The 5 biggest online privacy threats of 2013

#4: Data never forgets a face

Posting and tagging photos online may feel like innocent fun, but behind the scenes it helps build a facial recognition database that makes escaping notice increasingly difficult for anyone.

“Most consumers are already in the largest facial recognition database in the world, and that’s Facebook,” says EFF's Lynch. Indeed, the immense quantity of photos uploaded to Facebook makes it the poster child—or rather, giant—for the privacy issues surrounding this technology.

In testimony before the Senate Judiciary Committee in July 2012, Lynch described how Facebook users were, at the time, uploading about 300 million photos to the social networking site every day. Facebook uses the tags associated with those photos to build ever-more-detailed “faceprints” of what you and your friends look like from every angle.

Facebook is a generous source of face-recognition data, and now Facebook Home, announced last Thursday, could spill even more location data than in the past.

If Facebook used this data strictly to help you find other people you know on Facebook, it might be okay. But Lynch says that when Facebook sells user data to third parties, photo data may be included—and the sanctity of the data afterward is uncertain. “Facebook says it takes care to protect the data, but we don’t know how they do it,” she says.

Lynch’s 2012 Senate testimony also noted that the government has reviewed or requested Facebook data for purposes as varied as citizenship applications, criminal cases, and security checks. “We know that law enforcement asks for this information from Facebook,” Lynch said recently. “They don’t just ask for your post, but all photos you’ve been tagged in.” Access to Facebook data allows law enforcement officials to move beyond the blunt instrument of a mug shot or a driver’s license photo to find people much more easily.

And Facebook isn’t the only source of facial-recognition data. Companies such as Google and Apple have facial-recognition technology built into some of their applications, too—most notably online photo sites. According to John Simpson of Consumer Watchdog, “Someone can take a photo of you and then track you down based on other identified photos of you that may have been posted on the Web. It’s scary and opens very real dangers of being stalked.”

The future of facial recognition offers scant comfort. Continued advances in surveillance technology, including drones and super-high-resolution cameras, will make identifying individuals in public places easier than ever, especially if the entity doing the surveillance has a nice, fat, facial-recognition database to consult. As with other cloud-based data, revisions to the ECPA could boost privacy protections for digital photos—depending on what gets enacted. Says Lillie Coney of EPIC: “If they’re not locked down, photos could be part of our information economy that can be generated into revenue, sold, traded, used. You don’t know where they are.”

In her Senate testimony, Lynch proposed that private-sector databases such as Facebook’s should be required to obtain consent or an opt-in from consumers to any facial recognition system.

#5: Scanning in the name of cybersecurity

You may not be a malicious hacker, but that doesn’t mean your online activity won’t be scanned for telltale signs of cybercrime. The federal government has made cybersecurity a high priority, as concerns grow over the vulnerability of the nation’s infrastructure to a computer-based attack.

The Presidential Policy Directive concerning cybersecurity lists business sectors that the Administration considers critical—and therefore, in need of online watchdogging. Some sectors, such as “Commercial Facilities” and “Critical Manufacturing,” lend themselves to broad interpretation.

“The definition is still in flux, so there’s a question about what ‘critical infrastructure’ will ultimately encompass,” says EPIC’s national security fellow, Jeramie Scott. A recent article by Reuters indicates that the government plans to expand its scanning of Internet traffic from three defined sectors: financial institutions, utilities, and transportation companies. Collectively, that covers a lot of consumer activity.

Even though the data is supposed to be scanned only in aggregate (so as not to pinpoint individuals), the methodology used in choosing and storing the data raises additional privacy issues. “The executive order on cybersecurity called for protections based on the FTC’s Fair Information Practice Principles, but it doesn’t mean the companies doing the scanning are abiding by these principles,” says Scott.

The proposed CISPA, reintroduced in February, reopens many issues around cybersecurity and privacy. “CISPA would allow companies to share much more detailed information than the aggregate data that is planned to be shared now,” says EPIC’s Scott.

Privacy threats could be solved

This year’s online threats to privacy will continue to grow unless Congress and other decision-making bodies offer some meaningful support for privacy. Witnessing the conflict between privacy and civil liberties advocates (on one side) and business and law-enforcement interests (on the other) may seem a bit like watching a particularly nasty tennis game, but it all boils down to a matter of openness versus secrecy.

Privacy advocates see Do Not Track as a no-brainer fix for the many privacy issues related to cookies. Marketers point to the ongoing success of data-driven, targeted Web advertising, which cookies make possible, as an indirect endorsement of their methods.

Consumer behavior might be sending conflicting signals, but nonpartisan research suggests a need for more, not less, protection. According to Mary Madden, a senior researcher for the Pew Research Center’s Internet & American Life Project, “Privacy concerns do have an influence on user behavior.” Studies conducted by Madden and her colleagues indicate that cell-phone users are likelier to discard an app if they don’t like the way it uses their personal information.

Trevor Hughes, who looks at privacy from an organizational perspective as CEO of the International Association of Privacy Professionals, says, “The one thing that can threaten big data is getting privacy wrong and screwing up consumer trust. The companies that miss that message are going to suffer.”

One thing is certain: Resolving online privacy issues will be essential as new devices—smart cars, watches, Google Glass, and more—add to the growing data stream. “Make no mistake, everything we touch that is digital in the future will be a data source,” says the IAPP’s Hughes. “I can imagine lots of great things emerging from this. But the privacy things have to be fixed.”
