by Reese Kimmons, MS ISA
More than 20 years ago, when far less personal data was being collected and made available online, a Carnegie Mellon University researcher showed that a very limited “anonymized” Census dataset could be used to personally identify 87 percent of Census respondents.
What this means is that, even if websites, services and vendors claim that any information they gather about you can not be attributable to you, individually, chances are very good that it can and will be.
Consider the rapid advance of digital technology and communication technology in the last two decades. There are now plenty of public record resources available where data miners, including “people search” sites, can gather information on individuals, such as their names, addresses, home ownership information, phone numbers, political party preferences and more.
Add to this the fact that tracking cookies, your Internet service provider, the sites on which you shop, social media, smart gadgets, and, in many cases, even your employer monitor and collect information about what you do online, and you’ll find that personal privacy has to some extent become a thing of the past.
So in the current Information Era, what can you do about it?
The Carnegie Mellon Study
In 2000, Latanya Sweeny of Carnegie Mellon University examined U.S. Census results from 1990 and found the following:
- Using records that included only ZIP code, sex, and date of birth, 87 percent of U.S. residents could be individually identified. At the time, that came out to 216 million of 248 million Census respondents.
- Broadening the criteria using records that included only city, town, or municipality along with sex and date of birth, 53 percent of individuals could be identified.
- Further widening the geographical area to counties, Sweeny found that 18 percent could still be individually identified using only their counties of residence, sex, and date of birth.
Sweeny’s complete report is available at DataPrivacyLab.org/projects/identifiability/paper1.pdf.
The research shows that even if a site, service provider or other collector of personal data claims that the information gathered and shared has been anonymized, it can often be de-anonymized and used to positively identify the individuals from whom it was gathered.
You’ve likely noticed the addition of banners on the websites you visit that ask you to accept their cookie policies. The use of these banners stems from a European Union directive dating back to May of 2011 requiring sites to give their visitors the ability to refuse permission for the sites to drop tracking cookies onto their personal computers.
These cookies gather information about visitors’ online activities, share it with third parties, and/or use it to target site visitors with ads.
Even your Internet service provider (ISP) is likely tracking what you do online and engaging in personal activity analysis. ISPs have been found to be gathering and sharing information about the TV programs their subscribers watch, the music they listen to, where they shop, the websites they visit, and more.
Data brokers gather data from tracking cookies, public information sites like tax and real property records, and third-party sellers. Just as Sweeny used anonymized records to positively identify individuals, data brokers use bits of information they collect along with the IP addresses of individuals’ devices to build personal profiles.
These anonymized profiles can often then be matched to public information sources like tax and real property records, thereby allowing them to be de-anonymized. Once data brokers have names, addresses and other identifiers, they can expand personal profiles to include information like arrest records, phone numbers, names of neighbors and family members, and even information about sexual preference and religious affiliations.
The extensive profiles compiled by data brokers are made available to anyone who wants to purchase them via people search sites. In addition to being valuable to marketing firms and retailers, this type of profile information can be extremely valuable to criminals like identity thieves, stalkers and other ne’er-do-wells.
Additionally, if your children have online presences, the data they share or leave behind as a result of their activities could make them vulnerable to predators. Identity thieves love to target children because they have clean credit slates. Criminals can often use their identities for extended periods of time before their activities are discovered when the child grows up, applies for credit, and learns that his or her identity was stolen years earlier.
Internet of Things (IoT) Devices
Years ago, it was revealed that a popular robot vacuum was measuring rooms, detecting and identifying different home furnishings, and reporting its findings to the manufacturer. The manufacturer then sold the information to home furniture companies and others so that they could target users of the vacuum with ads.
More recently, utility companies began offering incentives in the form of discounts to their customers who installed smart thermostats that were on pre-approved lists of devices. Customers later began to discover that without their knowledge, their thermostats were being remotely adjusted by their utility providers in order to reduce demand during times of peak power usage.
Further investigation revealed the fine print in customer agreements that allowed this practice to occur. In some instances, individuals affected had medical conditions that made them vulnerable to the higher temperatures they experienced as a result of their thermostats being remotely manipulated during the cooling season.
Other examples of IoT devices “spying” on their owners include children’s toys with cameras and microphones sharing information with third parties, personal assistant devices recording their owners’ conversations and transmitting them back to their manufacturers (allegedly so that they could be reviewed to improve voice recognition capabilities), and devices in vehicles that track locations and monitor driving habits.
Protecting Yourself in the Information Era
Short of losing yourself in a wilderness somewhere and never using connected devices again, there is no way to stop all data collection. There are, however, steps you can take to minimize the amount of data gathered and shared, and to get rid of a great deal of the personal information about you that is already being offered for sale online.
People Search Site Removal
You can start the purge of personal data by searching “remove myself from people search sites.” Your search will reveal some informative how-to articles for finding and removing yourself from these profile-building information brokerage sites.
This process will take some time. There are many sites, and each has a different process you’ll need to follow to remove your data and opt out of future data collection. As you go through the process, you’ll probably be a bit shocked at the volume of information they’ve collected about you, your family members, and even your neighbors.
If you’d like to stop your ISP from tracking your online activities, you can make use of a free domain name service (DNS) like Quad9 or OpenDNS. A DNS is what matches website names to their IP addresses and routes your traffic accordingly. Without a DNS, you would be forced to enter the numeric address (IP) rather than the site name, like Google.com.
High-quality, privacy-based DNS services allow you to go where you need to go without tracking you and selling your data. They’re also easy to configure and simply involve changing your device’s network settings.
A virtual private network (VPN) application will encrypt and secure the data sent from and received by your device and can help protect you from hackers and other cyber criminals. A VPN will also mask your device’s IP address, the identifier used to track your online activities.
Do your research before choosing a VPN. There are free options, but those can have performance issues. Some have even been found tracking their users. Look for reviews from trusted sources before making your final selection.
Private Search Engines
Using a privacy-based browser and search engine will help you to minimize tracking and block cookies. The free Brave browser that comes with the private DuckDuckGo search engine is a good combination. Brave will keep stats and display them so you know how many trackers it has blocked and how much bandwidth and time you’ve saved as a result.
Private Email Services
If you have Gmail, you’ve probably noticed that your messages are being scanned. If you get an email regarding a bill coming due, you’ll likely get a reminder from Google the day before the due date listed in the email. That’s because Google’s algorithms “read” your emails and look for certain kinds of information.
Free privacy-based email services like ProtonMail and Tutanota can put a stop to email scanning. They offer end-to-end encryption to protect your privacy.
When considering whether to add IoT devices to your home, ask yourself whether the convenience factor outweighs privacy concerns. Carefully read the terms and conditions. You may also want to disable any microphones or cameras on children’s toys and other IoT devices when they are not in use.
The Information Era: In Closing…
The information provided in this article is but the tip of the iceberg when it comes to threats to personal privacy and the gathering and use of personal data in the Information Era. Even if you take all of the steps recommended, you cannot eliminate all risk.
Your personal information is only as secure as those who store it. For example, the data of an estimated 47 million T-Mobile customers were exposed in a recent breach. When you buy a car or open a credit account, you must give up control of sensitive personal information that may eventually be compromised.
What you can do, however, is minimize the attack surface by taking steps to prevent the collection and sharing of your data to the extent possible. Most of these recommendations can be implemented at no cost and could end up saving you and your family a great deal in the future.
About the Author:
Reese Kimmons is an experienced IT executive with an AAS in Applications Programming, a BS in IT Management and an MS in Information Security and Assurance. During his time in the IT industry, Reese has earned certifications in ethical hacking, forensics investigations, ISO/GIAC, and Cisco networking.
- How Secure is Your Car? Tips to Stop Car Key Fob Hacking - December 17, 2022
- Cybercriminals Raking in Millions with “Hi Mom” WhatsApp Scam - December 17, 2022
- EU Websites Charging Visitors to Reject Tracking Cookies: A Practice Expected to Spread - December 17, 2022