AXEL.org

data collection

Why Data Breaches are so Damaging and how the Law has Failed Consumers

Very few times in history have a group of people sat down with the purpose of writing a set of new laws to improve society. Instead, what usually happens is that laws are written to solve specific problems. This leads to a litany of laws piling up over the decades. While it could always be debated how effective a particular law might be at accomplishing its goal, the rapid pace of technological advancement over the past 20 years – especially as compared to the pace of the lawmaking process – has introduced new challenges as laws become quickly outdated, sometimes even by the time they take effect.

The results of this are acutely apparent in the cross-section between the fields of cybersecurity and consumer protection, namely data breaches.

The magnanimity of consumer protection laws in the United States were written for a society concerned with immediate product safety and compensation for resulting injuries, not for the nebulous and incalculable injuries that may be sustained by potential millions when private records are exposed.

Why are data breaches so damaging?

The unique problem of data breaches stems from the fact that the breach of privacy carries in of itself no specific harm. Instead, it is the later misuse of information that has been breached that may lead to ensuing harm. However, with data breaches occurring on a near-daily basis, the causality of specific financial or reputational damage is nigh impossible to link to a single breach causally; with our laws written around the concept of calculable damages being the source of justified remuneration, we are left constantly and increasingly victimized but unable to seek just compensation.

Some would argue that even more problematic is the irreparable nature of many of the most severe data breaches. Once a name and social security number are leaked, that identity is permanently and irreversibly at risk for being used fraudulently. While one could always apply for a new social security number, the Social Security Administration is extremely reluctant to issue new identities, and while that is a debate for another time, it goes to show just how difficult it can be to recover from a breach. Victims are permanently marred and at increased risk for future injuries resulting from a single breach, no matter how much time has passed.

Because of the damage resulting from a data breach being so far removed temporally and causally from the actual breach itself, adequate compensation is rarely won, if it is even sought. Was it the Equifax breach, the MoviePass breach, or one of the innumerable other breaches this year that resulted in your identity being stolen and used to take out fraudulent loans a decade from now?

Moreover, even if you should find that it was MoviePass’ negligence that leads to your identity being stolen, what compensation can you seek from a company that has been defunct for years? Our laws were not written to address these issues adequately. Our legal system often does not ponder questions of uncertainty and possibility, and that’s the perfect summary of what victims face in the aftermath of a breach; uncertainty and possibilities.

For all the uncertainty victims face, the solutions going forward as a country are equally opaque.

It would be easy to write some draconian law to punish companies for exposing private data, but as is often the case, that could have unintended consequences, such as pushing data overseas where even looser security and weaker privacy laws may exacerbate the problem. Instead, it’s going to take a significant shift in our collective-consciousness over how data is handled.

Laws written for managing telecommunications and transmissions in that era are being used to handle complex cybersecurity and data privacy cases.

This can’t come just from one party though; companies need to seriously consider what data they need to collect, and what information needs to be retained on a long-term basis. Consumers have to take ownership of their data and demand a higher quality of service from corporations and governments over how their data is collected and used.

As a whole, we must recognize the value of data, and the dangers we expose ourselves to by collecting it (and why it might even be best to not collect data at all in many circumstances).

Just like holding valuables such as gold and art entails a security risk, so too does data. If people started treating data like the digital gold it really is, maybe then we could all come together to work out a solution.

But until then, I’ll be keeping my data to myself.

Do Your Apps Know Too Much About You?

Two years ago something incredible happened.

A simple computer game brought the world together and got gamers out and about into the big wide world. But after the immediate rush of excitement about “catching ‘em all”, users started to realize something a little more sinister about the Pokemon Go app.

As well as letting them throw imaginary Pokeballs in real-life locations, the iOS version of the app was caught accessing almost all of users’ Google account information – everything from emails down to photos.

Two years later, Mark Zuckerberg made a statement about the vague data collection techniques apps were using through Facebook. He was keen to iterate that Facebook does use sound clips from videos recorded directly onto Facebook to serve relevant ads after questions around this became louder and louder.

But his statement wasn’t exhaustive enough in covering what exactly our apps know about us.

This is because of the ambiguous nature of app permissions.

They tend to be oversimplified so as not to overwhelm the user, but below the simple sentences and soothing reassurances they can gather a huge amount of data with every single interaction.

Of course, some data collected is absolutely necessary for the apps to work in the first place. For example, a photo app won’t work if it can’t access your photos, and Uber needs your location information so it can pick you up in the right place – duh.

But once you give apps that need information access to your data, they can start to worm their way under the surface to dig out more and more information about you and your behavior.

Take location access as an example.

Once you give away your location, app makers are then able to use that information to figure out what floor of a high-rise you live on or the places you visit the most.

Why Apps Want Your Data

Data is gold for app makers. With information about their user base, apps can perform all sorts of other actions, like:

  • This is the key activity app makers do with the data they’ve gathered. Knowing everything about you means they can serve up relevant ads and charge advertisers more and more for being so highly targeted.
  • Curated content. This keeps users sticking around for more. If they’re seeing more of what they like, they’re more likely to engage with the content and keep coming back for more.
  • App development. Data can be really useful for knowing what users do and don’t like, which can be used in the future to improve the app or make another app altogether.

A whopping one-third of consumers don’t think advertisers collect data from them.

App Permissions: What Do Your Apps Know About You?

Now you know why your apps might want to scrape together the digital breadcrumbs of you, let’s take a look at what they actually know about you, because it can be easy to jump to conclusions and envision a Big Brother type scenario which often isn’t the case.

Your smartphone is actually packed full of sensors which can decipher your whereabouts, what speed you’re traveling at (including what form of transport you’re traveling on), and which way up you’re using your phone.

But you’re not completely powerless.

This is where app permissions come in, a.k.a. the “barrier” between app makers and the data stored in your phone. When a pop-up shows up on your phone with a permission request, it’s up to you to decide how much data you pour into the hands of the app maker.

However, this is easier said than done, and that’s because very few apps give detailed explanations about what information they’re going to collect and use.

Many app makers do this in the interest of their users; they don’t want to overwhelm them with technical drivel, so they keep it simple. But this means that a lot of users don’t actually know the full extent of what they’ve agreed to.

If you want to know exactly what an app can and can’t see about you, there’s a way.

On an Android device:

  • Open the settings app
  • Go to the Apps & Notifications center
  • Choose an app and click Permissions

On an iOS device:

  • Go to the Settings app
  • Choose an app
  • See the Permissions that are listed

On both kinds of devices, you can usually switch off permissions with a toggle button to pick and choose what data can and can’t be collected (though bear in mind that some apps need certain permissions in order to run).

And, though this is a good starting point to find out what your apps know about you, it doesn’t always give you the full story.

Take the incident with Uber recently, where it was discovered that the app was secretly recording screen activity on iPhones. The company hit back that this was to improve functionality with the Apple Watch app, but it just goes to show that even if you think you know what an app can find out about you, there might be something more sinister going on.

How Are Things Changing When It Comes to Apps and Data?

Phone providers are now cracking down on what app makers can and can’t do when it comes to permissions – particularly location permissions.

When requesting location access, app makers now have to adhere to the “only when using the app” rule, which means they can’t track users when they’re not inside the app.

But while control settings are getting tighter, they’re also getting more and more convoluted. App makers are starting to bundle permission choices together and still aren’t quite there with letting their users know exactly what they’ll be using data for.

Apps that require users to “unlock” a particular permission in order to use the app as it’s supposed to be used are doing so without giving away whether they might share it with marketers and advertisers too.

What it boils down to is this: people have every right to choose what they do and don’t want apps to access, but there’s not much they can do if the app in question needs their location or access to their photos to work as they’re supposed to.

In these instances, it’s up to the user to decide whether they want to continue to use the app or give it up entirely.

And, until app makers get clearer with what they use data for, many users will remain in the dark about what data app companies are collecting about them and what they’re doing with that information.