Our short lived privacy

Privacy (1948 – 2025?) was the most exotic human right. We gave it up in favor of convenience.

Officially born in 10 December 1948 at the Palais de Chaillot, Paris, France, when Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly:

Article 12.

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Of all the human rights, privacy was perhaps the most difficult to define and circumscribe.

Privacy was mostly about the following old fashioned aspects, now all of them obsolete:

  • Information Privacy, this was about the rules governing the collection and handling of personal data such as credit information and medical records;
  • Bodily privacy, this was about the protection of people’s physical selves against invasive procedures such as drug testing and cavity searches;
  • Privacy of communications, this was about the security and privacy of mail, telephones, email and other forms of communication;
  • Territorial privacy, this was about setting of limits on intrusion into the domestic and other environments such as the workplace or public space.

Some visionaries considered privacy an anomaly long time ago, an anomaly “which has emerged out of the urban boom coming from the industrial revolution” (1).

Most of the expert participants in a research (2) conducted back in 2014 did not believe that “an accepted privacy-rights regime and infrastructure would be created in the coming decade“.

They were right and privacy slowly died, bit by bit, personal data by personal data.

Personal data are the raw material of the knowledge economy. Capturing personal data lies at the heart of the business models of the most successful technology firms. Governments’ default assumptions about citizens – don’t trust them – also helped.

The so called “Internet of Things” was the perfect tool to invade the human body,  the workplaces,  the domestic and public spaces with data collecting devices. This omnipresent surveillance system covers and penetrates all aspects which were defining the defunct privacy. It is the default and convenient way to solve our problems.

Some of us, old enough to remember the “golden years of privacy”, feel we missed to do the right things in the right time to preserve our privacy. We should have taken our security blanket more seriously.

 

1. Google’s Cerf Says “Privacy May Be An Anomaly”. Historically, He’s Right. – http://techcrunch.com/2013/11/20/googles-cerf-says-privacy-may-be-an-anomaly-historically-hes-right/

2. PEW Research: Privacy in 2025: Experts’ Predictions – DECEMBER 18, 2014 – http://www.pewinternet.org/2014/12/18/privacy-in-2025-experts-predictions/

Build your tolerance matrix

Where is the fine line which separates acceptable personal information loss from the unacceptable one?

To respond this question first establish a simple value scale for personal information, based on the consequences of the loss. Losing a piece of personal information may have these consequences for the owner:

  1. The lost personal information may help somebody or something to identify the owner;
  2. The lost personal information may be embarrassing to the owner;
  3. The lost personal information may put the life of the owner in danger or may jeopardize his/hers properties;

Some examples:

  • John Smith used his real name to subscribe to an online magazine. Being one of the many John Smith’s in the country this voluntary name disclosure should not have consequences – at least at first look.
  • Nude pictures of a celebrity du jour were stolen and published on sites accessible to anyone. The consequences may cover a large spectrum, from causing small embarrassment up to gaining more popularity.
  • A person had his email account breached by hackers who managed to sell a house situated in a foreign country, house belonging to the victim of the breach.

And because most of people have a family, let’s extend the value scale to this form:

  1. The lost personal information may help somebody or something to identify the owner;
  2. The lost personal information may help somebody or something to identify a family member of the owner;
  3. The lost personal information may be embarrassing to the owner;
  4. The lost personal information may be embarrassing to a family member of the owner;
  5. The lost personal information may put the life of the owner in danger or may jeopardize his/hers properties;
  6. The lost personal information may put the life of a family member of the owner in danger or may jeopardize his/hers properties;

Now let’s see who can be the recipient of the accidentally disclosed or stolen personal information:

  • The personal information owner himself / herself – this is necessary because there may be information unknown to the owner at a given moment.
  • A member of the close family (a spouse, a child, a parent, a sibling).
  • A member of the large family (an aunt, a grandfather, a brother-in-law, etc).
  • Friends, coworkers, business partners.
  • Friends of friends.
  • The rest of the world.

Next step is to build a “tolerance matrix” expressing the personal information owner’s appetite for risk.

Owner Close Family Large Family Friends Friends of Friends Rest of the World
Identify the owner Acceptable Acceptable Acceptable Acceptable It depends Not acceptable
Identify a family member of the owner Acceptable Acceptable Acceptable It depends Not acceptable Not acceptable
Embarrass the owner Acceptable Acceptable It depends It depends Not acceptable Not acceptable
Embarrass a family member of the owner Acceptable It depends It depends Not acceptable Not acceptable Not acceptable
Endanger the owner It depends Not acceptable Not acceptable Not acceptable Not acceptable Not acceptable
Endanger a family member of the owner Not acceptable Not acceptable Not acceptable Not acceptable Not acceptable Not acceptable

This is only an example and should be treated as such.

Some judgement examples based on this table:

  • The personal information owner considers ACCEPTABLE disclosing ANY personal information which allows IDENTIFYING the owner to family members of any degree and to friends. Some personal information may be disclosed to friends of friends, but no personal information should be disclosed to the rest of the world.
  • The personal information owner considers ACCEPTABLE disclosing ANY personal information which may EMBARRASS the owner to the close family members. Some embarrassing personal information may be disclosed to the larger family or to friends, but no embarrassing personal information should be disclosed to friends of friends or to the rest of the world.

Lets’ see how to apply the  “tolerance matrix” to various categories of personal information:

Owner Close Family Large Family Friends Friends of Friends Rest of the World
Owner’s home address Acceptable Acceptable Acceptable It depends Not acceptable Not acceptable
Owner’s email address Acceptable Acceptable Acceptable Acceptable Not acceptable Not acceptable
Owner’s bank account ID Acceptable It depends Not acceptable Not acceptable Not acceptable Not acceptable
Owner’s child school address Acceptable Acceptable It depends It depends Not acceptable Not acceptable
Owner’s bad habit Acceptable Acceptable It depends It depends Not acceptable Not acceptable
Owner’s child bad habit Acceptable It depends It depends Not acceptable Not acceptable Not acceptable
Owner’s allergic profile Acceptable Acceptable It depends Not acceptable Not acceptable Not acceptable
Owner’s child allergic profile Acceptable Acceptable It depends Not acceptable Not acceptable Not acceptable

Repeat this exercise with various type of personal information categories.

Knowing where to draw the limit of “Not acceptable” helps in developing healthy habits in protecting personal information. And these habits are components of the ‘security blanket’.

The ‘security blanket’ cook book

 

Is there a clear and all-inclusive cook book for ‘security blanket’?

Privacy Rights Clearinghouse (PRC) had already published one for us – they are maintaining a comprehensive online document entitled “Privacy Survival Guide: Take Control of Your Personal Information“.

These are the main sections of this impressive cook book:

  • Order Your Free Annual Credit Reports
  • Consider Restricting Access to Your Credit Report
  • Opt Out of Pre-approved Unsolicited Credit Card Offers
  • Reduce Unwanted Telemarketing Phone Calls
  • Protect the Personal Information on Your Smartphone
  • Secure Your Computer and Portable Devices
  • Understand How Your Personal Information is Revealed Online
  • Be Aware of Data Brokers
  • Stay Safe When Using Social Networking
  • Don’t Use a Debit or Check Card
  • Reduce Your Junk Mail
  • Safeguard Your Social Security Number (SSN)
  • Protect Your Financial Privacy
  • Understand Your Right to Access Your Medical Records
  • Be Aware of CLUE and Other Specialty Consumer Reports
  • Handle Your Personal Information Carefully to Avoid Identity Theft

And each section begins with some basic advises and send you to another document with more details.

Let’s explore now just one section, “Understand How Your Personal Information is Revealed Online“.

After acknowledging that being online means almost constantly giving information to others, the following basic rules are mentioned:

  • Configure the browser’s privacy and security settings – like disable 3rd party cookies.
  • Log out of all accounts – mail, social networking, picture sharing, etc. – before visiting other sites or doing searches.
  • Use different accounts for different sites.
  • Use strong passwords unique to each account.

To learn more about this subject Fact Sheet 18” is provided  – a 26 page long printable document with more than 10.000 words, including many links to other documents and sites. It also includes extensive information about cloud computing and it’s risks.

Use this ‘security blanket’ cook book according to your needs and tastes. This is a cook book everyone should read entirely at least once and then use the applicable ‘recipes’ to build and maintain the personal ‘security blanket’.

How comfy is our ‘security blanket’?

 

Does our ‘security blanket’ working? Does it protect our private data from being stolen?

What do people think about the current state of their privacy and security?

According to a global survey (1) from 2014 Q4, this is the situation:

CIGI1

Two thirds of people are more concerned about their online privacy and only a third of people thinks its private information on the Internet is very secure.

CIGI2

Majority of people are concerned about their online data being stolen by hackers and their online activity being monitored by foreign government agencies.

Other findings from this survey:

  • 37% of users share personal information with private companies online all the time and say “it’s no big deal”
  • 74% of users are concerned about companies monitoring online activities and then selling that information for commercial purposes
  • 72% of users want their online data and personal information to be physically stored on a secure server in their own country

The survey’s results don’t answer the question from the title, but they show an improvement in understanding our role in creating and maintaining an efficient ‘security blanket’.

 

 

(1)  CIGI-Ipsos Global Survey on Internet Security and Trust, undertaken by the Centre for International Governance Innovation (CIGI) and conducted by global research company Ipsos, reached 23,376 Internet users in 24 countries, and was carried out between October 7, 2014 and November 12, 2014.

 

The beautiful breaches of 2014

In the previous post about Sony employees’ nightmare, David McCandless’ “Information is beautiful” blog was referred.

David’s “World’s Biggest Data Breaches” post is a very nice, up-to-date data visualization tool which makes easy comparing data breaches with more than 30.000 records lost.

In the default view the filter is shown, just click the “Hide filter” button for now.

The data breach bubbles carry the name of the victim companies and are ordered by years, the most recent data breaches are at the top. The companies are listed alphabetically from left to right. The size of the bubble reflects the number of data records stolen, while the bubbles for “interesting stories” are colored in gold.

Bubbles

Each bubble reveals further details about that particular data breach. Hovering the mouse over the “Sony Pictures” blue bubble – apparently not an “interesting story” – the bubble expands and reveals that 100 TB of data were lost, at least this is the amount claimed by the hackers. And clicking the expanded Sony bubble, further details are listed: what kind of data has been stolen, who is the alleged attacker, etc. And a final click on the last sentence of the text opens up a page with even more details about this case.

Lot of breaches from 2014 have an  “interesting story” (gold bubbles) and the media was covering extensively these breaches during the year. And still, clicking through the bubbles, some details are shocking:

  • “the hack began in month X but was not discovered until month X+1″ – JP Morgan Chase,
  • “hackers accessed a database containing all user records” – eBay,
  • “malware installed on cash registers in thousands of shops siphoned credit card details” – Home Depot,
  • “millions of names, addresses, social security numbers were stolen” – Community Health Systems.

Or are these details not shocking at all? Was 2014 a “special” or a “normal” year?

Not “special” at all, 2014 was like the previous years present in this data visualization. Just click on the “Show filter” button and select the financial organisations, then click the “Hide filter” button. Scroll back in the past and check all the financial organisations which suffered data breaches since 2004. Repeat this exercise with other type of organisations, like retail, telecom or other types. There were data breaches all over the last years. And some organisations had several breaches.

And what about the causes of the breaches? Just click on the “Show filter” button and select all organisations, then click the “Hide filter” button. Now select the “Method of leak” button near the bubble color option, above the diagram.

Wow, what are all these purple bubbles? Click on the “Show filter” button and check the “Method of hack” legend. Yes, purple means “hacked”. Scrolling down in the past shows that hacking was the most important cause of data breaches in the last years.

Or was it really? Maybe the data is skewed and companies didn’t made public such breaches in the past? But this is subject of another blog post. For now play with this data visualization tool and enjoy the beautiful breaches of 2014.

Sony employees lost their security blanket

First-hand tale from a Sony employee about living during and after  Sony Pictures was seriously breached.

“The Monday before Thanksgiving, we all came to work. Some people had turned on their computers and were working. At around 8:15 a.m., that black screen of death came on.”

A week passed:

“It wasn’t until Monday or Tuesday of the following week when we realized the extent of it.”

Still in the second week after the breach:

“Around Wednesday or Thursday, people started saying: call your bank, change your passwords, set up a new checking account.”

Lack of internal communication:

“And the blogs were the ones giving us all the information. We got more information from blogs and websites than we did from Michael [Lynton, CEO of Sony Pictures Entertainment] and Amy [Pascal, co-chair of Sony Pictures Entertainment].”

Taking the first personal protection measures:

“That [second] weekend, I set up alerts on all my bank accounts and credit cards. I get a text message about every transaction, and the [smartphone] apps send me notifications on my home screen anytime there’s a charge.”

And taking further measures to restore the personal security blanket:

“I changed every single password. Five for banking and credit cards. Then for my 401(k), health insurance, three email accounts, and Facebook. I changed them for Amazon, eBay, PayPal, and other shopping sites. In all, it was probably 25 to 30.”

Employee’s conclusion:

“I decided that I’m never going to access any of my financial accounts on my work computer ever again. If I need to do something urgently, I’ll use my smartphone, or I’ll go home and do it. It’s not worth the risk.”

And the post-breach trauma lasts forever:

“You read all these reports about morale being low. I wouldn’t say it’s low. You chug along. But it is like, wow, you always have to look over your shoulder. This is forever.

But this “forever” is shorter than you imagine. We will forget this high profile case, like we did with many others. And we’ll happily continue to mix personal and business life on all our devices.

Read the whole story.