Who Is Watching You Right Now?
In today’s digital era, the use of computerized systems to provide services and store information is prevalent in both the public and private sectors. The public sector uses computers to better serve the public, while private companies use them to improve business agility through better management of available resources. In addition, individuals use computing devices heavily in their daily lives; it is seldom to see a person who is not dependent on some form of computing device to organize his or her digital data or to communicate with others.
Cybersecurity threats and incidents have increased lately, leading to significant economic and social consequences for business organizations and individuals. Nowadays, cybersecurity and digital privacy are high priorities in all developing countries. Our society is being exposed to greater security threats as devices get increasingly connected. Developing skills around Internet privacy and safety is crucial to protect our nation and welfare.
Most computer users—and even some businesses—will not think about computer security until a problem arises. At this point, a breach in security can cause huge and potentially harmful problems to your business and/or your customers. For individuals, the risk of breach can cause serious damage to personal reputations (you may remember the iCloud leaks of celebrity photos in 2014) and even to lives. To survive in today’s digital world, it is essential to make sure that the information held in your computers and that travels the Internet is safe and secure. Please note that the information stored in your computing device can be either persistent data or fragments (remnants of data left after processing it). Destroying remnant data is equally important as protecting the primary data storage units; such data may contain confidential data and can be recovered using a variety of techniques without your consent.
Recent events have focused an intense spotlight on online privacy and security. Yahoo announced that more than 1 billion user accounts were hacked in August 2013. The data stolen included the username, e-mail, password, phone number, and date of birth for each hacked account. This is considered the largest cyber-attack ever recorded. 1 Yahoo is not the only one that has faced such a breach; the international press announces such news almost daily.
As we become more dependent on the Internet, the threat of cyber-criminals and other intruders increases rapidly. In contrast, most people still have a limited understanding of the security and privacy implications when using the Internet in their daily lives. To understand Internet risks, you need first to categorize them according from where they first emerged.
You should work on two levels to increase your computer system’s resistance against cyber-attacks.
The first level is to fight against outside attackers such as cyber-criminals , black hat hackers, identity thieves, mass surveillance programs, and any outside party trying to invade your personal data. This type of attack presents the greatest risk that any computer user or business faces when going online.
The second level is related to inner attacks. This level is mostly concerned with attacks that come from within a business organization, such as from an employee. Protecting sensitive business data by setting different security access permissions for each user group and updating them continually is the first defense against such risks. Individuals also can become targets of internal attacks. For example, using the same PC at home or work by more than one user can lead to inner privacy violations.
Types of Attacks
Cyber-attacks come in two main forms: passive attacks and active attacks.
Passive Attack
In a passive attack, an intruder monitors a system and network communications and scans for open ports and other vulnerabilities (for example, an unpatched system). The intruder will try to collect as much information as he or she can to use it later to attack the system or network; this type of attack is also known as footprinting and is used to gather intelligence about the target system to attack it in a later step. An example is when an intruder records network traffic using a packet analyzer tool (such as Wireshark) for later analysis. Installing a keylogger is also a kind of passive attack where an intruder waits for the user to enter his or her username and password and records them for later use.
Active Attack
An active attack involves using information gathered during a passive attack to attack a user or network. There are many types of active attacks. In a masquerade attack, an intruder will pretend to be another user to gain access to the restricted area in the system. In a reply attack, the intruder steals a packet from the network and forwards that packet to a service or application as if the intruder were the user who originally sent the packet. Other kinds of active attacks are denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, which work by preventing authorized users from accessing a specific resource on a network or the Internet (for example, flooding a web server with more traffic than it can handle).
To counter these Internet attacks, individuals and companies deploy a set of defenses to protect their digital assets; however, despite your precautions, it is always possible that your system will get breached. This book will present you with a wide array of techniques and tools that teach you in detail how you can assure your privacy and security are at the highest level. Following the steps in this guide, not only will you learn how to protect your private data, but you will also become computer security literate, meaning you will be able to understand what current and future risks you are facing online and how to counter them. You will also learn how an intruder, whether a person or an entity, can invade your PC and what best practices should be implemented when using the Internet in your daily communications.
The majority of Internet users, especially nonprofessionals, do not consider Internet privacy an issue! For this reason, we will start by talking about who wants your private data when you are surfing online. Later, we will show how outside observers can benefit from the accumulated information by exploiting it to draw a complete picture about all your life’s aspects.
We Live in a Dangerous World
Technological developments since the Cold War, during which espionage and the monitoring of civilians were widespread, have increased the intrusiveness and the power of surveillance. The ability to monitor the communications of entire groups and nations on a mass scale is now a technical reality. This poses great concerns about abusing such techniques and violating human rights.
Effectively, anything you do online is monitored and recorded! This sentence may not seem realistic at first, but, unfortunately, this is the truth.
In this section, we will briefly introduce you to the topic of global surveillance. Knowing who is involved in monitoring people’s activities online is essential to being careful when using many services, applications, and other digital products.
Historical Background
Global surveillance is defined as conducting a mass surveillance of the entire population across national boundaries. The modern term comes from the 1950s, when the United States and United Kingdom collaborated to exchange the information collected from their spying activities. Later, many countries joined this collective, forming what is known as the Five Eyes.
The Five Eyes began making cooperation agreements with other nations, eventually forming a huge spying network that has the codename Echelon according to many sources from both the European Union and United States.
Echelon is a global network of spy stations and spying satellites that can eavesdrop on telephones, faxes, and all digital communications and satellite transmissions. Echelon has the ability to sniff Internet traffic on a global level. In addition to this, many sources have accused it of planting underwater devices to monitor transcontinental fiber-optic phone cables, giving its operators a greater ability to record all online communication and then filter the data using advanced artificial intelligence technology in voice recognition and keyword matching to extract useful information.
Echelon is not the only global surveillance system; there are many domestic and even continental networks. However, Echelon is the most famous because of resources and global coverage.
Five Eyes’ Global Surveillance
The Five Eyes (FVEY) alliance is a secretive, global surveillance arrangement of countries comprised of the United States, United Kingdom, Canada, Australia, and New Zealand, originally gathered to monitor the communications of the socialistic mass. Nowadays, its main focus is on monitoring digital communications across the globe.
After the September 11, 2001, attacks on the United States and the ongoing war on terror since 2001, FVEY further expanded its surveillance capabilities, with much emphasis placed on monitoring the Internet. In an interview, former National Security Agency (NSA) contractor Edward Snowden once described Five Eyes as a “supranational intelligence organization that doesn’t answer to the known laws of its own countries.” Documents leaked by Snowden in 2013 revealed that FVEY have been spying on one another’s citizens and sharing the collected information with each other to circumvent the restrictive domestic regulations on the surveillance of citizens.
FVEY has made partnership agreements with many countries (termed third-party partners) to share intelligence information.
9 Eyes: This includes the countries in FVEY plus Denmark, France, the Netherlands, and Norway.
14 Eyes: This includes the countries in 9 Eyes, with the addition of Germany, Belgium, Italy, Spain, and Sweden.
41 Eyes: This includes all of the above, with the addition of the allied coalition in Afghanistan.
The majority of information about mass surveillance programs remains top secret; however, the recent revelation of the Snowden documents cast light on the underground world of mass surveillance programs and their huge impact on each citizen’s privacy.
Most Recent Surveillance Laws
Despite the existence of many domestic and international surveillance programs controlled by both superpowers and national intelligence agencies, the government surprises us continually with new bills (mainly issued in western democratic countries) regarding the monitoring of online communications. We cannot understand why democratic nations try to issue such restrictive bills while they already have their own shadow surveillance programs that do not adhere to the law. We think the driving force beyond such bills is that these countries are afraid of disclosing information about their illegal monitoring activities on their own citizens and others, so they work to govern their surveillance activities with laws.
In this section, we will talk about the most recent bills and other actions concerning user privacy.
UK Investigatory Powers Act 2016
This bill will become a law after receiving the royal assent in November 2016. This law will legalize the UK’s global surveillance program, which intercepts communications from around the world. It will also introduce new domestic terms to access any citizen’s Internet connection records without a warrant or judicial oversight. UK security services will be empowered to hack individuals, Internet infrastructure, and even whole cities—if the government deems it necessary.
As the United Kingdom has legalized the most extreme surveillance in the history of western democracy, we can expect to see similar bills in the future in different countries around the world.
U.S. Government Starts Asking Foreign Travelers to Disclose Their Social Media Accounts
The U.S. Customs and Border Protection has started demanding that foreign travelers hand over social media information upon entering the country. U.S. officials say this policy will help them to counter future terrorist threats by denying entrance to any foreigner who is involved in, or supports in any means, foreign terrorist groups.
This act is still voluntary, and it targets only those travelers who come through the visa-waiver program; nevertheless, it soon may become a law that would be enforced on all travelers.
With the rise of terrorism threat, you can expect that the United States and other countries may enforce this policy on all travelers reaching their borders. This raises serious privacy concerns for people traveling to such countries. The amount of information that can be collected is tremendous and will certainly contain highly sensitive information about each traveler’s opinions, beliefs, identity, and community.
Internet of Things Security
Mass surveillance goes beyond communications surveillance. As we move toward “smart” devices and cities, more and more of our activities will be collected and analyzed. Smart cities track individuals and vehicles using cameras and sensors; effectively enables authorities to draw a diagram of the entire population’s movements daily. Many cities are expanding the network of free Wi-Fi in public spaces, allowing government to collect a wealth of information from the connected devices including their geolocation.
The term Internet of Things (IoT) is used to describe any device that can connect to the Internet and that has the ability to collect and exchange data. The list of devices includes cell phones, coffee makers, washing machines, headphones, lamps, wearable devices such as watches, security systems including alarms, Wi-Fi cameras, baby monitors, smart refrigerators, smart TV sets, smart air-conditioning systems that can adjust the heat remotely, and almost anything else you can imagine and can be connected to the Internet and controlled remotely.
The analyst firm Gartner forecasts that 8.4 billion connected “things” will be in use in 2017, which is up 31 percent from 2016. 2 Gartner also estimates that by 2020 more than half of major new business processes and systems will incorporate some element of the Internet of Things. 3
In addition to Internetworking devices, the IoT includes human. This makes the relationships in the IoT network become human-to-human, human-to-things, and things-to-things.
Apparently, the IoT offers wide possibilities for improving our future lives, but this comes with a price. The biggest risk is the danger of abusing IoT devices or an intruder hacking IoT devices.
Warning
Talking toys can spy on your family. The IoT includes vast categories of Internet-enabled devices, and talking toy are among them.
Many toy firms manufacture specific types of toys that can understand and respond to your children in real time about almost anything. A baby can ask this toy about herself, people, places, and other things, and it will respond instantly. This is an impressive invention, but what is the privacy implication of it?
Most of these toys are connected to smartphone apps using Bluetooth or have a Wi-Fi connection that links it to a router directly and hence to the Internet. To understand the things your child is saying, this toy needs to record his or her voice and send the recording to company servers in order to interpret it and respond. Apparently, this toy will record not only your kid’s voice but also everything around it; in addition, the server where the recording is sent for interpretation could belong to a third-party company that is responsible for voice recognition. This means your sensitive information could be spreading all over the world without your consent or even knowledge!
On October 21, 2016, a series of distributed denial-of-service (DDoS) attacks caused widespread disruption of legitimate Internet activity in the United States. This type of attack targets the Domain Name System (DNS) , which is used to route Internet users to the right address. The attack lasted for several hours and caused major web sites like Twitter and PayPal to stop working.
This attack was mainly caused by exploiting a weakness in a large number of unsecured Internet-connected digital devices, such as home routers and surveillance cameras. The attacker performed a global scan to find unsecured devices (for example, devices with the default password and username); then the attacker targeted these unsecure devices with malware, making the device act as a botnet. Botnets are collections of millions of infected computers (or any IoT device) that are used maliciously for attacks. Any unprotected Internet-enabled device can be used to create a botnet by an intruder.
This massive DDoS attack shows clearly the risks of exploiting unsecured IoT devices to conduct cyber-attacks on an international level.
The attacks on privacy stemming from the IoT can be serious. The following are some examples:
Exchanging private data between IoT devices and unsecured servers: Imagine a case where a health-related IoT device is exchanging your health information with an unsecure server that gets breached by outside attackers.
Hacking webcams to spy on people inside their homes: The next step could be conducting a crime or a robbery.
Hijacking IoT devices to plant and spread malware or to conduct a DDoS: The previous example from 2016 is this type of attack.
Taking control of some connected devices to gain access to property for a robbery: For example, an attack could hack an IoT door to gain physical access or switch alarm devices off remotely.
Hacking and stealing vehicles: For example, an attacker could break in and steal a car that has an IoT-enabled key system.
This list of examples is not exclusive because more are emerging continually, according to the pace of technological development. In the next chapter, we will talk about how you can mitigate the IoT risks on your privacy and security.
Note
Shodan , a search engine for the IoT, crawls the Internet at random looking for unprotected IoT devices to add to its list. Shodan can be abused to exploit unsecure IoT devices easily; however, the main purpose of creating it was to shed light on the unsecure nature of such devices if left without proper security configuration.
Printers, webcams, power plants, and more, many of them unprotected or minimally protected, have been found over time, and the revelations have changed the way security and privacy on the Internet is perceived. Shodan has already seen TVs, cell phones, traffic lights, industrial controls, infrastructure plants, and various home appliances pop up in the search results, and more of these IoT devices are added each day as the world is becoming more connected.
You can find Shodan at https://www.shodan.io .
What Is Digital Privacy?
In a nutshell, digital privacyis the protection of personal data when using the Internet.
As a broad term, digital privacy is concerned with any identifying information furnished online when conducting personal or business communications over public networks. Historically, the debate about digital privacy was concentrated on privacy concerns with social networking services, as viewed from within these services. The revelation of the Edward Snowden documents about mass surveillance programs fueled the public debates about the importance of legalizing surveillance activities and raised the public awareness about the importance of protecting their personal data when working online.
For example, when you conduct a search using Google, your search keyword, date/time of search, and your Internet Protocol (IP) address can be tracked back to you. The majority of Internet users do not know that their browsing activities and online habits are logged to formulate a complete profile about their online activities. Such precious information can be later sold to third parties for different purposes.
To better understand the term digital privacy, you need to know the types of information that distinguish each person online. Later we will talk about information types and the different parties interested in acquiring it.
Classification of Personal Information
When working online, there are two types of information can be collected from your activities.
Personally identifiable information (PII) or sensitive personal information (SPI)
Anonymous information
PII is any information that can be used on its own or with other information to identify or locate a single person. It includes name, Social Security number, passport number, date/time, place of birth, gender, father and mother names, biometric records, or any other detail that uniquely belongs to you and is personally identifiable.
The advance of computing technology and the popularity of social sites make it easy to harvest a large volume of PII about any Internet user. In fact, open source intelligence techniques (OSINT) tools and methods have matured and become widely available for free. A normal computer user can use OSINT tools to gain access to any published data about any connected user. Non-Internet (offline) users can also suffer from problems when their PII gets breached by black hat hackers invading private and public service organizations. Advertisement companies and giant corporations are thirsty to own more PII about their customers to better target them with customizable products and services. Black hat hackers, on the other hand, want to get PII about specific people to steal their identity or to aid them in the planning of future criminal acts.
As a response to these threats, the majority of countries worldwide regulate the gathering of PII about their citizens. Currently, all reputable web sites mention clearly in their “privacy policy” agreement what PII is collected, how it is saved/processed, and the duration it will remain stored. Lawmakers have also enacted legislation to govern the gathering and distribution of PII.
On the other hand, there is a type of information that cannot be related to your personality. For example, your browser type and version, operating system types and version, connected device type, area code, city, country, school or university name, current location, and anything else shared among more than one person cannot be considered personally identifiable. Maybe you think this type of anonymous information is trivial and not worth protecting. We’re afraid you are wrong. Such anonymous information when combined with other information can create a unique digital fingerprint of your connected device that can distinguish you among millions of connected users online. This information can be combined with other details related to you, making it personally identifiable information, as you are going to see later.
Things You Want to Keep Private
When working online, you should keep many types of information private to protect your digital privacy and prevent identity theft. Here is a list of information that you may want to keep private:
Contact information: This includes your full name, phone number, e-mail address, and work and home addresses. Some may argue that such information is already available on the majority of business cards, but did you ask yourself the following question: do you hand your contact business card to anyone?
Private and family information: This includes your marital status, your wife’s name, your parents’ names, your age, children’s names, children’s age, children’s school/university, and anything that is privately related to you and your close family. Unfortunately, the majority of Internet users already have such information published online (for example, on Facebook). This kind of information is dangerous to reveal as it may help outside observers hack into your online accounts, kidnap your children, and even impersonate you (identity theft ).
Location information: As computing technology advances, the majority of smartphones (and many IoT devices) have location sensors connected to different satellite services such as GPS or Glonass; others devices can determine location based on the cell tower network. (Giant companies such as Google and Apple already have large databases of cell towers and Wi-Fi access points that can identify and track a user’s current location.) When enabled in smartphones and computers, location services can record your current location and all the places you were in, and Google has a facility (named Google Maps) that can draw a complete map of the places you’ve been and the routes you’ve traveled. Although this feature is private by default, we cannot guarantee that it really is. Not all users prefer to reveal their location to the public (although many already do in Facebook); however, when using some apps (for example, using an app to find the nearest restaurant or gas station nearest your current location) that need location services to be turned on to work, they can record your physical location and use it later for different purposes without your explicit consent.
Healthcare records information: This includes your physical characteristics such as your height and weight, eye and skin color, past illness history, medicine taken now and in the past, previous surgery, blood group, and anything that is recorded when you visit your doctor or hospital. Such information is important, and it must be stored on computer records somewhere. Imagine if a security breach occurred and this information gets revealed and viewed by your insurance company or employer. What will be the consequences?
Criminal records: If you have a past criminal record, what will be the consequence if it gets revealed to the public?
Financial information: This includes your bank account details, bank transactions, financial partners, how much money you earn, tax statements, and anything else related to your financial condition.
Purchase information: When you make an online purchase, you are using your credit card to pay for it. Both credit card companies and banks will see your previous purchase history. This is something you cannot hide, and it is attached to your identity (you cannot open a bank account without showing them a valid government ID). If a security breach occurs and your purchase history is revealed, do you have any concerns about what you have already bought in the past from being publicly discovered?
Web surfing history and communications log: When you visit a web site, the pages you visit, the amount of time you view each page, the links you click, the searches you make, every video you watch, every file you download, and the things that you interact with will be collected and recorded by this web site to create a “profile” that links to your web browser. This data is stored somewhere on your computer or mobile phone (using cookies or caches) or somewhere on outside servers like the visited web site server or other third-party server. Once you visit a web site, it is nearly impossible to avoid leaving a digital footprint. Nevertheless, during this book you will learn how to minimize and anonymize your digital fingerprint to avoid being tracked online.
Communication logs: Communication logs are also important; they include all your e-mail messages, Facebook and Twitter private messages, and any other activity conducted on a similar social networking web site. Even after you delete your previous messages, you cannot guarantee that they have been completely deleted from all locations. The main principle here is that what goes online never dies. Although this may be an overstatement in some cases, you should avoid posting or sending anything online that may lead to personal or legal problems if discovered someday.
Maybe after reading the list of information types that you should keep private, you are wondering what you can publish online about yourself! Actually, this question is dependent on each user case; some people may not have a problem revealing a lot of information about their private lives. However, the majority of people care about protecting their private data. The many global surveys already done about the digital privacy issue conclude that the majority of Internet users care about their privacy and are willing to have laws that protect their private data and prevent privacy invasion when going online.
Who Needs Your Personal Information?
Exchanging PII data online is not a problem on its own. We all need to send private e-mails to our friends and family. Many of us send personal pictures using e-mails or cloud storage services when they are on a vacation. We may want to send medical information about our health status to our doctor or hospital (some IoT medical devices do this automatically). We are also used to checking our bank transactions online in addition to making online purchases. All these actions will not impose any problem for our personal data. The problem occurs when such information gets revealed publicly without our consent or simply gets hacked or intercepted by outside parties for different purposes.
There are many people and entities that want private information about you. In this section, we will list them and explain what motivates them to perform such actions.
Online Advertising Companies
Almost all free online services contain ads. You cannot read the news, watch YouTube movies, use Facebook, or conduct Google searches without seeing advertisements.
Web sites need advertisements to fund themselves, so when using a free e-mail service, it is ordinary to see ads. Some e-mail providers even send promotional ads with every sent e-mail to generate some profits. The ads constitute the main stream of money that the web site can exploit to stay in business.
A report conducted by PwC Advisory Services (PwC) shows that Internet advertising revenues in the United States totaled $59.6 billion for the full year of 2015, with Q4 2015 accounting for approximately $17.4 billion and Q3 2015 accounting for approximately $14.7 billion. Revenues for the full year of 2015 increased 20.4 percent over 2014. 4
Online advertising is a broad term used to describe the paid advertising that publishers put on their web sites or apps to enable them to provide you with content and services for free. But what most people see is a specific type of online advertising that is tailored to your likely interests by companies promoting their products or services. This is known as Interest-based advertising (IBA). 5
To distinguish between the two entities, please note that the advertiser is the one who pays the money to get advertisements shown, while the publisher is the one who gets the money for showing the ads. The publisher could be a web site or application owner or anyone who has a digital channel to put ads on.
Advertisers are interested in profiling and tracking online users to target them with customized ads. We will cover online tracking and behavioral profiling in the next section.
Intelligence Agencies
Security services are interested to know anything about you and your habits, previous purchases, political opinion, location, and even health status. One of the major works of any intelligence agency is to gather as much information about its citizens, but the problem arises when a nonauthorized person or entity views this information or when it gets hacked by an outside party.
We already talked about the recent act imposed by the United States that certain travelers must reveal their social networking accounts. If, for example, you made a joke about something (political, economic, or military news) and post it to your Facebook account, this joke may be interpreted differently (understand it with a different meaning) by the security officer who is investigating your account before granting you access to cross the border. They can effectively deny your visa and maybe offer you a place in jail!
As we mentioned, the revelation of the mass surveillance programs of the NSA and its global allies beginning in 2013 showed clearly that the intelligence services were collecting data on a global scale to monitor their citizens and also other nations’ citizens. This was going on for a long time without following a legal framework that governs access to such data, and such activity will continue in the future, maybe even increasing to counter emerging terror threats spreading all over the world.
Big Data
As the world becomes more technology dependent, the volume of digital data produced globally is expected to have explosive growth. Digital information from cell phones, Internet communications, IoT devices, cloud storage, satellite sensors, social networking, and other countless digital sources, which produce both structured and unstructured data, are forming what is known today as big data.
Intelligence services around the globe are eager to develop new capabilities to manage and exploit big data. CIA chief technology officer Ira “Gus” Hunt appreciates the importance of big data gathering for his agency by saying, “It’s the CIA’s job to leverage the world of big data, find out what actually matters, connect the dots, and figure out what our adversaries are intending to do.”
Big data can be analyzed for different purposes. For example, advertisers can use such data to profile and target users with customized ads, and security services can use it to extract a wealth of economic, security, and political information about any nation to make future predictions.
Black Hat Hackers
Some intruders may want to target you for fun; others may want to steal your data and money (stealing credit card and bank information). These latter intruders are called black hat hackers. There are many methods that can be employed to steal your confidential data. You will learn about them during this book and learn some mitigation strategies beginning in Chapter 2.
Black hat hackers usually target people who know a good number of details about them, which is why you should publish only a small amount of private information about you, your family, and work online to avoid becoming an attractive target.
People Who Know You
Your relatives, work colleagues, ex-wife or ex-husband, and any individual you have problems or a legal dispute with can use your personal information against you in some context.
Other Parties
There are additional groups of people who might become interested to know your private information. For example, your future employer may seek to know information about you before signing a contract with you. If you, for example, have pictures of yourself on your Facebook profile that can give a sense about you that you are an unreliable person, this may reduce your chances of landing a new job.
Insurance companies also have great interest in gaining private information about their clients. If you post your picture to your Facebook account while you are in the hospital, this can give a negative sign to your insurance company about your current health condition and may raise your health insurance rate.
Banks also need private information about their clients. If you need a loan, your bank will need to know as much information about you as it can. If, for example, the bank discovers while searching in your social networking activities things that may make it see you as an unreliable or untrusted person, the bank will refuse to give you the loan.
As you can see, different parties are interested in your private information. Even the smallest detail about your life can be exploited and merged with other trivial details to form a picture about your personality and social behavior.
If everything mentioned up to now did not scare you, continue to the next section.
Invading Personal Privacy Through Online Tracking and Behavioral Profiling
Online behavioral advertising (OBA) describes a set of techniques used by advertisement companies to show customized ads to online users based on their browsing activities and online habits. Social networking sites and other online merchants also engage heavily in collecting data about their users to achieve a higher return from the delivery of advertising tailored to their specific needs.
Although the majority of data collected for OBA is considered nonidentifying information, it can be easily combined with other sources to become PII, making it a real invasion of user privacy. For instance, data collected for OBA can include the following:
Age
Gender
Country and city where you live
Purchase interest (for example, shoes, tea, fiction books, and so on)
Behavioral marketing can be used on its own or in conjunction with other forms of targeting based on factors such as geography, demographics , or contextual web page content. It’s worth noting that many practitioners refer to this process as audience targeting. 6
For example, say you are searching the Internet for a cheap flight ticket to Hawaii. After browsing a few web sites to find the cheapest one, you decide to stop and go read your favorite news web site. There you see advertisements about what you were looking at few moments ago. To make things more interesting, you then go to your account on Facebook and see the same advertisements about cheap airplane tickets to Hawaii!
Advertisers need to generate profits from their advertisements, and this can happen only if they target the correct customer. In the previous example, the advertiser knows you were searching for a ticket to Hawaii (using some techniques mentioned next), so the advertiser instantly targets you with similar ads because you are highly likely to buy a ticket, which will result in a sale and, consequently, generate a profit for the publisher and for the web site owner who displays this ad (the advertiser could be the publisher and the web site owner at the same time).
Targeting customers is not limited only to what they search for or watch online; tracking users across many web sites can help advertisers to formulate a profile about each one, thus suggesting products and services that you may not ever think about but may be interested in once you see it in front of you.
A new study in Psychological Science, a publication of the Association for Psychological Science, suggests that advertisements can be more effective when they are tailored to the unique personality profiles of potential consumers. 7
Online trackingis defined as the process of collecting and processing data acquired from Internet users’ devices (computers, tablet, and smartphones). There are two kinds of online tracking: direct tracking and third-party tracking. In direct tracking, the tracking is conducted by the web site or application the user is accessing. In third-party tracking, there is a third party (other than the web site/application the user is accessing) that tracks user-browsing activities over multiple web sites (the user is the second party). A tracking log can be stored either on the user computer (for example, using cookies) or on the third-party server.
This kind of tracking is dangerous to privacy because it can link your browsing and searching activities and tie them to your real identity. We’ll show an example to demonstrate this idea.
The majority of web sites have Facebook Like and Share buttons among other social networking symbols (like the Tweet button from Twitter). For example, if you are reading an article on my blog at www.DarknessGate.com and you like it, you can click the Like button, which exists on each article page, and this post title will appear on your Facebook news feed. It will also appear in various places on your friends’ and followers’ newsfeeds and tickers, as the Facebook algorithm sees fit. Up to now everything is normal. The problem of privacy is that whenever you visit a web site that has the Facebook Like or Share button, Facebook will know that you were visiting this web site even if you did not click this button. At the beginning of October 2015, Facebook began to feed users’ web browsing habits collected from these Like and Share buttons into the company’s ad targeting systems. By doing this, Facebook not only can target its users with customized ads but also can link their browsing habits and search activities to their real identities on their Facebook accounts.
In June 2016, Facebook announced it will be expanding its tracking activities (to target people with better customized ads) to include non-Facebook users. In the past, Facebook collected information about its registered users’ tastes and online behaviors and targeted them with customized ads when using its service or visiting any of its third-party-affiliated web sites. But now it is aiming to track all online users, even non-Facebook users, through its Like and Share buttons and then target them with customized ads according to their online preferences. 8
Andrew Bosworth, vice president of ads and pages at Facebook, said, “Our buttons and plug-ins send over basic information about users’ browsing sessions. For non-Facebook members, previously we didn’t use it. Now we’ll use it to better understand how to target those people.”
Personalization technologies offer powerful tools for enhancing the user experience in a wide variety of systems, such as finding the best product/service and price combination, but at the same time personalization technologies raise new privacy concerns if they get revealed publicly or combined with other information about you to formulate a complete profile about your online habits attached to your real identity. The dangers of online tracking and user profiling will be covered thoroughly next.
The Danger of Online Tracking
In this section, we cover the main dangers and examples of the risks associated with online tracking.
Mass Surveillance
We’ve already talked about how Facebook collects different information about its users (and also non-Facebook users) to target them with customized ads. Let’s focus on the user who already has a Facebook account. Facebook has the ability to maintain a complete log of online activities about each user. This log will be connected to a user profile on Facebook (usually his or her real identity). This is a large amount of personal information stored in one place about each user. Let’s now consider the consequences on this privacy; what will happen if the Facebook servers get hacked by an outside party (Russia or China, for example)? What if Facebook hands this information to a security service agency?
We are focusing on Facebook because it is a giant among other social networking web sites, but do not forget the rest of the major social networking web sites that definitely suffer from the same privacy and security issues.
Note
Remember that the Yahoo hacking case revealed in 2016 that information from 1 billion user accounts had been hacked.
Service/Price Discrimination
Using profiling and tracking techniques, companies can customize service and price discrimination to each individual. In other words, people can be charged different prices based on a certain demographic factor, including location and/or socioeconomic status.
For example, if you seem like a well-educated professional searching for luxury items using the latest iPhone device, this tells the merchant or the advertiser that you might be willing to pay more than average for some items.
The same applies to many services; if you continually search for medicine or natural products, this may indicate that you suffer from a health problem. Such information may disqualify you, if your future employer or insurance company knows about it.
Note
If you suspect that you are a victim of price discrimination /differentiation, try this test: set up a proxy server or virtual private network (VPN) to obfuscate your IP address (an IP address is used to determine your current physical location) and visit the same item page of your preferred merchant. Check the item price before and after obscuring your IP address to see whether the price changes. In the coming chapters, we will teach you how to anonymize everything you do online.
Content Personalization Risks
As we already talked about, user profiling helps a service provider (whether it is a merchant or a free online service) personalize its content to users.
Content personalization can be embraced in many ways. For example, when searching for sexual items, Facebook will show related ads on your Facebook profile, and the same will appear on search engine result pages.
Search engines also track and profile users according to their previous searches. This is not always good because it will return homogeneous results and even discard some. Such results can also be biased in some way.
When you search an online merchant for some products, it will continually display ads that are related to your previous searches or saved profile, thus eliminating many results that may be of interest to you.
The examples of the danger of content personalization are endless, but the greatest danger is related to ordinary individuals who are unaware of personalization’s risks; the majority of people do not understand the context within which data collection and algorithms operate.
Slowing Page Load Time
This is not a privacy risk. Instead, it is a technical issue but is worth mentioning. A web site that utilizes social sharing tools like AddThis or ShareThis and other social networking widgets can load slower than the web sites that do not utilize such tools. This because upon loading the page with social networking tools, it will wait for responses from the third-party web sites (like Facebook and Twitter) affiliated with it. This will effectively increase the loading time.
Benefits of Online Tracking
Actually, we do not consider user tracking to be a completely bad practice. For instance, direct tracking conducted by web site owners is beneficial to customize the user experience across sessions (for example, saving user theme customizations and preferences). Besides, many e-commerce web sites need to track users to keep their shopping cart contents while they browse different pages/web sites.
Online tracking is also used to fight against online fraud. It is used to detect online payment fraud by looking at some technical indicators that may raise suspicion.
When the billing country and the IP country (IP determines physical location) do not match
When a proxy server is used to change the user’s real IP address
If your connection originates from a high-risk country
Personalizing content is beneficial in many cases, especially for ordinary Internet users, as people with average Internet literacy may not be able to find content easily online, and this selective content is more likely to be of relevance to them.
Online tracking is used extensively in web analytics and measurement techniques. Such techniques are used for analyzing web site data such as number of visitors, their origin country, which pages they visit, and how long they stay on each page. The compilation of this data helps web site owners to better develop relevant and effective ad campaigns in addition to identifying key performance to achieve the highest return possible.
Web site owners (first-party trackers) can develop their own analytical techniques. However, the majority prefers to use third-party services like Google Analytics, Alexa, and Bing Webmaster Tools, to name a few. Web analytics track users online using different techniques (described next) and store their browsing activity across many web sites. This information helps them to create aggregated statistics to measure the effectiveness of their advertisements and to optimize web site contents accordingly.
Finally, web tracking is also beneficial to stop certain kinds of attacks against web sites, for example, to stop a particular machine (or machines) from launching continual brute-force attacks or to recognize attackers when they return.
How Online Tracking Works Technically
In this section, we will delve into the technical side of online tracking and behavioral profiling to describe how outside observers can track your online activities and what techniques they deploy to profile and predict your future activities.
The Concept of an IP Address and Its Role in Tracking Users Online
You cannot consider an IP address as PII , but if combined with other information or used to build a profile about a specific person, it will become PII regardless of whether the individual’s name is known. It is essential to understand the concept of an IP address and how devices are connected to the Internet because the majority of anonymizing techniques work by obscuring your real IP address to avoid tracking. Besides, you cannot protect your digital privacy without knowing how Internet devices are connected in today’s digital world. For this reason and more, we will dedicate this section to describing the IP addressing scheme and how different laws perceive it in relation to user privacy.
What Is an IP Address?
An Internet Protocol address is a unique address that computing devices such as PCs, tablets, smartphones, or anything that can connect to the Internet use to identify themselves and communicate with other devices in the IP network. No two devices can have the same IP address on the same IP network. You can describe the IP address as like your telephone number (including its international code) in that it is used to uniquely identify you globally.
There are two standards of IP addressing already in use. The IPv4 standard, which is the most used one, is already supported everywhere on the Internet and can accommodate a maximum of 4.3 billion addresses. Apparently, this number of addresses is not enough in today’s digital world, especially after the explosive growth of IoT devices. This resulted in another standard being developed named IPv6, which can accommodate more than 7.9×1028 times as many as IPv4.
IPv4 addresses consist of 4 bytes (32 bits), while IPv6 addresses are 16 bytes (128 bits) long. Up to now, the majority of online services are still using IPv4, and the adoption of IPv6 is still moving slowly.
When connecting to the Internet, you either use the same IP address each time (static IP) or use a different number each time (known as dynamic IP).
A static IP address is an address assigned by your Internet service provider (ISP) and does not change over time; you can consider it like your phone number, which remains fixed (until the provider withdraws it from you). Static addresses are usually used by businesses, public organizations, and IT companies that offer IT services to individuals and the private sector. For example, a server hosting web sites or providing e-mail services needs a static IP address. To use a static IP address, you need to manually configure your router or server to use it. 9
By contrast, a dynamic IP address is assigned dynamically by your ISP whenever you connect to the Internet. It uses a protocol called Dynamic Host Configuration Protocol (DHCP) to assign you a new IP address every time your computing device or router gets rebooted. Some ISPs may allocate the same IP number previously assigned to you many times, but this is not a rule of thumb.
To determine whether you are assigned a dynamic or static IP address, disconnect your Internet connection from your computing device (you can also reboot your router), reconnect, and then check your IP address again. Another method is to use the command-line prompt in Windows, as shown in Figure 1-1. Find the line containing DHCP Enabled under your current network connection; if DHCP Enabled is set to Yes, then you most likely have a dynamic internal IP address.
Figure 1-1. Determine whether your PC is using a dynamic or static IP address. In this case, we’re using a dynamic IP address.
You can also check what your IP address is by going to https://www.dnsleaktest.com .
IP addresses come in two types: public and private IP addresses. A public IP address is the one that allows direct access over the Internet. For example, an e-mail server needs to have a public IP address to access it directly. The public IP address is unique globally.
A private IP address is a non-Internet-facing IP address on an internal network and is used to assign a private number to your computing devices in your home or office network to avoid exposing them directly online. For example, you can have one public IP address assigned to your router on your office network, and each of the computers, tablets, and smartphones connected to your router (via wired or Wi-Fi) get a private IP address from your router via DHCP.
Note
DHCP is a network protocol used on IP networks. It works by dynamically allocating IP addresses to a set of connected hosts based on a preconfigured pool of addresses.
How an IP Address Is Used to Track You Online?
Whenever you visit a web site, your current connection’s IP address will be available to it. Most web sites record all IP addresses visited by default; they also record the date/time of each visit in addition to other information, such as what pages you have been visiting and the time spent on each one.
Your ISP will also record your web browsing activities and will save them in a log attached to your real identity (the majority of ISPs need a valid government ID to give you Internet access). Even if you are using a dynamic IP address or connecting from behind a Network Address Translation (NAT) device, your browsing activities can still be tracked back to you because your ISP knows what IP was allocated to each user and when. Users connected from within local area networks (LANs) and sitting behind a router that offers NAT service can also be tracked back (but this is technically more difficult) because the router tracks basic data about each active connection (particularly the destination address and port). When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine the private address on the internal network to which to forward the reply.
By knowing your IP address, outside trackers can determine your ISP and current location including your country and city. Bear in mind that the location information based on the IP address alone is not always correct. An ISP can own a pool of addresses allocated to different countries around the world; it may assign your computer an IP address that is registered in the United States while your physical location could be in the United Kingdom. 10
There are different laws globally regarding how to handle users’ IP addresses. Currently, there is no clear law that overtly states that an IP address is considered PII. It seems not all countries handle this issue the same; many of them judge it on a case-by-case basis.
The Information Commissioner’s Office (ICO), the United Kingdom’s data protection watchdog, declared to Out-Law.com, “If an individual can be identified from an IP address, then it would be personal data, but that would not always be the case and ‘needs to be judged on a case-by-case basis.’ As part of the analysis, organizations need to assess how specific an IP address is to the device or user.” 11
The following is according to the advisory guidelines (revised in December 2016) issued by the Personal Data Protection Commission in Singapore about the issue of whether an IP address is PII:
“An IP address, or any other network identifier such as an IMEI number (used to identify phones), may not be personal data when viewed in isolation, because it simply identifies a networked device.” 12
The United Kingdom and Singapore seem to use the same approach to handle the dilemma of whether an IP address is considered PII; however, after the recent judgment issued by the European Court of Justice (ECJ) on October 19, 2016, that rules IP addresses are PII, 13 this will create problems for a lot of companies that record users’ IP addresses for different reasons, as they must treat this information according to privacy rules that govern PII data.
In the future, you can expect EU countries and maybe soon the United States to follow the ECJ rule when considering IP addresses as PII.
Online Tracking Techniques
The IP address is not the only thing used to track your online activities. Actually, most online tracking and behavioral profiling methods work by using other techniques. In this section, we give examples of these techniques.
Cookies
Cookies are small text files usually stored in the client computer’s browser. They often come encrypted (only the web site that creates the cookie can read it) and contain information that distinguishes the client computer. The main components of a cookie are the cookie web site name and user ID in addition to the cookie expire date. Cookies are downloaded when you visit a web site for the first time. When you visit the same web site again, your browser will send the cookie information to the web site. This allows web site owners to offer a customized experience, among other things, to their visitors.
In addition to tracking user movements across the web site that planted it (some types of cookies can track you across many domains), cookies are widely used to remember user login credentials, save the user theme (page layout) preferences, maintain your shopping cart while browsing the web site for items, and enable advertising technology.
There are two main types of cookies: session cookies and persistent cookies. A session cookie (also called a transient cookie) is stored in a temporary location in the client web browser and erased when the user closes the web browser or logs out. This type of cookies does not record information about the user’s activities or computer and does not have an expiration date. A famous example of session cookies is shopping cart functionality for e-commerce web sites that allows users to add items to their shopping carts while browsing different item pages.
Persistent cookies (like Flash and evercookie cookies) raise serious privacy concerns. Half of a cookie’s contents are first-party and belong to the site you are visiting, and half are third-party and belong to partners, services, or advertisers working with the site. Third-party cookies are used to track activity (across multiple web sites) and recognize frequent and returning visitors, to optimize advertising, or to improve the user experience by tailoring the content or offers based on that cookie’s history.
HTTP Cookies
HTTP cookies are what the majority of people mean when talking about web cookies. An HTTP cookie is a simple text file used for tracking user visits to the web site that deployed it. HTTP cookies without an expiration date are automatically deleted when the browser is closed. However, expiration dates can be many years into the future.
Flash Cookies
A Flash cookie (also known as a local share object [LSO]) is a collection of cookie-like data that a web site running Adobe Flash can place on your hard drive. Like regular cookies, Flash cookies contain information about when you visited the site and may contain tracking and settings information. Flash cookies are stealthier than regular cookies. Flash can install cookies on your computer without your permission by default. 14
Flash cookies are more persistent than HTTP cookies. While HTTP cookies are stored inside browser files and have a size limit of 4 kilobytes. Flash cookies have their own folder on the disk drive, which is not deleted when you use the standard “remove cookies” browser function. Flash cookies have a default size of 100 kilobytes, allowing them to store more tracking information and other settings. Flash cookies are managed through Adobe Flash Player settings, which can be accessed via Control Panel ➤ Flash Player (applicable to all Windows versions).
Some types of Flash cookies have the ability to re-create HTTP cookies after the user deletes them. Flash cookies also have the ability to access multiple browsers on the same computer, allowing them to monitor all online activities on a computer. 15
FlashCookiesView ( www.nirsoft.net/utils/flash_cookies_view.html ) is a small utility created by NirSoft that allows you to display a list of Flash cookies that exist on your system and delete them.
Evercookies
According to its developer Samy Kamkar, an evercookie is a JavaScript-based cookie that can survive even after the user deletes HTTP and Flash cookies from his or her machine. It accomplishes its persistence by storing its data in several locations on a client browser/machine (for example, in an HTTP cookie, Flash cookie, HTML5 local storage, web history, Silverlight). If one of these locations is deleted, for example, by the user, the evercookie will detect this and regenerate itself. 16 Thankfully, the browsers and anti-malware software that exist today are now able to block or detect evercookies.
Note
Flash and evercookies are also known as supercookies.
ETags
ETags are another way of tracking users without using cookies (both HTTP and Flash), JavaScript, HTML storage, or IP addresses. This technique has been used by many web sites, but few people know about it. The ETag, or entity tag, is part of a Hypertext Transfer Protocol (HTTP) mechanism that provides web cache validation and is intended to control how long a particular file is cached on the client side.
ETags help a web browser to avoid loading the same web resources twice, such as when a user visits a web site that plays music in the background that changes according to a user’s local time. On the first visit, the web server will send an ETag along with the audio file to the client browser, which will download the audio file and cache it. When the user visits the same web site again, the web server will inform the client browser that the audio file has not changed. As a result, the browser will use the local copy in cache, saving bandwidth and speeding load time. If the ETag is different, then the client browser downloads the new version of the audio file.
ETags can be exploited to track users in a similar way to persistent cookies, and a tracking server can continually send ETags to a client browser, even though the contents do not change on the server. By doing this, a tracking server can maintain a session with the client machine that persists indefinitely. To get rid of ETags, you must clear the browser cache content.
Digital Fingerprinting
A browser fingerprint is the set of technical information about a user’s system and browser that can distinguish his or her machine online. This information includes the following: browser type, operating system (OS) version, add-on installed, user agent, fonts installed, language settings, time zone, screen size, and color depth, among other things.
Fingerprinting allows trackers to distinguish a user’s machine even though cookies and JavaScript are disabled. A fingerprinting-specific browser is stateless and transparent to the user and machine.
The information collected from a digital fingerprint may seem generic and not enough to identify an individual machine online among millions of connected devices; however, if this information is combined, you can draw a comprehensive unique picture about each user machine, and later, this information can be linked to a real identity if combined with other PII data. This should effectively allow different outside parties to easily profile people without using traditional tracking techniques such as computer IP addresses and cookies.
The Electronic Frontier Foundation (EFF) published an excellent study in May 2010, detailing some of the various methods of fingerprinting a browser. See www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick . The result concludes that the majority of Internet users can be profiled and tracked online using only minor technical information from their browsers. Although the study was conducted in 2010, its results are still valid now because of the transparent way fingerprinting occurs in digital devices.
There are two main types of device fingerprinting: script-based techniques and canvas.
Script-Based Fingerprinting
The majority of online trackers, especially the old-school ones, use this script-based technique in fingerprinting users’ browsers. It works by loading a script (generally JavaScript) into the user’s browser. Once the script is loaded successfully, it will execute to extract a wide array of technical information about the current browser and system configuration. The information extracted includes user agent, add-on installed, fonts installed, screen resolution, time zone, operating system type and version, CPU type, and many other details about the targeted system. A hash is then made based on the information the script has collected. That hash can help identify and track your computer like an IP address would.
You can use Flash, Silverlight, or a Java applet to perform the fingerprinting instead of JavaScript; they will all return the same result. The main defense against this technique is to disable JavaScript in your browser. However, this approach is not practical and may result in breaking a large number of web sites (the majority of web design frameworks are based on JavaScript to deliver functionality). Disabling Java will not cause problems like disabling JavaScript. In Chapter 4 we’ll cover how you can fight against all types of browser fingerprinting.
Canvas Fingerprinting
Canvas is an HTML5 element originally developed by Apple; it is used to draw graphics (lines, shapes, text, images) and animation (e.g., games and banner ads) on web pages using a JavaScript API. Apart from web development, canvas features can be exploited by advertisers to fingerprint browsers and profile people accordingly.
Canvas fingerprinting is a new method for tracking users’ online activities. It simply works by drawing an invisible image on the user’s client browser. This image will be different for each user, and once drawn on the client browser, it will collect different technical information about the user’s browser and machine. A hash is then made based on the information the canvas has collected. This hash will be consistent across all the web sites the user visits (the hash is generated from the canvas data); this will effectively record a user’s browsing history. 17
Although the collected information from canvas fingerprinting cannot be used alone to identify users, this fingerprint can be combined with other sources to identify you completely.
Browser fingerprinting is a powerful tool for tracking users along with IP addresses, cookies, and supercookies . This type of tracking (also known as stateless tracking) raises serious privacy concerns since it is hard to detect. In Chapter 4, we will show you mitigation strategies against all types of tracking techniques.
HTML5
HTML5 is the latest version of the Hypertext Markup Language (HTML) specification. HTML is used to define how browsers present web sites on their devices. HTML5 comes with new components that can threaten user privacy.
The HTML5 support for media, especially its ability to grant access to device microphones and webcams, can be exploited by outside intruders to invade your personal privacy. The HTML5 Geolocation API realizes location-based services via the Web by granting web sites the geographical location information of user devices. HTML5 expands the number of methods given to a web application to store information locally on the user machine and increases the size of data stored using a new feature called Web Storage as an alternative to cookies .
Search Engines
Search engines have the ability to track users’ searches and tie it to their dedicated online profile. Information acquired by search engines can reveal a great number of details about its users and can easily become PII after combining it with other sources. For example, when a user uses Google to search for something while logged on to a Gmail account, the user’s activity can be easily recorded and linked to the user’s real identity. Nevertheless, even if the user is not logged into a Gmail account, Google can still link search terms used to a user’s real account by using the IP address or any of the tracking techniques already mentioned. Please note Google offers a way to delete your previous search history and stop saving the new one in your account. Configuring Google for better privacy will be covered in Chapter 4.
For instance, keep in mind that normal search engines (which are not privacy oriented) can know a great number of details about your personality and habits from your searched terms, in addition to their ability to track your location. In Chapter 4, we will show you how to use different anonymous search engines.
Social Networking Web Site Tracking
We already covered how Facebook uses its Like button to track users online. Twitter does the same things with the Tweet button and so does Google+. You don’t even have to be logged into your social network account for the tracking to occur.
BuiltWith found that 2,360,275 web sites are currently use the Facebook Like button. 18 In the same period, there are 1,372,583 live web sites using Twitter’s Tweet button. 19
Social networking web sites are considered a great source of information for both security services and advertisement companies. Their ability to track a user’s actions across multiple web sites in addition to monitoring their habits, online friends, private messages, location, and all searches they conduct online imposes a great danger on a user’s privacy.
Mobile Device Tracking
The majority of smartphones come equipped with different sensors such as a camera, microphone, and GPS . With the advance of technology, the computing power of smartphones has increased rapidly. Today, it is usual to find a smartphone with computing power that exceeds some laptops or tablet devices. This makes the smartphone act as a mini computer for a large number of users, where they store their personal e-mail, friends list, social networking accounts, phone log, personal pictures and video, and all sorts of personal data that comes in digital format, in addition to mobile device–specific information such as the IMEI number (which is used to distinguish the phone globally).
Location-based services (LBSs) are popular personalized services that are tightly associated with user privacy. Examples of LBSs include navigation services, local search services, traffic alert services, and localized weather services, in addition to many more that are especially useful for mobile device users.
In today’s digital age, individuals are fond of their mobile devices because of their ability to simplify and socialize their daily lives. Individuals can share real-time and historical location information online to facilitate a social interaction or event, play games with other people around the globe, and purchase items online. Among other benefits, these mobile services also can quickly enable consumers to locate nearby stores and restaurants, find the nearest cash machine or gas station, share their current location by “checking in” at venues, and navigate to a desired location.
Imagine the amount of information that can be collected from your mobile device interactions, especially after combining the data with your real identity, which can easily be done on smartphones by their network operators.
It is important to understand what your mobile app or service is sharing about you before using its service; you must read its privacy policy agreement or other related disclosures that clearly state how location data and other information is collected and whether it is going to be handed to third-party affiliates.
Mining Big Data
Big datais defined as the gathering of a vast volume of data that is being exchanged over a digital communications medium like the Internet and GPS. The amount of big data is huge and cannot be handled by normal computers. Thus, it is stored on giant server-system databases. The data is then analyzed by scientists using specialized data-mining software that interprets and categorizes this data (e.g., according to user demographic and trends).
Giant companies like Google and Facebook are collecting such data to feed their ad network systems with customized user profiles in addition to predicting future trends. Intelligence agencies are also interested in big data to understand future world development directions and counter any risk toward national security before it happens. The NSA surveillance program named Skynet has been using big data–mining techniques to extract information about possible terror suspects. Skynet 24 applies complex combinations of geospatial, geotemporal, pattern of life, and travel analytics to identify patterns of suspect activity. 20
E-mail Tracking
E-mail tracking is a technique for monitoring the delivery of e-mail to the intended recipients. Most tracking technologies utilize certain features such as web beacons or digital time-stamped records to reveal the exact time and date that an e-mail was received or opened, in addition to the open rates, the volume of clicks on links in e-mails, and the number of downloads of e-mail attachments, as well the IP address of the recipient.
Some e-mail clients such as Microsoft Outlook and Mozilla Thunderbird have a read-receipt tracking mechanism. The sender needs to activate this option before sending an e-mail; however, the recipient has the option to either notify the sender that the message has been read or simply ignore sending the read request. In addition, not all e-mail applications or services support sending read receipts.
Many organizations employ an e-mail tracking mechanism to study recipient behavior on their advertisement e-mails. Marketers usually use cookies and web beacon techniques to track e-mail. For instance, if the e-mail sent is a graphical HTML message, the tracking software will embed a tiny, invisible tracking image (usually 1 pixel in size) within the content of the e-mail. When the recipient opens the e-mail, the tracking image will execute some code and send it back to the tracking software server, which will record user actions (whether an attachment was opened, whether any links were clicked, the IP address and country where the e-mail was opened, the number of times this e-mail was read) and store the information in a single database that allows marketers to collect each user action and profile it accordingly.
Please note that e-mail tracking cannot always be considered an accurate indicator that a message was opened or read by the recipient because of many technological considerations.
Open Source Intelligence
Open source intelligence (OSINT) refers to all data that is publicly available. This data can be used by different parties to gather intelligence about a specific target (the target can be a person, a company, or a nation).
OSINT includes all publicly accessible sources of information, such as the following:
The Internet, which includes the following and more: forums, blogs, social networking sites, video-sharing sites like YouTube.com, wikis, Whois records of registered domain names, metadata and digital files, Dark Web resources, geolocation data, IP addresses, people search engines, and anything that can be found online
Traditional mass media (e.g., television, radio, newspapers, magazines)
Specialized journals, conference proceedings, companies profile, annual reports, company news, employee profiles, and résumés
Photos and videos including their metadata
Geospatial information (e.g., maps and commercial imagery products)
OSINT techniques and tools have rapidly developed with the advance of computing technology; nowadays, OSINT is used extensively by intelligence agencies to gain insight about future events to make their country’s foreign-policy decisions.
OSINT is also used by business organizations to monitor trends on a global level and to gather competitor intelligence in order to become more effective.
Most OSINT tools and techniques are freely available online, and from a privacy perspective, such techniques can be exploited to gather data about a specific person or entity (also known as footprinting). This imposes a high security risk because anything published online will remain stored or hidden somewhere online even after deleting it, and the OSINT techniques will simplify extracting it.
To get some practical experience about how OSINT can be used to gather intelligence, visit the OSINT framework at http://osintframework.com . The OSINT framework focuses on gathering information from free tools or resources. The intention is to help people find OSINT resources that return free information.
We will not delve into OSINT techniques because the topic deserves a book on its own, but it is necessary to know about it and how it works to avoid posting sensitive information about yourself publicly. In Chapter 2 you will use some OSINT tools to learn your online exposure level.
Regulatory and Legislative Approaches Concerning Online Privacy
Data protection laws are commonly defined as laws designed to protect your personal information, which is collected, processed, and stored by automated means or intended to be part of a filing system. 21 Data protection laws cover safeguarding personal information stored in physical or electronic records.
Data protection laws are important in today’s digital world. As the majority of people begin to shift many of their activities online, you can expect to have a large volume of personal data generated by their online tracks. Business organizations also record key information about their clients, staff, and business partners. All this data should be handled and stored according to strict rules to ensure that people’s private information is kept safe.
Data protection laws are not alike in all countries. For example, EU laws are different from those implemented in the United States. Actually, even in the United States, there is no one rule that governs data protection across all states. Some states have stricter laws than others (California is an example). Despite these differences, a set of general protection principles must be ensured by business organizations globally to keep personal information secure.
Collect only the data allowed by the laws (e.g., there’s no need to request the customer’s age if the law does not allow you to ask for it).
Do not collect more information than you actually need for your purpose (e.g., there’s no need to ask the user for his or her religion as a part of free e-mail service registration).
Do not keep the data for longer than you need.
You must assure that the information stored can be made available instantly on request, and the owners (the personal information owners) can access it to view, update, and delete their information.
Ensure that staff members who handle user personal information are well trained to avoid any errors that may lead to a security breach of a user’s PII.
Make sure that personal information is stored in an encrypted format (for electronic data) and that it will be accessed only for legitimate purposes; you must also assure that the accessing of personal data by staff members is logged and stored for future audits.
Large business organizations usually have a special department to manage data protection issues, and small businesses can benefit from hiring consulting companies to stay in-line with data protection laws currently implemented. Data protection rules are usually enforced by a regulator or authority, often called a privacy commissioner (or information commissioner). Some commissioners work closely with government bodies; others do not. These commissioners have the ability to conduct investigations (in case of a data breach) and impose fines when they discover an organization has broken the law.
In this section, we will provide an overview of the major data protection laws issued globally and how they interact to safeguard your personal data on a global level. Links to external resources are offered at the end of the chapter to enrich your thinking about data protection laws globally.
Privacy Laws in the European Union
The Data Protection Directive (or Directive 95/46/EC) is an EU directive adopted in 1995 that regulates the protection of individuals with regard to the processing of personal data and to the free movement of such data within the EU countries. Despite its importance as a legal framework for protecting an EU citizen’s privacy and human rights, it has been implemented differently in each EU country, according to its local jurisdiction. This led to the fragmentation of this law, making it less effective.
This directive covers all companies that do work in EU countries. It also applies to companies that are located outside the European Union and process data related to EU citizens. The directive can be found at www.wipo.int/wipolex/en/text.jsp?file_id=313007 .
The General Data Protection Regulation (GDPR), adopted in April 2016, will replace the Data Protection Directive and is planned to be enforceable across Europe starting on May 25, 2018.
The GDPR’s focus is on the protection of natural people with regard to the processing of personal data and to the free movement of such data within the EU countries. This regulation will unify data protection laws across the EU countries, forcing all companies that work (or aim to work) within Europe to follow strict rules when gathering or processing private information about EU citizens and residents.
As we already said, the GDPR will apply to all companies that offer goods and services to EU citizens. This includes companies that work outside EU countries and hold/process personal data of data subjects (whether they are individuals or companies) in EU countries.
For individuals younger than 16 years, online services will require parental consent before processing their personal data.
In the United Kingdom, the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The regulation will not apply to the processing of personal data used for protecting national security or law enforcement activities.
You can find more information about the protection of personal data in the EU on the European Commission web site ( http://ec.europa.eu/justice/data-protection/index_en.htm ).
Privacy Laws in the United States
The lack of comprehensive U.S. data privacy legislation has placed the Fourth Amendment at the heart of much privacy litigation. Privacy advocates and defense attorneys alike seek to uphold “probable cause warrants” as the baseline requirement for any searches of personal data records, but judicial interpretation of the Fourth Amendment has been hard to predict in cases where personal information is processed in digital form, outside the home, or by a third party (Pell and Soghoian, 2015). 22
The U.S. legislative framework for the protection of personal information is still not harmonized across all the U.S. territories. For instance, there are about 20 national privacy or data security laws regulated primarily by industry, on a sector-by-sector basis. Many of the 50 U.S. states have passed laws mandating stronger protection of PII than the federal government requires. California, which is considered a pioneer in protecting user privacy, has six major privacy protection laws that cover all areas of user privacy such as protecting health information, identity theft, unsolicited commercial communications, and online privacy, in addition to general privacy laws.
At the federal level, the Federal Trade Commission (FTC) is the primary federal privacy regulator in the United States. It has the authority to enforce its privacy laws over the majority of organizations in the business sector across the United States. The main privacy regulations enforced by the FTC to protect consumer data in the United States include the following:
Children’s privacy: This act is called the Children Online Privacy Protection Act (COPPA). It prevents commercial entities from collecting PII about children without their parents’ prior consent.
Consumer privacy: This monitors online businesses to assure that their work does not violate their published privacy policy statement in terms of protecting a consumer’s personal information.
Fair Credit Reporting Act: This makes sure that consumer credit reports are not misused by companies in an unfair way to measure the trustworthiness of consumers when doing business or applying for jobs.
Data security: This makes sure that any PII of consumers or employees stored by a business organization is protected well and used only for the purpose that it was gathered for. Companies should dispose of this data later securely and must give data owners the ability to access and modify these data upon their request. The FTC gives many free resources for businesses to comply with these rules ( https://www.ftc.gov/tips-advice/business-center/privacy-and-security/data-security ).
Red Flags Rule: This requires some businesses to enforce an identity theft prevention program in their companies to detect any identity theft in their work and to report it instantly.
Privacy Shield: This is a legal framework between the United States and the European Union to protect EU citizens when doing business or using services offered by U.S. companies.
Tech companies: The FTC gives resources and advice for technology companies involved in the design and development of computer systems and mobile applications, web sites, or any software that is used to process or store consumer data to consider the privacy and security implications when designing these products or services.
To stay up-to-date with the most recent privacy laws in the United States, you can always check the State of California’s Department of Justice site for the major privacy protection laws at the federal level ( https://oag.ca.gov/privacy/privacy-laws ) and the Federal Trade Commission portal ( https://www.ftc.gov ).
DLA Piper has issued an excellent guide about global data protection laws named “Data Protection Laws of the World Handbook,” which is available for download as a PDF at https://www.dlapiperdataprotection.com/index.html#handbook/world-map-section .
As we have mentioned, the European Union and the United States have different privacy laws. The United States has always been criticized for not having one federal law that governs data protection activities across the entire states. This makes making cooperation with outside countries more difficult to achieve. However, at the beginning of 2016, officials from both the European Union and the United States agreed on a new framework for transatlantic data flows called the EU-U.S. Privacy Shield.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the EU commission to provide a legal mechanism for companies processing the personal data of EU citizens to comply with the legal requirements of privacy laws in the European Union.
This act will govern how non-EU companies (from the United States only) can gather, store, and process an EU individual’s personal data and will determine in what cases the U.S. government can have access to this data. It also includes close cooperation between U.S. government and EU data protection authorities (DPAs) through an annual joint meeting to monitor the implementation of this agreement. In the United States, the Privacy Shield Framework is administered by the International Trade Administration within the U.S. Department of Commerce, which took responsibility of enforcing this act among U.S. companies doing business with EU countries that acquire personal data from EU citizens. An overview of this act is available at https://www.commerce.gov/sites/commerce.gov/files/media/files/2016/fact_sheet-_eu-us_privacy_shield_7-16_sc_cmts.pdf .
In the future, we expect to see more cooperation on the data protection laws between different countries around the globe, especially between the United States and EU countries because of the increased number of companies that offer products/services across national borders.
Privacy Laws in Other Countries
As you saw, we have limited the discussion about privacy laws to the European Union and United States. These two are the greatest democratic blocks on Earth that already have—and are continually developing—strict rules to protect their citizens’ private data. Of course, there are other countries that have their own laws that govern how a user’s private data can be accessed and used. Singapore, Malaysia, and Canada are examples.
In Singapore, data is protected under the 2012 Personal Data Protection Act (PDPA). This act establishes a data protection law that comprises various rules governing the collection, use, disclosure, and care of personal data. It recognizes both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organizations to collect, use, or disclose personal data for legitimate and reasonable purposes. 23
We can’t cover data protection laws of all countries around the world in this book; however, the rule of thumb is clear regarding this issue. Whenever you want to travel to a country, you should check its privacy laws before reaching it. You can search online about this easily; the phrase privacy laws in Canada should return some results about private and public bodies that govern privacy laws in Canada. Autocratic nations usually do not have privacy laws, and even if they have one, they use it only for decoration. For instance, the majority of Arab states, Iran, China, and Pakistan do not respect the privacy of their citizens and visitors, so always make sure to leave all sensitive information at your home when traveling to such places!
Privacy Policies of Web Sites
Privacy policies are agreements where you need to specify what personal data you collect from your users and what you do with that information. It is common for any web site to post a privacy policy agreement when collecting data that can be used to identify an individual.
In the United States, there is no general law that mandates the existence of a privacy policy agreement on each web site or app. However, the majority of state laws insist on this issue either directly or indirectly. There are also some federal laws that govern the privacy policies in specific circumstances such as the following: 24
The Children’s Online Privacy Protection Act (COPPA)
The Gramm-Leach-Bliley Act
The Health Insurance Portability and Accountability Act (HIPAA)
In California, which is considered the strictest state in the United States in implementing privacy policy regulations, there is a law called CalOPPA, which mandates the existence of a privacy policy agreement on all web sites or online services that collect “personally identifiable information through the Internet about individual consumers residing in California.”
In the European Union, the Data Protection Directive and the ePrivacy Directive are regulating how to handle private users’ data. They state that a privacy policy agreement must exist when a web site or a mobile application uses the personal data of individuals/users.
Please bear in mind that despite the majority of countries around the world mandating the existence of a privacy policy agreement on any commercial web site, app, or online service that collects personal information about their citizens, this does not mean that companies that have a privacy policy agreement will respect users’ private data! A policy can contain many terms that violate a user’s right to privacy (e.g., some web sites’ privacy policy agreements mention that they have the right to give your non-PII to third-party companies for advertisement purposes). Unfortunately, the majority of users do not read privacy policy agreements because they are long and contain legal terms that may not be well understood by casual users.
Do Not Track
Do Not Track (DNT ) is a web browser setting that requests that a web application disable its tracking of an individual user. When you choose to turn on the DNT setting in your browser, your browser sends a special signal to web sites, analytics companies, ad networks, plug-in providers, and other web services you encounter while browsing to stop tracking your activity.
It is not mandatory to obey DNT when enabled in browsers by websites owners and advertisers; till now there is no mandatory regulation that enforces implementing it.
To enable DNT in the Firefox browser, select Tools ➤ Privacy and check the option Use Tracking Protection in Private Windows (see Figure 1-2).
Figure 1-2. Enabling tracking protection in the Firefox browser
Opt Out
The term opt out refers to several methods by which individuals can avoid receiving unsolicited product or service information. This ability is usually associated with direct marketing campaigns such as e-mail marketing or direct mail.
In e-mail marketing, the concept of opt out is quite simple; when you receive a commercial or promotional e-mail that promotes services or products that you already subscribe to receive information from, the e-mail must contain a link to unsubscribe yourself from the marketer’s e-mail list. All reputable companies include such a link in their e-mails and allow up to two business days to remove your e-mail completely from their list upon subscription. Users should be careful when clicking the Unsubscribe link. They should first check the e-mail carefully to see whether they have really subscribed to this service previously because some spammers may send such e-mails to a large number of automatically generated e-mails. When a user clicks the Unsubscribe link, the spammers will know that this e-mail is valid and they will target it with further unsolicited e-mails.
There are a number of different laws that guide the use of e-mail for commercial marketing purposes. In the United States, it’s the CAN-SPAM Act ( https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business ). In Canada it’s the CASL laws ( http://crtc.gc.ca/eng/internet/anti.htm ), while in the United Kingdom it’s a set of laws known as the Privacy and Electronic Communications Regulations of 2003 ( https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing ).
All of these laws stipulate that your e-mail campaigns must include a clear and conspicuous mechanism for opting out of receiving e-mail from you in the future, so it is mandatory to put an Unsubscribe link in every marketing e-mail. In addition, when your web site uses cookies for tracking, you must tell visitors to your web site how your site uses cookies and ask if they want to accept them. The information should be easy to understand by any user, as shown in the following quote for the LinkedIn web site:
This LinkedIn website uses cookies and similar tools to improve the functionality and performance of this site and LinkedIn services, to understand how you use LinkedIn services, and to provide you with tailored ads and other recommendations. Third parties may also place cookies through this website for advertising, tracking, and analytics purposes. These cookies enable us and third parties to track your Internet navigation behavior on our website and potentially off of our website. By continuing your use of this website, you consent to this use of cookies and similar technologies.
What Is Anonymity?
Internet anonymity refers to conducting your online activities without revealing your true identity. This effectively means concealing your real IP address and prevents others from tracking you online in any method to reveal your true identity.
Anonymity can be used for good and bad purposes. An example of good anonymity is when using it by journalists in third-world countries to avoid being tracked and captured by their local authorities. On the bad side, criminals can use anonymity to conceal their criminal activities from law enforcement authorities.
We can differentiate between many kinds of online anonymity, such as using anonymous payments , sending anonymous e-mails, surfing the Web anonymously, and anonymous web hosting and blogging. Generally speaking, anonymous online services include all services that do not reveal the true identity of its users.
What Is the Difference Between Privacy and Anonymity?
Privacy and anonymity are two different concepts; however, both are essential in today’s digital world. Privacy means that online communications are confidential and no third party is allowed to intercept them in any way. Following this definition, the main concern of privacy is to keep the content of the online communication private. For example, when sending an encrypted e-mail, you are assuring your privacy by encrypting the e-mail content.
Protecting the privacy of your online communications is easier than staying anonymous online. As we already said, privacy is concerned with keeping communication content private. This can be mainly done through applying strong encryption to contents and keeping the encryption keys in a safe place. Anonymity is more difficult to achieve and needs good experience in Internet technologies in order to apply it successfully.
To transfer top-secret information online, the best solution is to use a combination of both. Anonymizing your Internet connection will make tracking you difficult—and even impossible—while encrypting your messages (or files) using strong encryption algorithms and complex passwords will make it impossible to read your content if your e-mail gets intercepted in one way or another. In this book, you will learn everything you need to implement this combination effectively to protect your confidential communications.
Entities That Promote and Help People Retain Privacy Online
There are many organizations that are fighting to protect your right to privacy. Table 1-1 lists the most popular ones around the globe.
Table 1-1. Global Nonprofit Entities That Promote a User’s Right to Privacy
No | Name | Web Site (URL) |
|---|---|---|
1 | EPIC | |
2 | EFF | |
3 | Privacy Alliance | |
4 | Privacy International (PI) |
Summary
In this chapter, you discovered various parties interested in having your private data, and the motivation behind them, which include the following:
Advertisement companies
Law enforcement and intelligence agencies
Web analytics
Basically, there are two types of information generated by online traces: personality identifiable information (PII) and anonymous information . PII contains information that is strictly related to your personality such as name, e-mail, age, and the like. The other type is the anonymous information that contains data such as your IP address, web browsing history, and previous searches. Anonymous information can become PII when combined with other details (e.g., combining a user’s IP address with his or her browsing history and Facebook account).
Web tracking technologies are used to collect, store, and connect user web browsing behavior records. Advertisers are continually adopting unique methods to track a user across many web sites so they can know a user’s habits in order to predict future actions (mainly future purchases). Other parties also gather information in bulk, such as intelligence services and giant IT companies (Facebook and Google).
Different regulations exist to protect users against the invasion of their online privacy. The European Union has a more uniform legal framework to handle consumer privacy issues. However, the same is not available in the United States, which still has many privacy regulations adopted across its states.
In this first introductory chapter, you learned who is gathering your online information and what they are doing with it. We also talked about how this might affect you. For the rest of the book, we will cover the last question: how do you stop it?
Bibliography
Carly Nyst and Anna Crowe, “Unmasking the Five Eyes’ global surveillance practices.” Global SocietyWatch, 2014. https://giswatch.org/en/communications-surveillance/unmasking-five-eyes-global-surveillance-practices .
Brian Buntz, “The World’s 5 Smartest Cities.” Internet of Things Institute, May 18, 2016. www.ioti.com/smart-cities/world-s-5-smartest-cities .
Notes
Sam Thielman, “Yahoo Hack: 1bn Accounts Compromised by Biggest Data Breach in History.” The Guardian, December 15, 2016. https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached .
Gartner, “Gartner Says 8.4 Billion Connected ‘Things’ Will Be in Use in 2017, Up 31 Percent From 2016.” February 7, 2017. www.gartner.com/newsroom/id/3598917 .
Gartner, “Gartner Says By 2020, More Than Half of Major New Business Processes and Systems Will Incorporate Some Element of the Internet of Things.” January 14, 2016, https://www.gartner.com/newsroom/id/3185623 .
PWC, “IAB Internet advertising revenue report 2015 full year results.” https://www.iab.com/wp-content/uploads/2016/04/IAB-Internet-Advertising-Revenue-Report-FY-2015.pdf .
Network Advertising Initiative, “Understanding Online Advertising.” https://www.networkadvertising.org/understanding-online-advertising/what-is-it .
Jianqing Chen and Jan Stallaert, “An Economic Analysis of Online Advertising Using Behavioral Targeting.” MIS Quarterly 38, no. 2 (2014): 429-449.
Association for Psychological Science, “Marketing Is More Effective When Targeted to Personality Profiles.” May 21, 2012. https://www.psychologicalscience.org/news/releases/marketing-is-more-effective-when-targeted-to-personality-profiles.html .
Jack Marshall, “Facebook Wants to Help Sell Every Ad on the Web.” The Wall Street Journal, May 27, 2016. www.wsj.com/articles/facebook-wants-to-help-sell-every-ad-on-the-web-1464321603 .
IP Location, “What is the difference between a static and dynamic IP address?” https://www.iplocation.net/static-vs-dynamic-ip-address .
Katriina_M, “Why does my IP address seem to be in a different country than expected?” F-secure, February 6, 2017. https://community.f-secure.com/t5/F-Secure/Why-does-my-IP-address-seem-to/ta-p/66063 .
Kathryn Wynn , “Treating IP addresses as personal data is best approach for businesses, says expert.” Out-Law.com, March 9, 2016. www.out-law.com/en/articles/2016/march/treating-ip-addresses-as-personal-data-is-best-approach-for-businesses-says-expert -/.
Personal Data Protection Commission, “Advisory guidelines on the pdpa for selected topics.” Chapter 7, December 20, 2016. https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines---selected-topics/ch-7---online-activities-(201216).pdf?sfvrsn=2 .
InfoCuria, “Case-law of the Court of Justice, (Reference for a preliminary ruling — Processing of personal data — Directive 95/46/EC — Article 2(a) — Article 7(f) — Definition of ‘personal data’ — Internet protocol addresses — Storage of data by an online media services provider — National legislation not permitting the legitimate interest pursued by the controller to be taken into account).” http://curia.europa.eu/juris/document/document.jsf?text=&docid=184668&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1406323 .
Piriform, “Cleaning Flash cookies.” https://www.piriform.com/docs/ccleaner/ccleaner-settings/cleaning-flash-cookies .
Techtarget, “Flash cookie.” October 2014. http://whatis.techtarget.com/definition/Flash-cookies .
Samy Kamkar, “Evercookie.” September 20, 2010. http://samy.pl/evercookie/ .
Browserleaks, “Canvas Fingerprinting.” https://browserleaks.com/canvas .
BuiltWith, “Facebook Like Button Usage Statistics.” https://trends.builtwith.com/widgets/Facebook-Like-Button .
BuiltWith, “Twitter Tweet Button Usage Statistics.” https://trends.builtwith.com/widgets/Twitter-Tweet-Button .
The Intercept, “SKYNET: Applying Advanced Cloud-based Behavior Analytics.” https://theintercept.com/document/2015/05/08/skynet-applying-advanced-cloud-based-behavior-analytics/ .
Privacy International, “Data Protection.” https://www.privacyinternational.org/node/44 .
Stephen Cobb, “Data privacy and data protection: US law and legislation.” 2016. www.welivesecurity.com/wp-content/uploads/2016/04/US-data-privacy-legislation-white-paper.pdf .
Personal data protection commission Singapore, “Legislation and Guidelines.” April 10, 2017. https://www.pdpc.gov.sg/legislation-and-guidelines/overview .
Children’s Online Privacy Protection Rule (COPPA). https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule .