What Are Threats to Personal Data Privacy in the Information Age?

Privacy concerns existed before technology became an issue. It seems, however, that privacy concerns are more urgent now because of advances in technology. This is because people often have very little control over how their data is collected, used, and shared electronically. People are concerned about how much information is collected about them and how their data will be used later. The rise in electronic communications makes people wonder how private their lives truly are. This section discusses some of today’s privacy concerns.

Technology-Based Privacy Concerns

Technology-based privacy concerns are caused by advances in technology. These concerns arise because of the types of data that can be collected with various technologies.

Spyware

Spyware, a type of malware, is any unwanted software that secretly gathers information about a person or system and shares it with an unknown third party. Spyware poses a threat to personal data privacy because of the nature of the information and the secret manner in which it collects that data. Spyware can easily record very personal information such as account numbers, usernames, and passwords. These programs also can record internet search queries and other personal data.

FYI

Twenty states have laws that specifically address spyware.²⁴ Utah was the first state to enact an anti-spyware law, which was quickly challenged by an advertising company that argued the law unconstitutionally limited its right to advertise. A court granted an injunction, a formal order for someone to stop doing something, in the case. In this case, Utah was prohibited from enforcing its new anti-spyware law.

Utah legislators then worked to revise the state anti-spyware law. Current Utah law prohibits pop-up advertising that uses spyware to target the ads that users see on their computers. The law authorizes the Utah attorney general to prosecute violations.²⁵

Adware is software that displays advertising to a user. It can display banner advertisements, redirect a person to other websites, or display pop-up advertisements on a person’s computer that open a new web browser window to display ads. Some types of adware are also spyware. This adware displays targeted advertisements based on secretly collected user information.

Cookies, Web Beacons, and Clickstreams

A cookie is a small string of text that a website stores on a user’s computer. Cookies contain text—you cannot execute them the way you do a program file. Cookies are not considered spyware because they are not executable. A cookie by itself is not dangerous or a privacy threat. However, other individuals and companies can use cookies in ways that invade your privacy.

There are two kinds of cookies:

• First-party cookies—Exchanged between a user’s browser and the website the user is visiting.
• Third-party cookies—Set by one website but readable by another site.

  Third-party cookies are set when the web page a user visits has content on it that is hosted by another server.

Cookies are used for many things that most computer users consider beneficial. For example, they can be used by a website to remember information about visitors to the site. They also can save your settings if you “personalize” a web application that you regularly use.

However, advertising companies that sell content and advertising to companies with a web presence often use third-party cookies. Advertisers can track their cookies over several websites and use the tracked information to create a profile of each user’s browsing habits. They then direct targeted advertisements to the users. This is a privacy concern.

A web beacon is a small, invisible electronic file that is placed on a web page or in an email message that counts users who visit a web page. A web beacon, also called a web bug, can tell if a user opened an email message and took some action with it. It can also monitor user behavior. A clear GIF (Graphics Interchange Format) is a type of image format that is often used as a web beacon because clear GIFs are invisible and very small.

Web beacons recognize several different types of data. When you retrieve a web beacon, it recognizes your computer’s IP address, your browser, and the time you retrieved the beacon. Web beacons usually track users by a random identification number that contains no personally identifiable data.

Spammers sometimes use web beacons to verify whether an email address is valid. If a recipient opens a spam message with a web beacon, information is returned to the spammer, which shows that the message was opened. An opened email message generally indicates a valid email address, which is valuable to a spammer. That way, they can send the email address even more junk mail.

Web beacons cause privacy concerns because they secretly monitor user behavior as well as internet browsing patterns. Web beacons let website operators know which pages a user looks at. They also disclose the order in which the pages are viewed. Information tracked by web beacons and cookies, when combined, can potentially identify a computer user, which is a privacy concern.

A clickstream is the data trail that an internet user leaves while browsing. Movements are recorded as a user moves through a website and clicks on links to request information. A clickstream is essentially a set of digital footprints that track an internet user’s steps.

Clickstream data, which can be recorded by websites and ISPs, helps webmasters learn how computer users are using their sites. For example, clickstream data can be used to determine the order in which users click on web pages or links on web pages. Clickstream data can be collected and stored. It can act as the basis for modifying websites for better user experience. Clickstream data also can make online advertising more effective.

Many of the technologies described so far are used to create an online profile for a user. Online profiling is the practice of tracking a user’s actions on the internet to create a profile that contains information about the user’s online habits and preferences. It can be used to direct targeted advertising toward a specific user. Targeted advertising is advertising that is designed to appeal to a consumer’s specific interests.

A profile can contain very detailed information about the user’s online habits. One concern with online profiles is that they might contain PII. Many people believe their online actions should be private. Data for online profiles is often gathered without the user’s knowledge or consent, which is a privacy concern.

Wireless Technologies

We use several different wireless communication systems every day. In fact, many adults carry smartphones that incorporate two or more wireless technologies. The term wireless is used generally to refer to several different technologies that allow devices to connect to one another without wires. These technologies include:

• Radio Frequency Identification
• Bluetooth
• Near Field Communications

Radio Frequency Identification (RFID) is a technology that uses radio waves to transmit data to a receiver. It is a way to identify unique items using radio waves. The main purpose of RFID technology is to allow “tagged” items to be identified and tracked. Sometimes you will hear devices that use this technology called a RFID tag or chip.

You can incorporate RFID tags for many different uses:

• To track pets—A veterinarian inserts a small tag under the skin of a household pet. You can then identify and track the pet if it becomes lost.
• To track inventory—The anti-theft tags attached to clothing in department stores are RFID tags that can be used to catch and deter shoplifters. A librarian can place RFID tags in books to ensure that they do not leave the library without proper checkout.
• To track people or their trips—Some proximity card readers use RFID tags to “unlock” doors to allow the person carrying the card to enter secure areas. E-ZPasses used by many states to collect tolls on roads and bridges use this technology.

Most RFID tags do not contain a battery. Instead, the tags are activated when a receiver is within range and sending out radio waves. The receiver initiates communication with the tag, which responds with self-identifying data. It is possible for unauthorized persons to read the information that the tag sends if transmission between the receiver and tag is not secured or protected.

Individuals have very little control over the information contained on an RFID tag. RFID technology poses privacy concerns in that it can track a person’s movements and daily habits. You do not need an RFID tag inserted under your skin to be tracked by RFID technology. Cell phones, purses and briefcases, and driver’s licenses or credit cards can be equipped with RFID tags as well. This tracking can be completely secret if you do not know that the items you are carrying contain an RFID tag.

Information exposure is also a concern. Information contained on an RFID tag can be exposed to unauthorized individuals if the communication channel between the tag and receiver is not secure. Individuals usually have no control over these channels and are unable to take steps to secure them.

Bluetooth, a short-range wireless communication, was designed to replace data cables that connect devices to one another. Bluetooth connectivity can be found in many different devices such as laptop computers, cell phones, speakers, fitness trackers, and headphones. As long as devices are Bluetooth compatible, they can “pair” or connect to one another. They do not need Wi-Fi or cellular data networks to connect. However, Bluetooth devices must be near one another to connect. Once devices are connected, they can share data quickly with one another.

Similar to RFID, information tracking and exposure is a concern with Bluetooth use. In addition, Bluetooth connections are often visible to other Bluetooth users in the vicinity. This can make Bluetooth devices easily identifiable targets for hackers.

Near Field Communication (NFC) is a short-range wireless technology that works only when two electronic devices are about 5 centimeters apart. Similar to Bluetooth, NFC does not need to use Wi-Fi or a cellular network. Because devices have to be very close together for NFC to work, concerns about information exposure are somewhat mitigated. NFC is used for tasks such as making mobile payments from a mobile device.

GPS Technology

A global positioning system (GPS) uses satellites above the Earth to compute the location of a GPS receiver. GPS receivers can be incorporated into many devices and use several different satellites to calculate time and location. For example, they are used in automobile navigation units. Runners use GPS receivers built into heart rate monitors to help measure the distances that they have run. GPS units are built into many cell phones to help locate cell phone users in an emergency. Cell phone applications also use GPS technology to track other users and family members.

GPS technology raises many of the same issues as RFID technology. GPS technology precisely tracks a receiver’s every step. Thus, a person with GPS technology enabled on a cell phone can be tracked every minute of every day. GPS units also are placed in cars. Individuals may not know that their cars or cell phones have GPS units that track their every move. People have very little control over the location information that a GPS unit can track and provide.

In 2012, the U.S. Supreme Court held that installing a GPS unit on a car is considered a search under the Fourth Amendment to the U.S. Constitution.²⁶ In U.S. v. Jones (2012), the government initially got a search warrant to install the GPS device on the defendant’s car. However, government agents did not follow the terms of that search warrant when they installed the device. The Court held that, for the installation of the GPS unit to be valid, police officers must get a search warrant and execute it properly.

Security Breaches

The Privacy Rights Clearinghouse maintains a list of U.S. security breaches that involve records that contain personal information. The clearinghouse began collecting this data in January 2005. As of October 2019, the site reported that over 10 billion records have been involved in security breaches. The list is available at https://privacyrights.org/data-breaches.

A security breach is a compromise of any security system that results in the loss of PII. After a breach, unauthorized individuals potentially can access data in the system. Any organization can experience a security breach. Security breaches can be caused by direct external attacks, poor internal safeguards, or both. Breaches can occur within computer systems, as well as when physical security systems, such as a perimeter gate or fence, are compromised.

Security breaches are a large privacy concern. Organizations store vast amounts of personal information. One security breach has the potential to expose the personal information of a large number of people. This data can be used to commit identity theft and other types of fraud. Most people are upset when organizations entrusted with their personal information experience a security breach. Every U.S. state has a breach notification law that requires organizations to notify customers in the event of a breach. Customers can then monitor their financial accounts and personal data to protect them from misuse.

People-Based Privacy Concerns

People-based privacy concerns are caused by people’s actions. These concerns are raised when people compromise others’ privacy. They also are caused when people take actions that compromise their own data privacy. Many information security attacks can also result in privacy violations. They include:

• Phishing—Phishing is a form of internet fraud in which attackers attempt to steal valuable information, usually via email. Phishing scams are a privacy concern for both individuals and organizations. For the individual, a successful phishing attack can result in the loss of personal information. For organizations, if an employee responds to a scam with username and password information, the organization can experience a large data breach. That breach can involve customers’ personal information.
• Social engineering—Social engineering attacks rely on human interaction. They involve tricking people to gain sensitive information.
• Shoulder surfing—Shoulder surfing occurs when an attacker looks over the shoulder of another person to discover sensitive information.

In each of these types of attacks, attackers are trying to get data they do not have permission to have, often in an attempt to get PII to exploit. Chapter 1 discusses these information security attacks further.

Dumpster diving, another threat to data privacy, involves sifting through trash to discover personal information. It is an issue because individuals and organizations dispose of personal information in unsecure ways. Thieves then steal PII to commit identity theft. Shredding documents before placing them in the trash is a safe disposal method.

In May 2009, a New York law firm was preparing to move. The firm hired a document destruction company to help it dispose of old client files, many of which contained PII on clients. The personal information included medical records, SSNs, and other personal data. Six dumpsters full of intact client files ended up on the street. Media outlets reported that several people were noticed rummaging through the bins and looking at documents.

Social Networking Sites

Personal data privacy is not compromised just by the actions of third parties. People can harm their own privacy by participating in online social networks, which have the potential to expose a lot of personal information. Social networking sites are website applications that allow users to post information about themselves. These sites promote interaction between people.

Some social networking sites are employment-based and promote professional networking. They allow users to post their work history and information and connect with other users in the same industry or across industries. Other social networking sites are purely social. They allow users to share snapshots of their lives with family and friends. Users often share large amounts of highly personal data on social networking sites. Some social networking sites are hobby-based and allow users with similar interests to share information. Common social networking sites include Facebook, Twitter, LinkedIn, Instagram, and Pinterest.

Social networking has two main privacy concerns:

• Information (over) sharing
• Security

Information (Over) Sharing. On social networking sites, users share lots of information about themselves in a virtually unlimited forum, such as details about their daily schedules, finances, and family members. Some social networking sites, particularly those that are hobby-based, allow for very detailed sharing about specific topics. For instance, genealogy platforms often contain a social networking function that can allow users to share ancestry and even genetic data. Oversharing can put people and their safety at risk. Thieves can use this information to stalk them, steal from a person’s home, or target them for identity theft.

Most social networking sites allow users to control some privacy settings. However, users may not be knowledgeable about all of the settings. Sometimes the privacy settings on social networking sites are difficult to understand. If they are hard to understand, users may not use them. People often do not realize how much information is available on the internet through social media sites and that other users have access to that information.

A fugitive from New York State was caught in Terre Haute, Indiana, in February 2010. Police tracked him down because he posted his workplace on his social networking profiles. Police arrested him at his job, then posted this message on his Facebook account: “It was due to your diligence in keeping us informed that now you are under arrest.”

Security. Another privacy concern about social networking sites is their security. Many sites allow users to add applications (called “apps”) and other third-party software to their profiles. These applications enhance the social networking experience through providing games and ways to connect with other users of the same social network. If these applications do not use proper security practices, personal information can be exposed. A compromise in an application can disclose data stored on a user’s profile. Social networking users often have little control over information used or shared by these types of applications.

In 2018, the Cambridge Analytica scandal showed that the relationship between social media users, social media platforms, and applications on social media platforms can be particularly complex. In the scandal, data-analysis firm Cambridge Analytica was accused of improperly acquiring and using the data of 50 million Facebook users without the users’ consent. Cambridge Analytica got the Facebook user data in 2014 through an app called thisisyourdigitallife. The terms of service for the app said that personal information was not collected, but that was a lie. The collected data was then later used by Cambridge Analytica to provide voter profiling and targeted advertising services during the 2016 U.S. presidential election. Cambridge Analytica was able to access the data by taking advantage of the access permissions that Facebook granted to applications.

Because of the scandal and its fallout, Cambridge Analytica went bankrupt. In addition, the U.S. Federal Trade Commission (FTC) investigated Facebook. In 2019 the FTC imposed a $5 billion penalty on Facebook for violating consumer privacy.²⁷ The FTC also filed a complaint against Cambridge Analytica. You can read more about the scandal in the FTC’s December 2019 opinion, located at https://www.ftc.gov/enforcement/cases-proceedings/182-3107/cambridge-analytica-llc-matter.

Online Data Gathering

The internet has made it much easier to learn personal details about people. People can search the internet for data on their neighbors, coworkers, family members, prospective dates, and public figures. Almost every person has some sort of digital presence. Social networking sites, personal web pages, media websites, and government public records databases can be easily reviewed for personal information. Although there are legitimate uses for viewing online personal data, it also can be used to harass and threaten victims.

Many of the privacy concerns discussed in this section existed before the internet. They just did not exist on the same level as they do now. Today it is trivial to discover personal information about other people. Identity theft is one of the fastest-growing crimes, because it is becoming easy to find and misuse others’ personal information. Identity theft occurs when a person’s PII is used without permission to commit other crimes.