free" account on a social networking site – and then they seem slightly outraged when they find out their information is being sold to everyone who asks.  Do you think this is a question of expectations, understanding, or simply apathy?  Or is it something else?

[Rebecca]

There’s not one single reason, or a simple answer, to that.  One significant factor is that this ability to share information, so widely and quickly, is a rather new capability.  However, the people doing the sharing have had basically zero… NADA… education about how to protect their own personal information. 

I’m a strong advocate of getting information security and privacy education incorporated into school curriculum from the time children are in pre-school, and right up through every grade, under-graduate college, through PhD.  But such education is simply not there. 

Information security and privacy should become the 4th “R” in basic education.  I know it would make a difference.  My own sons, who are 11 and 13 now, each started using computers at age 3, and were online starting at age 5. 

You can bet I provided daily discussions and “lessons” (unstructured) about the need to secure their personal information.  Now they point out to me when others, or when I, are doing things that could be improved upon security-wise and privacy-wise.  And I’ve overheard them having discussions with their friends about privacy.  I like that!

As a result of this lack of background and knowledge of security and privacy, most people online, and in particular using social media sites, quite frankly don’t know or realize when they are doing risky actions or putting their privacy at risk. 

Most people are used to reputable (for the most part) companies protecting them, and their information.  They believe that a promise made today, including those for privacy, will be kept tomorrow and forever.  However this is not the case in our ever evolving and widening digital world.  Facebook is a prime example, with their almost monthly privacy changes and re-arranges.

So, for your choice of answers, I’d say a lot of the reason that people put their personal information is at risk is certainly a lot of lack of education, into which factors unrealistic expectations and lack of understanding.  There is a certain portion of the population for which apathy may be attributed, but I don’t believe it is as large as what some folks and vendors try to claim.

What do you think?

[Rafal]

I’m totally with you on the lacking in education.  I just don’t think people are aware of the state of privacy today, or what it can really mean for them in any meaningful way.  They’re ready to give their FaceBook account all their private information, they click on the ‘accept’ button when an app tells them it will take over their world, and no one reads EULAs.

For example, Apple just changed their EULA (again, for the 100th time of so) and so instead of just buying a song I had to read the EULA and accept.  I’m willing to bet the click-thru rate, (the rate of people that simply click accept) is north of 90%.  Me, I know better so I sent the new EULA to myself and will read all of it first before clicking accept, but most people are content with getting that pop-up box out of their way.  I’ve seen some crazy things in those agreements people simply blow right through.

I think to a degree we can blame ‘today’s society’ in general.  People are all into instant gratification, and if there is a chance they can get that one thing they want right now and risk some major thing at some point in the future, maybe... odds are good that 10 times out of 10 people will make the short term click for the long-term risk.  It’s like this – you can’t begin to appreciate how precious the privacy is that you’re giving away until you don’t have any… but then we blame it on others for not taking care of our interests.  Really?

[Rebecca]

To your first point, a significant issue that brings many privacy-related problems is that privacy is a concept that is not consistently defined from individual to individual, or from organization to organization. 

Most of the many organizations I’ve spoken with indicate they believe that privacy is just about protecting a few specific information items, as defined within the state-level breach notice laws.  I’ve been alarmed to find many business leaders express the opinion, and even active pursuits, of information that is found online, including birth dates and addresses. 

I’ve read articles written by marketing consultants, and even more concerning by bill collection agencies, actually referring to the information posted on social media sites as “free” information that is available to use to meet their business initiatives, with absolutely no regard for the individuals about whom the information applies. 

There is a significant need to get organizations to truly understand the concept of privacy, and how it goes far beyond the protection of just a dozen or so items.  So yes, I agree that not only individuals, but also businesses, do not have a meaningful understanding of the full breadth of privacy.

Your Apple EULA example is a good one.  Another is Facebook; they changed their privacy “policy” multiple times throughout 2010, and continue to do so as they continue the “enhancements” to their site!  And what businesses must get better at is answering consumer questions about their privacy practices. 

Most personnel simply don’t have the knowledge because they’ve received zero training and slim to none communications about their organization’s handling of personal information of all kinds.  Not only this, but the times I’ve challenged businesses about their practices, the customer “service” people have either tried to dismiss my concerns, or they tried to tell me I was wrong with “my thinking.”  Some serious communications then ensued between me and the executives at their companies.

I really think most people just don’t know what the impact of clicking that “like” button, or downloading a nifty app that promises to make their life better beyond their wildest dreams, will have on their privacy and the sharing of their personal information.  People are agreeing to actions without any clue of what they’re agreeing to.

[Rafal]

Secondly, there appears to be an ever-blurring line between the need to track users of web sites to ‘enrich their experience’ and the desire to make a profit off of our habits.  It's like there is no difference between setting an anonymous cookie to track user's preferences, and tracking that user across all sites they visit to data-mine their habits... it's incomprehensible to me that such a simple distinction is being dissolved until we're no longer able to see the difference... What would you say to that?

[Rebecca]

I’d say that’s pretty accurate!  Individuals DO want to have their online experiences to be as personalized and intuitive as possible.  And the marketing folks see this and realize that this gives them the opportunity to gather more types of information under the guise of enriching their customers’, and potential customers’, experience. 

There is certainly a fine line between collecting information and tracking online behavior in the name of enriching online experiences, though, and gathering more than necessary for the primary reason of simply knowing more about consumers’ online habits.  A definite violation of trust, even if not of any laws, is when online organizations then share this information with other entities, without the knowledge, much less the consent, of those about whom the data applies.

For example, the new ways in which Facebook is using information from the profiles of individuals who have “liked” certain products, services and companies…including their photos…is completely beyond the recently in-effect privacy promises they had made to their community members.  But, they were careful to build loopholes into their promises so they could get away with such unsavory actions.

The technologies certainly exist to track virtually every type of activities.  The IT folks are pretty much building such tracking at the direction of their CEOs, CFOs and marketing areas.  Are you seeing similar?

[Rafal]

No disagreement here.  One of the most powerful groups in many organizations is the marketing department. Scary as it may sound, the minute companies realize there is money to be made from people in the social media they are in whole-hog and the marketing department rules.  Often times the privacy officer or security people are over-ridden because the CEO is out for more revenue and growth. 

You’re right, FaceBook is an excellent example of a project gone horribly, horribly to the dark side of 'tracking'... they're unabashedly leaving loopholes in their privacy policies and data-mining and selling every little bit they can to make a profit.  FaceBook is just a giant data-mining dream (or nightmare depending on how you see it) when you think of all the information that application/company knows about you. 

Sure, you can find new friends when you check into a place and see ‘others also here’ but isn’t that scary?  What if you’re a predator and you’re just looking for places that have people willing to share their location and interests with you without ever actually knowing anything about you?! Their latest incantation of this is the use of "check-ins" from FaceBook Places. 

Companies can pay to use the check-ins that people post up, and their photos if they leave any to market their product or business.  Oh, and did I mention you didn't get the right to opt-out of this service?  So if you use FaceBook Places app, you're essentially consenting to doing free advertising and marketing for companies where you check-in at their business.  What's worse is that there isn't a raging mob storming the FaceBook castle with torches and pitchforks... Boggles the mind.

[Rebecca]

Indeed.  And speaking of marketing, not only do they (marketing, sales and CxOs) often override the information security and privacy areas, many times they take actions without even checking with those areas. 

And, as Facebook shows, once you give away your information by posting on their site, they are going to start using it in ways that you could never have even anticipated or imagined.  People need to understand that.  Every social media site now has numerous loopholes written into their “privacy policies” which are really overwhelmingly “lack of privacy” policies.

[Rafal]

I think the line between tracking and experience enrichment in real life is fairly clear.  I think what’s happening is that marketing organizations and entire companies’ business models are purposely blurring that line to make it OK to exploit you as a social creature.  Since there is no one there to stop it, the erosion of privacy in the name of profit marches on.  Rather sad.

[Rebecca]

Exactly why we need to incorporate these issues and discussions into our curriculum from a very early age.  The current marketing and sales folks do not have the background or mindset to understand privacy and related issues, and how information, even if it does not look like personal information to them, still has privacy ramifications in the ways that it is used.  In fact, many marketers have told me that if no one tells them they can’t use information, they figure anything is fair game.

Stay tuned for Part 2

Cross-posted from Following the White Rabbit

Possibly Related Articles:
18247
Privacy
Facebook Privacy Digital Identity Social Media internet EULA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.