The 5 biggest online privacy threats of 2013

Your online life may not seem worth tracking as you browse websites, store content in the cloud, and post updates to social networking sites. But the data you generate is a rich trove of information that says more about you than you realize—and it’s a tempting treasure for marketers and law enforcement officials alike.

Battles have long raged over how third parties can access and use your data. This year, your online privacy faces new threats, as a result of emerging technologies and new regulatory efforts that could affect how your Web-based life is protected... or exposed.

The nature of online activity compounds the privacy problems we already experience in the material world. Every move we make on our PCs, smartphones, and tablets turns into a data point that trackers can easily collect and share. And you effectively agree to such collecting and sharing whenever you sign up for an online service and accept its privacy policy.

“There’s a pretty big disparity between what folks think their privacy rights are online and what they actually are online,” says legislative counsel Chris Calabrese of the American Civil Liberties Union. “They mistake a privacy policy for meaning that they have privacy. That policy is frequently a way to describe the rights you don’t have.”

Federal law may or may not mitigate the privacy threats. Efforts to update the Electronic Communications Privacy Act (ECPA) aim to make your online data harder to collect and share. Meanwhile, proposed legislation called the Cyber Intelligence Sharing and Protection Act (CISPA) could make it easier to obtain.

As you watch your privacy being kicked around like a football in a scrum, pay close attention to the following five major threats.

#1: Cookie proliferation

The invisible cookie software agents that track your browsing habits and personal data are likely to multiply in 2013. Advertising networks, marketers, and other data profiteers depend on cookies to learn more about who you are—and what you may be interested in buying. Unless legislation imposes legal restraints on Web-browser tracking, your system is likely to accumulate more cookies than you’d find in a box of Chips Ahoy.

Cookies have been proliferating at a rate that would impress epidemiologists. “Five to ten years ago, if you opened NYT.com in your browser, you’d get a cookie from the New York Times, maybe a couple, and that would basically be it,” says staff technologist Dan Auerbach of the Electronic Frontier Foundation. “Today you get probably on the order of 50 cookies from all sorts of third parties: ad servers, data brokers, trackers. They can build up this big profile about your browsing history.”

The worst part, says EFF’s Auerbach: “It’s totally invisible to users. They have no idea what’s happening.”

Marketers say that they keep user data private by viewing it only in aggregate, but the sheer volume of data a cookie can collect about any one person can enable the cookie’s owner to infer a surprising amount about the individuals being tracked. As a 2010 report by Gartner found, “the more that personal information can be correlated, the less it is possible to completely anonymize.”

Browser cookies are proliferating, with dozens lurking on a typical webpage.

But while cookies appear to be going viral, help may be on the way. In 2012, the Obama Administration proposed a Privacy Bill of Rights that would include Do Not Track legislation, so that consumers could choose whether and when to be tracked. Do-not-track mechanisms are being built into major Web browsers, such as Mozilla’s Firefox. The Do Not Track concept still has no legal support, however. Marketers, many of whom claim that tracking data is essential to their business, remain free to ignore Do Not Track efforts—or build ways around them.

“Do Not Track has no teeth right now,” says EFF’s Auerbach. “If you set it in your browser, you should not expect to gain significant privacy.” Nonetheless, John M. Simpson, director of the Privacy Project at Consumer Watchdog, sees promise in new legislative efforts—specifically, the Do-Not-Track Online Act of 2013. “I think this may be the only way to get meaningful protection for consumers,” says Simpson.

#2: Seizing cloud data

You love how easy it is to grab data from the cloud—and so do law enforcement agencies. And there’s only going to be more of that data to love in coming years: Gartner predicts that 36 percent of U.S. consumer content will be stored in the cloud by 2016.

But whether you use a Web-based email service, keep files in Google Drive, or upload photos to Shutterfly, everything you write, upload, or post gets stored in a server that belongs to the online service, not to you. And because of outdated rules enumerated in the ECPA, this cloud-based data is vulnerable to a privacy loophole so big that a Google self-driving car could roll through it.

Data stored in the cloud isn’t legally protected in the same way that it would be if it were located on a storage device you own.

“A huge concern about using the cloud is that your data does not have the same Fourth Amendment protections that it would have if it were stored in a desk drawer or even your desktop computer,” says Consumer Watchdog’s Simpson.

One key reason that privacy advocates and some legislators are trying to update the ECPA this year is that the current law treats data stored on a server for more than 180 days as abandoned. This statutory assumption is a vestige of a time when servers held data only briefly before shunting it off to a local computer. Furthermore, the law’s definition of such data is vague enough to cover not just email messages—a popular target of law enforcement agencies—but (potentially) other kinds of data stored on servers. Now that so much data resides on servers owned by cloud-based services, and so many people keep content in the cloud for years, a lot of long-stored files that people haven’t abandoned could be fair game for Big Brother.

Law-enforcement agencies are requesting cloud-based data with increasing (and unsettling) frequency. Google’s Transparency Report graphs a 70 percent increase in such requests over a span of three years, from 12,539 requests in the last six months of 2009 to 21,389 requests in the last six months of 2012.

Cloud services aren’t just rolling over, though. For example, Google might comply with a subpoena to reveal the name, contact information, and login records of a Gmail subscriber. But Google would insist that the requesting authority obtain a court order requiring Google to provide greater levels of detail, such as the mail header for a message. In addition, Google would demand to see a search warrant before giving government investigators access to actual email content. Tellingly, the percentage of information requests that Google has fulfilled has dropped slightly over time, from about 75 percent in 2010 to about 66 percent in 2012. Twitter’s transparency reporting site offers similarly enlightening reading.

Law-enforcement interests have scuttled past attempts to update ECPA, so it’s hard to say whether the current efforts will get any farther. “The only true protection is to understand that anything you put up there can be accessed by somebody else,” says Consumer Watchdog’s Simpson. “If you don’t want that to happen, don’t put it in the cloud.”

#3: Location data betrayal

Call it the end of the easy alibi: Location data will make it increasingly difficult for you to wander around the world without someone knowing exactly where you are at any given time. Your cell phone is the primary tattletale, but the location data you post to social networking sites are revealing sources, too. Pinpointing your whereabouts will get easier still as other location-beaming devices come online, from smarter cars to smarter watches to Google Glass.

“When you leave your house and go to a friend’s house, run errands, go to work, visit a lover—whatever it is you do—if your geolocation is tracked and recorded, that’s a lot of information about you,” says senior policy analyst Jay Stanley, of ACLU’s Speech, Privacy and Technology Program.

Armed with this data, advertisers might (for example) send you promotions for nearby businesses, wherever you are. The result could be a nice surprise—or not. According to a 2011 report by Gartner, “forty-one percent of consumers say they would be concerned about privacy if they were to use mobile location services so that they can receive more targeted offers through advertising or loyalty programs.”

Your cell phone is a prime source of personal location data.

You’d be even less pleased if law enforcement officials, your employer, or your ex-spouse’s private detective used location data to keep tabs on you. Lillie Coney, associate director of the Electronic Privacy Information Center, points out that an employer-owned device “lets your employer track you, on and off the job. What kind of consequences and profile data are based on your geolocation, based on the course of your time in or out of work, where you are, how late you are?”

And as with cloud-based data, the legal requirements for obtaining location data from your mobile service provider are not terribly stringent. According to EFF staff attorney Jennifer Lynch, “It’s pretty easy for the government to get access to the location data, and very hard for users to prevent that data from being gathered.”

There may not be much you can do about your employer. EFF’s Lynch says that reining in the government’s zeal for location data may be tough as well. “It’s such a useful tool for law enforcement to get access to this info, there’s a lot of pushback,” Lynch says.

Calabrese of the ACLU says that updating the ECPA is a crucial step in making location data less open to scrutiny. “A lot of location info is flying around, and that’s why it’s so critical to get legal protection. You should be able to use a cell phone without worrying about being tracked.”

#4: Data never forgets a face

Posting and tagging photos online may feel like innocent fun, but behind the scenes it helps build a facial recognition database that makes escaping notice increasingly difficult for anyone.

“Most consumers are already in the largest facial recognition database in the world, and that’s Facebook,” says EFF's Lynch. Indeed, the immense quantity of photos uploaded to Facebook makes it the poster child—or rather, giant—for the privacy issues surrounding this technology.

In testimony before the Senate Judiciary Committee in July 2012, Lynch described how Facebook users were, at the time, uploading about 300 million photos to the social networking site every day. Facebook uses the tags associated with those photos to build ever-more-detailed “faceprints” of what you and your friends look like from every angle.

Facebook is a generous source of face-recognition data, and now Facebook Home, announced last Thursday, could spill even more location data than in the past.

If Facebook used this data strictly to help you find other people you know on Facebook, it might be okay. But Lynch says that when Facebook sells user data to third parties, photo data may be included—and the sanctity of the data afterward is uncertain. “Facebook says it takes care to protect the data, but we don’t know how they do it,” she says.

Lynch’s 2012 Senate testimony also noted that the government has reviewed or requested Facebook data for purposes as varied as citizenship applications, criminal cases, and security checks. “We know that law enforcement asks for this information from Facebook,” Lynch said recently. “They don’t just ask for your post, but all photos you’ve been tagged in.” Access to Facebook data allows law enforcement officials to move beyond the blunt instrument of a mug shot or a driver’s license photo to find people much more easily.

And Facebook isn’t the only source of facial-recognition data. Companies such as Google and Apple have facial-recognition technology built into some of their applications, too—most notably online photo sites. According to John Simpson of Consumer Watchdog, “Someone can take a photo of you and then track you down based on other identified photos of you that may have been posted on the Web. It’s scary and opens very real dangers of being stalked.”

The future of facial recognition offers scant comfort. Continued advances in surveillance technology, including drones and super-high-resolution cameras, will make identifying individuals in public places easier than ever, especially if the entity doing the surveillance has a nice, fat, facial-recognition database to consult. As with other cloud-based data, revisions to the ECPA could boost privacy protections for digital photos—depending on what gets enacted. Says Lillie Coney of EPIC: “If they’re not locked down, photos could be part of our information economy that can be generated into revenue, sold, traded, used. You don’t know where they are.”

In her Senate testimony, Lynch proposed that private-sector databases such as Facebook’s should be required to obtain consent or an opt-in from consumers to any facial recognition system.

#5: Scanning in the name of cybersecurity

You may not be a malicious hacker, but that doesn’t mean your online activity won’t be scanned for telltale signs of cybercrime. The federal government has made cybersecurity a high priority, as concerns grow over the vulnerability of the nation’s infrastructure to a computer-based attack.

The Presidential Policy Directive concerning cybersecurity lists business sectors that the Administration considers critical—and therefore, in need of online watchdogging. Some sectors, such as “Commercial Facilities” and “Critical Manufacturing,” lend themselves to broad interpretation.

“The definition is still in flux, so there’s a question about what ‘critical infrastructure’ will ultimately encompass,” says EPIC’s national security fellow, Jeramie Scott. A recent article by Reuters indicates that the government plans to expand its scanning of Internet traffic from three defined sectors: financial institutions, utilities, and transportation companies. Collectively, that covers a lot of consumer activity.

Your online activity could be scanned for telltale signs of cybercrime.

Even though the data is supposed to be scanned only in aggregate (so as not to pinpoint individuals), the methodology used in choosing and storing the data raises additional privacy issues. “The executive order on cybersecurity called for protections based on the FTC’s Fair Information Practice Principles, but it doesn’t mean the companies doing the scanning are abiding by these principles,” says Scott.

The proposed CISPA, reintroduced in February, reopens many issues around cybersecurity and privacy. “CISPA would allow companies to share much more detailed information than the aggregate data that is planned to be shared now,” says EPIC’s Scott.

Privacy threats could be solved

This year’s online threats to privacy will continue to grow unless Congress and other decision-making bodies offer some meaningful support for privacy. Witnessing the conflict between privacy and civil liberties advocates (on one side) and business and law-enforcement interests (on the other) may seem a bit like watching a particularly nasty tennis game, but it all boils down to a matter of openness versus secrecy.

Privacy advocates see Do Not Track as a no-brainer fix for the many privacy issues related to cookies. Marketers point to the ongoing success of data-driven, targeted Web advertising, which cookies make possible, as an indirect endorsement of their methods.

Consumer behavior might be sending conflicting signals, but nonpartisan research suggests a need for more, not less, protection. According to Mary Madden, a senior researcher for the Pew Research Center’s Internet & American Life Project, “Privacy concerns do have an influence on user behavior.” Studies conducted by Madden and her colleagues indicate that cell-phone users are likelier to discard an app if they don’t like the way it uses their personal information.

Trevor Hughes, who looks at privacy from an organizational perspective as CEO of the International Association of Privacy Professionals, says, “The one thing that can threaten big data is getting privacy wrong and screwing up consumer trust. The companies that miss that message are going to suffer.”

One thing is certain: Resolving online privacy issues will be essential as new devices—smart cars, watches, Google Glass, and more—add to the growing data stream. “Make no mistake, everything we touch that is digital in the future will be a data source,” says the IAPP’s Hughes. “I can imagine lots of great things emerging from this. But the privacy things have to be fixed.”
