Today is Data Privacy Day, an initiative that seeks to raise awareness of the importance of respecting privacy, safeguarding data and enabling trust. It also brings privacy professionals together globally to celebrate the first international treaty on the protection of personal data, Convention 108, which was adopted on 28 January 1981.
In recent times, print newspapers and online news sites have been rife with stories about major and minor privacy violations. The stories that make the news are often the result of those with nefarious intentions having gained unauthorised access to systems storing enormous masses of personal data, and at other times they may be the result of human error or bad luck, as with the 2016 incident in Denmark, when CD drives containing the medical records and names, addresses and personal identification numbers of five million Danish citizens ended up being delivered to the Chinese Visa Application Centre instead of Statistics Denmark. The CDs had been sent via the postal service as recorded delivery. While the general conclusion was that the information contained on the CDs had not been accessed by any third parties, the contents were not encrypted, and the outcome could have been significantly worse for a large number of Danes.
This is not the first time that data stored on physical media has become misplaced. The UK has experienced a spate of similar incidents over the last decade – from the loss of media containing the personal data of 7.25 million families in receipt of child benefits to the personal data of more than half a million people who had applied to join the navy, marines and air force being stolen, government computer system passwords being found in a pub car park, and the loss of a memory stick with information about every single prisoner in England and Wales.
In theory, these incidents should have resulted in better security, better use of encryption and the implementation of better procedures. Technological advancements mean that data is now increasingly stored in computer systems that are accessed via the Internet.
Personal data has become valuable currency for a vast number of corporations, and more and more data is being collected about each and every one of us. This data is also attractive to those with malicious intent, and we should be concerned about the vast volumes of data stored in online systems.
In 2016 there was a spate of privacy violations which sent shockwaves through the online world. WhatsApp, which once prided itself on privacy, was acquired by Facebook, and soon started sharing information with its parent company. Uber was found to track user locations even when the app was not being used. The algorithms used by social media sites and search engines were found to manipulate news feeds rather than being used for real-time content, and the very same social media sites were called out for racial profiling and user surveillance. Yahoo suffered a major breach, with the data of 500 million user accounts being compromised and accessed by unauthorised parties, 2017 was no better for online privacy…
Privacy concerns in 2017
The following provides a very small snapshot of the many privacy issues that came to light last year.
After choosing to be a sitting duck for more than two months, Equifax had to admit that it had failed to take precautions that would have otherwise safeguarded the personal data of 143 million people from exposure. Hackers exploited a vulnerability in the Apache Struts web application to gain access to Equifax’s systems, where they were presented with a smorgasbord of data comprising names, addresses and dates of birth, as well as, in some cases, credit card numbers.
In July last year, my colleague Rick Falkvinge blogged about the Swedish Transport Agency having exposed and leaked a myriad of top secret databases as part of its attempt to move all its data to the cloud. Sweden ended up having to scramble to try to contain the political fallout after this massive breach, in which the identities of undercover operatives were believed to have been disclosed. In this case, the breach was not the result of hacking or malice, but was caused by a lack of proper safeguards and oversight.
In September 2017, the Spanish Data Protection Authority alleged that Facebook had been breaking privacy regulations on multiple counts through the way the social media giant uses people’s personal data for advertising purposes. Facebook was fined $1.4 million after the Spanish Data Protection Authority called it out over the way in which it collects data on everything from ideologies to beliefs, sex and personal preferences – both from its own services and services provided by third parties – without properly explaining how this information will be used.
Uber sued for ‘Failure to Encrypt’ and Exposing Driver’s License Details of 600k Drivers and 57 Million Passengers
A suit filed in the Los Angeles Federal Court states that ‘Uber failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach,’ according to Bloomberg. The data Uber failed to encrypt and later saw stolen included the names, telephone numbers and e-mail addresses of more than 57 million passengers and drivers around the world, as well as driver’s license information for more than 600,000 Uber drivers in the USA.
The US Justice Department is investigating whether Uber has illegally used software to track drivers operating for its competitor, Lyft. The FBI and US Attorney’s office in New York are trying to determine whether the software used to create fake customer accounts has broken any federal laws. The probe is focusing on internal Uber software known as ‘Hell’. A San Francisco Lyft driver alleges that Uber developed the ‘Hell’ spyware for the purpose of posing as Lyft customers in order to gain access to Lyft’s data, including Lyft identification numbers used to track driver locations.
A Brief Primer on Privacy.
1. Be conservative when filling out social media profiles. Remember that the more information you share, the easier it will be for others to access. Consider whether they really do need to know your date of birth, e-mail address, full name and telephone number.
2. Lock down your hardware. Configure your computer and other devices to require a password when booting up or waking from hibernation. You might trust the people with whom you share a home, but what if your device is lost or stolen?
3. Use a strong password and a password vault to generate and remember unique passwords. We all know not to reuse the same password for multiple sites, but it is difficult to remember different passwords for the multitude of online services we rely on. Using a password manager allows you to generate strong, unique passwords that it will remember and use to auto-populate login fields with a simple click of a button.
4. Use two (or more!) factor authentication. 2FA allows you to lock down your accounts, requiring you to also enter a special code to login. This makes your account less at risk of compromise.
5. Fib when choosing password security questions. “What is your mother’s maiden name?” is a question frequently asked for the purpose of keeping your account safe. But if someone wanted to gain access to your account, they could easily determine the answer to this and other security questions through some simple research.
6. Enable private browsing. The private browsing setting can be found in most web browsers and deletes cookies, temporary Internet files and your browsing history when you close the window.
7. Use a VPN. Hide your IP address and surf the Internet anonymously by routing your traffic through a series of servers.
Layers on which your data can be compromised:
1. Device: Choose your hardware with care. Some devices are known to pass user data to manufacturers or government agencies, and others are likely doing the same without yet having been exposed.
2. OS: Research the operating system you are running. Many operating systems will gather user data for undisclosed purposes or sell such data on to third parties, some may even include backdoors for their own or government use.
3. Apps/Programs: Few of us read end user license agreements, and few of us think about the permissions we are granting when it only requires a quick press of a button to authorise an app, but this action can often have drastic effects on where your data ends up. Read up and carefully consider the permissions you are granting.
4. ISP/Carrier/Wi-Fi hotspots: The company that you use to access the Internet wields a great deal of power over you. Be cautious about where you access the Internet and the provider you are connecting through. Always use protection.
5. Viruses/Scripts: Pay attention to the software and scripts you are installing, inspect the source code where possible, or make sure to carry out research to make sure that you do not fall victim to malignant software.
6. Social Engineering: Know what websites you are accessing or who you are communicating with. The use of fakery and subterfuge is extremely common, especially in the corporate world. Social engineering is one of the main ways in which identity theft is perpetrated.
7. Data Breaches: By this point in time, many people will have fallen victim to a data breach. Data breaches can affect anyone from retailers like Target to tech giants such as Equifax, Microsoft and Sony. Data breaches are common and their frequency is on the rise. Be aware of what data you are sharing with companies.
8. Unauthorised Sharing: Be careful about what you are posting. Anything you post publicly or semi-publicly on the Internet may be enshrined in perpetuity, even if originally shared only with a small group of people. Be prepared for your posts to be copied and redistributed, screenshotted and shared.
Our data should be valuable to us all as individuals, not only to the corporations who can profit from access to it.
The GDPR: A Positive Move for Privacy
We are mere months away from the EU General Data Protection Regulation (GDPR) coming into force in Europe. The new regulation will apply to all companies worldwide that process the personal data of EU citizens. The new regulation broadens the definition of personal data, and businesses need to ensure that they comply with the new regulation as it comes into force this April.
One of the key aspects of the new GDPR is that it is tightening the rules concerning valid consent for the use of personal data, requiring companies to use layman’s terms to obtain consent for the collection of personal data, and being clear about how the collected data will be used. Certain organisations are also required to appoint a data protection officer. Privacy Impact Assessments must be conducted by data controllers where there is a considerable risk of breaches, in order to minimise the risk to data subjects, and the new regulation also introduces a common breach notification requirement, harmonising the various data breach notification laws that currently exist in the European Union.
The GDPR also introduces the right to be forgotten, a data minimisation principle that requires organisations to not hold onto data for any longer than absolutely necessary, and not to amend the use of data from the purpose for which it was originally collected, while also requiring organisations to delete any data held, upon request from the data subject.
The GDPR also increases liability beyond just the data controllers, covering any organisation that deals with personal data. All software, systems and processes must comply with the principles of data protection under the new GDPR.
And while I very much welcome the new data protection regulation as a step in the right direction, I remain concerned about the data currently held by organisations, I remain concerned about the data that is yet to be collected, I remain concerned about mass surveillance and Internet censorship. I remain extremely concerned about our digital liberties, about our privacy.
What does the future hold?
I believe that 2018, like 2017 and every other year in recent memory, will continue to highlight the importance of privacy and why we must continue to fight for this basic right as more and more data breaches and mass surveillance efforts come to light.
Privacy is rarely about needing to hide, but often about being able to find a space where you can open up without having your words, your thoughts and your actions put under constant scrutiny. Privacy is also highly subjective and it should be up to us, as individuals, to decide how much of our private life we choose to make available to others and what we choose not to share should be our choice alone.
In conversations with fellow activists, colleagues, friends and with corporations, policymakers and civil society, I am constantly reminded that privacy is paramount and a basic right that we need to continue fighting for.
For this reason, I am extremely glad that we stand shoulder to shoulder with an array of outstanding activists, dissidents, journalists and civil society organisations who fight tirelessly for our digital rights.
And you can stand with us too, there are several organisations working to protect and promote our civil liberties and digital rights. Some might have a local chapter where you can get involved, some might be working mainly online but looking for more people to volunteer time and expertise, or perhaps you would prefer to make a small monetary donation.
At the forefront of the fight for privacy
I am privileged to have the opportunity to work with and support several organisations that work to preserve and improve our digital rights, and who fight any attempt to limit our freedoms and curtail our privacy.
Based out of Canada, OpenMedia works to keep the Internet open, affordable, and surveillance-free. The organisation creates community-driven campaigns to engage, educate and empower people to safeguard the Internet. I have chosen to highlight OpenMedia in this article, not only because of the excellent work they do, but because their views align so incredibly well with my own. Like me, and like PIA, OpenMedia believes that the Internet was created for sharing, collaborating and communicating – not for censorship or surveillance.
“It’s been proven time and time again that when people know they are being watched, they act differently. Privacy affords us the ability to be ourselves. Privacy means that we can escape the worries of what others think, how our actions or words could be misunderstood, and can just be. The ability to think, learn, and communicate privately is what helps us create our sense of self. It’s how we grow.” – Laura Tribe, OpenMedia Executive Director.
Open Rights Group
Here in the UK, the Open Rights Group is working on several campaigns to protect digital rights. ORG is concerned with issues ranging from Internet filtering and web blocking, online freedom of speech, the worrisome Espionage Act that could see journalists and whistleblowers facing serious prison time for exposing corruption and government wrongdoing, the Investigative Powers Act that is set to provide the police and GCHQ with even more invasive surveillance powers, through to the Digital Economy Act which compels pornography websites to implement age verification checks that could lead to porn companies building databases of the population’s porn habits, making them vulnerable to Ashley Madison style hacks.
“Age verification risks failure as it attempts to fix a social problem with technology. In their recent manifestos, all three main political parties called for compulsory sex and relationship education in schools. Sex education would genuinely protect young people, as it would give them information and context.” – Jim Killock, Executive Director of the Open Rights Group
The Open Rights Group website contains information about their campaigns, and some excellent resources for those wanting to read background information about the issues that ORG works on. You can also become a member or donate to support ORG’s work here.
Freedom of the Press Foundation
The Freedom of the Press Foundation works to help support and defend public-interest journalism focused on exposing mismanagement, corruption and law-breaking in government. It also works to preserve and strengthen the rights guaranteed to the press under the First Amendment through crowdfunding, digital security and internet advocacy.
“Strong privacy protections are increasingly critical to literally billions of global citizens whose entire lives rely on the Internet. There are several small but practical things everyone can do to protect their personal information, even in the face of governments and corporations attempting to collect, exploit, or profit off our data. It’s never been more important for everyone to fight for their own privacy rights, both by pushing our politicians to strengthen existing laws and using technology to fill in the gaps where laws fall short.” – Trevor Timm, Co-Founder and Executive Director of the Freedom of the Press Foundation
The work undertaken by the Freedom of the Press Foundation to protect journalists and whistleblowers is incredibly important, and more so in the current era. As such I would urge you all to visit their website and read more about the work they do and find out how you too can support them.
Do some research today, find an organisation that aligns with your ideals. Local, national or international. Consider getting involved, consider giving your support – whether that be through time or money. The PIA website lists some of the organisations that we support or partner with.
Take a moment to think about and talk about privacy on this Data Privacy Day. Privacy is very much a social issue. Take this opportunity to spend some time to learn, share information and educate, and help someone close to you to be more aware of their privacy and how they can look after it.
On this Data Privacy Day, I would like to thank my colleague Isaac Rockett for his invaluable feedback and input on the creation of this article, and I would also like to thank my other colleagues here at PIA, and my fellow activists within the digital rights sphere for always bringing challenges, different perspectives and a great deal of learning to the table.