Expecting privacy in an online world is silly
but that doesn’t mean you have to be reckless
By Lawrence Cummer
February 25, 2011
February 25, 2011
You’ve knocked a couple of items off the to-do list and it’s time for a break. Like many online Canadians you pop over to your favourite social networking site. While skimming updates on your brother-in-law’s virtual farm you ignore the small advertisements at the top of your screen.
The problem: those ads are not harmless. In the background, your browser has reached out to an external site (a data aggregator for advertisers), updated a tracking cookie and sent the site unique identifiers that can be traced back to your social networking profile. Without knowing it, the information you’ve made public on your social network can be coupled with a profile of your online behaviour that the advertiser has been collecting for years.
Like many users, you haven’t bothered to find privacy controls on your social network, let alone change them. This means your online behaviour may now be tied with your name, location, employer, maybe year of birth. This delivers targeted advertisements to you, potentially better serving your needs, but the dark side is you really have no idea who knows what about you. Maybe you didn’t want your insurance company to know about that health care Web site you visited yesterday.
The default is public
Balachander Krishnamurthy is a researcher at AT&T Labs Research, focused on Internet privacy, online social networks and Internet measurements. He and research partner Craig Wills, a computer science professor at the Mass.-based Worcester Polytechnic Institute, are concerned about the information “leakage” you just experienced. This can happen, they said, through cookies, but also via the request uniform resource identifier or the referer header used by third-party online advertisers on social networks.
While only the data users leave public are shared, the result is more than many users would welcome. “The advertisers not only could have that public information about you, but they can now link that with the set of sites you’ve visited, so they also have some sense of your browsing behaviour,” Wills said.
And a great deal of information may be made public by you. In a study of 12 online social networks, the researchers found that name and location were always publicly available on five of the 12 sites, gender on four, and age or birth year on two.
Krishnamurthy said a bigger danger is that only half of users bother to change their default settings, and that the defaults fall on the side of sharing. For example, defaults on 10 out of 12 of the social networking sites studied share friends lists, and name, gender and employer are shared in the default settings of half the sites.
In early 2010 the Privacy Commissioner of Canada launched a probe—her second in a year—into the privacy-related practices of social networking provider Facebook after a user complaint suggested the default privacy settings make user information more readily available than before. The site has since updated its privacy controls.
Becoming you
Information made public puts users at risk of identity theft, said John Lenardon, president of Data Cyber Labs and author of Identity Theft Toolkit: How to Recover From and Avoid Identity Theft.
Lenardon calls identity theft the fastest growing crime in North America and said very little personal information is actually required to start. A phone book plus a social network profile with the default settings enabled may be all that is required.
“If I (as an identity thief) know the city you live in and I know your name, if I can get as much as a phone number, I can find other pieces of information and compile more and more data,” he said.
And the Web never forgets: bits and pieces of personal information left on the Web over years in a variety of locations can be pulled together to fill in a person’s identity. The solution is not to withdraw from using social networking and the Web, but for users to create alter egos.
“Don’t post real information on Facebook. Your friends know who you are, (so) come up with an alias. There’s no way on Earth you can protect the information and even something as simple as a birth date is terribly problematic.”
And the issue is not limited to social networks. Lenardon recommends using post office boxes for addresses with retailers and not disclosing personal information even to bricks-and-mortar businesses, unless it’s really necessary. He said information breaches at a number of retailers prove you can’t trust your information will stay safe.
Talking ’bout my generation
Lenardon said it is especially important to educate youth as they join social networks, but according to Mike D’Abramo, privacy has a dual meaning for many young Canadians. D’Abramo is a strategist for Toronto-based research firm Fresh Squeezed Ideas and has spent 15 years researching the behaviours of youth.
He says studies conducted by Youthography—a market-research firm at which he was previously director—found privacy was important or very important to more than 60 per cent of young people. “But when you probe further you find the things they want to protect are things like their banking information, their social insurance numbers. It’s not things like ‘who is my girlfriend’ and ‘where did I go drinking last night.’”
D’Abramo suggests distinguishing between types of privacy is based on a general move to greater “casualness” in society and business. “We get into these discussions on privacy and (act) like someone threw a switch and, honestly, we’ve been eroding what we consider traditional mores or standards for a generation. It permeates everything: Sex and the City used to be on cable TV at 10 o’clock and now it’s on regular TV at 7 o’clock at night.
“So, while that doesn’t have anything directly to do with privacy, this casualness is what makes young people ask, ‘why can’t I put up pictures of myself getting drunk at a bar on my Facebook page?’” D’Abramo said.
This approach isn’t limited to the younger crowd, since the fastest growing English-speaking group on Facebook—which he calls “the network that is almost defining the casualness”—is people older than 40.
None of these problems will be solved by the user community, Krishnamurthy said. “I believe that relying on the user to fix the problem is a non-starter. I strongly believe that users should be informed and educated so that they can understand, [but] you cannot expect people who spend 20 to 30 minutes each day on a social network to be aware of what each of their actions is going to trigger and, as we know, on the Internet nothing is forgotten.”
However, social networks like Facebook and MySpace should simplify privacy controls and better promote their use, so users can safeguard privacy without “having to turn off all technical devices, disconnect entirely from the Internet and move to a remote island.”
SIDEBAR
Definitions
COOKIE: a small text file stored on a Web site and a personal computer that records surfing activity, such as pages visited and information entered.
Illustration: gavinorpen.com
The problem: those ads are not harmless. In the background, your browser has reached out to an external site (a data aggregator for advertisers), updated a tracking cookie and sent the site unique identifiers that can be traced back to your social networking profile. Without knowing it, the information you’ve made public on your social network can be coupled with a profile of your online behaviour that the advertiser has been collecting for years.
Like many users, you haven’t bothered to find privacy controls on your social network, let alone change them. This means your online behaviour may now be tied with your name, location, employer, maybe year of birth. This delivers targeted advertisements to you, potentially better serving your needs, but the dark side is you really have no idea who knows what about you. Maybe you didn’t want your insurance company to know about that health care Web site you visited yesterday.
The default is public
Balachander Krishnamurthy is a researcher at AT&T Labs Research, focused on Internet privacy, online social networks and Internet measurements. He and research partner Craig Wills, a computer science professor at the Mass.-based Worcester Polytechnic Institute, are concerned about the information “leakage” you just experienced. This can happen, they said, through cookies, but also via the request uniform resource identifier or the referer header used by third-party online advertisers on social networks.
While only the data users leave public are shared, the result is more than many users would welcome. “The advertisers not only could have that public information about you, but they can now link that with the set of sites you’ve visited, so they also have some sense of your browsing behaviour,” Wills said.
And a great deal of information may be made public by you. In a study of 12 online social networks, the researchers found that name and location were always publicly available on five of the 12 sites, gender on four, and age or birth year on two.
Krishnamurthy said a bigger danger is that only half of users bother to change their default settings, and that the defaults fall on the side of sharing. For example, defaults on 10 out of 12 of the social networking sites studied share friends lists, and name, gender and employer are shared in the default settings of half the sites.
In early 2010 the Privacy Commissioner of Canada launched a probe—her second in a year—into the privacy-related practices of social networking provider Facebook after a user complaint suggested the default privacy settings make user information more readily available than before. The site has since updated its privacy controls.
Becoming you
Information made public puts users at risk of identity theft, said John Lenardon, president of Data Cyber Labs and author of Identity Theft Toolkit: How to Recover From and Avoid Identity Theft.
Lenardon calls identity theft the fastest growing crime in North America and said very little personal information is actually required to start. A phone book plus a social network profile with the default settings enabled may be all that is required.
“If I (as an identity thief) know the city you live in and I know your name, if I can get as much as a phone number, I can find other pieces of information and compile more and more data,” he said.
And the Web never forgets: bits and pieces of personal information left on the Web over years in a variety of locations can be pulled together to fill in a person’s identity. The solution is not to withdraw from using social networking and the Web, but for users to create alter egos.
“Don’t post real information on Facebook. Your friends know who you are, (so) come up with an alias. There’s no way on Earth you can protect the information and even something as simple as a birth date is terribly problematic.”
And the issue is not limited to social networks. Lenardon recommends using post office boxes for addresses with retailers and not disclosing personal information even to bricks-and-mortar businesses, unless it’s really necessary. He said information breaches at a number of retailers prove you can’t trust your information will stay safe.
Talking ’bout my generation
Lenardon said it is especially important to educate youth as they join social networks, but according to Mike D’Abramo, privacy has a dual meaning for many young Canadians. D’Abramo is a strategist for Toronto-based research firm Fresh Squeezed Ideas and has spent 15 years researching the behaviours of youth.
He says studies conducted by Youthography—a market-research firm at which he was previously director—found privacy was important or very important to more than 60 per cent of young people. “But when you probe further you find the things they want to protect are things like their banking information, their social insurance numbers. It’s not things like ‘who is my girlfriend’ and ‘where did I go drinking last night.’”
D’Abramo suggests distinguishing between types of privacy is based on a general move to greater “casualness” in society and business. “We get into these discussions on privacy and (act) like someone threw a switch and, honestly, we’ve been eroding what we consider traditional mores or standards for a generation. It permeates everything: Sex and the City used to be on cable TV at 10 o’clock and now it’s on regular TV at 7 o’clock at night.
“So, while that doesn’t have anything directly to do with privacy, this casualness is what makes young people ask, ‘why can’t I put up pictures of myself getting drunk at a bar on my Facebook page?’” D’Abramo said.
This approach isn’t limited to the younger crowd, since the fastest growing English-speaking group on Facebook—which he calls “the network that is almost defining the casualness”—is people older than 40.
None of these problems will be solved by the user community, Krishnamurthy said. “I believe that relying on the user to fix the problem is a non-starter. I strongly believe that users should be informed and educated so that they can understand, [but] you cannot expect people who spend 20 to 30 minutes each day on a social network to be aware of what each of their actions is going to trigger and, as we know, on the Internet nothing is forgotten.”
However, social networks like Facebook and MySpace should simplify privacy controls and better promote their use, so users can safeguard privacy without “having to turn off all technical devices, disconnect entirely from the Internet and move to a remote island.”
SIDEBAR
Definitions
COOKIE: a small text file stored on a Web site and a personal computer that records surfing activity, such as pages visited and information entered.
Private eyes staking out Google
Corey Smith is president of Forensics Investigations Canada in Edmonton. His company performs surveillance for insurance companies but does not handle domestic files (such as spousal surveillance). He said social networks can be useful, but a simple Google search might also deliver valuable leads. “Doing a Google search and finding that an individual who claims he can’t work is advertising services as a roofer, for example. Or, if [someone claiming a back injury] pops up as the winner of the Toronto marathon.
“Those might be used as aids to point us in the direction of where we might need to do surveillance.”
Smith said stricter regulations have changed his business somewhat. These include very specific PIPEDA (Personal Information Protection and Electronic Documents Act) requirements around covert surveillance. Private investigators can only access and collect information that is made publicly available.
“That’s something people in the privacy world and Canada continue to wrestle with: what constitutes publicly available? For example, if a Facebook profile is open is it publicly available? If it’s closed is it private?”
“Don’t post real information on Facebook. There’s no way on Earth you can protect the information and even something as simple as a birth date is terribly problematic.”
Illustration: gavinorpen.com
