Privacy is not dead - you're just doing it wrong


Security and privacy are often conflated, and in many ways the two concepts do overlap, but they differ in an important way.

Security is about being free from danger or threats. Privacy is about controlling what information about you is known and who you want to know it.

Data Privacy Day occurs every year on the 28th of January and is intended to remind us to more carefully consider our privacy choices throughout the year.

This year, I ask you to think about your privacy choices next time you create a new online profile, load an app on your phone, or sign up for a frequent shopper card at your favourite retail establishment.

When you sign up for an online profile, you are usually trying to connect with like-minded individuals on a hobby forum or find friends and family on social media.

These sites ask for a lot of personal details to "help" you: name, country, city, where you went to school, gender, birthdate and even whether you are in a relationship.

The more information you provide, the richer experience you will have using the service, right?

For each of us the information we choose to divulge will differ. Many of these pieces of information are likely optional to provide and we should carefully weigh the benefits of sharing them.

It's essential to remember that, while passwords can be changed, our birthdates, national identification numbers (SSNs, SINs, NI numbers, etc.) and other personal details cannot.

And with the big data movement hellbent on collecting as much information about us whenever possible, apparently innocuous or unimportant details can be pieced together in new and surprising ways.

Phone apps are another story. An enigma. A mystery. Any company with a bit of cash can commission a phone app to make it easier to do business with them, but is it safe?

Research shows that what is going on under the hood is often far more dangerous than you might imagine.

Apps often ask for a bevy of permissions without any guarantee that these permissions won't be misused. My advice is to try and break the app addiction. Wherever possible, use your mobile device's browser instead.

Lastly, we should reconsider our relationships with retail establishments.

Does your coffeeshop need to know your birthdate for you to join their cup-a-day club?

Is it worth disclosing your household income, address, favorite cereal, and postal code to join your supermarket's points program?

Most often it is as simple as questioning whether it is needed or desired.

Do you require my phone number or simply wish to have it? Can I buy an item without telling you my postal code?

What is your organization's plan to protect this information if I choose to share it with you? Is it legal for you to ask me for this information?

That last question is the toughest one, and we can't easily provide you with a guide.

Each jurisdiction has different privacy laws that explain the data that a company must collect, what it may ask for, and - importantly - what it is legally forbidden to request.

If you are concerned, you need to know your rights.

Look into the laws where you live and don't be afraid to challenge companies overstepping their bounds in asking for your personal information.

I believe this isn't just about slowing down the erosion of our privacy: I honestly believe we can build it back up.

If it feels wrong, it is wrong, so privacy is defined by each of us.

Some of us want to air every detail of our lives, while others are willing to forgo some conveniences to keep life more private.

Don't be bullied: Ask questions and get informed. Your privacy is only gone if you stop caring.

You can make a positive change to your privacy today by taking our 3-Step Privacy Plan Diet.

Freedom isn't free - you have to make an effort!


I love my privacy and big data images courtesy of Shutterstock.


10 Responses to Privacy is not dead - you're just doing it wrong

  1. Thomas · 85 days ago

    Well put. Now what was your phone number again?

  2. Anonymous · 85 days ago

    It's usually legal to ASK. (Can't think of a case where you're not even allowed to ask.) The question is if it's legal to require an answer. For example, in many countries, a business can ask what race you are for their "demographic statistics" but can't require you to answer.

    • Paul Ducklin · 85 days ago

      I'm pretty sure that in some countries - UK, for example - you aren't allowed to ask if someone has "spent" criminal convictions. (This avoids the possible misinterpretation of the answer "no" versus the answer "blank". It also avoids the case where someone decided to say "yes" because they feel some pressure to do so.)

      So IIRC the straight question "have you ever been convicted of a criminal offence" is not a lawful one.

      Same goes for asking "are you intending to become pregnant in the next N years." None of your business, so don't ask.

  3. Ellis · 85 days ago

    I spoke to LG customer service yesterday, and was asked for volumes of personal info. They said their questions were for "Data Protection" ??? I stated "I'm asking the questions, and I'm protecting my data" ...they weren't best pleased - stick to your guns!

  4. Anonymous · 85 days ago

    My senior cat holds all the preferred customer cards for the family. Junior cat holds our "public" FB and Twitter accounts. They each have their own email accounts.

    Demographic/Security questions only require a memorable answer, not necessarily a correct one. Strangely enough, my mother's maiden name is often the same as the store asking.

    If a big data committee ever tries to assemble my profile, they are going to find a camel, or at least a zebra, not a horse.

    ,,,/Glitch

    • Rosco P Coltrane · 84 days ago

      If you are giving the store name as a security validation question, that sounds a lot less secure than if you were to give an answer that only you know.

      • Andrew Ludgate · 84 days ago

        The store name as a security validation answer is actually pretty secure as long as you pad it with something memorable only to you -- it's generally a good idea to never answer the question asked with a valid response. So your answer to "Mother's maiden name" might be "Amazon wants my mother's maiden name!!!~" -- which is easy to remember, hard to guess (assuming they're properly hashing and salting the answers) and doesn't waste your own personal information. It also means that each place that asks for "mother's maiden name" will get a different response.

        But you're right -- answering with a randomly-generated string of characters from a password manager would be even better -- assuming that the string of characters is something you could provide over the phone if needed.

    • @Roscoe & Andrew

      I should note that this technique is just for sites/stores that may give me some discounts or other service I desire, those that seem to ask for more info than the service would seem to require.

      If any are compromised, I don't think the gleaned info would be useful in breaking in my other accounts.

      For my "important" accounts (eg bank, brokerage, Gmail, etc.), these get the full paranoid treatment including unique complex passwords maintained in a password manager.

      Still, even in the latter, my mother has an identity crisis ;)

      ,,,/Glitch

  5. Andrew Ludgate · 84 days ago

    It is really important to know the laws governing your area (and any area you may visit) with regards to privacy. British Columbia, Canada's Privacy Act can be found here: http://www.bclaws.ca/Recon/document/ID/freeside/00_03063_01 and is quite readable.

    In many places it is legal for a company to ask you any personal questions they want -- a response of "no thank you" is usually enough to skip the questioning but retain the service. I have had a few instances of store clerks saying "But you MUST give me that information -- our computer system won't let me do anything without it!" at which point I politely inform them that if this is actually the case, then their store is in direct contravention of the privacy act. It has usually turned out that there was an easy override and the employees just hadn't been trained how to do it (only the managers).

    Unless you assert your rights to privacy, most people will not be aware that you even have those rights. So asserting your rights is also one of the best ways to educate others.

  6. NIgel · 84 days ago

    Most of the article's recommendations are spot on, and they fit the general rule, "Less information disclosed = more security and privacy". In fact, I was easily following (comprehending) them until I got to the part that says "Is it legal...?"

    Huh...? Who knows? I'd bet that most of the website owners who ask for such information don't even know whether it's legal. How can anyone know? The politicians and bureaucrats are constantly meddling with everything everyone does, and it usually diminishes everyone's freedom of action. What is "legal" and what is right often do not coincide.

    Anyhow, all of the article's other recommendations are based on common sense and rationality.

    For example, I never disclose my true date of birth (D.O.B.) unless it is absolutely necessary for some kind of legalistic identification purposes. My D.O.B. is nobody else's business. Anyone who thinks it's smart to broadcast that information to the universe at large obviously has never been a victim of identity theft.

    I have been, and it took me eight years to clean up the mess. There were bills for things I never bought, hits on my credit, notices from collection agencies...a nightmare. When they finally caught the jerk who was guilty, I found out that he started out using one piece of correct information: my date of birth.

    I don't even know how he got it, but that was before the Internet was ubiquitous, and before Faceblat was an "indispensable" part of life for billions of people who post enough personal information to make themselves easy targets. I suspect they'll have to learn their security and privacy lessons the hard way.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.