Privacy on Social Media
Oblivious to the ROI, many companies see the internet as a vast interactive Yellow Pages where the goal is to
- collect data on prospects
- profile them and then
- push them “personalized” content inveigling them to reveal more and buy now.
It’s very like a game where visitors stake bits of personal information against their own privacy and dignity. The pot is friends, money and influence.
Have You Received this Request?
A company sent us an offer for an interesting catalogue. All we had to do was provide an email address and name. It seems a valid exchange since
- The catalogue is free.
- The email address is necessary for the company to validate me.
- The company offers to email everyone a new version of the catalogue when it becomes available.
But what safeguards are in place to protect my information?
Information Flows
Starting with a name and email address, a little online research would allow any persistent sales rep, investigator or human resources manager to find out more about me as an individual. Although one’s personal information is scattered across many social networks and websites, people are usually surprised to find out how often they are mentioned on the web. Every mention tells an investigator a little more about you: about the types of things you buy, the questions you ask, the information you look for, what your interests are. The location of the services you check indicates where you live. Through your profile on social networks you may have provided information on your living arrangements.
A profile begins to build around the name.
In many cases, the email address itself tells me where the person works. The name may suggest ethnicity or religious affiliation.
Addresses and phone numbers are generally regarded as public domain information and readily available, but even unlisted numbers get posted to websites by people filling in forms or by accident. For example, you may volunteer to co-ordinate a garden event at your church and provide a phone number for the church newsletter … which gets published on the church website.
- Search engines tailor your search results on the basis of your search history and the profile they build from it.
- Marketing companies use this information to build their own profiles and tailor advertising to suit your predilections.
- Criminals use the information to decide if your home is worth a visit and when you are likely to be out.
Information Piles Up
With your name or email account, I can search Google for more information about you. I can look for you on LinkedIn, Facebook and other social networks. Through one of these I can probably discover where and when you went to school, which will tell me when you were born and where you grew up.
Recently a research team showed it is possible to successfully predict a person’s social security code from a person’s date of birth and location. As the investigators say, “In modern information economies, sensitive personal data hide in plain sight amid transactions that rely on their privacy yet require their unhindered circulation.” How many people use the birthday plugin on Facebook then, in a comment, mention their birth place?
Opportunities for Abuse
Do you need to worry about privacy online? The research mentioned above cites an example of someone who applied for credit cards by impersonating real people. They began with a commercial database that contained the type of information that many of us enter into forms. From this they were able to predict about 2/3 of the social security numbers of the people on the list. Age and location gave them part of the number. The rest of the number came from persistently applying for credit online. For each name, they entered the part of the SSN that they knew and randomly generated the rest. On average, within about 1000 tries, they had the correct SSN for each name.
With the name and social security number it was easy to find a phone number, address, and other data … A quick lookup on Google Earth allowed the impersonator to estimate income on the basis of residence.
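A defender's view of the guessing pattern described above, as an added example that is not part of the original article: it scans credit-application records for one identity submitted with many different SSNs that share leading digits. The record layout, the thresholds and the assumption that the known part of the number is a leading prefix are illustrative, and the sample data is constructed.

```python
from collections import defaultdict
from os.path import commonprefix


def normalize(name, dob):
    """Identity key: case- and whitespace-insensitive name plus date of birth."""
    return (" ".join(name.lower().split()), dob)


def flag_ssn_guessing(events, min_distinct=10, min_prefix=5, window=86400):
    """Flag identities whose applications within `window` seconds carry at least
    `min_distinct` different SSNs that all share `min_prefix` leading digits.

    events: iterable of (unix_time, name, dob, ssn) tuples (assumed layout).
    Returns {identity: {"distinct": n, "prefix": shared_leading_digits}}.
    """
    by_identity = defaultdict(list)
    for ts, name, dob, ssn in events:
        digits = "".join(ch for ch in ssn if ch.isdigit())
        if len(digits) == 9:  # ignore malformed submissions
            by_identity[normalize(name, dob)].append((ts, digits))

    flagged = {}
    for identity, rows in by_identity.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge so the window spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            ssns = sorted({ssn for _, ssn in rows[start:end + 1]})
            prefix = commonprefix(ssns)
            if len(ssns) >= min_distinct and len(prefix) >= min_prefix:
                best = flagged.get(identity, {"distinct": 0})
                if len(ssns) > best["distinct"]:
                    flagged[identity] = {"distinct": len(ssns), "prefix": prefix}
    return flagged


def constructed_events():
    """Constructed sample data; area number 000 is never issued in real SSNs."""
    events = []
    for i in range(40):  # one identity, fixed 5-digit prefix, varying 4-digit tail
        name = "Pat Example" if i % 2 else "PAT  EXAMPLE"
        tail = (i * 2503 + 17) % 10000
        events.append((1000 + 60 * i, name, "1988-03-14", f"00012{tail:04d}"))
    # A genuine applicant who mistyped two digits once, then corrected them.
    events.append((5000, "Lee Sample", "1975-11-02", "000-34-5678"))
    events.append((5300, "Lee Sample", "1975-11-02", "000-34-5687"))
    for i in range(15):  # frequent applicant who always gives the same SSN
        events.append((2000 + 3600 * i, "Sam Placeholder", "1990-07-21", "000-56-0001"))
    return events


if __name__ == "__main__":
    for identity, hit in flag_ssn_guessing(constructed_events()).items():
        print(identity, hit)
```

Only the identity with many distinct numbers is flagged; a single typo or repeated applications with one consistent number stay below the threshold.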
Friendly Abuse
Setting aside the malevolent evil-doer who uses this information to predict when a victim’s home is likely unoccupied, the fact is that governments and police forces have access to this information. Recently in Ontario the courts have been admonished for doing inappropriate background checks on potential jurors, allowing them to set aside people they deem unfit. The police in Britain, and potentially here, don’t need a warrant to read emails. Is it a huge leap of imagination to believe that a well-meaning government might randomly check the emails of people who fit a profile the government generated out of concern for the safety and security of the state?
Marketing firms have enough information to personalize direct mail to target a person at their home according to their interests, with language that is sympathetic and engaging for that individual, increasing the probabilities of making a sale.
Concerns
The free flow of information is seen by many as a positive thing. Truth will out. Information is democratized. Everyone has access to the facts. It also means that data floods the airwaves without restraint. It’s very hard to place firewalls around information you may prefer to keep private.
Security online: Few people protect themselves adequately online. The culture of social media is one of friendship, liking and trust. The truth is that many of our friends and followers are friends of friends that we have never met.
Commercialization of the web: Opinion, not insight, dominates the web. Even on sites purporting to be written by professionals for professionals, much of the content is editorial because it is fast to produce and less costly than research. Companies are not looking to inform people but to attract eyeballs. Eyeballs are traffic and traffic warrants high advertising rates and more opportunities to convert visitors into buyers.
The Evolution of Thin Culture: A long time ago, anthropologist Clifford Geertz coined the phrase Thick Culture to suggest the myriad ways cultures are reinforced through shared values, practices and beliefs, through the structure of society and the machinations of the political economy. What we seem to have online is Thin Culture: a network where people are linked by only one or two connections and share trivial information. One’s best friend may live on the other side of the world. We have never met them face to face and the basis of our friendship is the swapping of gifts on Farmville.
As to the web as a source of information, unquestionably there is a lot of information on the web but much of it is redundant or buried beneath a flood of similarly hyped sites where the content is weak. How often have you visited different websites looking for insight into a topic and found articles that are little more than re-writes of each other or RSS feeds from a shared source, or where the opinions are reinforced by referencing each other?
There are millions of original documents in archives: portraits, treaties, letters, and the like, but the sorting and analysis of these is limited. Where once you might have picked up a biography of John A. Macdonald that was 1000 pages long and read it knowing it wasn’t the final word, now you are likely to visit Wikipedia and believe the 2000 word article is complete.
Issues Raised in 2009
Myth Busting: Just because you opt-out of a program doesn’t mean information-gathering stops. Your choices are probably still being tracked and information on file is unlikely to be deleted. Opting out usually only means that you stop receiving the “benefits” of the program. In fact, as you travel around the internet, your decisions are constantly monitored and analyzed by artificial intelligences with the aim to push advertising to your screen based on your interests. It is comparable to the way CCTV cameras monitor your movements in the real world supplemented by facial recognition software and GPS Tracking via your cell phone. In the virtual world information is anonymized but it is easy to trace results to an IP, especially if you are on high speed internet that is always on. Your IP address only changes when you reboot the modem.
According to Justice Lynne Leitch of the Ontario Supreme Court, your IP address is no different than a phone number, published in the phone book and therefore in the public domain. However, the phone book doesn’t come with an attached file listing every call you ever made, including the wrong numbers and calls pushed to you. The internet does. As you surf, the IP address is used to track every click you make. That information is stored by a variety of databases outside your control including Google and your service provider.
February 18. You should worry about your privacy on Facebook.
Facebook updated its terms and conditions this month. According to their CEO there is no real policy change, and that should have you worried because what was removed was the provision that implied you, as a user, had the right to delete your content at any time. Most people probably assumed that when they deleted information from their account it was destroyed, and if they wiped out everything, their account was deleted. It’s what the previous wording implied by saying the licence would expire.
What’s obvious now is that Facebook believes that your content belongs to them. They have added new wording to the effect that Facebook will retain your content even after you close your account. This is bad news. While Facebook denies this is their intent, the legal wording supports the position that ANYTHING you place on Facebook becomes a permanent record that may follow you through life and be used in whatever way Facebook or its successors choose to use it.
Addenda: public outcry forced Facebook to re-think their terms and conditions. They are adding more sophisticated privacy settings to allow users to sort who sees what with greater precision. Nevertheless, read the terms before you post, especially when using plugins.
Because Emerson Manitoba Threatens the USA
Drone spy planes that patrol the Canadian American border are not allowed within 16km of Canadian soil but their sensors penetrate 25km, allowing them to collect information on Canadian activities. The surveillance planes are part of a tactic to protect the USA from terrorist attacks and to that end, presumably, Predator B is set to patrol the border between North Dakota and Manitoba using infrared, cameras and heat sensors. Since this is an unmanned vehicle, the information is being recorded automatically and Canadians living within 16km of the border are being watched. This may not seem like much of an intrusion, but many Canadian towns line our border and this is only one of 4 drones currently planned unilaterally by the US government to patrol our side of the border.
Addenda: the USA is intending to expand this program to cover more of the border.
How far will the State Go to Watch You?
In the U.K., pubs are being told that they will lose their licenses unless they comply with a police plan to install CCTV.
February 9. Who Has the Right to Your Information?
Ivan Henry has been in prison in BC since 1982 for rape. After he was convicted, similar crimes were committed and an investigation brought to light an alternative suspect who confessed to 3 of the crimes in 2005, was convicted and released on parole in 2008. Mr. Henry claims he is innocent and for over 20 years was refused the opportunity to appeal. Whether or not he is guilty, one questions the judgment that he has no right to review the evidence that was brought against him. Both medical and DNA evidence were returned to the victims or destroyed and in 2000, his application to review the records was dismissed as frivolous. If I were in prison for a crime I didn’t commit, I doubt I would agree that my desire to review the evidence against me was some la-di-dah whim.
The question is: in a criminal investigation, what information should become public record or at least available to all stakeholders including juries, victims and accused?
February 8. You are Anon and I Know Where You Live.
According to the Digital Britain Report which sets out concepts to reduce illegal file-sharing, “Our response to the consultation on peer-to-peer file sharing sets out our intention to legislate, requiring ISPs to notify alleged infringers of rights (subject to reasonable levels of proof from rights-holders) that their conduct is unlawful. We also intend to require ISPs to collect anonymized information on serious repeat infringers (derived from their notification activities), to be made available to rights-holders together with personal details on receipt of a court order.”
February 8. You are Being Watched
If you think that surveillance is light years away from knowing who you are and what you are up to, consider what’s available off the shelf. Xtract is sold to advertisers and marketers to let them eavesdrop on social networks and blogs. It analyzes both your movements and your links to gain in-depth understanding of who you are, your interests, and the type of people you hang out with. It looks for decision makers or communication nodes and allows the advertiser to target them with a campaign in the knowledge that if an influential person in a network comments on a product, others will listen and respond.
Xtract analyzes millions of customer transactions / hour and sells that information to leading telecom operators, publishing companies, banks, retailers and cell phone manufacturers.
NebuAd and Phorm market deep packet inspection technology. For those of you who don’t know what this refers to, all online requests use packets to send and receive requests. Deep packet inspection makes it possible to track all your online activity from web surfing to email, via your ISP and build profiles that not only know what you like, but know who you are and where you are located. Further, since ISPs are required to turn over any information they have to the authorities on request, this information could become subject to investigations by security forces fishing for criminal activity. For example, the UK government wants to require ISPs to collect information on illegal file-sharing. This can only be done if they monitor traffic patterns and link them to specific individuals. ISPs would also be told to contact repeat offenders with warnings. But what happens if the warnings are ignored?
Half of all advertisers expect to use this kind of behaviour targeting, based on finely shaded profiling, in 2009.
February 4. Retaliation is One Approach to Silly Legislation
Get ready for June 15. The UK Home Office has plans to create a super database to store and filter every email, phone call and text message from everyone in Britain. Martin Gray has decided to act: he is spear-heading a campaign whereby everyone in Britain copies the Home Secretary on every email message they send June 15. He is also asking people to forward every message they receive to the HS. 6,790 people have already signed up to join in the deluge.
January 22. From the office of the President
One of Obama’s memos says: “The Freedom of Information Act should be administered with a clear presumption: In the face of doubt, openness prevails. The Government should not keep information confidential merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears. Nondisclosure should never be based on an effort to protect the personal interests of Government officials at the expense of those they are supposed to serve. In responding to requests under the FOIA, executive branch agencies should act promptly and in a spirit of cooperation, recognizing that such agencies are servants of the public.”
Keep your fingers crossed.
Getting More Calls Now You’re on Canada’s Do-Not-Call List?
It’s probably true. Turns out the Federal Government has been selling the list to anyone willing to pay the small fee and if the buyer is located overseas, our do-not-call laws don’t apply.
Follow up for 2009s
A company that handles 100 million credit card transactions per month admitted January 20 that cyber criminals had compromised its computer network with a sophisticated program that leaves them unable at the moment to tell how much information was accessed. However, the criminals may have enough to be able to physically duplicate credit cards for fraudulent use. Mastercard and Visa were the first to notice activity that hinted at a breach but early audits didn’t indicate a problem. Only after a forensic audit was completed was Heartland able to find the breach. Check your statements!
As of January 20, Privacy Rights Clearinghouse estimates that over 251 million sensitive records have been compromised over the last 4 years. All of this indicates that while we are more aware of the rising sophistication and organization around identity attacks, companies and governments are not acting quickly enough to put in measures to protect data. No matter what size your company is, you need to ensure that confidential information stays confidential. At the very least, don’t store private data on unencrypted, password-free devices that may be lost. Lock your laptop. Don’t walk away from it in the coffee shop. It only takes a few seconds to steal the equipment or read the file you have open. Shred sensitive materials, including CDs, before you scrap them. Wipe the drives on mobiles and computers before disposing of them. Make sure everyone in the company understands the importance of privacy and non-disclosure of information to people who call or email. Be discreet. Stay safe.
January 12, 2009. Over 2,800 Whitehall computers were lost or stolen since 2002. That’s more than one per day and the worst offender was the Ministry of Defense (3 per week). Also missing are 676 mobiles, 202 hard drives, and 195 memory sticks.
January 10, 2009. Privacy policies only mean what they say. Just because a company has one doesn’t mean you are protected: the purpose of the policy might be to inform you that your information will be shared with anyone who can afford the list.
Your email is neither private nor inviolate. In fact many governments at different levels require ISPs to provide access to emails to certain agencies, pretty much on demand. A court order may or may not be required. You may or may not be informed of the decision. Leave them on your host’s servers at your own risk.
Privacy laws do not protect you from people reading data you make public: like your Facebook account or your cell phone’s whereabouts. And here’s more news: even though you erased something from your account, the webhost or phone company may have a copy on a back-up disk. In fact, they probably do. How far back can the online record go? If you have a website, do a search on it at archive.com or visit http://www.archive.org/web/web.php
January 2009. The U.K. British Police Get Freedom to Hack Your PC
The Home Office has adopted a plan to let British police hack into personal computers without a warrant. “Remote searching” allows officers to covertly examine your hard drive whether at home, in the office or a hotel room. They are permitted to gather the content of e-mails, web-browsing habits and instant messaging. This is an extension of an EU edict that expands a rarely used power involving warrantless intrusive surveillance of private property. A senior officer is only required to believe that the intrusion might prevent a serious crime. Reported in The Times.
2008 Wrap-up.
Countrywide Financial Corp. senior financial analyst, Rene Rebollo, is charged with stealing and selling sensitive personal information on some 2 million mortgage loan applicants.
November. Security vendor RSA finds that the Sinowal Trojan (online virus) has been used to steal bank account credentials, credit card and other resources from over 500,000 accounts.
August: 11 alleged hackers accused of stealing more than 40 million credit and debit cards were arrested.
March. Hackers compromise the data on 4.2 million customer card transactions at Hannaford Brothers grocery store chain. Over 1800 credit card numbers are used for fraudulent transactions. In April Okemo Ski Resort in Vermont is beset with a similar attack, one of over 50 companies that are breached.
March. A former bank programmer at Compass Bank in Birmingham, AL, is sentenced for stealing a hard drive with 1 million customer records which he used to commit debit-card fraud.
Feb. 27. An unencrypted backup tape with data on 4.5 million Bank of New York Mellon customers went missing after being sent to a storage facility.
January. Iron Mountain loses a backup tape belonging to GE Money with data on J.C. Penney customers and 100 other retailers.
And Read Michael Geist’s A-Z summary of Canadian legal trends for 2008.