Data Privacy Explained


What is Data Privacy?

A. Simply put, Data Privacy is just privacy … albeit the modern, updated version of privacy, but still just privacy. Until quite recently the concept of privacy was limited to having some quiet time alone, free from being spied on while in compromising states of partial apparel, or not being exposed to the aggressive attentions of people trying to get hold of us.

This type of privacy was and still is a cherished attribute in our society, one that consumers seek when buying houses, planting bushes, building fences, tinting windows, parking off street, going on vacation, and lowering the shades; most people aren’t truly comfortable without at least a modicum of this treasured state somewhere in their lives.

How is our privacy threatened? 

A. The peeping toms of the world are now on the internet and have upped the ante. Cyber peepers now have something like x-ray vision: they can peer right through our seemingly carefully crafted privacy shrubbery, collect data on us from afar, and learn enough about us to violate our privacy in numerous ways.

It’s still our good old-fashioned privacy that is being broken, but this new type of invasion redefines the scope of privacy and necessitates new deterrents in this arms race of spying. Upgrading to lead curtains may stop x-rays but will do little to stop cyber criminals from prying into our lives.

Originally we thought that surfing the Internet gave us a view of the world; now it appears that using the internet gives the world a view of our private lives. If a consumer, citizen, employee, or business wants to maintain some of that good old-fashioned privacy, they are going to have to adopt a new rigor that includes sheltering every aspect of their lives, physical and virtual, from public view. Privacy shrubbery just got a lot more complicated.

What can we do to protect our privacy?

A. These days it is not only important to screen your garbage, making sure that nothing with personally identifiable information (PII) is cast into the public refuse domain; we must also adopt a new vigilance around keeping our cyber identity out of the public cyber domain, away from both cyber criminals and cyber corporations.

We are best advised not to allow any personally identifiable information to go public: bills, meetings, vacations, grades, car repairs … almost anything can be used by clever criminals or relentless companies to steal our money or to get us to spend it.

Why is privacy important to people?

A. Even more fundamental than just taking our money is the sense of violation that accompanies a Data Privacy breach. Some people may ask, “Why do I care if they learn about my water bill?”

Let me partially answer that by asking, “Why were we so nervous about being spotted in our jammies?” It’s because privacy is ancient; it’s in our evolutionary foundation, a core primitive urge. We want to choose when to reveal ourselves and when to conceal ourselves. We own our privacy, and we want to control it.

When our trash is picked through or our mobile phone is sniffed, we are no longer deciding what will be revealed about ourselves, not to mention what will be done with that data.

Why is there so much confusion around privacy?

A. As we know, some people are not bashful about being caught lederhosen-less by the mailman; an incidental moment of nudity doesn’t faze them. But if that same exact exposure were purposefully captured by a voyeur, most people would be quite alarmed, because there was no consent.

In our collective sense of justice, we get to decide our privacy. We can give it away whimsically or enforce it rigidly. By definition we surrender some privacy to family and friends, but even that is on a well-understood basis of consent.

When little brother reads big sister’s diary, there is no confusion about the law being broken, but when Big Brother collects data tidbits around every transaction, consumption, and display of preference there is an enormous and deliberate cloud of confusion over what, why, and when laws are being broken. Are they collecting data to deliver comprehensive service, or harvesting data to sell downstream?

Where is the line of privacy?

A. Consent. The way corporate America would like to spin it is that they are so conscientious about your consumer needs that they are willing to gather this data in order to better serve you … we all know very well that this is bullshit; the fact is that corporate America is milking you, and when they claim otherwise they are adding a lie on top of the thievery.

Gathering data without consent and without a clearly stated, limited, and required purpose is unwanted surveillance, nothing less. This is spying, and spying is stealing data. When it’s done via an outhouse knot-hole we call it a perversion; when it’s done via a Google cookie they call it marketing.

No one would agree to being spied on if they knew what Big Brother was actually doing. They have their own best interests in mind, not yours. So why do they keep doing it, if no one wants it? Two reasons: 1) because they can; 2) money.

Who are the culprits?

A. In much of the cybersecurity marketplace we are preparing for attack from a criminal adversary, a hacker, who wants to maintain their anonymity and steal from us. They are ruthless, persistent, and very dangerous, but somehow we understand their motives.

When it comes to Data Privacy we have the same threat actors, the hackers, trying to assume our identities, proxy as us, and steal something, but we also have a new villain, by no means new to crime but freshly exposed in their newest crime spree: Corporations.

Corporations don’t bother to hide who they are or what they are doing. They gather data right out in the open, not necessarily being straightforward about it but not hiding much either, and they gather as much as they can, wherever they can; in many cases they don’t even know why.

It is simply understood that if you have a lot of data, you might be able to extrapolate something monetizable from it. Here’s how it goes: if somehow the manufacturer of something as mundane as brassieres can figure out that a potential customer is in a probabilistic region of needing, or being interested in, a new bra, whether by the webpage they dwelled on, the purchase date of their last bra, their new Tae Bo membership, a vacation, weight gain, maturity, or even projected elasticity expiration, perhaps even before the customer knows it, then the vendor can focus its advertising “attack” on them and win that bra sale. That simple. All in software, under the radar, automatically, incognito, with a coupon, and without a salesman. This is business magic, and the corporations are never going to let go of this winning end-game mind-control technique, because it works, unless of course we beat the vendors with a stick, and even then we need to make sure we are beating the actual CEO, CFO, COO, CMO, CIO, CSO, CTO, CRO, not to mention the CPO (Chief Privacy Officer).

I would say that corporations would stop at nothing to maintain this type of manipulation, but unfortunately the corporate world has already won the war. The battle for privacy is lost.

Consumers are now postwar refugees. Many of us are suffering from Stockholm syndrome, sycophantically in sync with our captors, enthusiastically self-enslaved; others, like us Cyber Exiles, are rebels who refuse to be harvested for data.

What is the stick that will restore Data Privacy?

A. The stick that we intend to beat the C-levels with is the still emerging and notoriously late-to-the-battle Data Privacy Regulation. OK, not really a proper stick fit for beating a malicious exec with, more like a twig, but with a good arm and aim we may get a face shot, maybe even a couple of stitches.

The Data Privacy Stick is a set of regulations that govern how data is collected, shared, and used. In general, we want four main things from our Data Privacy Regulations:

  1. Transparency: Clear and concise information about the data practices of companies you interact with, and easy access to the information they have about you.
  2. Data use rules: Standards to ensure that companies use your data only for the things that you have agreed to let them do.
  3. Data minimization rules: Requiring companies to collect only data that’s needed to make the product or service work correctly, to protect that data with basic security measures, and to safely destroy it after use.
  4. Enforcement: A privacy regulator with the power to enforce the rules.

Too much to ask for? I don’t think so. Number 4, Enforcement, is my favorite, because without serious enforcement nothing will change.

We need to treat deliberate breaches of Data Privacy for what they really are: white collar crimes that deserve putting C-levels in jail for long periods of time. This won’t be easy; remember, they have already won the war.

We have two things on our side, more like one and a half: the population of Planet Earth that does not want to be spied on, and the government. As many of you know, GDPR, the first serious attempt at Data Privacy Regulation, is only applicable in Europe, but it offers guidance and inspiration to US regulators; the CCPA is only applicable in the other Europe (California), but it gives us a toehold on this continent and represents a good template for an eventual federal law.

In its first 20 months on the books, GDPR saw about 160,000 data breach notifications and US$126M in fines. The largest fine, $57M, was levied on Google for lack of transparency, and a $238M fine against British Airways is still in the courts. GDPR also contains a concept called the Data Subject Access Request (DSAR), which gives individuals the right to write to a company and request all of the data it holds on the requester. This is the first time such a right has been given a legal framework across so many jurisdictions at once.

In the US, agencies such as the FTC and NIST are making efforts but have generally done nothing big so far. The US is the only large nation with no comprehensive Data Privacy Regulation, and it’s still open season on data harvesting in the USA. In the 1980s a Supreme Court nominee’s video rental history was leaked to the press, so we got the Video Privacy Protection Act out of that one, a good baby step. In the 1990s we were lucky enough to get HIPAA passed so that medical records can’t be mined for profit, but it’s more about medical insurance coverage than privacy.

Since then Congress has played with some bills, but there is nothing major to report. Senator Marco Rubio claimed to be sponsoring a privacy bill at one point, but in standard Republican misdirection it was only aimed at preventing the government from collecting data, and had it passed it would have terminated all of the existing state privacy regulations in California, Utah, Vermont, Washington, and New York. In reality the Rubio bill would have weakened already weak privacy regulations; thanks for nothing, Senator Rubio. I’m sure his data-mining donors were thrilled for a while.

For some strange reason Republicans don’t seem to like privacy, but then again, Republicans are fairly consistent in voting against themselves. Maybe they think their handguns are going to protect their data?

Why is this so hard?

A. Besides the policy battle between corporations and citizens, and between Republicans and informed voters, there is still a very hard problem that makes solutions for Data Privacy so elusive: there is a clear inverse relationship between convenience and privacy.

In order to use our data and enjoy all the conveniences of online, instant, and mobile transactions, data must be exposed, and whenever it is exposed it is susceptible to unwanted sharing. If we make the data too private or lock it up too tightly, convenience starts to degrade. At some point the only truly safe data is on a locked-up and powered-down disk drive. All forms of making data useful involve exposure. So how do we solve this conflict between using and securing data?

First, of course, there is technology. Let’s tech our way out: get the right kind of encryption and authentication, make it easy to use and cheap to consume, and thwart the criminals. I believe in this route, I am a technologist, but I know it won’t be a single invention or new product that changes everything; it will be a process that never ends, a cyber arms race in perpetuity.

However good that might be for my career, I don’t wish that result upon our civilization. I prefer, however unlikely it may be, a more noble solution: for corporations to stop being crime syndicates. Simply stop chasing the paradigm of “profit at any cost”. By the way, this would simultaneously solve six or seven of our top ten planetary issues.

If corporations would simply stop trying to exploit the public for corporate gain, then we could start to trust them. If we trusted corporations, then we could focus crime fighting on just the criminals. Cybersecurity practices could be simplified, because the business world would be on the side of fairness and the betterment of humanity … yeah, I guess not. Better stick with technology.

What technology is available for helping protect privacy?

A. Virtual Private Network (VPN). It is good practice to keep a VPN active for your small business or home network traffic. A VPN encrypts everything between your device and the VPN provider’s server, so anyone on the local network, and your ISP, sees only that you are talking to the VPN, not what you are sending or to whom. It’s the computer equivalent of a privacy envelope in the traditional mail instead of a postcard. The caveat is that the VPN provider can open the envelope: you are moving your trust from the ISP and the coffee-shop router to the VPN operator, so choose one whose logging policy you have actually read.

Don’t use public Wi-Fi to share private information such as banking details or other personally identifiable information. A protective step you should take on any public Wi-Fi is to use a VPN client on your PC, tablet, and mobile phone. Launch it as soon as you connect, or as soon as you have passed the hotspot’s login page, since the tunnel usually cannot come up until that page has been cleared.

Be careful with your browser choice, and consider using a tracker-blocking extension such as Ghostery.

Think about the information you are sharing and with whom. For example, the internet meme that asked you to upload a picture of yourself now and one from 10 years ago was handing facial recognition data, along with a record of how you have aged, to a third party. Ask yourself whether you really need to fill in this form, share your favorite whatever, or post other things that help identify you and your likes and dislikes.

Make sure you have up-to-date antivirus and endpoint protection (preferably not from McAfee).

Don’t reuse passwords, and make sure the passwords you do use are not things like the street you live on, your maiden name, or your pet’s name; those are exactly the facts a data harvester already has on you. Length and uniqueness per account matter more than complexity: a long, unique password beats a short, complicated one.


Cybersecurity Architect / Evangelist Elliott has 30+ years of experience as an IT Manager/Engineer across a broad spectrum of technologies and roles. He writes here on Cyber Security and Data Privacy.
