Privacy on the Internet: A Conversation Between Two Information Security Experts

Readers will find useful points and insights within the conversation, especially considering the often-perceived adversarial relationship between anonymity and privacy.
The conversation begins…

[Rafal]

First – Why do you think that the state of personal privacy is so poor right now on the Internet? People seem to be giving away their intimate personal details for a “free” account on a social networking site – and then they seem slightly outraged when they find out their information is being sold to everyone who asks. Do you think this is a question of expectations, understanding, or simply apathy? Or is it something else?

[Rebecca]

There’s not one single reason, or a simple answer, to that. One significant factor is that this ability to share information, so widely and quickly, is a rather new capability. However, the people doing the sharing have had basically zero…NADA…education about how to protect their own personal information. I’m a strong advocate of getting information security and privacy education incorporated into school curriculum from the time children are in pre-school, and right up through every grade, under-graduate college, through PhD. But such education is simply not there. Information security and privacy should become the 4th “R” in basic education. I know it would make a difference. My own sons, who are 11 and 13 now, each started using computers at age 3, and were online starting at age 5. You can bet I provided daily discussions and “lessons” (unstructured) about the need to secure their personal information. Now they point out to me when others, or when I, are doing things that could be improved upon security-wise and privacy-wise. And I’ve overheard them having discussions with their friends about privacy. I like that!

As a result of this lack of background and knowledge of security and privacy, most people online, and in particular using social media sites, quite frankly don’t know or realize when they are doing risky actions or putting their privacy at risk. Most people are used to reputable (for the most part) companies protecting them, and their information. They believe that a promise made today, including those for privacy, will be kept tomorrow and forever. However, this is not the case in our ever-evolving and widening digital world. Facebook is a prime example, with their almost monthly privacy changes and re-arranges.

So, for your choice of answers, I’d say a lot of the reason that people put their personal information at risk is certainly a lot of lack of education, into which factors unrealistic expectations and lack of understanding. There is a certain portion of the population for which apathy may be attributed, but I don’t believe it is as large as what some folks and vendors try to claim.

What do you think?

[Rafal]

I’m totally with you on the lacking in education. I just don’t think people are aware of the state of privacy today, or what it can really mean for them in any meaningful way. They’re ready to give their Facebook account all their private information, they click on the ‘accept’ button when an app tells them it will take over their world, and no one reads EULAs.

For example, Apple just changed their EULA (again, for the 100th time or so) and so instead of just buying a song I had to read the EULA and accept. I’m willing to bet the click-thru rate (the rate of people that simply click accept) is north of 90%. Me, I know better so I sent the new EULA to myself and will read all of it first before clicking accept, but most people are content with getting that pop-up box out of their way. I’ve seen some crazy things in those agreements people simply blow right through.

I think to a degree we can blame ‘today’s society’ in general. People are all into instant gratification, and if there is a chance they can get that one thing they want right now and risk some major thing at some point in the future, maybe… odds are good that 10 times out of 10 people will make the short term click for the long-term risk. It’s like this – you can’t begin to appreciate how precious the privacy is that you’re giving away until you don’t have any… but then we blame it on others for not taking care of our interests. Really?

[Rebecca]

To your first point, a significant issue that brings many privacy-related problems is that privacy is a concept that is not consistently defined from individual to individual, or from organization to organization. Most of the many organizations I’ve spoken with indicate they believe that privacy is just about protecting a few specific information items, as defined within the state-level breach notice laws. I’ve been alarmed to find many business leaders express the opinion, and even active pursuits, of information that is found online, including birth dates and addresses. I’ve read articles written by marketing consultants, and even more concerning by bill collection agencies, actually referring to the information posted on social media sites as “free” information that is available to use to meet their business initiatives, with absolutely no regard for the individuals about whom the information applies. There is a significant need to get organizations to truly understand the concept of privacy, and how it goes far beyond the protection of just a dozen or so items. So yes, I agree that not only individuals, but also businesses, do not have a meaningful understanding of the full breadth of privacy.

Your Apple EULA example is a good one. Another is Facebook; they changed their privacy “policy” multiple times throughout 2010, and continue to do so as they continue the “enhancements” to their site! And what businesses must get better at is answering consumer questions about their privacy practices. Most personnel simply don’t have the knowledge because they’ve received zero training and slim to none communications about their organization’s handling of personal information of all kinds. Not only this, but the times I’ve challenged businesses about their practices, the customer “service” people have either tried to dismiss my concerns, or they tried to tell me I was wrong with “my thinking.” Some serious communications then ensued between me and the executives at their companies.

I really think most people just don’t know what the impact of clicking that “like” button, or downloading a nifty app that promises to make their life better beyond their wildest dreams, will have on their privacy and the sharing of their personal information. People are agreeing to actions without any clue of what they’re agreeing to.

[Rafal]

Secondly, there appears to be an ever-blurring line between the need to track users of web sites to ‘enrich their experience’ and the desire to make a profit off of our habits. It’s like there is no difference between setting an anonymous cookie to track a user’s preferences, and tracking that user across all sites they visit to data-mine their habits… it’s incomprehensible to me that such a simple distinction is being dissolved until we’re no longer able to see the difference… What would you say to that?

[Rebecca]

I’d say that’s pretty accurate! Individuals DO want their online experiences to be as personalized and intuitive as possible. And the marketing folks see this and realize that this gives them the opportunity to gather more types of information under the guise of enriching their customers’, and potential customers’, experience. There is certainly a fine line between collecting information and tracking online behavior in the name of enriching online experiences, though, and gathering more than necessary for the primary reason of simply knowing more about consumers’ online habits. A definite violation of trust, even if not of any laws, is when online organizations then share this information with other entities, without the knowledge, much less the consent, of those about whom the data applies.

For example, the new ways in which Facebook is using information from the profiles of individuals who have “liked” certain products, services and companies…including their photos…is completely beyond the recently in-effect privacy promises they had made to their community members. But, they were careful to build loopholes into their promises so they could get away with such unsavory actions.

The technologies certainly exist to track virtually every type of activity. The IT folks are pretty much building such tracking at the direction of their CEOs, CFOs and marketing areas. Are you seeing similar?

[Rafal]

No disagreement here. One of the most powerful groups in many organizations is the marketing department. Scary as it may sound, the minute companies realize there is money to be made from people in the social media they are in whole-hog and the marketing department rules. Oftentimes the privacy officer or security people are overridden because the CEO is out for more revenue and growth. You’re right, Facebook is an excellent example of a project gone horribly, horribly to the dark side of ‘tracking’… they’re unabashedly leaving loopholes in their privacy policies and data-mining and selling every little bit they can to make a profit. Facebook is just a giant data-mining dream (or nightmare depending on how you see it) when you think of all the information that application/company knows about you. Sure, you can find new friends when you check into a place and see ‘others also here’ but isn’t that scary? What if you’re a predator and you’re just looking for places that have people willing to share their location and interests with you without ever actually knowing anything about you?! Their latest incantation of this is the use of “check-ins” from Facebook Places. Companies can pay to use the check-ins that people post up, and their photos if they leave any, to market their product or business. Oh, and did I mention you didn’t get the right to opt out of this service? So if you use Facebook Places app, you’re essentially consenting to doing free advertising and marketing for companies where you check in at their business. What’s worse is that there isn’t a raging mob storming the Facebook castle with torches and pitchforks… Boggles the mind.

[Rebecca]

Indeed. And speaking of marketing, not only do they (marketing, sales and CxOs) often override the information security and privacy areas, many times they take actions without even checking with those areas. And, as Facebook shows, once you give away your information by posting on their site, they are going to start using it in ways that you could never have even anticipated or imagined. People need to understand that. Every social media site now has numerous loopholes written into their “privacy policies” which are really overwhelmingly “lack of privacy” policies.

[Rafal]

I think the line between tracking and experience enrichment in real life is fairly clear. I think what’s happening is that marketing organizations and entire companies’ business models are purposely blurring that line to make it OK to exploit you as a social creature. Since there is no one there to stop it, the erosion of privacy in the name of profit marches on. Rather sad.

[Rebecca]

Exactly why we need to incorporate these issues and discussions into our curriculum from a very early age. The current marketing and sales folks do not have the background or mindset to understand privacy and related issues, and how information, even if it does not look like personal information to them, still has privacy ramifications in the ways that it is used. In fact, many marketers have told me that if no one tells them they can’t use information, they figure anything is fair game.

[Rafal]

As a follow-on to that last thought …there really isn’t (that I’m aware of) a body of literature or (self-) regulation out there that defines where that line between tracking and enriching is – why? Do we need a standards body to help define the line between tracking for the purpose of experience enrichment and application functionality, versus tracking for data-mining? Can this even be done … and if it is done – would it necessarily need to be a government body that could have enforcement capabilities? Would the FTC be able to step up here and create some rules around what constitutes tracking vs. “tracking”?

[Rebecca]

There are various discussions about such activities. Various EU bodies have written about tracking technologies. I’ve also seen discussions about this through various IEEE papers. Also, I seem to recall the EFF, EPIC, Future of Privacy Forum and possibly even the Israeli Law, Information and Technology Authority (“ILITA”) may have issued opinions.

[Rafal]

Having an opinion is a good thing, unless no one cares – which I feel is the state of things today. I think the EU is a little more concerned about privacy but some of that western greed we’ve got in spades over here is seeping into their thinking. Unfortunately, greed tends to be an acceptable business model, and today’s business needs your private information to give you options you’ll make decisions on. Exploiting people’s willingness to give up their privacy has become a viable business model – and it’s catching on.

[Rebecca]

It’s a matter of balance. And right now the marketers and business leaders who see value in using personal information are much louder and more actively pursuing their exploitation of personal information than those who are trying to ensure privacy is addressed. However, in the past year there have been many legal actions related to online tracking practices. And the various privacy advocacy groups are certainly trying to bring the issues to the forefront of lawmakers’ attentions.

[Rafal]

So, what technologies or platforms do you feel are particularly difficult when it comes to stripping away your privacy for a profit? Sure we all pick on Facebook and Google but there are others out there that are just as bad, or maybe even worse?

[Rebecca]

Oh, there are tons of such sites out there! Spokeo is notorious. The Privacy Rights Clearinghouse has a long list: http://www.privacyrights.org/online-information-brokers-list. Actually, regarding technologies and platforms, I have concerns about the unbridled bliss so many are having with Kindle and other types of e-Book readers. The e-reader vendors collect a ton of information when signing up customers for those devices, and then they track all the articles and books loaded, along with the items browsed, dates, times, and other logged info. Who gets access to all those logs? They are marketing gold. Plus, lawyers and law enforcement will love getting them also. Then there are the GPS and location-aware technologies that are increasingly being used; that information is being shared with many more entities than those using them are aware of. I’ve also been leading the NIST CSWG Smart Grid privacy group for the past two years; we’ve identified a volume of concerns with those related new technologies.

[Rafal]

What do you think it will take to get people to lift the rose-colored glasses from their eyes and realize what they’re giving away … or is this a lost cause in today’s modern society?

[Rebecca]

No, it’s not a lost cause; I’m not pessimistic. But I am realistic. Again, it comes down to making people more aware, in addition to establishing more regulations that require businesses and organizations to do more to protect all aspects of privacy. There are many groups out there trying to make a difference, such as the Privacy Rights Clearinghouse, EPIC, EFF, and Future of Privacy Forum, just to name a few. But we need to take a more direct approach and infiltrate the population in a more extensive manner with discussions of privacy throughout all daily activities. I know I will sound like a broken record, but we need to incorporate information security and privacy into our education system, from the earliest years on, to be able to ingrain such thinking and considerations into our daily decision-making processes.

[Rafal]

As a student of privacy …have you seen any particular legal decisions that simply make you want to give up hope? I caught this one when someone suggested it to me, and it blew my mind (http://www.infolawgroup.com/2011/02/articles/lawsuit/il-appellate-court-no-duty-exists-to-safeguard-ssns-for-purposes-of-a-negligence-claim/)!

[Rebecca]

No, I’ve not seen anything that would cause such a fatalistic response. There is usually a contrasting decision for every poor decision. Your example can be countered by several opposite judgments in California and other states. The judges in these cases are often influenced by their own agendas; the interpretation of rights and laws cannot help but have some degree of subjectivity involved; they are only human, after all.

If those of us who want to advance understanding of privacy, and help to ensure privacy protections are built into all types of business activities and new technologies, keep at it, the old way of thinking by these types of courts will eventually fade away.

About the Experts
Rafal Los is Security Evangelist & Blogger for HP Application Security, part of HP Software & Solutions. “Web Application Security is NOT a hat trick!” See his blog site, where this is cross posted in two parts, at http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/bg-p/119.

Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI 
Rebecca is an information privacy, security and compliance consultant, author and instructor who has provided assistance, advice, services, tools and products to organizations in a wide range of industries during the past two decades. Rebecca is a widely recognized and respected information security, privacy and compliance expert. 
Visit her website at www.privacyprofessor.com/