This week on Sunday January 28th was Data Privacy Day. Here are my thoughts about digital privacy in 2018.
What Is Data Privacy Day?
Data Privacy Day in the US started with a non-binding resolution by the US House of Representatives in 2014.
Who Cares? Nobody is After My Data.
I wish that were the case, but many organizations and individuals take great interest in, and put real effort into, gathering, storing, analyzing, and acting on the data you share, generate, or that is otherwise collected about you.
How Is My Private Data Being Collected?
Your data is collected in ways both simple and elaborate. Look at this infographic about privacy in a growing internet of me. It shows a few common items that many people own or use and some basic information those items can surmise about you. From there it is a short jump to creating a realistic and actionable personal profile of you.
Online Tracking and Targeted Ads
Sometimes it is done through online tracking and targeted ads. Browsers store cookies with info about your web browsing habits, and those cookies are read by the different sites you visit. Device fingerprinting can uniquely identify a browser based on its configuration and settings – no cookie needed. Web beacons, invisible images used to monitor online behavior, can be used together with cookies.
Try this – visit Amazon and browse for some item. You will notice days later you get ads of that item on various pages you visit. Sometimes the info is used for targeted ads by the site and other times it is sold to other companies who want to target specific people for their products.
A report by the Online Trust Alliance states the number of cyber incidents targeting businesses almost doubled from 2016 to 2017. Ransomware was the most newsworthy attack, but it was not the only one. Targeting corporate email can yield a treasure trove of information that can be used for nefarious means.
When was the last month you didn’t read about a huge data breach?
The full report: Cyber Incidents & Breach Trends Report
Internet of Things
IoT devices are being adopted in greater numbers. From smart televisions, Amazon Echo, wearables, speakers, cameras, and cars to various sensors placed in the house, there are many devices gathering data about you and reporting it back.
All of the bits of information you share on Facebook, Twitter, Instagram, etc are stored and mined. You’d be surprised what can be derived from your tweets, photos, posts, likes, etc.
How To Assert My Right To Privacy?
McAfee published a report recently from people they surveyed in a study of data privacy. It shows some interesting things about identity theft, family security, and home network security. Here are some key findings:
- 43% feel they lack control over their personal information
- 33% are unsure they can control how companies collect their personal information
- 37% of individuals use an identity theft protection solution
- 67% check accounts to prevent ID theft
- 37% use credit monitoring services
- 33% of parents do not monitor their child’s connected device usage
- 79% have talked to their kids about online safety
- 33% admit they don’t know the risks well enough to explain the dangers
- 52% were unsure of how to secure connected devices and apps
- 59% change the default password on devices right away
- 63% worry about ID theft from a home network breach
- 66% limit those who can access their home network
In general, one option is to opt out whenever you can. It may take some looking for but you can sometimes stop it here.
Understand that your data is valuable and treat it like it is. Find your comfort level with information sharing online.
Logins and Passwords
Any logins you have must be secured. Most people have terrible passwords that are easily guessed or broken by brute force attacks. The proliferation of accounts we all maintain now doesn’t make it easier. Your memory is not the tool for this job. You need a password manager like 1Password, LastPass, or KeePass.
Keep these key points in mind:
- Get and use a password manager. Seriously.
- Consider a paper copy (ex. a notecard) that contains the master password.
- Longer passwords are better than complex passwords
- Change all default passwords
Password Length > Password Complexity
NOTE: you can (and should) use complex passwords for your secret questions. If you don’t believe me look at Troy Hunt’s remarks before the US Congress last year.
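The length-versus-complexity point above, worked through as an added example (not part of the original post). It computes the brute-force search space of a password; both sample passwords are constructed, assumed to be randomly chosen, and the guess rate is an assumed figure, not a measurement.

```python
import math
import string

# Character pools an attacker has to cover when brute-forcing.
POOLS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation, " "]


def alphabet_size(password):
    """Size of the smallest alphabet (union of pools) covering the password."""
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in password))
    # Characters outside the known pools: count each distinct one once.
    known = "".join(POOLS)
    size += len({c for c in password if c not in known})
    return size


def bruteforce_bits(password):
    """log2 of the number of candidates an exhaustive search must try.

    This is an upper bound: it only holds for randomly chosen characters.
    Dictionary words and reused passwords fall far sooner.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every candidate at an ASSUMED offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


SHORT_COMPLEX = "k7#Qm2!x"          # constructed: 8 chars, all four classes
LONG_SIMPLE = "qzvkhwmtxbnrjdlp"    # constructed: 16 chars, lowercase only

if __name__ == "__main__":
    for pw in (SHORT_COMPLEX, LONG_SIMPLE):
        bits = bruteforce_bits(pw)
        print(f"{pw!r}: alphabet={alphabet_size(pw)}, "
              f"bits={bits:.1f}, years={years_to_exhaust(bits):.3g}")
```

Each extra character multiplies the search space by the alphabet size, while adding a character class only enlarges the base, which is why the 16-character lowercase string ends up far ahead.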
Guard Your Smartphone
Protect your smartphones. There are some privacy settings you should use:
- Use a passcode or biometric
- Grant applications only what they need to have – nothing more
- Be mindful of location tracking services – use judiciously
For most people this is 2FA. It boosts the security of your login credentials because it combines something you know (password) with something you have (an external value).
Google Authenticator is widely used for this. I need to shout out Authy as being a better alternative – it can be used anywhere Google Authenticator can be used (even if the site doesn’t say so).
If you can enable two-factor authentication – please do so! Facebook, Gmail, Dropbox, Evernote, and many others offer it.
Virtual Private Network
It is quite affordable to purchase a VPN for personal use. The key benefits are that it encrypts your internet traffic, routes through its own DNS servers, and, with some providers, keeps no logs of your activity. My recommendation is Private Internet Access VPN – their prices are reasonable and services are solid.
Definitely get a VPN if you travel or use public WiFi!
Read the Privacy Policies
These can be cryptic and long to read, but they reveal a lot you might not assume about how your data is collected and used. UsablePrivacy.org put together a site to analyze privacy policies and teach you about them.
In the US we don’t have much of a framework for this contemporary hot topic. One possible way to mitigate abuses toward privacy is to enact legislation.
The International Safe Harbor Privacy Principles suggest some starting principles to implement:
- Notice – Individuals must be informed that their data is being collected and how it will be used. The organization must provide information about how individuals can contact the organization with any inquiries or complaints.
- Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security – Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity – Data must be relevant and reliable for the purpose it was collected.
- Access – Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate.
- Enforcement – There must be effective means of enforcing these rules.
Read more about it at the Privacy Shield Framework.
The European Union (EU) has the rollout of GDPR coming this year. It will be interesting to see how it works and what impacts it has, both good and bad.
Don’t Give Up
Be inspired by children’s drawings about their understanding of privacy. This was put together by the CMU CyLab.