Privacy and Online Profiles
Copyright 2020, Faulkner Information Services. All Rights Reserved.
Docid: 00011545
Publication Date: 2004
Report Type: TUTORIAL
Preview
The privacy of online profiles has come into focus after personal information from millions of Facebook accounts was acquired through a deceptive app. But Facebook is just one of the many online platforms that collect and store explicit records of user queries, Web travel, and social graphs. The unprecedented scale and precision of this sort of profiling has long been a concern to privacy advocates, but now enterprises, governments, and the general public are taking notice too.
Executive Summary
Many online
search
tools and social media sites collect users’ personal data so that they
can tailor
advertising to them and predict their
buying behaviors.
Sites that offer “free”
services or shopping typically make a business of capturing user
activity,
amalgamating it
with data from other tracking sources, and then selling or
otherwise
making
a commodity
of it. Such data collection creates a security threat to enterprises,
whose employees are increasingly using online services for a variety of
business activities.
At a
minimum, enterprises should make employees aware of the degree to which
personally
identifiable Internet activities are subject to potential
disclosure. Such activities include buying anything, selling anything,
using
social
media, submitting medical information, or making
financial transactions. This information is being aggregated
completely
legally, and databases of it can be
purchased for as little as $65 per 1000 names. The data has no
expiration date and correcting erroneous information distributed in
this fashion is almost impossible.
All employees
should be educated about the
risks of
using the Web for sensitive communications and interactions,
particularly from
mobile devices or when connecting through public wireless networks.
Description
A Digital Footprint
Online
services such as search
engines and
social networking sites collect, analyze, and share vast amounts of
personal
data. Collectively, this correlated information creates a
user’s
“digital footprint.” The importance of surveillance and data collection
is described
pointedly by computer scientist Jaron Lanier in his book Who
Owns the Future?: “Because spying on you is, for the moment,
the official primary
business of the information economy, any attempt to avoid being spied
on … can seem like an assault on the very idea of the Internet.”1
Such handling of data worries
many organizations
whose employees are using these
services. There
are no significant controls over the use
of
personal
information gleaned by online surveillance. User agreements spell this
out, but
few people read them and even fewer are deterred by their sweeping
abrogation of
personal privacy rights. Also, as shown by the incident in which as
many as 87 million Facebook users had their data taken under false
pretenses by an app, user agreements cannot prevent unauthorized
accessing of data.2
Further, when a company’s employees use mobile
devices
to communicate with corporate Internet points of presence,
their online activities can be tied to a specific physical
location. While there
are a
few tactics to limit the access of such trackers, defending against
them is difficult and the available shields are limited in their
ability to
create
boundaries around personal information and behavior.
Sources of Threats
There are two
common types of tracking – cookies and
Web beacons – that are widely used for both legitimate and
nefarious purposes but that, in either case, ultimately have the effect
of compromising
personal
privacy.
Cookies
Cookies are files that are stored on a client computer by Web sites. A cookie stores information, both during and between a user’s visits, allowing the site to build page views quickly, remember where a user was, and alert people to things that are likely to be of particular personal interest. For example, a travel site may use stored location and browsing history data to automatically provide information about fares for flights that depart from the airports a person typically uses. Most browsers allow users to refuse cookies or to be alerted when a cookie is being sent. In practice, however, Web commerce applications are so reliant on this form of state storage that many will not work without them and most users would find it impossibly tiresome to supply the same information again and again.
Over time, sites that are often visited by an individual have the opportunity to develop a cookie jar of fine-grained information about them, all of which might be inferred through a savvy reading of stored data.
Cookies typically reside in a “public” directory (with loose permissions) on a Web client machine, which makes them vulnerable to disclosure and misappropriation.
Web Beacons
Web beacons (also called “Web bugs”) are images, usually minimally visual, that are used to monitor access to Web page content and validate addresses in bulk email lists. A tool often employed by spammers, online marketers, and snoops, they take their name from the familiar spycraft device used for electronic eavesdropping.
Web beacons work as follows: HTML pages or email can embed references to images that are not resident on the same server as the one sending the body of the page or the mail document. When the page is loaded or the email is opened, the user’s browser sends a retrieval request to the server where the image is stored. The request includes the IP address of the client device making the request (in other words, the computer a person is using), a timestamp, type of browser, and optionally, flags that denote the existence of cookies left on the client device by the server that sent the Web page body or email message. This can be insidious for two reasons:
- The image is often either completely transparent or a 1×1 pixel .gif, so it is unlikely to be noticed by the user. If the email contains no embedded advertising, it is unlikely that the bug will be detected by mail filters.
- Web bugged email messages reveal personally identifying information, as well as specifics about how an email message was routed, whether it went to a mailing list, and valid email addresses for all of the recipients.
This information is very useful to spammers and identity thieves because it allows them to validate email lists, to find out what mail is beating spam filters, and to know who read what messages, when, and on what computers. It is possible to undermine Web beacons by configuring email clients to not display images in an HTML email where the image is denoted by a URL. Gmail, Yahoo, Mozilla, and Opera provide this capability, as do a number of other open source and proprietary email clients.
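The same defense can be applied before a message reaches the mail client, for example in a gateway or triage script. The following Python is an added example, not part of the original report: it lists every image in an HTML message body that would be fetched from a remote server, marks the ones that look like beacons (1×1 or hidden), and strips all remote image references. The sample message, host names, and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML mail body; all hosts use the reserved .example TLD.
SAMPLE_HTML = """<html><body>
<p>Your statement is ready.</p>
<img src="cid:logo@mail.example" width="120" height="40">
<img src="https://img.newsletter.example/banner.png" width="600" height="200">
<img src="https://t.tracker.example/o.gif?rcpt=alice%40corp.example" width="1" height="1">
<img src="http://t.tracker.example/p.gif?id=9f3" style="display:none">
</body></html>"""

TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)
HIDDEN = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(width|height)\s*:\s*[01](px)?\s*(;|$)", re.I)


class BeaconScanner(HTMLParser):
    """Collects every <img> whose src forces a fetch from a remote server."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", "").strip())
        # cid:/data: images travel inside the message, so displaying them
        # contacts no server; only http(s) and //host URLs trigger a request.
        if not url.netloc or url.scheme not in ("http", "https", ""):
            return
        reasons = []
        if TINY.match(a.get("width", "x")) or TINY.match(a.get("height", "x")):
            reasons.append("tiny")        # 0 or 1 pixel in either dimension
        if HIDDEN.search(a.get("style", "")):
            reasons.append("hidden")      # suppressed with inline CSS
        if url.query:
            reasons.append("query-id")    # URL can carry a per-recipient tag
        self.findings.append({
            "host": url.hostname,
            "reasons": reasons,
            "likely_beacon": "tiny" in reasons or "hidden" in reasons,
            "raw": self.get_starttag_text(),  # exact tag text as received
        })


def scan(html):
    """Return one finding per remotely hosted image in the HTML body."""
    scanner = BeaconScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def block_remote_images(html):
    """Remove every remote <img>, visible or not, so nothing is fetched."""
    for finding in scan(html):
        html = html.replace(finding["raw"], "<!-- remote image blocked -->")
    return html
```

Blocking every remote image, not only the ones flagged as likely beacons, matters because a full-size banner served from a tracking host produces the same retrieval request as a 1×1 pixel.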
Insecure BYODs
With the
rise of user-supplied mobile devices in the workplace, enterprises have
faced
many new and complex security issues – many fairly obvious,
others much
more
subtle but still extremely serious. Most enterprises observe best
practices
in validating mobile user access to backend
systems. However,
encrypting all enterprise data stored on mobile devices is also worth
consideration for the following reasons:
- Mobile app hacks, affecting all major brands of smartphones, are common. Insecure BYODs have been implicated as key factors in enterprise privacy breaches, and they are particularly susceptible to snoopers when used on public networks, passing and storing unencrypted data.
- Mobile devices used for business typically contain company directories including names, phone and email contact information, reporting relationships, and job responsibilities. This is a virtual map for spies plotting an attack.
Current View
Governments Push in Opposite Directions
In Europe and America, governments have recently pushed in opposite
directions over security:
- In 2017, the Trump administration approved a Congressional plan to eliminate some Internet privacy regulations. The restrictions had put checks on how ISPs can collect and use consumer data. With this relaxation of consumer protections, ISPs may be able to sell data such as “customer browsing habits, app usage history, location data and Social Security numbers.”3 As a result, ISPs might look to make money from targeted ads, as many Web sites do. Even though data is collected online in many ways, allowing ISPs to collect it has raised new concerns. ISPs could potentially gather a wider range of information because they control a person’s entire access to the Internet. Also, while someone could feasibly choose not to use a particular Web site, there is less competition among broadband providers, so consumers have less choice. Explaining the difference between allowing Web sites to collect data and allowing ISPs to do so, Dallas Harris of consumer advocacy group Public Knowledge says that “You can live without Google or Facebook … It’s pretty difficult to walk away from internet service altogether.”4
- In 2018, the European Union put into effect the General Data Protection Regulation (GDPR), which imposes strict and sweeping regulations on how user personal data is handled. The GDPR even impacts companies and organizations outside of Europe, depending on the data they receive and transmit. And many US states have passed laws strengthening protections for user data. Recently, the following states have made their relevant laws at least slightly stricter or broader: Alabama, Arizona, Colorado, Iowa, Louisiana, Nebraska, Oregon, South Carolina, South Dakota, Vermont, Virginia.5
- In early 2019, there was talk in the US from both Democrats and Republicans of passing a new federal Internet privacy law.6 With previous regulations removed a few years earlier and states creating a patchwork of regulations, the intent of federal guidance would be to create uniformity across the country.7 But efforts to craft a bill stalled, and it is unclear whether progress on the legislation is possible in the foreseeable future.
Commercial Uses Create Controversies
Exposures of user data on Facebook have created pushback. “On both
sides of the Atlantic, data protection
authorities are under fresh pressure to enforce existing privacy rules
and better police the digital space,” write Mark Scott and Laurens
Cerulus, describing the political and marketplace climate in the wake
of the Facebook/Cambridge Analytica scandal.8
But Scott
and Cerulus also say that such pressure may not lead to much
change. Despite the pressure, authorities have “doubts over whether
they have the resources, clout and willpower to regulate tech giants
like Facebook.”
Other signs suggest that the use of customer data will expand
to other markets. For example, an analysis by Automotive News
observes that car makers are beginning to have the same incentives to
use customer data as Facebook: “[A]s vehicle technology advances, these
companies may clamor to
monetize the vast amount of data they’ll be able to collect – from the
hotels you like to visit to all the people you talk to on your daily
commutes.”9
Personal Data Collection Is a Standard Online Practice
Google,
Amazon, Facebook, and many other sites collect and store in-depth
information
about the ways in which users interact with them. The scope of
this sort of profiling is enormous and the types of information
collected are very broad. Such data gathering can
also be highly controversial. For example, in early 2020, the
state of New Mexico sued Google based on a claim
that the company’s education software and services illegitimately
collected data from children and parents.10 The
suit is significant
because Google is the largest provider of technology to K-12 schools.
Depending on what is revealed about Google’s practices and how the court
rules on those activities, new laws could be passed and new legal
action launched. In 2019, Google settled a similar case
brought by the state of New York.
Technological
development is driving further data collection. An example of how data
could be collected in the near future came in
2016, when a photographer in Russia took pictures of people in
public
and then used the images to identify their social media accounts.11
When applied on a wider scale by major companies, techniques like this
could further increase and widen the gathering of data.
People Aggregators Are in Common Use
Recruiters
and human resources departments are increasingly using tools called
“people aggregators” to find job candidates. Instead of waiting for
applications for a job, people aggregator services search social media
and other online sources to identify potential
employees. These
aggregators have helped to make
the collection of personal data into a massive, streamlined business,
thus increasing security risks. Aggregated data
could be used for identity theft, social engineering, and other types
of attacks. And even the legal, legitimate practices of people
aggregators can
pose a business risk because they look for “passive candidates,” who
are not trying to find a new job but have their career history online.
Enterprises may see some of their employees targeted and lured away,
even if they were not thinking of leaving.
Some of the top people aggregator services include the
following:12
- Connect6 Group
- HiringSolved
- TalentBin
The data
used comes not only from search
engines
and social media, but also from credit
reporting bureaus and supermarkets, which routinely engage in this
practice:
- Equifax, TransUnion, and Experian all sell credit report header information, which includes startlingly complete personally identifying information.
- Store loyalty card programs aggregate vast amounts of personally linked purchasing behavior data, including data from their in-store pharmacies and liquor stores.
Employers Are Seeking Access to their Employees’ Profiles
Debate
continues
about whether employers can demand that employees share their social
networking passwords. Some organizations have made the case that they
need this information to protect confidential enterprise data and legal
interests. Many state legislatures have taken (or are now
taking)
action to protect employee privacy, however. In 2019 alone, Florida,
Hawaii, Massachusetts, Minnesota, and New York all proposed new laws
restricting employer access to employee social media information, and
many other states have done so previously.13 But
most of these efforts have failed or stalled.14
Regardless
of the outcome of these legislative efforts, it is likely
that the debate will continue regarding the boundaries between
personal and business activities online.
Outlook
Organized
identity theft has its roots in online
profiling. This is not surprising because, in an effort to encourage
security breach reporting, there are
virtually no consequences for allowing disclosure of private
individuals’
personal data when breaches do occur. However, for enterprises
as
well as individuals, there has been
significant growth in the scale of the threat, the state-sponsored
nature of
its sources, and the far-reaching potential intents. We have
crossed the Cyber Rubicon, so to
speak, and organized, criminally intent profiling is being used in
service of
new criminal enterprises, some of which aggressively target
enterprises:
- Medical identity theft, often a byproduct of poorly implemented attempts to digitize existing medical records, has allowed impostors to fraudulently co-opt insurance coverage of legitimate insurance subscribers. In addition to financial losses, this can result in co-mingled or completely corrupted medical records, where key information – like blood types, drug allergies, and prior conditions – is lost or changed.
- Insider attacks are becoming common enough that the FBI has warned credit unions and banks to be on the lookout for criminal identity thieves attempting to target and turn employees in sensitive positions. Such attacks can originate when thieves gain access to the identity of individuals in key jobs, track them online, and discover personal information that can be used coercively.
- Mobile devices are so useful that enterprises simply cannot afford not to use them. However, they are very difficult to secure, especially in the common scenario where users run business apps on personal devices.
Recommendations
Consult Guidance from Privacy Organizations
Users have
few advocates and even fewer legal protections when it comes to online
privacy. But one of the most significant activist voices is the EFF,
which editorializes, organizes,
lobbies, and
sues its way through confrontations with companies and governments over
online
privacy and freedom of speech. EFF publishes both timely alerts and
long white papers about online privacy. It also hosts events.
Other privacy organizations
worth consulting include the following:
- CyLab Usable Privacy and Security Laboratory (CUPS)
- Department of Homeland Security Privacy Office
- Electronic Privacy Information Center
- Privacy Rights Clearinghouse
Guard Against Insider Threats
Privacy threats come
not only from outside hackers but also from employees and other
insiders. In view
of this, consider implementing these defenses:
- A large share of insider attacks take place when someone is tricked into infecting systems inside the firewall by syncing an infected mobile device or forwarding an email. There is a cheap, simple defense against this gambit: Virus check all internal file transfers, email, and stored messaging.
- Strictly monitor all access to removable storage and use two-factor authentication for data transfers to mobile and removable devices.
- Analyze the scope of existing company directories and consider limiting the dissemination of information about internal reporting structures and job responsibilities.
- Develop, publish, and enforce policies on what information employees can disseminate on social media sites.
References
1 Jaron Lanier. “Who Owns the Future?” Simon & Schuster. 2013.
2 Issie Lapowsky. “Facebook Exposed 87 Million Users to Cambridge Analytica.” Wired. April 4, 2018.
3 Brian Fung. “The House Just Voted to Wipe Away the FCC’s Landmark Internet Privacy Protections.” The Washington Post. March 28, 2017.
4 Steve Lohr. “Trump Completes Repeal of Online Privacy Protections from Obama Era.” The New York Times. April 3, 2017.
5 Jeewon Kim Serrato, Chris Cwalina, Anna Rudawski, Tristan Coughlin, and Katey Fardelmann. “US States Pass Data Protection Laws on the Heels of the GDPR.” Norton Rose Fulbright. July 9, 2018.
6 David McCabe. “Congress and Trump Agreed They Want a National Privacy Law. It Is Nowhere in Sight.” The New York Times. October 1, 2019.
7 Ibid.
8 Mark Scott and Laurens Cerulus. “Facebook Data Scandal Opens New Era in Global Privacy Enforcement.” Politico. March 26, 2018.
9 “Facebook’s Privacy Problem in the Era of Self-Driving Cars.” Automotive News. April 13, 2018.
10 Natasha Singer and Daisuke Wakabayashi. “New Mexico Sues Google Over Children’s Privacy Violations.” The New York Times. February 20, 2020.
11 Rick Falkvinge. “Subway Photographer Connects Random Photos to People’s Social Media Profiles.” Private Internet Access. April 14, 2016.
12 “Top People Aggregators for Sourcing.” Recruiting Headlines. April 11, 2016.
13 “Access to Social Media Usernames and Passwords.” National Conference of State Legislatures. March 15, 2019.
14 Ibid.
Web Links
- Connect6 Group: https://connect6group.com/
- CyLab Usable Privacy and Security Laboratory (CUPS): http://cups.cs.cmu.edu/
- Department of Homeland Security Privacy Office: https://www.dhs.gov/cybersecurity-and-privacy
- Electronic Frontier Foundation: https://www.eff.org/
- Electronic Privacy Information Center: http://www.epic.org/
- HiringSolved: https://hiringsolved.com/
- National Conference of State Legislatures: http://www.ncsl.org/
- Privacy Rights Clearinghouse: https://www.privacyrights.org/
- TalentBin: https://www.talentbin.com/
About the Author
Geoff Keston is the author of more than 250 articles that help organizations find opportunities in business trends and technology. He also works directly with clients to develop communications strategies that improve processes and customer relationships. Mr. Keston has worked as a project manager for a major technology consulting and services company and is a Microsoft Certified Systems Engineer and a Certified Novell Administrator.