Privacy and Online Profiles













by Geoff Keston

Docid: 00011545

Publication Date: 2004

Report Type: TUTORIAL

Preview

The privacy of online profiles has come into focus after personal
information from millions of Facebook accounts was acquired through a
deceptive app. But Facebook is just one of the many online platforms
that collect and store explicit records of user queries, Web travel,
and social graphs. The unprecedented scale and precision of this sort
of profiling has long been a concern to privacy advocates, but now
enterprises, governments, and the general public are taking notice too.

Executive Summary


Many online search tools and social media sites collect users’ personal
data so that they can tailor advertising to them and predict their
buying behaviors.


Sites that offer “free” services or shopping typically make a business
of capturing user activity, amalgamating it with data from other
tracking sources, and then selling or otherwise making a commodity of
it. Such data collection creates a security threat to enterprises,
whose employees are increasingly using online services for a variety of
business activities.

At a minimum, enterprises should make employees aware of the degree to
which personally identifiable Internet activities are subject to
potential disclosure. Such activities include buying anything, selling
anything, using social media, submitting medical information, or making
financial transactions. This information is being aggregated completely
legally, and databases of it can be purchased for as little as $65 per
1000 names. The data has no expiration date and correcting erroneous
information distributed in this fashion is almost impossible.

All employees should be educated about the risks of using the Web for
sensitive communications and interactions, particularly from mobile
devices or when connecting through public wireless networks.

Description


A Digital Footprint

Online services such as search engines and social networking sites
collect, analyze, and share vast amounts of personal data.
Collectively, this correlated information creates a user’s “digital
footprint.” The importance of surveillance and data collection is
described pointedly by computer scientist Jaron Lanier in his book Who
Owns the Future?: “Because spying on you is, for the moment, the
official primary business of the information economy, any attempt to
avoid being spied on … can seem like an assault on the very idea of the
Internet.”1

Such handling of data worries many organizations whose employees are
using these services. There are no significant controls over the use of
personal information gleaned by online surveillance. User agreements
spell this out, but few people read them and even fewer are deterred by
their sweeping abrogation of personal privacy rights. Also, as shown by
the incident in which as many as 87 million Facebook users had their
data taken under false pretenses by an app, user agreements cannot
prevent unauthorized accessing of data.2

Further, when a company’s employees use mobile devices to communicate
with corporate Internet points of presence, their online activities can
be tied to a specific physical location. While there are a few tactics
to limit the access of such trackers, defending against them is
difficult and the available shields are limited in their ability to
create boundaries around personal information and behavior.

Sources of Threats

There are two common types of tracking – cookies and Web beacons – that
are widely used for both legitimate and nefarious purposes but that, in
either case, ultimately have the effect of compromising personal
privacy.

Cookies

Cookies are files that are stored on a client computer by Web sites. A
cookie stores information, both during and between a user’s visits,
allowing the site to build page views quickly, remember where a user
was, and alert people to things that are likely to be of particular
personal interest. For example, a travel site may use stored location
and browsing history data to automatically provide information about
fares for flights that depart from the airports a person typically
uses. Most browsers allow users to refuse cookies or to be alerted when
a cookie is being sent. In practice, however, Web commerce applications
are so reliant on this form of state storage that many will not work
without them and most users would find it impossibly tiresome to supply
the same information again and again.

Over time, sites that are often visited by an individual have the
opportunity to develop a cookie jar of fine-grained information about
them, all of which might be inferred through a savvy reading of stored
data. Cookies typically reside in a “public” directory (with loose
permissions) on a Web client machine, which makes them vulnerable to
disclosure and misappropriation.

Web Beacons

Web beacons (also called “Web bugs”) are images, usually minimally
visual, that are used to monitor access to Web page content and
validate addresses in bulk email lists. A tool often employed by
spammers, online marketers, and snoops, they take their name from the
familiar spycraft device used for electronic eavesdropping.

Web beacons work as follows: HTML pages or email can embed references
to images that are not resident on the same server as the one sending
the body of the page or the mail document. When the page is loaded or
the email is opened, the user’s browser sends a retrieval request to
the server where the image is stored. The request includes the IP
address of the client device making the request (in other words, the
computer a person is using), a timestamp, type of browser, and
optionally, flags that denote the existence of cookies left on the
client device by the server that sent the Web page body or email
message. This can be insidious for two reasons:

  • The image is often either completely transparent or a 1×1 pixel
    .gif, so it is unlikely to be noticed by the user. If the email
    contains no embedded advertising, it is unlikely that the bug will
    be detected by mail filters.
  • Web bugged email messages reveal personally identifying
    information, as well as specifics about how an email message was
    routed, whether it went to a mailing list, and valid email addresses
    for all of the recipients.

This information is very useful to spammers and identity thieves
because it allows them to validate email lists, to find out what mail
is beating spam filters, and to know who read what messages, when, and
on what computers. It is possible to undermine Web beacons by
configuring email clients to not display images in an HTML email where
the image is denoted by a URL. Gmail, Yahoo, Mozilla, and Opera provide
this capability, as do a number of other open source and proprietary
email clients.
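
The same defense can be applied to a message body before it is
displayed. The Python code below is an added example, not part of the
original report: it lists every image an HTML body would fetch from a
server, notes the beacon traits described above, and replaces each such
tag. The sample message, the hosts tracker.example and cdn.example, the
rid parameter, and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body; hosts, the "rid" parameter and addresses are made up.
SAMPLE_HTML = """<html><body>
<p>Spring fares from your usual airport are on sale.</p>
<img src="cid:logo@newsletter" width="120" height="40" alt="logo">
<img src="https://tracker.example/open.gif?rid=alice%40corp.example" width="1" height="1">
<img src="http://tracker.example/p.png" style="display:none">
<img src="https://cdn.example/banner.jpg" width="600" height="200" alt="banner">
</body></html>"""

PLACEHOLDER = '<img alt="[remote image blocked]">'
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def is_remote(src):
    """True when displaying the image makes the client contact a server."""
    return urlparse(src).scheme in ("http", "https") or src.startswith("//")


def beacon_reasons(attrs, src):
    """Heuristic traits of a Web beacon; an empty list means none matched."""
    reasons = []
    dims = [(attrs.get(k) or "").strip().lower().rstrip("px") for k in ("width", "height")]
    if all(d in ("0", "1") for d in dims):
        reasons.append("1x1 or zero-size")
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        reasons.append("hidden by style")
    if urlparse(src).query:
        reasons.append("query string may identify the recipient")
    return reasons


class RemoteImageCollector(HTMLParser):
    """Records the raw text, source and traits of every remote <img> tag."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        if is_remote(src):
            self.remote.append((self.get_starttag_text(), src, beacon_reasons(a, src)))


def scan_and_block(html):
    """Return (findings, sanitized_html) with every remote image replaced.

    Any remote image is blocked, not only suspicious ones, because the fetch
    itself discloses IP address, time and browser type to the image's server.
    """
    parser = RemoteImageCollector()
    parser.feed(html)
    parser.close()
    sanitized = html
    for raw, _, _ in parser.remote:
        sanitized = sanitized.replace(raw, PLACEHOLDER)
    return [(src, why) for _, src, why in parser.remote], sanitized


if __name__ == "__main__":
    findings, clean = scan_and_block(SAMPLE_HTML)
    for src, why in findings:
        print(src, "->", ", ".join(why) or "remote image, no beacon traits")
```

Images carried inside the message (the cid: reference in the sample) are
left alone because displaying them sends no request.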

Insecure BYODs

With the rise of user-supplied mobile devices in the workplace,
enterprises have faced many new and complex security issues – many
fairly obvious, others much more subtle but still extremely serious.
Most enterprises observe best practices in validating mobile user
access to backend systems. However, encrypting all enterprise data
stored on mobile devices is also worth consideration for the following
reasons:

  • Mobile app hacks, affecting all major brands of smartphones, are
    common. Insecure BYODs have been implicated as key factors in
    enterprise privacy breaches, and they are particularly susceptible
    to snoopers when used on public networks, passing and storing
    unencrypted data.
  • Mobile devices used for business typically contain company
    directories including names, phone and email contact information,
    reporting relationships, and job responsibilities. This is a
    virtual map for spies plotting an attack.

Current View


Governments Push in Opposite Directions

In Europe and America, governments have recently pushed in opposite
directions over security:

  • In 2017, the Trump administration approved a Congressional plan to
    eliminate some Internet privacy regulations. The restrictions had
    put checks on how ISPs can collect and use consumer data. With this
    relaxation of consumer protections, ISPs may be able to sell data
    such as “customer browsing habits, app usage history, location data
    and Social Security numbers.”3 As a result, ISPs might look to make
    money from targeted ads, as many Web sites do. Even though data is
    collected online in many ways, allowing ISPs to collect it has
    raised new concerns. ISPs could potentially gather a wider range of
    information because they control a person’s entire access to the
    Internet. Also, while someone could feasibly choose not to use a
    particular Web site, there is less competition among broadband
    providers, so consumers have less choice. Explaining the difference
    between allowing Web sites to collect data and allowing ISPs to do
    so, Dallas Harris of consumer advocacy group Public Knowledge says
    that “You can live without Google or Facebook … It’s pretty
    difficult to walk away from internet service altogether.”4
  • In 2018, the European Union put into effect the General Data
    Protection Regulation (GDPR), which imposes strict and sweeping
    regulations on how user personal data is handled. The GDPR even
    impacts companies and organizations outside of Europe, depending on
    the data they receive and transmit. And many US states have passed
    laws strengthening protections for user data. Recently, the
    following states have made their relevant laws at least slightly
    stricter or broader: Alabama, Arizona, Colorado, Iowa, Louisiana,
    Nebraska, Oregon, South Carolina, South Dakota, Vermont, Virginia.5
  • In early 2019, there was talk in the US from both Democrats and
    Republicans of passing a new federal Internet privacy law.6 With
    previous regulations removed a few years earlier and states
    creating a patchwork of regulations, the intent of federal guidance
    would be to create uniformity across the country.7 But efforts to
    craft a bill stalled, and it is unclear whether progress on the
    legislation is possible in the foreseeable future.

Commercial Uses Create Controversies

Exposures of user data on Facebook have created pushback. “On both
sides of the Atlantic, data protection authorities are under fresh
pressure to enforce existing privacy rules and better police the
digital space,” write Mark Scott and Laurens Cerulus, describing the
political and marketplace climate in the wake of the Facebook/Cambridge
Analytica scandal.8 But Scott and Cerulus also say that such pressure
may not lead to much change. Despite the pressure, authorities have
“doubts over whether they have the resources, clout and willpower to
regulate tech giants like Facebook.”

Other signs suggest that the use of customer data will expand to other
markets. For example, an analysis by Automotive News observes that car
makers are beginning to have the same incentives to use customer data
as Facebook: “[A]s vehicle technology advances, these companies may
clamor to monetize the vast amount of data they’ll be able to collect –
from the hotels you like to visit to all the people you talk to on your
daily commutes.”9

Personal Data Collection Is a Standard Online Practice

Google, Amazon, Facebook, and many other sites collect and store
in-depth information about the ways in which users interact with them.
The scope of this sort of profiling is enormous and the types of
information collected are very broad. Such data gathering can also be
highly controversial. For example, in early 2020, the state of New
Mexico sued Google based on a claim that the company’s education
software and services illegitimately collected data from children and
parents.10 The suit is significant because Google is the largest
provider of technology to K-12 schools. Depending on what is revealed
about Google’s practices and how the court rules on those activities,
new laws could be passed and new legal action launched. In 2019, Google
settled a similar case brought by the state of New York.

Technological development is driving further data collection. An
example of how data could be collected in the near future came in 2016,
when a photographer in Russia took pictures of people in public and
then used the images to identify their social media accounts.11 When
applied on a wider scale by major companies, techniques like this could
further increase and widen the gathering of data.

People Aggregators Are in Common Use

Recruiters and human resources departments are increasingly using tools
called “people aggregators” to find job candidates. Instead of waiting
for applications for a job, people aggregator services search social
media and other online sources to identify potential employees. These
aggregators have helped to make the collection of personal data into a
massive, streamlined business, thus increasing security risks.
Aggregated data could be used for identity theft, social engineering,
and other types of attacks. And even the legal, legitimate practices of
people aggregators can pose a business risk because they look for
“passive candidates,” who are not trying to find a new job but have
their career history online. Enterprises may see some of their
employees targeted and lured away, even if they were not thinking of
leaving.

Some of the top people aggregator services include the following:12

  • Connect6 Group
  • HiringSolved
  • TalentBin

The data used comes not only from search engines and social media, but
also from credit reporting bureaus and supermarkets, which routinely
engage in this practice:

  • Equifax, TransUnion, and Experian all sell credit report header
    information, which includes startlingly complete personally
    identifying information.
  • Store loyalty card programs aggregate vast amounts of personally
    linked purchasing behavior data, including data from their in-store
    pharmacies and liquor stores.

Employers Are Seeking Access to their Employees’ Profiles

Debate continues about whether employers can demand that employees
share their social networking passwords. Some organizations have made
the case that they need this information to protect confidential
enterprise data and legal interests. Many state legislatures have taken
(or are now taking) action to protect employee privacy, however. In
2019 alone, Florida, Hawaii, Massachusetts, Minnesota, and New York all
proposed new laws restricting employer access to employee social media
information, and many other states have done so previously.13 But most
of these efforts have failed or stalled.14

Regardless of the outcome of these legislative efforts, it is likely
that the debate will continue regarding the boundaries between personal
and business activities online.

Outlook


Organized identity theft has its roots in online profiling. This is not
surprising because, in an effort to encourage security breach
reporting, there are virtually no consequences for allowing disclosure
of private individuals’ personal data when breaches do occur. However,
for enterprises as well as individuals, there has been significant
growth in the scale of the threat, the state-sponsored nature of its
sources, and the far-reaching potential intents. We have crossed the
Cyber Rubicon, so to speak, and organized, criminally intent profiling
is being used in service of new criminal enterprises, some of which
aggressively target enterprises:

  • Medical identity theft, often a byproduct of poorly implemented
    attempts to digitize existing medical records, has allowed
    impostors to fraudulently co-opt insurance coverage of legitimate
    insurance subscribers. In addition to financial losses, this can
    result in co-mingled or completely corrupted medical records, where
    key information – like blood types, drug allergies, and prior
    conditions – is lost or changed.
  • Insider attacks are becoming common enough that the FBI has warned
    credit unions and banks to be on the lookout for criminal identity
    thieves attempting to target and turn employees in sensitive
    positions. Such attacks can originate when thieves gain access to
    the identity of individuals in key jobs, track them online, and
    discover personal information that can be used coercively.
  • Mobile devices are so useful that enterprises simply cannot afford
    not to use them. However, they are very difficult to secure,
    especially in the common scenario where users run business apps on
    personal devices.

Recommendations


Consult Guidance from Privacy Organizations

Users have few advocates and even fewer legal protections when it comes
to online privacy. But one of the most significant activist voices is
the EFF, which editorializes, organizes, lobbies, and sues its way
through confrontations with companies and governments over online
privacy and freedom of speech. EFF publishes both timely alerts and
long white papers about online privacy. It also hosts events.

Other privacy organizations worth consulting include the following:

  • CyLab Usable Privacy and Security Laboratory (CUPS)
  • Department of Homeland Security Privacy Office
  • Electronic Privacy Information Center
  • Privacy Rights Clearinghouse

Guard Against Insider Threats

Privacy threats come not only from outside hackers but also from
employees and other insiders. In view of this, consider implementing
these defenses:

  • A large share of insider attacks take place when someone is tricked
    into infecting systems inside the firewall by syncing an infected
    mobile device or forwarding an email. There is a cheap, simple
    defense against this gambit: virus-check all internal file
    transfers, email, and stored messaging.
  • Strictly monitor all access to removable storage and use two-factor
    authentication for data transfers to mobile and removable devices.
  • Analyze the scope of existing company directories and consider
    limiting the dissemination of information about internal reporting
    structures and job responsibilities.
  • Develop, publish, and enforce policies on what information
    employees can disseminate on social media sites.

References

1 Jaron Lanier. “Who Owns the Future?” Simon & Schuster. 2013.

2 Issie Lapowsky. “Facebook Exposed 87 Million Users to Cambridge
Analytica.” Wired. April 4, 2018.

3 Brian Fung. “The House Just Voted to Wipe Away the FCC’s Landmark
Internet Privacy Protections.” The Washington Post. March 28, 2017.

4 Steve Lohr. “Trump Completes Repeal of Online Privacy Protections
from Obama Era.” The New York Times. April 3, 2017.

5 Jeewon Kim Serrato, Chris Cwalina, Anna Rudawski, Tristan Coughlin,
and Katey Fardelmann. “US States Pass Data Protection Laws on the Heels
of the GDPR.” Norton Rose Fulbright. July 9, 2018.

6 David McCabe. “Congress and Trump Agreed They Want a National Privacy
Law. It Is Nowhere in Sight.” The New York Times. October 1, 2019.

7 Ibid.

8 Mark Scott and Laurens Cerulus. “Facebook Data Scandal Opens New Era
in Global Privacy Enforcement.” Politico. March 26, 2018.

9 “Facebook’s Privacy Problem in the Era of Self-Driving Cars.”
Automotive News. April 13, 2018.

10 Natasha Singer and Daisuke Wakabayashi. “New Mexico Sues Google Over
Children’s Privacy Violations.” The New York Times. February 20, 2020.

11 Rick Falkvinge. “Subway Photographer Connects Random Photos to
People’s Social Media Profiles.” Private Internet Access. April 14,
2016.

12 “Top People Aggregators for Sourcing.” Recruiting Headlines. April
11, 2016.

13 “Access to Social Media Usernames and Passwords.” National
Conference of State Legislatures. March 15, 2019.

14 Ibid.


About the Author


Geoff Keston is the author of more than 250 articles that help
organizations find opportunities in business trends and technology. He
also works directly with clients to develop communications strategies
that improve processes and customer relationships. Mr. Keston has
worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.
