Internet Privacy and ID Protection Remain a Big Problem—but at Least Things Are Improving

Posted on by Robert Ackerman

A year ago, I wrote a column for RSA Conference that said, in effect, that there was no such thing as privacy on the internet—and that this was degrading our way of life.

Facebook and Google may know more about you than you do, I added, also quoting a succinct remark by Bruce Schneier, a computer security professional and fellow at the Berkman Klein Center for Internet & Society at Harvard University. His eight-word comment said it all: "Surveillance is the business model of the Internet," he proclaimed.

There were plenty of reasons for concern. Former Facebook director Roger McNamee excoriated the company for serial violations of user privacy. Google had just admitted that it had exposed the private data of hundreds of thousands of users of its now-defunct Google+ social network. A survey by found that many top sites claimed that personal information wouldn’t be shipped to third parties—but did just that anyway.

Happily, however, the backdrop today is changing for the better—and this includes security and identity protection, as well as enhanced privacy safeguarding. And this isn’t merely opinion. It’s based on hard facts, including these examples from the past few months alone:

– YouTube announced that, starting this month, it will limit the data it collects on videos designed for children. Specifically, Google will stop showing data-driven personalized ads on videos for children. In addition, Google won’t allow comments or other features that can boost child viewership, such as pop-ups suggesting additional content to watch.

– Apple’s® new iPhone iOS 13 operating system, released last September, regularly provides users with pop-up notifications for each app that tracks location while not in use. Each notification gives users the option to let the app use their location data only when it is in use. Already, tens of millions of iPhone users have blocked the ability of apps to track location when not in use, according to Location Sciences, a company that verifies mobile location data.

– Among new California laws that became effective January 1 is one offering first-of-its-kind online consumer privacy protections. This law—the California Consumer Privacy Act—gives consumers the right to request that companies collecting their personal data delete the information and stop selling it. Google, for one, has already reworked some of its practices to comply.

This law was designed to make data-trafficking companies and tech giants such as Amazon, Google parent Alphabet and Facebook more transparent about how they handle user data. But the law applies to any for-profit business in California with annual revenue exceeding $25 million or that holds personal information on at least 50,000 consumers.

This is good news for both privacy and security, which are intertwined. Privacy relates to any rights you have to control your personal information and how it is used. Security, by contrast, refers to how your personal information is protected. For virtually everyone who is regularly online, different data about them resides in multiple places, challenging privacy as well as security. Some people consider privacy and security to be pretty much the same thing, but, while similar, they are different.

The aforementioned positive developments shouldn’t suggest, even for a moment, that internet users no longer have to be concerned about and wary of security and privacy violations. Fact is, your digital identity has three layers, and online users can protect only one of them.

What folks do control is the first layer, which consists of data you feed into social media and mobile applications. This includes, among other things, your profile information, your public posts and private messages, your “likes,” search queries, uploaded photos and websites you’ve visited.

What you do not control are the second and third layers. The second layer is composed of behavioral observations—not the choices you make per se but the metadata—data about other data—that gives them context. These observations include things you probably don’t want to share with everybody, such as detailed data about your relationships and your real-time location. Also tracked, among other things, are when you’re online and offline, content you’ve clicked on, how much time you’ve spent reading it, and your shopping patterns.

The third layer encompasses interpretations of the first and second layers. Your data is analyzed by various algorithms and compared with other users’ data for meaningful statistical correlations. This layer infers conclusions about not just what people do but who they are, based on their behavior and metadata.

Folks should also be mindful of identity theft, which typically results from online data theft or credit card fraud and has become a borderline crisis because of ubiquitous corporate data leaks. According to the 2019 Identity Fraud Study by Javelin Strategy & Research, the number of American consumers victimized by identity theft fell to 14.4 million in 2018, the latest figure available, down from a record-high 16.7 million in 2017. But identity fraud victims in 2018 bore a heavier financial burden. Some 3.3 million people were responsible for some of the liability of the fraud committed against them—nearly three times as many as in 2016.

When an imposter uses a victim’s identity to buy something and skips out on the bill, the headache can last for years. Unpaid bills leave a big blemish on your credit report, which, for example, can prevent you from buying a home. It can even hurt your job prospects, because many employers now routinely look at credit history when assessing job candidates.

The good news regarding identity theft and security and privacy issues writ large is that consumers have the power to enhance their security and privacy.

Among other things, they should regularly change default passwords, use strong, hard-to-guess passwords, turn off location services on smartphones when not needed, and consider using a more secure virtual private network. People should also make a point to sidestep phishing scams and refrain from using public and “eavesdroppable” Wi-Fi networks as much as possible.

Last, it may also make sense to take more drastic steps, such as avoiding the use of highly scrutinized Gmail and Google, possibly replacing the latter with DuckDuckGo, a rival website search engine that doesn’t track you or your searches. Internet users should also refrain from signing on to a new website with a “Sign in with Facebook” shortcut button, which enables companies to track you on other sites.

The upshot of all this? Companies, either voluntarily or forcefully, have begun taking important steps to improve online security, privacy and identity. And this is an extremely positive development.

But it has a long way to grow and evolve. So internet users are well advised to continue to share the burden of improving their online security and privacy by elevating the number of steps they already take. 

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

