During a conference on privacy last week, Kevin Ashton flashed a map on a giant screen showing the addresses where dozens of cats live with their owners in north Scottsdale, within a few miles of the posh resort where the conference was taking place.
The point: to illustrate how much information — some benign, some highly sensitive — is floating around the Internet or contained in databases to which parties from aggressive marketers to outright criminals have access.
Ashton zeroed in on a photo of a black, white and orange feline living in the 10000 block of East Mirasol Circle.
“Does this cat’s owner know that we’re talking about the cat right now?” he asked.
The owner almost certainly had no clue that his calico was the focus of a seminar lecture point, though the owner probably uploaded the photo to a social-media site.
Ashton found the picture on iknowwhereyourcatlives.com, a website run by Florida State University researchers that uses cat photos from around the globe to illustrate how easy it is to access information from the Internet.
People who, like the cat’s owner, post photos from smartphones often share more than just a picture. Many individuals voluntarily provide potentially sensitive personal information in careless chatter. And unless they have turned off the device’s geolocation capability, they might also reveal the time, longitude and latitute coordinates and the type of electronic device used, said Ashton, a British technology entrepreneur and author.
“If you post an image online, you post the data as well,” he said.
That’s the tip of an iceberg that is growing bigger by the nanosecond. Even as consumers try to guard Social Security numbers, credit-card numbers and mothers’ maiden names, they reveal other information about themselves. Some is shared through voluntary social-media discourse. Some is offered up when making online purchases, signing up for apps, responding to marketing pitches and so on. Much of it is fumbled away by businesses or government agencies guilty of sloppy safekeeping.
“We’re all constantly being asked by a lot of organizations to provide a lot of personal data,” said Adam Levin, founder and chairmanof IDT911, a Scottsdale company that provides identity- and data-breach management services. “Some of it is for purposes that are clear; some of it is for purposes that are mysteries.”
More computers watching
The conference hosted by IDT911 involved a sobering recitation of trends on identity-theft risks, data breaches, ineffective government regulation, hacking attacks, unauthorized postings of photos and so on. It also touched heavily on privacy and the assault on it.
Consumers aren’t just putting themselves at risk through careless uploads. They’re also creating unwitting photographic footprints and digital trails through routine activities like shopping, driving or visiting the doctor. Much of what’s recorded is becoming part of a permanent record.
“We live in an age where everything is stored, for the first time in history,” said Mike LeBaron, principal security investigator at Symantec Corp. and another speaker at the conference.
The simple truth is nearly everyone is being monitored, here or there. Geolocation devices in smartphones or vehicles can reveal your location. RFID or radio frequency identification devices — tiny chips with radio antennas — can figure out which appliances are running in your home or when you entered your hotel room. Traffic sensors or security cameras monitor when you drive through an intersection or enter a store. Aerial drones can snap videos of your backyard hot tub and who’s in it.
Last year, 1 billion digital cameras were sold, including those on smartphones, and 1 billion geolocation devices were included in cameras, vehicles, other devices or sold separately, Ashton said. More than 1 million drones are now owned by individual Americans, heading to a projected 12 million within a decade. Most are or will be used for personal spying, he postulated, after showing the photo of a sunbathing woman in Florida whose image was captured by a drone that was retrieved after it crashed into a tree.
Although the information and photos collected by these or other devices might be harmless and of limited scope by themselves, it doesn’t end there. Big-data computer analysis increasingly is being used to distill and make sense of all those pictures, keystrokes and comments, turning them into profiles that show a person’s driving habits, shopping routines, dating preferences and so on.
By the next decade, computers, cameras, sensors and other data-gathering devices will be smaller, less obvious and more numerous, Ashton predicted. More will be able to do their jobs without requiring a human to push a button or open a gate, like automated toll booths and motion-activated cameras already can do. What they collect increasingly will be put on the internet, he said.
Lack of transparency, consent
These and other threats on privacy have been hastened by computerization, including the advent of the Internet and smartphones. Quite a few developments have been ignored or even embraced by a public that’s both fearful of terrorist attacks and enthusiastic about getting coupons or other customized money-saving offers. Amazon and Netflix are among the many retailers that make purchase recommendations based on prior activity, and most customers don’t think twice about these suggestions.
But when transparency is lacking, Big Data analysis can backfire on companies, assuming the word leaks out. For example, Target stepped into a public-relations quagmire when the retailer sent pregnancy-tailored coupons to a high-school student in Minnesota based on an analysis of her shopping activity. This raised the ire of her father, who didn’t know the girl was pregnant until the less-than-discrete ads started to arrive.
Other examples include the recent revelation that Facebook was analyzing user news feeds, without consent, in an attempt to manipulate people’s emotions for a study. Then there was the case where OkCupid steered users of the dating site toward or away from romantic matches, also for the purpose of a study.
“It gives you an idea of how Big Data can be used in mischievous ways,” said David Vladeck, a former director of the Federal Trade Commission’s Consumer Protection Bureau. “And it shows what can go wrong.”
Medical records for sale
Privacy infractions involving medical records are especially worrisome. As it is, personal health data, from prescriptions to insurance claims to information about behavioral-health problems, are routinely sold through legal channels, said Deborah Peel, a physician and founder and chairwoman of Patient Privacy Rights in Austin.
“Every bit of (medical data) is shared, and we don’t know about it,” she said. That also means consumers don’t have an opportunity to correct errors in what’s being brokered.
HIPAA, or the Health Insurance Portability and Accountability Act, provides some privacy safeguards but doesn’t prevent some sharing of medical records. Nor does it require patient authorization to release records in many cases. The act initially required patient consent to transfer personal records, Peel explained, but that safeguard was later removed, allowing a sizable data-brokerage industry to grow up.
In a report this year, the Federal Trade Commission called for more transparency and accountability in the data-collection industry, including that conducted by medical-records firms.
Peel’s organization makes available a “privacy-risk calculator” at patientprivacyrights.org that enables you to understand situations or practices that raise the danger that your records might wind up on the market.
The legal commerce in health records is in addition to medical identity theft — a situation where a crook poses as a legitimate patient to acquire health care using the victim’s name and insurance benefits. One problem here is that treatments received by an imposter can eat into the lifetime coverage limits that people have on their insurance plans. Also, it creates a situation where medical records can get mixed up, such as the substitution of the ID thief’s blood type into your records, said Peel. These concerns are in addition to the obvious breakdown in privacy.
Apathy, then stress
It doesn’t require much thinking to realize that these new threats to privacy are intertwined with assaults on personal freedom. Yet people routinely accept the changes and typically don’t object until and unless they suffer a major privacy invasion themselves. Then things can get nasty.
In the case of identity theft, the financial losses typically aren’t that large. Most credit-card companies will absorb the entire loss from fraudulent transactions. But victims often complain about feeling violated, and the hassle to straighten out compromised records can span many months, if not longer.
Half of all identity-theft victims aren’t able to clean up their records within a year of suffering an attack, said Eva Velasquez, president and CEO of the Identity Theft Resource Center, based on a study the San Diego group conducted. Six percent of victims reported feeling suicidal from the stress, she said.
Yet people often willingly reveal sensitive personal information that can trigger an ID-theft attack, or they fail to safeguard credit cards, smartphones, laptops and other devices. Breaches don’t all derive from Chinese or Russian hackers breaking into the databases of firms like Target, Home Depot, Sony or JPMorgan Chase. Consumers often are the weakest links in the chain.
“So many young people think they’re only talking to friends” on social-media sites, Velasquez said. But if you think you can restrict the flow of information that you post to a circle of your friends, you’re under an illusion, she said.
“If you wouldn’t want to put up a statement on a billboard next to your house, don’t put (the same message) on Facebook,” she said.
If there’s a common theme from experts, it’s that consumers not only must safeguard what they can but also should decline many requests they receive for sharing personal information. And they need to speak up, to elected officials, regulators and businesses they patronize, when they don’t like something.
Lack of oversight
Levin said he would like to see companies required to post a standardized “database-disclosure box” similar to the nutritional guidelines contained on a can of soup. This is where companies might be required to divulge recent breaches they have suffered, summarize what information was compromised and explain how they responded.
Unfortunately, regulatory responses often are lacking and tend to be reactive rather than proactive. The government-oversight environment is “fractured” with no comprehensive federal statute, said Ginger McCall, associate director of the Electronic Privacy Information Center in Washington, D.C. The Federal Trade Commission is the federal agency with the most direct oversight, including over identity theft. “But the FTC is charged with so many duties,” she said.
Privacy enforcement is complicated by the fact that it’s not always clear what constitutes harm, that it’s difficult to determine culpability and that enforcement actions often aren’t easy to implement, said Vladeck, the former FTC official. “After-the-fact remedies for privacy violations are largely inadequate,” he said. “The genie’s out of the bottle.”
Yet the need for caution is real and likely will become more acute. The explosion of tiny computers, smartphones, RFID gadgets and other sensors, traffic and security cameras, drones, smart meters and all sorts of other monitoring and recording devices will make it increasingly difficult to do anything anonymously. Facial- and voice-recognition systems will fill in many of the remaining blanks. Much if not most of the data will find a permanent home on the Internet, putting it within anyone’s reach.
“All of this pales in comparison to what’s coming,” Ashton said.
Reach the reporter at email@example.com or 602-444-8616.
Protecting what you can
Identity-theft risks and privacy threats often stem from the same concerns. Though people can’t erect air-tight defenses, they can take steps to minimize or delay the fallout from being a victim. Here are some precautions suggested by Adam Levin, chairman of Scottsdale-based IDT911:
•Limit the number of credit and debit cards you carry, and never carry your Social Security card.
•Shred documents containing sensitive personal information. If possible, use a cross-shredder.
•Safeguard your smartphone. Treat it as the data-storage device it is, and turn off geolocation tracking features.
•Be wary of supplying personal information to companies, including that requested for coupons, discounts or other money-saving benefits. Question why companies need certain information.
•Protect your computer and use updated security software. Several big data breaches were triggered by company laptops that were stolen or left unattended in public.
•Use strong and lengthy passwords, preferably involving a mix of letters, numbers and special characters. Don’t store usernames or passwords on smartphone apps.
•Make sure you’re dealing with a legitimate website and not a carefully crafted imitation. Be suspicious of unsolicited e-mails asking for money or help or inviting you to click on attachments.
•Sign up for transaction alerts offered by financial companies that will flag large purchases and let you know of requests to change your mailing address — requests you might not have authorized.
•Check important financial accounts on a daily basis, looking for unauthorized activity. This involves extra effort, but it’s nothing compared to untangling your accounts after an ID theft.
•Find out if you have access to ID-theft monitoring services or post-theft damage-control assistance. Your company might offer this as an employee benefit, or your homeowner or auto insurance policy might cover it.