We Don’t Care About Data Privacy

Really. We don’t.

Published: Thursday, April 12, 2018 - 12:03

On April 10, 2018, Facebook co-founder and CEO Mark Zuckerberg testified before Congress regarding the unauthorized sharing of 87 million Facebook users’ personal data, vacuumed up by data research company Cambridge Analytica. There were pointed questions regarding Facebook’s lack of transparency about the incident, a bit of dancing by Zuckerberg, and a lot of apologizing. All in all, it was a boring but fairly honest back and forth about the responsibilities and duties of large corporations when it comes to personal data.

But at the end, we had what? An outwardly contrite Zuckerberg, some political smugness, and just maybe the groundwork for some upcoming privacy laws. After the curtains went down I was still left wondering just how worried consumers are, really, about internet privacy. As far as I know there has been no reduction in how many people use PayPal to buy goods from online stores. We have heard no news of a drastic drop in subscriptions to Amazon Prime, Netflix, Hulu, iTunes, or other online streaming services. Even Zuckerberg said Facebook had seen no impact following what was probably the most egregious infraction of user trust in a social media site we have seen in quite a while.

User reaction? Meh. We still access our banks’ online services over open wifi, and e-tailers continue to collect and store our credit card data and other sensitive information. Doesn’t that make you nervous? Me too. However, I just bought $350 worth of inkjet ink from an e-tailer I have never used before... but they had 4.5 stars, so....

We know that bad things happen to good data. Before Cambridge Analytica there was Yahoo (3 billion names), eBay (145 million names), LinkedIn (117 million names), Equifax (148 million names), and I would go on, but I’ve surpassed this month’s allotment of zeroes.

And forget about leaks or breaches where there is only the possibility that your data will be used in nefarious ways. We have seen a slew of ransomware incidents via Wannacry or SamSam attacks that ground businesses to a halt. The latest being Atlanta’s city government, which was crippled by a ransomware attack that took six days to repair.

A resounding yawn

So with all of this as a background, and Facebook, the behemoth of social media in the foreground, wouldn’t you think that people might want to slow down how much they share their data on the internet?

Of course not, because that would be crazy. We may talk about how worried we are about data breaches, hacks, and unauthorized sharing, but our actions tell the real story. We are not going to abandon the technology that our lives revolve around and our businesses run on. Deciding to stop buying products on Amazon or to no longer FaceTime your daughter (and her adorable baby), is about as likely as deciding to keep all your money under your mattress... well, maybe BitCoin is safer... hm, maybe not... mattress it is....

How crazy are we?

Cybersecurity specialist Martin Voelk is an IT security veteran with more than 20 years of experience in the IT industry, and he’s seen it all when it comes to our laissez faire attitude toward privacy. We just can’t keep ourselves to ourselves. We have to share everything, even if it’s to our detriment.

“Facebook is an addiction for many people,” says Voelk, who spends his time on penetration testing and security audit services to clients all over the world. “They can’t live without checking in numerous times a day. A lot of them just don’t care about security and privacy....  We do a lot of cyber-intelligence services, and what we see from individuals on Facebook is unbelievable.”

Voelk provides a few examples.
• A UK female police officer who shares all her posts with everyone (not just friends), including some half-naked pictures of her drunk at a party
• A bank employee, openly supporting ISIS and sharing propaganda videos
• A school teacher live streaming his house cameras to the whole world on Facebook 24/7
• UK youth live streaming drug parties on Facebook

It would be easy to say those are outliers, and maybe they are… a bit. But I’m pretty sure we all have friends and family who have posted so many “I am soooo wasted” party pictures you wonder how they even make it to work.

And if we don’t care about revealing our naked whatevers to friends and family on social media, we certainly don’t care about revealing something as innocuous as credit card and social security numbers on a web form on an unsecured network.

Privacy law: how much is too much?

So if we don’t care, should the government? That’s the big question, and there is certainly a lot of hand-wringing about privacy laws right now—both for and against. We saw both sides of that argument during Zuckerberg’s testimony. In the United States, those concerned about the dissemination of user data without the user’s consent, including internet activity, want a definitive federal privacy law. Even Zuckerberg suggested the government step in. Others, network providers mainly, see such laws as a business hindrance. We saw this played out when the FCC created a broad internet privacy law toward the end of President Obama’s term, which would have prevented your internet service provider (ISP) from selling your activity data without your consent. This was rescinded in short order by President Trump on April 2, 2018, before it went into effect.

It’s not as though the United States has no privacy laws at the federal level. It’s just that it employs a patchwork of privacy laws spread across multiple sectors (medical, financial, trade). For broader internet privacy laws, you have to look to the states. But contrast this hodgepodge of laws to the European Union, which under past and soon-to-be-released privacy regulations takes internet privacy seriously. In short, the United States at the federal level has a “we’ll worry about it if we need to” approach, while the EU sees privacy as a basic human right and has taken a more broad-based preventive approach called the General Data Protection Regulation (GDPR).

Although it’s largely flown under the radar in the United States, the GDPR, which goes into effect on May 25, 2018, affects all companies, even if they are not located in the EU. According to its website, “The EU General Data Protection Regulation (GDPR)...  was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

Where U.S. privacy laws are shallow and narrow in scope, the GDPR is deep and wide. Really wide. The EU doesn’t want anyone hoovering up and selling EU citizen data. Companies outside the EU, such as those in the United States, must follow GDPR rules if they are marketing to EU users, and those users provide electronic data. For example, a U.S. online retailer marketing silk purses to EU citizens, which collects customer data as part of the online purchase transaction, would be subject to the GDPR. Failure to comply with GDPR could be very expensive—penalties start at €20 million.

But are EU laws too extreme? While on the face of it the GDPR might seem like a step in the right direction for privacy advocates, Voelk says privacy laws in the EU, including the GDPR, have gone too far in the other direction and cites Germany’s NetzDG law, which is aimed at social media companies, as an example.

“In Germany, the leading parties implemented a new law called NetzDG earlier this year, whereby they (the leading parties) define what’s acceptable and what is not. This is troublesome because it’s based on the judgement of the [social media company] staff enforcing these laws and not by a court order.”

Voelk gives some early examples of overreach (as of this writing, NetzDG has been revised to address some of these):
• Any criticism about the administration in Germany and its refugee politics would be branded as hate speech.
• Any article or blog post that is not considered “real news” would be immediately removed from social media.
• The government requires that Facebook, Twitter, etc. shut down accounts of people who post articles that are not mainstream.

The biggest problem with the law is that, barring any guidelines, it leaves the decision of what is hate speech or fake news up to the providers like Facebook, Google, et al, which, not wanting to run afoul of NetzDG (a €50 million fine), are being overly cautious and deleting content that should not have been deleted, even by German legal standards. Even left-leaning groups are worried the Germans may have gone too far.

How about common sense?

So where do we draw the line? How do we balance the needs of businesses like Facebook, or ISPs, or even your own companies to use data for business purposes vs. the need to keep individual’s private business private vs. free speech? Put another way, is it possible to enjoy free information, paid for by advertising dollars, while still protecting data that need protecting and not abridging free speech?

That’s a tall order, and if the United States is too lax, and the European Union has gone too far, maybe New Zealand is on the right track. According to its website, New Zealand’s Privacy Act 1993 deals mainly with the collection and disclosure of personal information. If you read through the act’s 12 principles, you can see that it comes across as flexible, while still providing legal recourse. For the most part, these are non-legally binding guidelines that lay out what providers should do. It gives legal recourse through a complaint system if users feel the provider has broken the guidelines. By giving users a pathway to legal action if they feel their privacy has been breached, while at the same time not trying to legally constrain providers up front (except for certain cases), the guidelines seem to walk that thin line between privacy and censorship.

Our job

In the end, as much as we don’t care, we need to care about our own privacy. It doesn’t take a whole lot of work, but it does take some common sense. Although a certain amount of government regulation may be needed, we can’t count on what or how the government is going to intervene, whether any law will last from one administration to the next, or whether a law will go too far or not far enough. It’s up to us to protect our own privacy. Once your data are out there, they are out there forever.

Here’s the advice that Voelke and other IT specialists tell everyone to observe:
• Don’t share anything you don’t want to be public.
• Lock down your social media so only your real friends can see your posts.
• Learn how to spot phishing mails, and don’t fall victim to them.
• Don’t trust email or messaging apps. Always verify doubtful information either in person or with a phone call.
• Update your laptop, pads, and phones regularly.
• Install antivirus and antimalware on your endpoints.
• Don’t ever use a USB stick you haven’t bought sealed yourself.

Your data are gone, long gone

At this point, the odds are pretty good that your personal data have gone places you don’t even want to think about. It’s too late to worry about it now. It’s gone, gone, gone. Just remember that going forward, and do what makes sense to share only what you need or are willing to share... with the world. And keep this mind: As was very clear from Zuckerberg’s testimony, if you want to get news, video, and social media updates for free, the price is your data or your eyeballs. There is no such thing as free internet.

About The Author

Dirk Dusharme @ Quality Digest

Dirk Dusharme is Quality Digest’s editor in chief.