Today is Data Privacy Day, a dedicated to raising awareness of the importance of protecting privacy of personal information online.
We decided to take the opportunity to review what data privacy is, why it’s important, how your data could be compromised, and what you can do to protect yourselves.
Let’s start by breaking down what “private data” means.
Data is information. In the internet age, the amount of existing information readily available continues to grow exponentially.
Privacy is the right to not be seen, under any definition of the term, for whatever reason. It’s a fundamental human need to not be observed, and it’s been scientifically proven that humans behave differently when they know they’re being observed than when they at least feel like they’re alone. That’s a good thing.
Privacy lets you explore thoughts and ideas that you wouldn’t necessarily want the world to know about and elevates moments spent with family or loved ones to cherished memories or creates the safety required to be vulnerable.
Privacy also protects sensitive information that could be used to impersonate you, take your money or your things, or embarrass, humiliate, or blackmail you.
Private data can fall generally into three categories private business data, private customer data, and private personal data.
Private business data might include:
- non-disclosure agreements
- internal company emails, and
- contracts with vendors or customers
Private customer data might include:
- special sales contracts that have security clauses, or
- financial information about transactions
In the case of insurance companies it could include information about policies and claims.
Personal private data could include:
- personal identifying information (your name, address, phone number, email, usernames, and social security number)
- financial information (your bank account number, salary, loans, and tax information)
- communications (chats, phone calls, text messages, social media posts, even private photographs)
- medical data (test results or observations), and
- behavior both online (your search engine or e-commerce searches, or your browsing history) and off (location information from your smartphone).
Why is this information valuable?
Your personal data is, first of all, valuable to you.
Some private data is sensitive and could be used to harm you in some way or another, to steal from you, or embarrass you. Other private data isn’t necessarily sensitive information, but is still information that can be attached to you as an individual but couldn’t necessarily be used against you. Obviously the border between the two can shift over time, but any information that can be considered sensitive can be used to hurt you.
Personal data has been called the “oil” fueling the internet economy. That’s true both with the above-the-board, legal online economy as much as it is with the underground internet economy.
The “above-ground” internet economy mostly uses your personal data to directly advertise to you. That makes your private data value to advertisers. Online tracking lets advertisers target an online ad on a news website you visit to you for the shoe you looked for on an e-commerce site. Ads can also be targeted to you based on the demographic information you provide to social media sites, or based on your previous browsing habits. The more minute information marketers may have about you, the more minutely they can target you with ads. And that may or may not be what you want.
Your private data may be valuable to people who you don’t want to have access to it. If your personal data is stolen, the thieves themselves might use your data, or they could sell it either to marketing companies or to identity thieves, spammers, botnet operators, or even organized crime rings.
Thieves might use your credit card number to make purchases in your name with your money, or your social security number to commit tax fraud, or get a credit card in your name.
Spammers make money by buying lists of email addresses that they send ads to. They get paid per click or per ad impression.
The more information that cybercriminals can collect about you from various sources, the more complete a picture they can get of you, the more damage they can do. They might get your name from one place, your credit card number from another, and your PIN from another source.
Who has your private data and how did they get it?
When you sign up for social media sites or start using a search engine, giving up your private data might be the price you pay to get access. While regulations like CCPA and GDPR help with transparency, a site might require that you accept tracking cookies that record your browsing history in order to use the site.
Any time you create an account or make a transaction online, your private data is also recorded, at least by the company you’re transacting with, if not by a third-party. Likewise, when you use location tracking services on your smartphone or use health or fitness apps, data are being recorded.
Sometimes this might be information that you knowingly share, but many times users don’t understand what information they’re giving. It’s usually obvious that some information is being collected, but exactly what might be buried in terms of service agreements or just not readily visible to users.
In addition to private businesses getting your private information, domestic or foreign governments may also have access or gain access to your private data.
Whistleblower Edward Snowden revealed in 2013 massive global surveillance programs undertaken clandestinely by the United States government that included paying tech companies for access to email accounts, mass tracking of online behavior, and wiretapping based on email address alone. Besides clandestine operations, any data you give to a private website could potentially be requisitioned by a subpoena from a judge.
And beyond “voluntary” and legal forms of acquiring data, there are also illicit ways of acquiring private data as well.
Gaining access to systems and information illicitly is called hacking, and the various tools in the hacker’s toolkit comprise the main means for cybercriminals to acquire your private data.
Hackers have a range of motivations, not just money. Hackers looking for a challenge might target IT security firms. If they want to be famous, they might go for high-profile targets. They might also be just practicing or experimenting, orchestrating a publicity stunt, or seeking to express themselves politically.
Some attacks are targeted, while others are bots released to search for and exploit vulnerabilities. When they are targeted, hackers might use public records and search engine searches to develop a comprehensive picture of their target and their weaknesses.
Hackers can steal your personal private data through phishing and malware. Here’s how:
Phishing is anytime someone pretends to be some trusted entity, like a bank, the government, or a service provider, in order to get your personal data.
Traditionally, this is a fake email that looks legitimate asking you to reset your password, verify your account information, or sign-in to a fake version of a legitimate website, whereby hackers obtain your personal information.
Spearphishing is a kind of phishing that is targeted to specific individuals
This is a type of phishing that takes place over text message
This is phishing but over the phone, like calls claiming to be from the IRS or your bank
Malware is any kind of software that steals your private data. Here’s how:
Viruses hijack a computer system’s core resources.
A worm is a type of virus that filters information back to hackers
Trojans are malware that come wrapped in an innocuous package
Keyloggers track everything you type and where you type it
Malicious mobile apps
Some smartphone apps might ask for permissions that hackers can then use to get data about you like your messages, your contacts, or your personal photos and videos
These are a few common tools, but hackers have many tools at their disposal.
How to protect your private data
Clearly, your private data is valuable. Companies ask (or don’t ask) you for it, governments take it, and criminals steal it. But how can you make sure your private data stays private?
As a business
First and foremost, know what makes your business vulnerable. If you’re a company that’s been around for awhile, you might be using older software that was developed before many of the threats businesses face today were even thought of. Upgrading software regularly is one of the most important things a company can do to safeguard its private data.
Your company might also not put a premium on security. Oftentimes it takes an attack for companies to start to respond to vital security failings. Making sure your management takes security issues seriously is another important step. That can lead to security trainings for employees and security-minded approaches to developing new products and services.
Since hackers can often piece together information from public sources, one way you can anticipate what they know and plug any holes is by researching what’s already available publicly online. If you want to go a step further, hire someone to try to hack into your company’s systems and find your vulnerabilities.
Also be sure to encrypt communications and data as often as possible.
As a customer
As a customer, or just a user, you have a right to know what different online entities are doing with your data. Those that do business in the European Union are covered by the GDPR, and your rights are more clearly defined. If you’re a resident of California, CCPA offers a limited version of GDPR’s privacy rights.
Knowing who has collected what data from you and what they’re doing with it is essential to protecting your private data. Partner with businesses that collect only what they need, are transparent about what they do with them, have good security practices, and rely on strong authentication mechanisms.
As an individual
There’s a lot to do as an individual to keep your data safe from hackers. Here are just a few:
- Avoid public WiFi
- Only provide data on websites secured with TLS
- Encrypt your disks and have your laptop autolock
- Use encrypted communications and data
- Use 2-factor authentication
- Don’t use easy-to-guess passwords
- Don’t leave accounts signed in (on your unlocked computers)
- Keep software updated
- Don’t click suspicious links
- Independently verify emails asking for personal information
- Be careful about what information you share on social media
- Use a VPN to keep data safe
On your smartphone, be on the lookout for apps that request permissions to:
- SMS messaging
- Admin permissions
As a citizen
Finally, you can protect your private data as a citizen. “Privacy” is sometimes a fluid right that’s changed over time. As technology advances, the ability to “listen in” becomes easier and easier, and laws and law enforcement must evolve to catch up with abuses of that technology, whether by private businesses, public entities, or criminals.
Regulatory frameworks like CCPA and GDPR give users more rights to know about what companies are collecting and what they’re doing with it.
For our part, we support initiatives like EFF and Fight for the Future, who advocate for and on behalf of our rights as internet users to have keep our private data private.