One expert suggests ways to reach a happy medium between those who give up sensitive personal information and the organizations that use it.
It might be time to take a long, hard look at who gets our personal data, according to Ina Miranda, CTO and co-CEO of Treasure.cloud. In the introduction to her Help Net Security article, “The obvious and not-so-obvious data you wouldn’t want companies to have,” Miranda asks an important question: “What types of data are companies collecting, and when does it stop serving us?”
To start, Miranda suggests it might be best to first understand the different ways we give data away, to the tune of 1.7 MB of data/sec per person. Miranda says, “Without a doubt, a portion of this data is created—and provided—consciously and voluntarily, such as signing up for a newsletter, posting on Instagram, or allowing cookies when browsing your favorite online store.”
There are two ways to look at the data we voluntarily give:
Is the data used to make a product or service better?
Is the data used in a way harmful to those providing it?
Miranda stresses that voluntarily providing data is about value exchange. If personal data is used to make a product or service better, that might be beneficial. However, when it comes to third-party advertising or data brokerage, users should expect more value in exchange. Miranda mentions, “When there’s no value, or when the value fails to match the sacrifices we make in the process, that is when the data becomes something we wouldn’t want companies to have.”
Digital data exhaust
Most tech media outlets focus on the voluntary provision of personal data, but Miranda warns there is another way personal data is captured, known as digital data exhaust:
“Data exhaust refers to the data generated as trails or information byproducts resulting from all digital or online activities. These consist of storable choices, actions and preferences such as log files, cookies, temporary files and even information that is generated for every process or transaction done digitally. This data can be very revealing about an individual, so it is very valuable to researchers and especially to marketers and business entities.”
Put simply, it is data generated in the background as individuals interact with the internet. Each piece of data, in and of itself, seems harmless, but combined, it is another story. “Together they can produce uniqueness and even work to create a more comprehensive digital image of a user,” explains Miranda. “Combining this with voluntary data brings a whole new dimension—profiling data that distinguishes your interests and behaviors.”
Ability to combine disparate data sets
Personal information—including names, physical and IP addresses, contact information, and birthdays—has significance. However, that data becomes even more valuable when combined with tracking data, which is now possible with the advent of sophisticated data analytics.
Sadly, this compiled data can do many things, from causing embarrassment to people losing jobs. Charles Duhigg’s New York Times article “How Companies Learn Your Secrets” is nearly 10 years old, but it is relevant today, as many are still unaware of what’s possible regarding data analytics.
Earlier, two ways of looking at the data we voluntarily give were mentioned. Let’s try again in a more refined manner:
If we knew our personal data would be truly anonymized and help cancer treatment research, most of us would be okay with that.
Some organizations use personal data for nefarious reasons, and with complex privacy policies, users can only hope their personal data will not be misused.
What is the answer?
Miranda wants to flip the model around, placing the responsibility on companies. She asks what businesses can do to improve the state of consumer security. “In 2021, user trust is essential when growing a company. Businesses need to shift the onus from users to themselves and, by default, offer products and services that respect user privacy,” suggests Miranda. “By adopting privacy by design, processes prioritize privacy in all stages—architecture, design and building a product.”
Let’s not forget that full disclosure of what personal information a company collects, and for what purpose, goes hand in hand with what Miranda suggests. Some examples would be updating privacy policies to be transparent and incorporating notifications directly in the user interface.
As mentioned in the beginning, now seems like a good time to figure out a way to keep personal information private, yet useful.