and Online Profiles
Services. All Rights Reserved.
Publication Date: 2004
Report Type: TUTORIAL
The privacy of online profiles has come into focus after
personal information from millions of Facebook accounts was
acquired through a deceptive app. But Facebook is just one of
the many online platforms that collect and store explicit
user queries, Web
travel, and social graphs. The
unprecedented scale and precision of this sort of profiling has long
been a concern to privacy advocates, but now enterprises, governments,
general public are
taking notice too.
[return to top
of this report]
tools and social media sites collect users’ personal data so that they
advertising to them and predict their
Sites that offer “free”
services or shopping typically make a business of capturing user
with data from other tracking sources, and then selling or
of it. Such data collection creates a security threat to enterprises,
whose employees are increasingly using online services for a variety of
minimum, enterprises should make employees aware of the degree to which
identifiable Internet activities are subject to potential
disclosure. Such activities include buying anything, selling anything,
media, submitting medical information, or making
financial transactions. This information is being aggregated
legally, and databases of it can be
purchased for as little as $65 per 1000 names. The data has no
expiration date and correcting erroneous information distributed in
this fashion is almost impossible.
should be educated about the
using the Web for sensitive communications and interactions,
mobile devices or when connecting through public wireless networks.
[return to top of this report]
A Digital Footprint
services such as search
social networking sites collect, analyze, and share vast amounts of
data. Collectively, this correlated information creates a
“digital footprint.” The importance of surveillance and data collection
pointedly by computer scientist Jaron Lanier in his book Who
Owns the Future?: “Because spying on you is, for the moment,
the official primary
business of the information economy, any attempt to avoid being spied
on … can seem like an assault on the very idea of the Internet.”1
Such handling of data worries
whose employees are using these
are no significant controls over the use
information gleaned by online surveillance. User agreements spell this
few people read them and even fewer are deterred by their sweeping
personal privacy rights. Also, as shown by the incident in which as
many as 87 million Facebook users had their data taken under false
pretenses by an app, user agreements cannot prevent unauthorized
accessing of data.2
Further, when a company’s employees use mobile
to communicate with corporate Internet points of presence,
their online activities can be tied to a specific physical
location. While there
few tactics to limit the access of such trackers, defending against
them is difficult and the available shields are limited in their
boundaries around personal information and behavior.
Sources of Threats
There are two
common types of tracking – cookies and
Web beacons – that are widely used for both legitimate and
nefarious purposes but that, in either case, ultimately have the effect
are files that are stored on a client computer by Web sites. A cookie
information, both during and between a user’s visits, allowing the site
page views quickly, remember where a user was, and alert people to
likely to be of particular personal interest. For example, a travel
use stored location and browsing history data to automatically provide
fares for flights that depart from the airports a person typically
a cookie is being sent. In practice, however, Web commerce applications
are so reliant on this form of state storage that many will not work
without them and most users would find it impossibly tiresome to supply
the same information again and again.
sites that are often visited by an individual have the opportunity to
develop a cookie jar
information about them, all of which
inferred through a savvy reading of stored data.
typically reside in a “public” directory (with loose permissions) on
a Web client machine, which makes them vulnerable to disclosure and
Web beacons (also called “Web bugs”) are
images, usually minimally visual, that are used to monitor access to
content and validate addresses in bulk email lists. A tool often
spammers, online marketers, and snoops, they take their name from the
familiar spycraft device used for electronic eavesdropping.
Web beacons work as
follows: HTML pages or email can embed references to images
same server as the one sending the body of the page or the mail
the page is loaded or the email is opened, the user’s browser sends a
request to the server where the image is stored. The request includes
address of the client device making the request (in other words, the
computer a person is using), a timestamp, type of browser, and
the existence of cookies left on the client device by the server that
Web page body or email message. This can be insidious for two reasons:
image is often either completely
transparent or a 1×1 pixel .gif, so it is unlikely to be noticed by the
user. If the email contains no embedded advertising, it is unlikely
that the bug will be detected by mail filters.
- Web bugged email messages
reveal personally identifying
information, as well as specifics about how an email message was
routed, whether it went to a mailing list, and valid email addresses
for all of the recipients.
information is very useful to spammers and identity thieves because it
them to validate email lists, to find out what mail is beating spam
to know who read what messages, when, and on what computers. It is
possible to undermine Web beacons by configuring email clients to not
HTML email where the image is denoted by a URL. Gmail, Yahoo, Mozilla,
Opera provide this capability, as do a number of other open source and
proprietary email clients.
rise of user-supplied mobile devices in the workplace, enterprises have
many new and complex security issues – many fairly obvious,
subtle but still extremely serious. Most enterprises observe best
in validating mobile user access to backend
encrypting all enterprise data stored on mobile devices is also worth
consideration for the following reasons:
app hacks, affecting all major brands of smartphones, are
common. Insecure BYODs have been implicated as key factors in
enterprise privacy breaches, and they are particularly susceptible to
snoopers when used on public networks, passing and storing unencrypted
devices used for business typically contain company
names, phone and email contact information, reporting relationships,
This is a virtual map for spies plotting an attack.
[return to top
of this report]
Governments Push in Opposite Directions
In Europe and America, governments have recently pushed in opposite
directions over security:
- In 2017, the Trump administration approved a Congressional
to eliminate some Internet privacy regulations. The
restrictions had put checks on how ISPs can collect and use
consumer data. With this relaxation of consumer protections, ISPs may
be able to sell data such as “customer browsing habits, app usage
history, location data and Social Security numbers.”3
As a result, ISPs
might look to make money from targeted ads, as many Web sites do. Even
though data is collected online in many ways,
allowing ISPs to collect it has raised new concerns. ISPs could
potentially gather a wider range of information because they control a
person’s entire access to the Internet. Also, while someone could
feasibly choose not to use a particular Web site, there is less
competition among broadband providers, so consumers have less choice.
Explaining the difference between allowing Web sites to collect data
and allowing ISPs to do so, Dallas Harris of consumer advocacy group
Public Knowledge says that “You can live without Google or
Facebook … It’s pretty difficult to walk away from internet service
- In 2018, the European Union put into effect the General
Data Protection Regulation (GDPR), which imposes strict and sweeping
regulations on how user personal data is handled. The GDPR even impacts
companies and organizations outside of Europe, depending on the data
they receive and transmit. And many US states have passed laws
strengthening protections for user data. Recently, the following states
have made their relevant laws at least slightly stricter or broader:
Alabama, Arizona, Colorado, Iowa, Louisiana, Nebraska, Oregon, South
Carolina, South Dakota, Vermont, Virginia.5
- In early 2019, there was talk in the US from both Democrats
and Republicans of passing a new federal Internet privacy law.6
With previous regulations removed a few years earlier and states
creating a patchwork of regulations, the intent of federal guidance
would be to create uniformity across the country.7
efforts to craft a bill stalled, and it is unclear whether progress on
the legislation is possible in the foreseeable future.
Commercial Uses Create Controversies
Exposures of user data on Facebook have created pushback. “On both
sides of the Atlantic, data protection
authorities are under fresh pressure to enforce existing privacy rules
and better police the digital space,” write Mark Scott and Laurens
Cerulus, describing the political and marketplace climate in the wake
of the Facebook/Cambridge Analytica scandal.8
and Cerulus also say that such pressure may not lead to much
change. Despite the pressure, authorities have “doubts over whether
they have the resources, clout and willpower to regulate tech giants
Other signs suggest that the use of customer data will expand
to other markets. For example, an analysis by Automotive News
observes that car makers are beginning to have the same incentives to
use customer data as Facebook: “[A]s vehicle technology advances, these
companies may clamor to
monetize the vast amount of data they’ll be able to collect – from the
hotels you like to visit to all the people you talk to on your daily
Personal Data Collection
Is a Standard Online Practice
Amazon, Facebook, and many other sites collect and store in-depth
about the ways in which users interact with them. The scope of
this sort of profiling is enormous and the types of information
collected are very broad. Such data gathering can
also be highly controversial. For example, in early 2020, the
state of New Mexico sued Google based on a claim
that the company’s education software and services illegitimately
collected data from children and parents.10 The
suit is significant
because Google is the largest provider of technology to K-12 schools.
Depending on what is revealed about Google’s practices and how the court
rules on those activities, new laws could be passed and new legal
action launched. In 2019, Google settled a similar case
brought by the state of New York.
development is driving further data collection. An example of how data
could be collected in the near future came in
2016, when a photographer in Russia took pictures of people in
and then used the images to identify their social media accounts.11
When applied on a wider scale by major companies, techniques like this
could further increase and widen the gathering of data.
People Aggregators Are in Common Use
and human resources departments are increasingly using tools called
“people aggregators” to find job candidates. Instead of waiting for
applications for a job, people aggregator services search social media
and other online sources to identify potential
aggregators have helped to make
the collection of personal data into a massive, streamlined business,
thus increasing security risks. Aggregated data
could be used for identity theft, social engineering, and other types
of attacks. And even the legal, legitimate practices of people
pose a business risk because they look for “passive candidates,” who
are not trying to find a new job but have their career history online.
Enterprises may see some of their employees targeted and lured away,
even if they were not thinking of leaving.
Some of the top people aggregator services include the
- Connect6 Group
used comes not only from search
and social media, but also from credit
reporting bureaus and supermarkets, which routinely engage in this
TransUnion, and Experian all sell credit report header
complete personally identifying information.
loyalty card programs
aggregate vast amounts of personally linked purchasing behavior data,
data from their in-store pharmacies and liquor stores.
Are Seeking Access to their Employees’ Profiles
about whether employers can demand that employees share their social
networking passwords. Some organizations have made the case that they
need this information to protect confidential enterprise data and legal
interests. Many state legislatures have taken (or are now
action to protect employee privacy, however. In 2019 alone, Florida,
Hawaii, Massachusetts, Minnesota, and New York all proposed new laws
restricting employer access to employee social media information, and
many other states have done so previously.13 But
most of these efforts have failed or stalled.14
of the outcome of these legislative efforts, it is likely
that the debate will continue regarding the boundaries between
personal and business activities online.
of this report]
identity theft has its roots in online
profiling. This is not surprising because, in an effort to encourage
security breach reporting, there are
virtually no consequences for allowing disclosure of private
personal data when breaches do occur. However, for enterprises
well as individuals, there has been
significant growth in the scale of the threat, the state-sponsored
its sources, and the far-reaching potential intents. We have
crossed the Cyber Rubicon, so to
speak, and organized, criminally intent profiling is being used in
new criminal enterprises, some of which aggressively target
theft, often a byproduct of poorly implemented attempts to digitize
medical records, has allowed impostors to fraudulently co-opt insurance
of legitimate insurance subscribers. In
addition to financial losses, this can result in co-mingled or
corrupted medical records, where key information – like blood types,
allergies, and prior conditions – is lost or changed.
becoming common enough that the FBI has
warned credit unions and
banks to be on the lookout for criminal identity thieves attempting to
and turn employees in sensitive positions. Such attacks can originate
thieves gain access to the identity of individuals in key jobs, track
discover personal information that can be used coercively.
devices are so useful
that enterprises simply cannot afford not
them. However, they are very difficult to
secure, especially in the common scenario where users run business apps
of this report]
Guidance from Privacy Organizations
few advocates and even fewer legal protections when it comes to online
privacy. But one of the most significant activist voices is the EFF,
which editorializes, organizes,
sues its way through confrontations with companies and governments over
privacy and freedom of speech. EFF publishes both timely alerts and
long white papers about online privacy. It also hosts events.
Other privacy organizations
worth consulting include the following:
- CyLab Usable Privacy and
- Department of Homeland Security Privacy Office
- Electronic Privacy Information Center
Against Insider Threats
Privacy threats come
not only from outside hackers but also from employees and other
insiders. In view
of this, consider implementing these defenses:
- A large
share of insider
take place when someone is tricked into infecting systems inside the
syncing an infected mobile device or forwarding an
email. There is a cheap, simple defense against this
gambit: Virus check all internal file transfers, email,
and stored messaging.
storage and use two-factor authentication for data
transfers to mobile and removable devices.
- Analyze the
company directories and consider limiting the dissemination of
about internal reporting structures and job responsibilities.
on what information employees can disseminate on social media sites.
1 Jaron Lanier. “Who Owns the Future?” Simon
& Schuster. 2013.
2 Issie Lapowsky. “Facebook
Exposed 87 Million Users to Cambridge Analytica.” Wired.
April 4, 2018.
3 Brian Fung. “The
House Just Voted to Wipe Away the FCC’s Landmark Internet Privacy
Protections.” The Washington Post. March 28, 2017.
4 Steve Lohr. “Trump Completes Repeal
of Online Privacy Protections from Obama Era.” The New York
April 3, 2017.
5 Jeewon Kim Serrato, Chris Cwalina,
Anna Rudawski, Tristan Coughlin, and
Katey Fardelmann. “US States Pass Data Protection Laws on the Heels of
the GDPR.” Norton Rose
Fulbright. July 9, 2018.
6 David McCabe. “Congress and Trump
Agreed They Want a National Privacy Law. It Is Nowhere in Sight.” The New York Times.
October 1, 2019.
8 Mark Scott and Laurens Cerulus.
“Facebook Data Scandal Opens New Era in Global Privacy Enforcement.” Politico.
March 26, 2018.
9 "Facebook’s Privacy Problem
in the Era of Self-Driving Cars.” Automotive News.
April 13, 2018.
10 Natasha Singer and Daisuke
Wakabayashi. “New Mexico Sues Google Over Children’s Privacy
Violations.” The New York Times. February 20, 2020.
11 Rick Falkvinge. “Subway
Photographer Connects Random Photos to People’s
Social Media Profiles.” Private Internet Access.
April 14, 2016.
People Aggregators for Sourcing.” Recruiting Headlines. April 11, 2016.
13 “Access to Social Media Usernames
and Passwords.” National Conference of State Legislatures. March 15,
[return to top of this report]
About the Author
[return to top
of this report]
is the author of more
than 250 articles that help
organizations find opportunities in business trends and technology. He
also works directly with clients to develop communications strategies
that improve processes and customer relationships. Mr. Keston has
worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.
[return to top of this report]