Social security, part 2
04/03/2008
As Google, Facebook and other companies continue to draw attention over privacy concerns, what steps, if any, should be taken to protect our privacy online?
Applications guru
Roger Greene
Ipswitch
I tend to agree with those who advocate that users should own and control their data, with the right to decide who has access to it. We’re far from that point. Today we have islands of data kept by many vendors, and users have very little control over how it’s used, or how accurate it remains in each island. Opt-out works much better than it used to, which is good, but that’s more about when a company contacts you than what information they keep. A problem is that user data is increasingly valuable to companies, so there will be more tension between users (who will become more vocal about protecting their privacy) and companies (who want to make use of all of that data to sell more).
Europe is far ahead of the US in protecting users’ privacy, and the rest of the world should look there for guidance. I think it will need to come down to governmental regulation, which will probably require a user rebellion in the States, given how much power vendors have here. Thus far, in the US, the convenience of the internet has trumped concerns about privacy. I think that will change, but probably only after one or a few major incidents that vividly show the public the perils of a casual approach to privacy. Statistics about identify theft, for example, haven’t been enough to get a strong, widespread reaction.
Roger Greene is founder and CEO of Ipswitch, developers of innovative IT software.
Social media and comms expert
Rachel Hawkes
Elemental Communications
We need to educate ourselves, and start implementing a level of caution before we go ahead and plug our details into another social network or upload photos of our niece’s ninth birthday party.
We are quite often contradictory when it comes to our own privacy. We will happily add all our personal information to Facebook, yet we will complain about the invasion of CCTV.
As individuals, we must stop relying on the government to implement control measures to protect our privacy – hell, they can’t even do it themselves (I’d refer you to HMRC). The general rule of thumb should be, “If I wouldn’t hand out my mobile number, pictures of my family, address and drinking habits to the person next to me on the tube, then I shouldn’t upload it."
We must presume that all information we enter online is fully indexed and available to anyone who should be interested. Education of the MySpace generation is paramount: the majority think nothing of the potential long- term consequences of their online behaviour and are too freely sharing their lives.
As technology continues to advance at a scary rate, facial recognition search will quickly become part of our day-to-day online lives: this is indeed a scary prospect. To put that statement in context, if I look ahead to five years’ time and Joe Bloggs is applying for his dream job, a quick search by the prospective employer will not only return his MySpace, Bebo and Facebook profiles (fully visible to the general public) but also compromising photos he uploaded to Adult FriendFinder in a late night moment of boredom four years prior. Although his CV is excellent, he doesn’t get the job because the would-be employer judges his character to be in conflict with her own values.
As for social networking sites, online publishers et al, they should more clearly communicate their privacy statements and give us, their consumers, their bread and butter, better control of what information we share and how, when and whom we share it with.
Rachel Hawkes is co-founder and editor of the Social Media Portal (www.socialmediaportal.com) and account director at Elemental www.elementalcomms.co.uk), the media communications consultancy.
Ecommerce specialist
Chris Barling
Actinic
My son has just beaten off an attempt to sue him over a car accident. He simply pointed out that according to Bebo, the seriously injured person had not only been out partying every weekend since the crash, but had also been headbutting people.
It’s an interesting story that illustrates a few of the pros and cons of showcasing your life online. When it comes to personal privacy, people tend to fall into one of two camps – those who care about their privacy online, and those that don’t. Those who don’t care, such as Jeremy Clarkson, either don’t understand the risks, or are too young to care.
I’m not a privacy nut myself, but I do take care to protect my identity, and would advise others to do the same. For that reason, I try to keep a strict separation between my work and personal life. While I promote my business, I try not to make myself vulnerable to identity theft.
The good news is that this isn’t hard. With just a few clicks you can change your profile on sites like Friends Reunited to make them slightly more vague. You can remove dates of birth and the first line of your address from services such as Skype. Offline, risks can be mitigated by having an ex-directory phone number.
If you want to go mad, you can even check your credit rating regularly and opt out of the electoral roll. But be warned. There is a potential downside because the less information there is about you in the public domain, the harder it becomes for people to verify your real identity. Go too far and you run the risk of having your own online orders flagged up for potential fraud!
So, as with pretty much everything in life, it’s all about balance. The good news is that there is plenty of low hanging fruit out there for organised crime to feast on. So long as you do the basics well, you will make your own risk very small.
Chris founded the well-known ecommerce software development company Actinic in 1996.
Hosting specialist
Neil Barton
Hostway UK
There has been a great deal of debate over data privacy in the last 12 to 18 months, particularly with the recent lost laptop/disc fiascos, as well as the now-shelved Beacon concept from Facebook, which would have shared data about user activity on external websites on the Facebook minifeed. One of the main problems with consumer privacy is that sites like Google, Facebook, MySpace and Bebo all record a large amount of personal information entered by the user, frequently for the express purpose of (albeit limited) sharing. However, on the flipside, many websites depend on advertising to exist, and while content tailored to the user is more likely to generate clicks, it also runs the risk of violating user privacy.
I do believe that a balance needs to be found, and this balance must be somewhere between ‘reasonable use’ and ‘reasonable intelligence’. The Data Protection Act states that user data can only be used for the purposes for which it was collected, and this implies “reasonable use”. After all, there is an expectation of trust when a person sends an email – you do not expect the content to be shared with spammers and advertisers, and the same is true for the data on social networking sites. On the other hand, users must be aware that when they don’t tick the “you may not pass on my details to affiliates” box, they will get spam, and when they leave their Facebook profiles public with their personal phone number on the page, the next caller won’t necessarily be someone they know.
These conditions do put onus on both the user and the website in question. However, balancing the triple scales of privacy, funding websites via advertising and presuming a certain level of user intelligence is definitely more easily said than done.
Neil is the director of Hostway UK, which provides hosting services in the UK and abroad.
Media & PR expert
Tim Gibbon
Elemental Communications
Users need to understand what their rights are, what information they’re giving up, the implications of this and how to protect them. Surely it’s a site owner’s responsibility to ensure that its users can easily locate privacy information and that it’s written in a way that you don’t need a law degree to understand – particularly important should there be any breaches. They also need to offer advice on staying secure on their site, and any other for that matter.
Sites need to be sensitive to why their users signed up and wanted to use the service in the first place. Owners need to explain in a simple way what
their privacy policies are (in a plain and transparent way) and keep the users abreast of the latest privacy changes. You may wish to chat to your
friends online but not be processed with sophisticated technology to point tailored advertising at you – so you need to know in order to make a decision
whether you are OK with it (or not).
Ultimately, users need to be vigilant and protect their online privacy as much as they are able, and not rely upon corporations or governments to take
sole responsibility. The Electronic Frontier Foundation (EFF) published these top 12 ways to protect your online privacy by EFF Technology Director,
Stanton McCandlish (http://w2.eff.org/Privacy/eff_privacy_top_12.html) back in 2002, and they still offer great advice for any web user now.
Quite simply, the basics are:
- Choose a variety of usernames and passwords that are alphanumeric and personal to you and can’t be guessed by individuals that may know, or learn a little more about you (for instance, no pet, kids or spouses names).
- Don’t pass any personal information across the web or digital channels (mobile) eg Instant Messenger (IM), email, social network email systems and so on.
- Do not display personal information in social network profiles – for example, email address, date of birth or more importantly a combination of these.
A good rule of thumb is to treat personal information online and elsewhere as you’d do with a bank or similar.
Users need to understand the repercussions of giving out personal information and how it can (potentially) be used against them, whether it’s in an off or online environment. Current advertising and information for identity theft needs to incorporate the precautions we need to be taking online.
Associations, corporations, the legal system (including law enforcement) and media need to work together to reduce risk and highlight areas. We need to keep users up-to-date on the latest developments. Fortunately, we are being informed, but perhaps not as quickly as we’d like (or in fact, as quickly as we should be).
The recent HMRC data loss and the Royal Navy laptop thefts are just a few examples where it in fact took weeks for the enormous lapse in security to come to light. This clearly highlights that once your data is entered online (or your information is collated into an online system), then it may be transported or processed in other ways that are completely out of our control, so we are totally reliant upon the organisations that we entrust it to.
We can reduce risk and address the above, but the likelihood of the systems not breaking down again are remote; we just need to be prepared.
Tim is founder and director of Elemental Communications, a media comms consultancy that caters for traditional and digital media
Content specialist
Slim Vips
Modera
There are many steps to be taken to protect your privacy online. The best technology can help internet users to protect themselves, but if personal information is handed out so easily and without thinking about the consequences, these precautions become practically useless.
It’s always the weakest link in a chain that can expose you – which in reality can be the very organisation that you submit data to in good faith – so we all need to take every precaution. Consider the information that you share about yourself with your friends, family and now potentially everyone else, especially due to the proliferation of social networks and related technologies (if you use them). In being open and sharing yourself with the world, are you in fact being too open, leaving personal information available to be pieced together by those with criminal or malicious intent?
Topline advice is: never use the same usernames and passwords on all sites you are using; instead, use more challenging alphanumeric combinations that will help you to memorise them. And you also ought to refrain from writing them down, leaving them in reach of idle hands, or in a password document sat somewhere accessible on your machine – an absolute gem for the mischievous.
These are the basics that every user should use. Business users should be even more vigilant in that their information can be more sensitive; I wouldn’t recommend sending important information over public wireless networks, because you never know if there’s someone sitting nearby and collecting the 0s and 1s and later on processing the information back to original format.
It’s great having the choice of the ever growing Wi-Fi networks from coffee house to restaurant, but how safe are they? I always initiate an encrypted VPN channel before I start using a wireless network and I think that an internet privacy lesson should be mandatory to anyone before they access the web everywhere. A simple warning that you can be sharing information isn’t enough; there should be a heads up as to what the threats are and guidelines on how to make systems more secure.
There are procedures and techniques that you can do and you should do protect your online privacy and to remain vigilant. It’s never going to be 100 per cent safe, but you can make the life of the abusers more difficult. Get Safe Online (www.getsafeonline.org) is a good resource to start to learn more.
Siim Vips is a software development and content management specialist at Modera.
Interactive media
Colm Brophy
Conchango
Users need to be better educated about how privacy works (clicking an “I agree” button at the end of a legal document doesn’t count!). Websites should have a clearly explained policy and abide by the spirit of that policy rather than the legal minimum requirements. Flickr has a great record for this.
There’s a huge difference between real privacy or data protection and the perception of privacy; the number of sexual harassment cases and terminations due to breaches of usage agreements where internet records or email have been used as evidence should be testament enough to this.
The big question for users is “Can these companies be trusted with my information?” and there is no single answer to this. Google, for example, has a good track record of protecting their users and fighting hard to prevent governments from getting hold of such information. Facebook has had a less friendly approach towards its users. Facebook Beacon displayed users’ purchases (made on exterior sites) to their friends, initially without any option for the user to opt out.
The worrying truth is that in most cases your privacy is an illusion. While companies like Facebook, which has very explicit user data that the user has entered themselves may get the most headlines, data gained in more surreptitious ways, such as Google’s Double-Click, is potentially more harmful and more valuable to advertisers.
Colm Brophy is an Information Architect in Conchango’s IM team.
Security expert
Greg Day
McAfee
There are really two aspects that we must consider going forwards, these are how we disclose our personal data online and how others store and use our data online.
People are more trusting online than in their physical, non-virtual lives, and many people are happy to disclose their personal information when it is requested. As we grow up, we are told not to trust strangers, but on social networking websites it’s all about meeting strangers, building relationships and sharing experiences.
The challenge we face is building trust. In the physical world we usually learn to use our senses to make initial snap judgements about people. However, online most of us have to rely on the information people post about themselves and we have a limited number of ways to really validate their claims. Equally, many of us are over-willing to post information about ourselves – much of which, I suspect, we would not give out so easily if we were talking to someone on the high street. But the technology excites us into sharing this online and we feel removed from the reality of the level of interaction online.
One problem lies in the fact that the information we do disclose paints our digital persona, much of which can be used to gain access to the personal, secure data we have online. For example, information that people post about themselves can make it easy for others to guess their passwords (pets’ names, favourite celebrity/sports team, etc). Equally, the data people post can be enough often to mimic that person for some online activities such as opening bank accounts, applying for banks loans etc.
What most people also fail to realise is how that information accumulates. Our brains leak information so we only retain a portion of our knowledge over the longer term, but once we post it to the web, it has the potential to live forever. As such, every time we add a little more information about ourselves on the internet, our digital fingerprint grows. It does not matter that we post it to different sites as there are tools and organisations that can collate it together, either to use themselves, often maliciously for financial gain, or to pass onto others, whether that is a legitimate marketing company that wants to know our preferences to better market to us or the more malicious cyber criminal.
In the last year, it feels as though barely a week has gone by without some alarming media story of yet another worrying loss of data. The Data Protection Act has been in place for a number of years, but the recent disclosure laws in the US have started a trend of organisations having to make public any loss of customer information. Both the UK government and the EU are looking at similar laws in the future. These can only be positive steps for the public in terms of improving confidence in how their data is kept safe by third parties. While it’s vital that we take personal action to keep our digital identity secure, we must also be able to rely on those we share it with to keep it safe. In the meantime, we should all be asking the right questions of those with whom we share information, to understand how it will be stored and used.
Readers could follow the tips below to protect their privacy online:
If you are a regular user of social networking websites, only disclose a limited amount of personal information about yourself as you do not know who can view this information or the true identity of other users, although you should adjust any security settings that enable you to limit those who can see these details. It is important to be aware of how much information is available about you online, as a cybercriminal could gather information about you from a number of sources. A good guide here is to only give the information you would give to a stranger in the street, so your name and the town you live in are fine but you shouldn’t go as far as sharing your full address, place or birth or mother’s maiden name, as these are often used as security details.
Be extremely wary of people requesting personal information. People wouldn’t usually ask for usernames, passwords, credit card or National Insurance numbers. You should never provide personal data online unless you’ve initiated the contact yourself. Clever identity thieves may also pose as bank agents, phone companies and even government agencies, so before sharing personal information in such circumstances, confirm the organisation is legitimate by calling them directly using the number listed on your account statement or in the telephone directory.
Remember, what you post today will be online forever. Once you add content to the internet you must view it as being in the public domain from that moment on and it can be very difficult to remove it. That applies to your personal information but also to things that you may think to be far less significance – pictures of you drunk at a party or any strange habits listed to amuse yourself of others may come back to haunt you later. Employers today will often use the web to reference potential employees.
When signing up for a website, newsletter or filling in other online forms, don’t feel that you have to complete every field when registering your details, as many are optional. People often feel obliged to complete all of the available fields, which leads to us posting too much data about ourselves.
Be selective when sharing your email address. Only family and friends should have your personal email address and you should not post it on web sites, forums or in chat rooms. If you do that, you’re just asking for a deluge of spam and risking your email being passed onto others.
Be wary of people that send across files for you to download – especially in online forums or social networking sites. Unless you are 100 per cent sure that you know who has sent you the file, you should avoid directly downloading from other users online.
Install comprehensive security software, and keep it up to date. Some email messages contain harmful software that can damage your computer or track your internet activities without your knowledge. Anti-virus and anti-spyware software and a firewall will protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications that contain these malicious files, while a firewall protects both the inbound and outbound connections to your computer. A firewall is particularly crucial if you have a broadband or DSL connection that leaves your computer connected to the internet 24 hours a day.
Greg is a Security Analyst for McAfee and speaks at events worldwide, promoting awareness of today’s broader security and malicious code problems.
