data protection

August 21, 2019

Why Data Breaches are so Damaging and how the Law has Failed Consumers

Very few times in history have a group of people sat down with the purpose of writing a set of new laws to improve society. Instead, what usually happens is that laws are written to solve specific problems. This leads to a litany of laws piling up over the decades. While it could always be debated how effective a particular law might be at accomplishing its goal, the rapid pace of technological advancement over the past 20 years – especially as compared to the pace of the lawmaking process – has introduced new challenges as laws become quickly outdated, sometimes even by the time they take effect.

The results of this are acutely apparent in the cross-section between the fields of cybersecurity and consumer protection, namely data breaches.

The magnanimity of consumer protection laws in the United States were written for a society concerned with immediate product safety and compensation for resulting injuries, not for the nebulous and incalculable injuries that may be sustained by potential millions when private records are exposed.

Why are data breaches so damaging?

The unique problem of data breaches stems from the fact that the breach of privacy carries in of itself no specific harm. Instead, it is the later misuse of information that has been breached that may lead to ensuing harm. However, with data breaches occurring on a near-daily basis, the causality of specific financial or reputational damage is nigh impossible to link to a single breach causally; with our laws written around the concept of calculable damages being the source of justified remuneration, we are left constantly and increasingly victimized but unable to seek just compensation.

Some would argue that even more problematic is the irreparable nature of many of the most severe data breaches. Once a name and social security number are leaked, that identity is permanently and irreversibly at risk for being used fraudulently. While one could always apply for a new social security number, the Social Security Administration is extremely reluctant to issue new identities, and while that is a debate for another time, it goes to show just how difficult it can be to recover from a breach. Victims are permanently marred and at increased risk for future injuries resulting from a single breach, no matter how much time has passed.

Because of the damage resulting from a data breach being so far removed temporally and causally from the actual breach itself, adequate compensation is rarely won, if it is even sought. Was it the Equifax breach, the MoviePass breach, or one of the innumerable other breaches this year that resulted in your identity being stolen and used to take out fraudulent loans a decade from now?

Moreover, even if you should find that it was MoviePass’ negligence that leads to your identity being stolen, what compensation can you seek from a company that has been defunct for years? Our laws were not written to address these issues adequately. Our legal system often does not ponder questions of uncertainty and possibility, and that’s the perfect summary of what victims face in the aftermath of a breach; uncertainty and possibilities.

For all the uncertainty victims face, the solutions going forward as a country are equally opaque.

It would be easy to write some draconian law to punish companies for exposing private data, but as is often the case, that could have unintended consequences, such as pushing data overseas where even looser security and weaker privacy laws may exacerbate the problem. Instead, it’s going to take a significant shift in our collective-consciousness over how data is handled.

Laws written for managing telecommunications and transmissions in that era are being used to handle complex cybersecurity and data privacy cases.

This can’t come just from one party though; companies need to seriously consider what data they need to collect, and what information needs to be retained on a long-term basis. Consumers have to take ownership of their data and demand a higher quality of service from corporations and governments over how their data is collected and used.

As a whole, we must recognize the value of data, and the dangers we expose ourselves to by collecting it (and why it might even be best to not collect data at all in many circumstances).

Just like holding valuables such as gold and art entails a security risk, so too does data. If people started treating data like the digital gold it really is, maybe then we could all come together to work out a solution.

But until then, I’ll be keeping my data to myself.

August 19, 2019

Projects We Love: PrivacyWall

This is part of our series highlighting startups who share our mission of trying to bring data privacy back to users.

You’ve had a rough week, maybe it’s a relationship or health problem, but either way, you’re feeling down. Fortunately, your family is there for you, and reach out to console you through a few private messages on social media.

Mom: “I know it’s expensive, I’m sorry your health care doesn’t cover it, we’ll do what we can to help you pay.”

Dad: “Don’t worry sport, she’s just going through a phase, I’m sure you guys will work through it.”

Friend: “Hey man, let’s meet up for a drink this weekend, cheer up!”

After reading your messages, you lay down in bed to rest and start scrolling through social media to pass the time until you fall asleep, and you’re astounded by what you find.

Ads.

But not just the usual ads for food, or some new tech gadget.

“Lower your healthcare costs now! Save 20% off market rate plans!”

“Relationship trouble? Local family counseling is available!”

“Cheapest beer in town, and half-price shots on Fridays!”

Maybe it’s just coincidence, or maybe every single thing you say or do online is being tracked and sold to advertisers… That “free” social media website has to make money somehow.

And that’s where PrivacyWall comes in- a startup that is returning data privacy and security to users. By blocking unwanted data collection by everyone from Facebook to Google, PrivacyWall puts you back in the driver’s seat.

Why PrivacyWall?

Every website you visit, every search you type in, every message you send and photo you post, it’s all tracked, recorded, and monitored. PrivacyWall is the “off” switch we’ve been waiting for.

By blocking over 3,000+ trackers from many of the largest tech companies in the world you can once again browse the internet without fear of being tracked like the target of a CIA investigation. We expect privacy in our homes, and we should get the same treatment on the internet.

PrivacyWall even blocks Facebook Connect from building a shadow profile of your online activity when you are not on Facebook. If you didn’t know, that convenient “log-in with Facebook” turns that account you just signed up for into another data collection point for Facebook to build a profile on you.

If you didn’t know that, you aren’t alone. And that’s exactly why PrivacyWall blocks threats you don’t even know about yet. Because you shouldn’t have to become a security expert and worry about your private information being leaked just because you used Facebook to sign-up for a food delivery app, or a dating site, or anything.

You deserve privacy, and PrivacyWall is a step towards a more private world.

August 21, 2018

The Hidden Danger of Virtual Worlds

On a summer afternoon, a number of Microsoft employees were invited to attend a training seminar.

But, instead of grabbing a pen and heading to the boardroom, they plugged themselves into a set of headphones and fired up Second Life.

This online social “game” was huge for a number of years in the early 00s, mainly because it offered average, everyday citizens an escape from the monotony of real life. Through a digitized landscape, users could create new “lives” that were as hedonistic as they chose.

For Microsoft employees, the pixelated replica of the Microsoft building was the location of their training seminar. But it wasn’t just Microsoft that jumped on the bandwagon – big-name rock stars lined up to perform virtual gigs and real-life travel companies sent correspondents into the melee to report on the latest developments.

For all intents and purposes, Second Life was real life – except you could enjoy it from the comfort of your own home.

The “game” (a term which should be used loosely in this context because, well, there’s actually no way to win at Second Life) was inspired by Snow Crash, the 1992 novel by Neal Stephenson. In the book, citizens navigate around a digital world created and run by independent entrepreneurs – a concept that’s becoming more and more real by the day.

The purpose of Second Life isn’t to gather as many gold coins as possible or figure out a mission set by a wiry old wizard. Instead, it is simply a digital escapist fantasy that allows users to be whoever they want and do whatever they want away from the restrictions of the real world.

While the possibilities were (and still are) endless in Second Life, one phenomenon was quick to surface; that normal people submersing themselves in the game were acting pretty much the same as they would in real life. This made it a fascinating environment to study the social behaviors of people in a pre-built stage.

Sure, stories emerged of people having affairs on Second Life that affected real-world marriages but, for the most part, people used it to escape reality and… do pretty much the same as they were doing in their real lives.

What is the Metaverse?

Let’s backtrack for a minute.

The Metaverse is a term that dates back to Stephenson’s sci-fi novel. It was the name given to the virtual world in which the characters interacted and lived, and it’s now the term being given to a blockchain project that essentially aims to replicate the real world in a digitized format.

In Snow Crash, “players” moved around as Avatars while the central strip – known as “the Street” – could be built on by developers, creating an even more entangled version of reality.

The goal of the Metaverse project is to build an entire universe where digital assets and digital identities are the basis of transactions to create a new kind of ecosystem that has the potential to completely change human society.

Even back in 1992, Stephenson had an insightful eye into what the future might hold for humanity. Today, our lives resemble those of the characters in the book – our work and lives are becoming more and more digitized, with people spending more time online than offline.

The way we communicate has undergone a complete transformation, where we now send clipped messages via the internet rather than having to face talking to real people. Soon, we might see even more transfers – both human and asset based – taking place on the blockchain which will shift the entire economic world.

It can be a hard pill to swallow, but some might argue we’re already halfway there. Enter the New Reality.

With people increasingly living their lives out online, there’s one big elephant in the room that keeps bubbling away below the surface – data privacy.

The Metaverse and its Effect on Data Privacy

In the real world, we don’t have to enter a username and a password to wake up in the morning and, when we pass people on the street, our full names and addresses aren’t typed out in a bubble above our heads.

Online it’s a different story. And, in fact, with the likes of Second Life and social platforms like Twitter and Facebook, users seem to be actively willing to hand over their information to access their feeds.

This raises the question of whether privacy will soon be regarded as an outdated social need or whether it will evolve into something else entirely. At the moment, the rules of the online world are considerably more open and vague than those in the real world, but this might have to change when the Metaverse comes into play.

Why?

Because so far, most virtual reality games and landscapes are built in a “walled garden” format. They run behind corporate firewalls and aren’t interconnected in any way. When you enter one world, you’re essentially caged in and avatars can’t travel between two different digital worlds. In this case, security isn’t necessarily a priority, because data isn’t being transferred from the hands of one corporation to another.

The problem arises when virtual worlds are built on open source software. This means avatars can travel between different virtual landscapes. And, for now, the majority of these platforms are built by developers in their spare time, which means that security is a low priority for them.

Take OpenSimulator, as an example. This software powers over 300 different public worlds and even more private ones, covering an area of 15,000 square kilometers. The software means anyone can set up a virtual world via the Oculus Rift without having to break the bank.

MOSES, one of the worlds built with OpenSimulator, is owned by the US Army, and the problems with security are already doing the rounds. At the moment, it’s difficult to know how to go about addressing data security issues when this new digital landscape is so new (despite its fictional origin in the 90s).

For now, it seems, the Metaverse is an experimental place to dabble in the future of humanity. The fresh excitement of it and the relatively unknown future it holds means security isn’t necessarily a priority for developers.

But soon, when more and more people start venturing into their online lives, we’ll have to sit down and seriously think about what data privacy means in this new landscape, particularly when it comes to things like authentication, content protection, and secure communications.

But, if Second Life is anything to go by, the population of people who are ready and willing to escape reality and immerse themselves in an online parallel universe are more concerned with who they will be there than who will take their information.

July 19, 2018

Protect Data Privacy by NOT Collecting Data at All

In Hansel and Gretel, the two siblings sprinkle breadcrumbs as they venture into the woods in order to find their way home.

When we browse the internet, we sprinkle metaphorical breadcrumbs of information about ourselves as we go. Unlike the fairytale, where Hansel and Gretel knew what they were doing, the vast majority of internet users are unaware of just how much information they’re giving away on their journey around the web.

Unless you’ve got blockers installed up to your ears, the tracking starts as soon as you open up an internet browser. From that moment, your digital footprints carve a route around the web that can be traced back to you at any moment.

Sites you visit can use these footprints (or breadcrumbs, if we’re sticking with the fairytale theme) to recognize who you are and serve you a more personalized experience.

That sounds great, right?

In one study, 71% of consumers said they’d prefer a personalized experience with ads, while some even expected it from brands. And the easiest way for sites to personalize those experiences is to track the interests and online behaviors of visitors.

From that perspective it works; the consumer gets a personalized experience and brands get to give their customers what they want. It’s a win-win situation.

But is it really that simple?

I mean, we’re not talking epic government data mining expeditions here; we’re simply talking about brands using specific information to better target content to their users. It’s all above board and totally legal.

So what kind of data can these companies get from you?

It can be anything from your current location and the device you’re using to specific links you’re clicking on and the actions you take on certain sites. It all starts with your browser and your IP address – the moment you pop up online, a unique number that identifies the device you’re using is recorded, marking the moment you entered the internet and where you were when you went online.

At the same time, your browser is logged as well as other uniquely identifying information like the system you’re running the browser on, the display resolution, and even the battery level of your device. Even if you haven’t clicked your mouse or typed anything in yet, you’re already being tracked.

Who Benefits from Collecting Data?

I mentioned earlier that data collection can be mutually beneficial. Consumers don’t have to see ads that they’d never buy from in a million years, while websites can get more information on their visitors to make experiences more personalized and, therefore, get more sales.

But who is it really more beneficial for? If we really get down to the bottom of it, who is really getting the most out of the dissemination of data?

Personalized experiences are nice, right? But are they worth the data breaches that happen and the inevitability that brands will sell that data to completely unrelated companies just to make a quick buck?

Let’s face it: most sites are eager to scrape as much information as they can about their visitors with the sole purpose of making more money. Sure, the thought process might be there to make experiences more enjoyable by personalizing them, but really the goal here is to target more.

Look at Facebook. The data it collects as you browse the site can determine when you’re expecting your firstborn, the exact names and addresses of the companies you’ve worked for in the past, and even your political leaning.

And guess what?

It doesn’t just collect this data to get to know you better as if you’re on some kind of weird, digital first date. It collects it to sell to companies to make money through advertising.

So yes, there are benefits to the consumer; you might not have to pick a particular city every time you want to get the weather because it’s remembered your past choices, or you might not have to shop again for those items you left in your online basket last week, but these benefits are minor compared to the massive benefits companies and sites get from tracking your every move.

Where the Lines Get Hazy…

Of course there are browser security protocols in place that mean sites can’t just go around scraping all sorts of stuff about you. In fact, for the most part, sites can only access the data they’ve collected – as in, they can only see the information you’ve “given” them while you’ve been on their site.

However, something called third-party cookies muddy the waters. These aren’t associated with any particular site, but instead get spread across a number of different pages in, say, an ad network.

Princeton University ran a study that found cross-site trackers embedded in 482 of the top 50,000 sites on the web. It might not seem like a lot in the great scheme of things, but once these third-party trackers have consumer information they can then sell it to even more people.

While the most sensitive data is redacted from these apps, consumers are still having to put their trust into a nameless, faceless brand.

But what about the data that consumers are handing over willingly?

Things like Google searches and checking into venues on Facebook?

While sites might be collecting information like which browser you’re using and what your shopping preferences are, you’ve probably handed over more sensitive information like your birth date and exact location without even giving it a second thought.

Does the Future Lie in NO Data Collection?

In May this year, the GDPR (General Data Protection Regulation) came into play in Europe. It means that brands now have to explicitly state to their users exactly what information they are collecting and exactly what they will be doing with it.

Users now have to actively opt-in to providing their information; sites can’t just take it for nothing. Already countries outside of Europe are considering this new method because, well, it just seems like the right thing to do.

But what does it mean for the future of data collection?

Now that users are more aware of their rights when it comes to data collection and have to actively “opt-in” with their information, they are becoming less and less inclined to do so.

If there’s an option to not sell your firstborn, it’s kind of a given that you’re going to go for that, right?

In this instance, the future of data collection looks bleak – especially for sites and brands. If their users aren’t giving up the goods, they’ve got nothing to work with and essentially have to go back to the drawing board.

This might invite new ways of collecting data or a more collaborative approach between consumers and brands so that information can travel between the two in an open and honest way.

The future of data privacy is uncertain for now, especially so soon after GDPR has risen its head. What we do know is that the power will be distributed more evenly between internet users and brands, and sites will no longer be able to take, take, take without building more of a relationship with their visitors.

It sounds quite nice, actually.

But would a world without any data tracking or collection be good? If every person who went online immediately went incognito, leaving not a single trace of who they are or what they’re doing, how would the digital world evolve? How would companies know what their consumers want? How would internet users cope with having to start from scratch every time they went back online?

The questions remain endless, but it’ll be interesting to see which path data collection goes down from here on out.