HOW MUCH OF YOUR PRIVATE INFORMATION IS PUBLIC?
By Saumil Shah, Plante Moran

We all have an innate desire for privacy: to keep our personal information to ourselves and to a select few friends and family — yet we repeatedly hand over our civil liberties on a silver platter. How? Through social networking.

Causes of Concern

I recently created a new account on Facebook with a false identity and added several random friends; I was surprised to find that most of them accepted my invitation. It’s like random people ringing your doorbell — would you invite them in for a free tour of your home?

While social networking sites like Facebook seem to exist to connect us with friends and family, their main objective is to sell our information to advertisers. “The company thrives on allowing advertisers to target their potential customers with pinpoint accuracy and that takes highly personal data,” reported Web Pro News.

Social networking sites like Facebook, Instagram, Google+, Twitter, and many others are platforms where we can share our personal information, make new friends, or keep in touch with old friends. Enjoying those connections, however, comes with a price: our personal information.

Sidebar figures (from the article’s infographic; the unlabelled pie-chart slices could not be recovered):

CONSUMER CONCERN
• “How often do you worry about your privacy online?” 92% worry.
• 74% of Internet users are more worried about online privacy than one year ago.
• Causes of concern: 58% business sharing my personal information with other companies; 38% reports of government surveillance (e.g., NSA’s PRISM program).
• Privacy concerns have increased across all online activities: 93% shopping online; 90% banking online; 90% using social networks; 85% using mobile apps.

BUSINESS IMPACT
• 89% agree: “I avoid doing business with companies who I do not believe protect my privacy online.”
• Due to privacy concerns, consumers are less likely to: click on an online ad (83%); use apps they don’t trust (80%); enable location tracking (74%).
• 76% of Internet users are more likely to check websites and apps for a privacy certification or seal.

WHO GETS ACCESS TO OUR INFORMATION?

Information that we share can be accessed by government authorities, marketing agencies, job recruiters, and sometimes even the public.

Yes, we’re notified. There are lengthy terms, conditions, and privacy rights we’re required to check that we’ve read, but how many of us actually read them? It’s a human tendency to blindly agree to whatever terms and conditions the site owner has, for the following three reasons:

1. We don’t have enough time to read through the agreement.
2. It’s boring.
3. We trust the website because millions of others use it.

The following are the key things mentioned in privacy policies that we should take into consideration:

• Your name, profile pictures, gender, username, or user IDs will always remain publicly available.
• Social networking companies will collect usage information such as your IP address, browser type, operating system, hardware, mobile network carrier, location, search terms, and the URL that referred you.
• These websites will collect cookie information in order to track your Internet surfing habits, destroying the whole idea of surfing online anonymously.
• Personal information will be shared with publishers, advertisers, affiliated companies, trusted business partners, or connected sites in compliance with the website’s privacy policy.
• Personally identifiable and non-personally identifiable information will be shared in response to a legal request (like a search warrant, court order, or subpoena) if they have a good-faith belief that the law requires them to do so.
• If the ownership of the business changes — or if the website is involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets — your information may be sold or transferred to the new owner. We can only hope that the new owner will respect and comply with the privacy policy we originally signed.
• Companies will use encryption technology such as TLS/SSL; however, there are no guarantees that the data they hold will be secure, despite their best efforts. Security breaches and failures such as the “Heartbleed” bug can occur at any time due to circumstances beyond their reasonable control.

WHAT HAPPENS IF A COMPANY VIOLATES ITS PRIVACY POLICY?

As you’re reading this, there are several privacy wars in progress. Below are some highlights and news stories on the impact of privacy violations.

• In January 2014, Matthew Campbell and Michael Hurley sued Facebook in the Northern District Court of California for allegedly intercepting private messages, in violation of the Electronic Communications Privacy Act, for purposes including (but not limited to) data mining and user profiling.
• In January 2014, France’s data protection watchdog CNIL (Commission nationale de l’informatique et des libertés) confirmed that Google ignored a three-month ultimatum to comply with the Data Protection law on tracking and storing user information after tweaking its privacy policy in 2012. The CNIL imposed a €150,000 fine.
• In November 2013, the Electronic Privacy Information Center was awarded $30,000 by the Federal Court in a fee dispute with the Department of Homeland Security concerning the government’s monitoring of social media.
• Starting June 2013, Edward Snowden, a former CIA employee, disclosed several Internet surveillance programs such as Tempora, PRISM, MUSCULAR, DROPOUTJEEP, and XKeyScore run by the National Security Agency, along with the interception of U.S. and European telephone metadata.
• In August 2012, Google was penalized with a $22.5 million fine over its alleged user tracking in Apple’s Safari browser.
• Starting in February 2013, Guccifer, a Romanian hacker, infiltrated a number of high-profile celebrity Flickr, AOL, Yahoo, and Facebook accounts by taking educated guesses on passwords and gathering private information found online to answer security questions. If hackers can get to them, then they can certainly get to us, right? Maybe not.

HOW DO WE PROTECT OUR ONLINE PRIVACY?

Genuine websites give us some degree of control over our private information, and it’s our responsibility to take advantage of it. For example, websites like LinkedIn, Facebook, and Google+ give the option of keeping birth dates hidden or displayed only to friends or certain groups.

The following are the most essential steps to take to protect your private information online:

• Privacy settings: Make use of privacy settings on social networking websites to lock down as much information as you can from the general public.
• Read privacy policies before signing up: This may sound tedious, but just because the website you’re signing up with has a “Privacy Policy” doesn’t mean your information is protected. While reading the policy, look for a seal program such as TRUSTe or BBBOnLine that indicates the website in question follows that program’s standards.
• Encrypt all of your data: If you’re using a cloud-based service such as Dropbox, OneDrive, or Google Drive to store files, you might want to consider encrypting your information using freeware tools like Boxcryptor or TrueCrypt before uploading it to these websites.
• Use a secure connection: When connecting to the Internet, especially public Wi-Fi, make sure all your Internet traffic uses a virtual private network (VPN). IPredator and OpenVPN are two popular VPN choices among privacy enthusiasts.
• Use a “pseudonymous” email address: If you’re sending emails to unreliable parties, commenting on a blog post, using chat rooms, or have a personal website that displays your email address, make sure you’re using a different email address than your personal, preferred email address.
• Enable cookie notifications: Cookies are used to track your surfing habits. The amount of time you spend on a website, what websites you visit, and what links you click are all tracked for marketing and data mining purposes. While some cookies are useful, others may put your privacy at risk. It’s necessary to take precautions by turning cookie notices on or using a cookie management tool to accept cookies from websites you trust and reject cookies from those that are suspicious.

SO WHAT HAVE WE LEARNED?

In September 2013, Pew Research Center’s Internet & American Life Project conducted a survey concerning anonymity, privacy, and online security of Internet users. Listed below are key highlights and statistics:

• 86% have taken steps online to remove or mask their digital footprints — ranging from clearing cookies to encrypting their email.
• 55% have taken steps to avoid observation by specific people, organizations, or the government.
• 21% have had someone else compromise or take over an email or social networking account without permission.
• 12% have been stalked or harassed online.
• 11% have had important personal information stolen, such as their Social Security Number, credit card number, or bank account information.
• 6% have been the victim of an online scam and lost money.
• 6% have had their reputation damaged because of something that happened online.
• 4% have been led into physical danger because of something that happened online.

Like anything else, there’s a right way and a wrong way to use social networking websites. To avoid being a statistic, take the necessary steps to restrict access to personal information. Read the privacy and confidentiality agreements, and try harder to leverage the privacy settings offered by websites. Otherwise, you risk becoming one of these statistics.

SOURCES CITED:
Documentary film “Terms and Conditions May Apply” by filmmaker Cullen Hoback
Privacy policies from Facebook, Google, Twitter, Snapchat, Dropbox, MySpace, Instagram, YouTube, WhatsApp, WeChat, BlackBerry, Apple, Samsung, Nokia, Yahoo, and Microsoft
2014 TRUSTe U.S. Consumer Confidence Index
http://www.truste.com/us-consumer-confidenceindex-2014/
http://epic.org/privacy/socialnet/
http://pewinternet.org/Reports/2013/Anonymityonline.aspx
http://www.webpronews.com/facebooks-privacywoes-continued-to-grow-in-2012-2012-12
http://www.theguardian.com/commentisfree/2013/jul/14/privacy-in-social-media-age
http://www.presstv.ir/detail/2014/01/05/343838/us-climate-not-supportive-of-privacy-rights/
http://www.pcworld.com/article/2052813/3-essentialtechniques-to-protect-your-online-privacy.html
http://www.truste.org/
http://www.bbbonline.org/
http://www.eff.org/Privacy/
https://www.privacyinternational.org/

MR. SAUMIL SHAH, CISA, CEH, CCNA
Manager | 248.603.5194 | saumil.shah@plantemoran.com
Saumil has over eight years of information security, control, and IT audit experience in a number of industries, including financial institutions, insurance, and healthcare. Saumil’s experience includes reviewing system configuration (router, switch, and firewall settings, etc.), conducting web application security and social engineering assessments, and performing black-box/white-box penetration testing on IT infrastructure components deployed and managed by the client infrastructure team. He has assisted with IT general control reviews, SOX 404 reviews, SAS 70 reviews, and database security audits. Saumil holds a Bachelor of Computer Engineering from Mumbai University and the Certified Information Systems Auditor (CISA), Cisco Certified Network Associate (CCNA), Certified Ethical Hacker (CEH), and EC-Council Certified Security Analyst (ECSA) certifications.