“Your entire life is online.
And it might be used against you.
Be vigilant.” (Febelfin)
Three years after the explosive mass cyber surveillance revelations from Edward Snowden, and the global privacy debate they ignited, the release of the Snowden movie gives us an opportunity to reflect on the current state of our cyber privacy:
- How much do we care about our cyber privacy?
- What are we doing about it?
- How achievable is it to attain enough cyber privacy?
The importance of Cyber Privacy
Cyber privacy is our right to understand and control what happens with our personal information online. It relies on our appreciation of what personal data of ours is stored, processed, transited and accessed in cyberspace, and whether it is managed in accordance with applicable privacy regulations (such as the Australian Privacy Act), the privacy policies of the online service providers we choose to entrust our personal information to (e.g. online banking, Facebook, Skype), and our own confidentiality expectations of the online services we use, such as sharing a family picture with a select group of people only, or texting or making a private VoIP or video call with somebody.
Cyber privacy is simply privacy, and it should be as important to us as privacy in the physical world, such as when we send a private paper letter by good old-fashioned mail. However, privacy risks are significantly amplified online because of the scale of access points to digital information, the speed of access to that information, the scale of vulnerabilities and threats the cyber world is increasingly subject to and, I think, a general lack of information security and privacy awareness education amongst many cyber users. As such, the likelihood and impact of privacy breaches are significantly increased online, and even more so as we further extend the realm of the cyber world to many connected devices in our lives (the Internet of Things) that also collect, process and may put at risk private information.
Cyber Privacy risks are inherent to the following key trends:
1. Over-publishing personal information online, or publishing information without enough control
Personal information published online, such as personal details, photos, locations and activity updates, can be used maliciously and expose people to key risks including, for example, identity theft and cyber-preying. The more data we publish, especially without enough control, the greater the privacy risk.
General cyber privacy risks can be simply presented through the amazing performance of Dave, an alleged Belgian “psychic” revealing intimate details about random volunteers in search of clairvoyant enlightenment. The video can be found on YouTube, for example here: https://youtu.be/F7pYHN9iC9I . Dave was actually sourcing intelligence on his subjects during his consultations through a team of “hackers” mining the internet and feeding him the personal information they uncovered. The video was part of a campaign from Febelfin, a Belgian federation for the financial sector, to demonstrate how easy it is to access someone’s personal information online, and to raise awareness of the subject. It concluded with “Your entire life is online. And it might be used against you. Be vigilant.” – very true!
2. PII thirsty technologies
The technologies we enjoy in our daily lives for both personal and professional purposes, which are often served together on the same devices (i.e. BYOD), consume by design an increasing volume of personal information for the sake of functionality and security. The personal information they consume is often exported from the devices to the Cloud, creating a privacy risk that I believe to be often overlooked. There are many examples, such as personalised content through geolocation (e.g. local weather update), and identity and web access history tracking for tailored content such as advertisements. I refer to some examples of mobile security agents’ data collection in a previous article.
3. Online service providers are regularly hacked
The data we entrust to online service providers is also susceptible to being accidentally or maliciously leaked, resulting in privacy breaches impacting individuals and, on some occasions, in severe consequences such as resignation, divorce and even suicide, as in the Ashley Madison case.
4. Government surveillance
The Snowden revelations in 2013 revealed to the world a mass Government digital surveillance program of impressive scale, which was supposedly designed with the good intent of protecting state and citizens through the sourcing of intelligence principally applied to counter-terrorism activities. The issue with the program was the sourcing and processing of a huge amount of citizens’ private and confidential information without citizens’ consent, which raises great concern about potential privacy abuses.
How much do we care about Cyber Privacy?
We are quite concerned about cyber privacy, but we increasingly compromise on it for convenience and opportunity purposes. Our understanding and control of the trade-off is questionable.
In Australia, the OAIC, which reports a total of 13.3 million internet-connected Australians by the end of June 2016, last published a privacy survey in 2013, the “2013 Community Attitudes to Privacy”, which already reported at the time that:
- 1 in 3 had issues with how their personal information had been handled in the previous year.
- 3 in 4 were more concerned about sharing personal information online than in the previous survey.
- More than 60% of individuals would avoid using organisations or mobile apps over concerns about personal information handling.
In North America, the Pew survey on American Attitudes about Privacy, Security and Surveillance reported in 2015 a strong concern about privacy among individuals, based on a study conducted on an American population sample. Most Americans hold strong views about the importance of privacy in their everyday lives. They believe it is important, and often “very important”, that they be able to maintain privacy and confidentiality in commonplace activities of their lives, both online and offline. For instance,
- 93% of adults say that being in control of who can get information about them is important (incl. 74% “very important”).
- 90% say that controlling what information is collected about them is important (incl. 65% “very important”).
- 88% say it is important that they not have someone watch or listen to them without their permission (incl. 67% “very important”).
In Europe, the European Commission also released a report in 2015, the Data Protection Eurobarometer, which reported similar findings. For example:
- More than eight out of ten respondents feel that they do not have complete control over their personal data.
- Two-thirds of respondents are concerned about not having complete control over the information they provide online.
- 55% say they are concerned about the recording of their behaviour via payment cards.
- 55% say they are concerned about the recording of everyday activities via mobile phone use or mobile applications.
We certainly claim to be concerned about our cyber privacy, but to what extent do we really care about it?
We routinely trade off privacy for convenience, more personalised services and opportunities, to an extent where we may not understand, and be able to best manage, the privacy risks we expose ourselves to.
For a start, we understand that providing personal information online is an increasing part of modern life (71% from the 2015 Data Protection Eurobarometer), and that there is no alternative other than to provide personal information if you want to obtain products or services (58% from the 2015 Data Protection Eurobarometer). For example, many professional and social opportunities are reliant on online services such as LinkedIn and Facebook. Not compromising enough on the publishing of private information could prove to be a limiting and disadvantaging factor.
We trade off privacy for more personalised online services. Telstra’s research on Millennials, Mobiles and Money reports that young adults or “Millennials” (18 to 34 years old in 2014/2015) “demand speed, convenience, flexibility and customisation” from banking online services and mobile apps, where “the optimum trade-off between privacy and personalisation is changing daily”.
We trade off privacy for convenience, such as for the privilege of using personal mobile devices to access corporate data. Such a privilege is increasingly subject to the deployment and operation of enterprise security agents on personal devices. For instance, I recently had 2 enterprise mobile security agents deployed on my personal mobile phone as an enforced security requirement for my enjoyment of work email and calendar access from my device. My knowledge of what those agents were doing on my device, what personal data they might be capturing and what they were doing with it was rather limited.
We can also appreciate a level of trade-off for state and citizens’ security purposes.
However, the extent to which we can and do really appreciate the privacy risks we are trading off is questionable.
What do we do about our Cyber Privacy?
There are options to improve the security of personal data and communications.
For a start, personal data management practices can be improved through education and the application of further caution online about privacy. For example, in Australia, we can highlight the program ThinkUKnow, which is oriented toward children’s cyber safety, as one of the great initiatives sponsored by the Government and industry partners. Such programs are growing and I hope will change behaviours over time.
Technology is also available to reduce some privacy risks, for example (non-comprehensive list):
- VPNs for private web-browsing (a myriad of service providers, but which to trust?),
- Anonymous web browsers such as the Tor Browser,
- Encryption toolkits such as PGP to protect communications such as emails,
- Applications to secure mobile communications (messages and calls), such as Wickr and WhatsApp (both of which have been reported to be used by leading Australian political figures), Signal, and ChatSecure just to name a few. The Electronic Frontier Foundation (EFF) provides a very good reference and security scoreboard on Secure Messaging Applications,
- Applications positioning a more identity centric view of privacy, such as SudoApp (virtual identity management), etc.
While some of those options appear to be growing in popularity, perhaps amongst the most security-conscious and tech-savvy community, they are not in widespread use – too many options? Perceived as too technical to use? They also offer only relative privacy protection, because of technology vulnerabilities and the increasing pressure from some law enforcement and intelligence agencies to tap into those technologies, sometimes through backdoors that would also present a risk of exploitation by malicious parties.
Are we doing much with the options we have?
According to the 2015 Pew survey, few individuals appear to do anything tangible to protect their Cyber Privacy. For instance, very few individuals have adopted effective privacy protection measures such as encryption of their communications, thereby accepting – if not ignoring – the risk of compromise of their private communications and data.
How achievable is it to attain enough Cyber Privacy? (Conclusion)
The Pew survey offers part of an answer as to why we may not do much about better managing our privacy risks. The report refers to the following quote from some information scholars, which may well summarise the high *cost* of attaining privacy: “privacy is not something one can simply ‘have,’ but rather is something people seek to ‘achieve’ through an ongoing process of negotiation of all the ways that information flows across different contexts in daily life”. This ongoing process of negotiation may imply a high level of discipline to achieve better privacy, and it may simply be too hard to achieve great cyber privacy.
We are clearly concerned about our online privacy, but we don’t do much about it. We trade off privacy for the sake of convenience, opportunity and security without measuring the implications. Technology options exist to better manage some privacy risks, but we also don’t use them much (too hard) and they are themselves subject to risks.
The focus on and development of cyber safety education programs may however provide the best opportunity for improvement in the longer term, especially as they start with young children. Such programs may provide the key to achieving enough Cyber Privacy over time.
What do you think about it?