For Data Privacy Week, remember that maintaining your privacy is mostly up to you

Data Privacy Day is now Data Privacy Week (DPW). Starting last year, the National Cybersecurity Alliance (NCA) expanded the event “because your data is that important!”
Which sounds like a good thing. What’s not to like about spending seven times as much time raising awareness of what ought to be one of the most important issues in the digital world? Data privacy means personal privacy.
As the NCA puts it, your online data “ranges from your interests and purchases to your online behaviors, and it is collected by websites, apps, devices, services, and companies all around the globe. This data can even include information about your physical self, like health data — think about how an app on your phone might count how many steps you take.”
All true, but it goes well beyond that. Your age, gender, what you buy or sell, where you go, how long you stay, who you see, what you post on social media, what you study, what you believe, what you wear, your relationships, where you work, what you earn, and more — it’s all online. As many privacy advocates have observed, algorithms know you better than you know yourself.
The NCA notes that data is used to “make inferences about your socioeconomic status, demographic, and preferences. Even seemingly innocuous information, such as your favorite restaurants or items you purchase online, can be used to make assumptions about you and your habits.”
All of which means privacy is one of the few things that ought to unite us. It transcends age, gender, race, nationality, and income level.
DPW, which runs Jan. 21–27, is “an extension of Data Protection Day in Europe, which commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection,” according to the NCA website.
And yet every year (and I’ve been writing about it for more than a decade), the state of data privacy seems to be no better, and often measurably worse, than the year before.
There’s gold in data
Speakers at security conferences have called the current era a “golden age of surveillance.” That means golden for those doing the surveillance, not the rest of us.
Indeed, even what is promoted as progress on the privacy front can be illusory. There were flurries of headlines earlier this month about a couple of Federal Trade Commission (FTC) settlements regarding data collection.
In one, InMarket Media is required to stop selling location data collected with apps that according to the FTC “have been downloaded onto over 390 million unique devices since 2017.” That data is then used to build advertising profiles that the company’s customers use to deliver targeted ads in mobile apps.
In another, with data broker X-Mode Social, now rebranded Outlogic, the settlement bans it from “sharing or selling any sensitive location data” — the kind the FTC said the company had been collecting from phone apps “to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.”
Which sounds like a win for regular people. But a post in Wired magazine noted that Outlogic hadn’t been required to admit to any wrongdoing.
As writer Dell Cameron noted, the main weapon the FTC has at present is authority to sanction companies that lie to consumers about how their data is being collected and “shared” (sold). In the Outlogic case, “the FTC’s job is to ensure consumers receive ‘notice’ of how their data is being used. But the job is a sham, and everyone who ever clicked ‘I agree’ on a privacy policy knows it,” he wrote.
No privacy by default
That’s because there is no privacy by default. Even when companies do provide notice, the length and language of privacy policies make them almost impossible to understand.
There have been multiple demonstrations of that reality. The Finland-based cybersecurity company F-Secure famously created a spoof Terms of Service more than a decade ago that required users to turn over their first-born child, and if there were no children, “your most beloved pet will be taken instead. The terms of this agreement stand for eternity.”
Cameron cited a Carnegie Mellon survey that “determined that it would take an average person roughly 76 working days to consume all of the privacy policies they encounter in a year.”
“So ubiquitous now is the technology tracking our movements, in no meaningful sense are people voluntarily accepting the risks of allowing companies to access and share that information,” he added. “It is a matter of participating in society or not, of being employed or not.”
Not all experts think it’s that bleak. James E. Lee, chief operating officer of the Identity Theft Resource Center (ITRC), said the privacy landscape is “clearly better than five years ago,” pointing to comprehensive privacy laws passed in a dozen states as “a great start, with more work to be done.”
And it’s true that government at both the state and federal levels in the U.S. has been involved in data privacy for decades. Among federal laws covering specific sectors is the Health Insurance Portability and Accountability Act, which is intended to protect the privacy of health and medical information. That took effect in 1996.
Comprehensive consumer privacy laws are much more recent. The first and most prominent state law, the California Consumer Protection Act, took effect just four years ago this month. But much more legislation has followed.
According to the National Conference of State Legislatures, at least 40 states and Puerto Rico introduced or considered approximately 350 consumer privacy bills in 2023. Among those were about 60 so-called “comprehensive,” or “omnibus” consumer bills in at least 25 states.
Jumble of laws
Still, those can amount to a “jumble of hundreds of laws,” according to ICLG.com, a global platform for legal reference, analysis, and news. Not surprisingly, laws that don’t align can create confusion and frustration, especially given that the online world doesn’t have state, or even national, borders.
And so far there is no comprehensive U.S. federal law on data privacy similar to the EU’s General Data Protection Regulation, which took effect nearly six years ago, in May 2018.
“The U.S. has in many ways been sluggish in the adoption of consumer-focused data privacy compared to the rest of the western world,” said Andrew Bolster, senior R&D manager, data science, with the Synopsys Software Integrity Group.
But he noted the increasing number of state laws now in effect or pending. “Eight states passed primary legislation in 2023, with five of those laws coming into force in 2024. This year will be the year for businesses to really evaluate the cost of operating within the bounds of these laws,” he said.
Still, privacy legislation can be complicated by issues such as who decides what should be private. Sammy Migues, principal at Imbricate Security, said, “what I consider personal and what the U.S. and state governments consider personal is not the same dataset.”
“I consider my current location to be personal, as well as the number of times I use the toll road by my house, my car GPS data, everything my doorbell sees, the websites I visit, my Amazon purchases, and a thousand other individual things — and then the thousands more inferences that can be made, often very erroneously, from those individual things.”
So while existing laws give consumers some privacy rights, the reality is that your level of privacy depends on how much time, energy, and savvy you have to address it. Because doing so will take a lot of it. The NCA spells out a number of ways to manage privacy.
- Make informed decisions: Is the service, app, or game worth the amount or type of personal data they want in return? Can you control your data privacy and still use the service? Is the data requested even relevant for the app or service — as in, does a Solitaire game need to know all your contacts?
- Don’t keep what you don’t use: If you haven’t used an app, service, or account in several months, consider deleting it.
- Adjust privacy settings: Check the privacy and security settings of every app, account, or device you have. Set them to your comfort level but lean toward sharing less data. Make a habit of adjusting all your settings as soon as you add an app or create an account. The NCA has a Manage Your Privacy Settings page that lets you check the settings of social media accounts, retail stores, apps, and more. It contains direct links to settings for eCommerce sites (10), mobile banking (8), email and voice communication (6), health apps (7), food delivery (10), mobile/location services (12), social networks (10), streaming platforms (15), web browsers (6), music (6), online conferencing (8), online dating (11), photo and video sharing (11), ride share services/scooter rental (8), travel (5), search engines (7), and miscellaneous (11).
- Protect your data: Create long passwords (at least 12 characters that include letters, numbers, and special characters). Use a password manager to store them. Use multifactor authentication where permitted. Turn on automatic device, software, and browser updates. Learn how to identify phishing emails, texts, or direct messages.
This is all good advice. But as Cameron noted, reading privacy policies and adjusting settings can take months, not hours. And it’s not always easy, or even feasible, to tweak privacy settings to cover every eventuality.
“Can you imagine the chaos involved in having a list of hundreds of personal data items and having to choose from the list what you’re willing to share and how you’re willing to let that data be used for each and every interaction you had all day, every day?” Migues said. “It would be a thousand times worse than the current ‘Do you accept our cookies?’ prompts that we deal with dozens of times per day. Everything would grind to a halt.”
Perhaps an easier way to reduce privacy risk is to keep in mind that nobody can collect data that isn’t shared. Migues said Data Privacy Week should remind people that “telling the world on social media the names of their pets, the concerts they went to, that story about their middle name, and their favorite sport in high school is a really bad idea, and so is giving real answers to account security questions.”
No security? No privacy
Beyond all that, the most significant reality of the online world is that there is no data privacy without data security. On that front, the ITRC’s Lee said things aren’t good, but could be much worse. “There were more breaches reported in the U.S. in 2023 than in any year since the first data breach law went into effect in 2003,” he said, “yet there are more breaches reported in the EU in a week than in a year in the U.S.”
That, he added, is in part because “businesses under-report and fail to report. For example, in 2018–20, virtually 100% of organizations issued data breach notices that included actionable information to help consumers and other businesses protect themselves. Since 2021, that has dropped to 54%.”
That could change, thanks to a U.S. Securities and Exchange Commission rule that took effect in December, requiring publicly traded companies to disclose “material” cybersecurity incidents within four days. But the rule is highly controversial and could be overturned by Congress.
That means the classic “time will tell” cliché applies to the future of government regulation of data privacy.
Bolster noted that many interested parties are watching “to see if the Biden Administration will take a step similar to the release last year of the National Cybersecurity Strategy. That strategy signaled that the onus for pervasive, defensive cybersecurity was on industry, rather than on ‘the individual’ or smaller entities. A similar EO [executive order] on data privacy would be consistent with this approach,” he said.