The last 20 years, the mass uptake of the Internet has significantly changed the way we communicate, work and play. It sometimes feels like our whole lives are digitized, we’ve become part of a wider connected ‘digisphere’. And to a large extent, this is true. Anything we decide to do that involves a smart phone or a website, ends up requiring an input of information, sometimes conscious, sometimes not. Much of this information is highly personal data needed for instance to setup accounts associated with services. As I write, I am wearing a Fitbit on my wrist. To setup the app and account that handles the data generated by the Fitbit, I had to enter personal details, including my name, email address, age and so on. The Fitbit now has all of that personal information that it can tie back to my health data in a Cloud-based database, on some server, somewhere. With all of this personally identifying information (PII) floating around cyberspace where does this leave our privacy?
Social media has been incredibly successful. According to Smart Insights, in 2016, there were 2.3 billion active social media users. That is a third of the world’s population have created social media accounts, requiring personal details to open, and that regularly post their daily lives and routines, online. It may seem that we don’t really care about our social privacy, we seem to put the most intimate of details on, often public, forums. However, this may be changing. Pew Research looked into the North American attitude towards social media and privacy and their findings show that attitudes towards privacy are maturing. More than half of Internet users are worried about the lack of privacy respect from companies, and 91% of them feel that their data is now out of their control. What is interesting, is that 86% of Internet users want to mask their online activity but aren’t sure how too. Social media platforms are waking up to this fact and some attempt at improving privacy has been made, for example, the ‘real names’ campaign on Google Plus, which tried to enforce users to sign up with their real name, had to be abandoned after user and industry pressure. Facebook, however, have not taken the hint and are insisting now on verifying a person’s name using identifying documents
Privacy issues within social media platforms rumble on. The most recent involve Facebook scanning private messages, the data being used for targeted marketing. This has resulted in a lawsuit and Facebook is currently being sued over privacy abuses.
Where we go next with privacy and social media is an interesting one. We are seemingly dependent on our dose of online socializing, but the privacy costs may see some fundamental changes in the way these platforms do business, perhaps moving to a paid for model for increased privacy. However, legislation is required to enforce respect for users privacy for this to be of any true value – this is especially true for vulnerable groups such as minors.
Privacy and Health Data
Going back to the Fitbit, one of the areas of increasing concern are the privacy issues facing us with regards our health data. Health-related data, sometimes called Protected Health Information or PHI, has been shown by research from The Ponemon Institute, to be worth more than any other type of data record. The reasons being that health information, as far as cybercriminal activity is concerned, has a longer shelf life than, for example, financial information, such as card details, which can have a stop placed on their use. This is likely the reason why IBM’s X-Force 2016 report into cyber security has shown that healthcare data is the most targeted by cybercriminals.
But privacy of health data is not just about cybercriminal exposure. Health data, shared with insurance companies, can, for example, be used to augment insurance policies – the use of which has both positive and negative connotations. For example, if you show that you regularly exercise by using a Fitbit, then your insurance costs may decrease. However, if genetic data shows that you are susceptible to a rare disease, your policy costs might escalate. Health data is also, by its very nature used in research and as such, collaboration around personal health information is needed for medical advancements. Cloud platforms such as Google Genomics, allows researchers from around the world to gain insights into genetic issues through sharing of genetic data. Collaboration of this nature is a vital tool in the fight against cancer and rare diseases. But at the same time, it has the potential to open up new privacy issues around our individual genome data. Compliance requirements for privacy and security, as exemplified by the likes of the U.S. based HIPPA act, try to ensure that privacy is upheld. HIPPA also includes biometric data, such as DNA as part of PHI. But laws like HIPPA and the EU personal data directive, still need to be augmented with robust security strategies, which respect privacy as a right of each patient.
The Internet of Things
The IoT is all about connectivity. It is the power behind the Internet of Things and it is a force that will have many positive benefits to industry. The IoT is also all about data, and the consumer version is about our personal data and information about our daily movements and life. If we thought the Internet and social platforms were disrespectful of privacy, we should be very wary of the IoT. Devices with sensors that know our very waking movements, as well as our sleep patterns, are communicating that information with connected devices 24 hours a day. We are rapidly becoming intrinsically linked with a digital version of ourselves and the privacy of that digital persona is easily exploited. Devices such as garage doors, which communicate with your car, via a Cloud portal, can give information to thieves about your comings and goings. Smart meters can potentially alert the same thieves that you’re on holiday. Smart TV’s send back all our viewing habits to services, which can then use this to target market us. Even the Uber app is now sending back information about our smart phone battery life so that taxi rides prices can be increased if our phone charge is about to expire. The IoT has not been built with a privacy layer and we are about to feel the impact of this decision.
Authentication As a Privacy Control
Privacy is a concept that cuts across many areas: It can be something as simple as an opt-in or opt-out to a marketing campaign; or it can be the tracking of online and offline activity; and it can be the disclosure of Personally Identifying Information, such as health data. Some privacy issues are difficult to contain and require the full co-operation of the organization utilizing your information, as we’ve seen in the Facebook, real name case above. However, respect for privacy of PII and PHI can be adhered to by using good security. Protection of data is a paramount part of controlling the sharing and disclosure of these data. A number of robust authentication measures can create a more effective security infrastructure that lends weight to privacy controls. For example, use of a second factor by both system administrators, and the account holders adds a layer of data protection that can reduce PII exposure. Enhancing this by weaving in adaptive authentication options, such as geo-location tracking, and additional credential requirements can take this to a level where accidental or malicious disclosure is much less likely.
Ultimately the individual also needs to make privacy decisions and become privacy aware. Certainly the Pew research into privacy attitudes shows that this is happening, and users are trying to protect their online privacy. Companies can help to retain customers by recognising this need and offering enhanced privacy services. For example, having a web application firewall in place to mitigate XSS and SQL injection based attacks, offers the consumer a level of comfort that their personal data is protected from these classic attack vectors.
As we run head first into a globally connected world, our privacy shouldn’t be seen as an afterthought. With the right care, respect, and technology, we can have our connectivity and retain our privacy.
Michael Liebi ist Gründer und nun als Board Member bei United Security Providers tätig.