The 5 biggest online privacy threats of 2013

Your online life may not seem worth tracking as you browse websites, store content in the cloud, and post updates to social networking sites. But the data you generate is a rich trove of information that says more about you than you realize—and it’s a tempting treasure for marketers and law enforcement officials alike.

Battles have long raged over how third parties can access and use your data. This year, your online privacy faces new threats, as a result of emerging technologies and new regulatory efforts that could affect how your Web-based life is protected... or exposed.

The nature of online activity compounds the privacy problems we already experience in the material world. Every move we make on our PCs, smartphones, and tablets turns into a data point that trackers can easily collect and share. And you effectively agree to such collecting and sharing whenever you sign up for an online service and accept its privacy policy.

“There’s a pretty big disparity between what folks think their privacy rights are online and what they actually are online,” says legislative counsel Chris Calabrese of the American Civil Liberties Union. “They mistake a privacy policy for meaning that they have privacy. That policy is frequently a way to describe the rights you don’t have.”

Federal law may or may not mitigate the privacy threats. Efforts to update the Electronic Communications Privacy Act (ECPA) aim to make your online data harder to collect and share. Meanwhile, proposed legislation called the Cyber Intelligence Sharing and Protection Act (CISPA) could make it easier to obtain.

As you watch your privacy being kicked around like a football in a scrum, pay close attention to the following five major threats.

#1: Cookie proliferation

The invisible cookie software agents that track your browsing habits and personal data are likely to multiply in 2013. Advertising networks, marketers, and other data profiteers depend on cookies to learn more about who you are—and what you may be interested in buying. Unless legislation imposes legal restraints on Web-browser tracking, your system is likely to accumulate more cookies than you’d find in a box of Chips Ahoy.

Cookies have been proliferating at a rate that would impress epidemiologists. “Five to ten years ago, if you opened NYT.com in your browser, you’d get a cookie from the New York Times, maybe a couple, and that would basically be it,” says staff technologist Dan Auerbach of the Electronic Frontier Foundation. “Today you get probably on the order of 50 cookies from all sorts of third parties: ad servers, data brokers, trackers. They can build up this big profile about your browsing history.”

The worst part, says EFF’s Auerbach: “It’s totally invisible to users. They have no idea what’s happening.”

Marketers say that they keep user data private by viewing it only in aggregate, but the sheer volume of data a cookie can collect about any one person can enable the cookie’s owner to infer a surprising amount about the individuals being tracked. As a 2010 report by Gartner found, “the more that personal information can be correlated, the less it is possible to completely anonymize.”

cookies
Browser cookies are proliferating, with dozens lurking on a typical webpage.

But while cookies appear to be going viral, help may be on the way. In 2012, the Obama Administration proposed a Privacy Bill of Rights that would include Do Not Track legislation, so that consumers could choose whether and when to be tracked. Do-not-track mechanisms are being built into major Web browsers, such as Mozilla’s Firefox. The Do Not Track concept still has no legal support, however. Marketers, many of whom claim that tracking data is essential to their business, remain free to ignore Do Not Track efforts—or build ways around them.

“Do Not Track has no teeth right now,” says EFF’s Auerbach. “If you set it in your browser, you should not expect to gain significant privacy.” Nonetheless, John M. Simpson, director of the Privacy Project at Consumer Watchdog, sees promise in new legislative efforts—specifically, the Do-Not-Track Online Act of 2013. “I think this may be the only way to get meaningful protection for consumers,” says Simpson.

#2: Seizing cloud data

You love how easy it is to grab data from the cloud—and so do law enforcement agencies. And there’s only going to be more of that data to love in coming years: Gartner predicts that 36 percent of U.S. consumer content will be stored in the cloud by 2016.

But whether you use a Web-based email service, keep files in Google Drive, or upload photos to Shutterfly, everything you write, upload, or post gets stored in a server that belongs to the online service, not to you. And because of outdated rules enumerated in the ECPA, this cloud-based data is vulnerable to a privacy loophole so big that a Google self-driving car could roll through it.

Data stored in the cloud isn’t legally protected in the same way that it would be if it were located on a storage device you own.

“A huge concern about using the cloud is that your data does not have the same Fourth Amendment protections that it would have if it were stored in a desk drawer or even your desktop computer,” says Consumer Watchdog’s Simpson.

One key reason that privacy advocates and some legislators are trying to update the ECPA this year is that the current law treats data stored on a server for more than 180 days as abandoned. This statutory assumption is a vestige of a time when servers held data only briefly before shunting it off to a local computer. Furthermore, the law’s definition of such data is vague enough to cover not just email messages—a popular target of law enforcement agencies—but (potentially) other kinds of data stored on servers. Now that so much data resides on servers owned by cloud-based services, and so many people keep content in the cloud for years, a lot of long-stored files that people haven’t abandoned could be fair game for Big Brother.

Law-enforcement agencies are requesting cloud-based data with increasing (and unsettling) frequency. Google’s Transparency Report graphs a 70 percent increase in such requests over a span of three years, from 12,539 requests in the last six months of 2009 to 21,389 requests in the last six months of 2012.

Cloud services aren’t just rolling over, though. For example, Google might comply with a subpoena to reveal the name, contact information, and login records of a Gmail subscriber. But Google would insist that the requesting authority obtain a court order requiring Google to provide greater levels of detail, such as the mail header for a message. In addition, Google would demand to see a search warrant before giving government investigators access to actual email content. Tellingly, the percentage of information requests that Google has fulfilled has dropped slightly over time, from about 75 percent in 2010 to about 66 percent in 2012. Twitter’s transparency reporting site offers similarly enlightening reading.

Law-enforcement interests have scuttled past attempts to update ECPA, so it’s hard to say whether the current efforts will get any farther. “The only true protection is to understand that anything you put up there can be accessed by somebody else,” says Consumer Watchdog’s Simpson. “If you don’t want that to happen, don’t put it in the cloud.”

#3: Location data betrayal

Call it the end of the easy alibi: Location data will make it increasingly difficult for you to wander around the world without someone knowing exactly where you are at any given time. Your cell phone is the primary tattletale, but the location data you post to social networking sites are revealing sources, too. Pinpointing your whereabouts will get easier still as other location-beaming devices come online, from smarter cars to smarter watches to Google Glass.

“When you leave your house and go to a friend’s house, run errands, go to work, visit a lover—whatever it is you do—if your geolocation is tracked and recorded, that’s a lot of information about you,” says senior policy analyst Jay Stanley, of ACLU’s Speech, Privacy and Technology Program.

Armed with this data, advertisers might (for example) send you promotions for nearby businesses, wherever you are. The result could be a nice surprise—or not. According to a 2011 report by Gartner, “forty-one percent of consumers say they would be concerned about privacy if they were to use mobile location services so that they can receive more targeted offers through advertising or loyalty programs.”

Your cell phone is a prime source of personal location data.

You’d be even less pleased if law enforcement officials, your employer, or your ex-spouse’s private detective used location data to keep tabs on you. Lillie Coney, associate director of the Electronic Privacy Information Center, points out that an employer-owned device “lets your employer track you, on and off the job. What kind of consequences and profile data are based on your geolocation, based on the course of your time in or out of work, where you are, how late you are?”

And as with cloud-based data, the legal requirements for obtaining location data from your mobile service provider are not terribly stringent. According to EFF staff attorney Jennifer Lynch, “It’s pretty easy for the government to get access to the location data, and very hard for users to prevent that data from being gathered.”

There may not be much you can do about your employer. EFF’s Lynch says that reining in the government’s zeal for location data may be tough as well. “It’s such a useful tool for law enforcement to get access to this info, there’s a lot of pushback,” Lynch says.

Calabrese of the ACLU says that updating the ECPA is a crucial step in making location data less open to scrutiny. “A lot of location info is flying around, and that’s why it’s so critical to get legal protection. You should be able to use a cell phone without worrying about being tracked.”

Subscribe to the Security Watch Newsletter

Comments