is Public? - Plante Moran
Transcription
is Public? - Plante Moran
HOW MUCH OF YOUR PRIVATE INFORMATION is Public? BY SAUM IL S HAH WE ALL HAVE AN INNATE DESIRE FOR PRIVACY to keep our personal information to ourselves and to a select few friends and family — yet we repeatedly hand over our civil liberties on a silver platter. How? Through social networking. Causes of Concern I recently created a new account on Facebook with a false identity and added several random friends; I was surprised to find that most of them accepted my invitation. It’s like random people ringing your doorbell — would you invite them in for a free tour of your home? While social networking sites like Facebook seem to exist to connect us with friends and family, their main objective is to sell our information to advertisers. “The company thrives on allowing advertisers to target their potential customers with pinpoint accuracy and that takes highly personal data,” reported Web Pro News. Social networking sites like Facebook, Instagram, Google+, Twitter, and many others are platforms where we can share our personal information, make new friends, or keep in touch with old friends. Enjoying those connections, however, comes with a price: our personal information. 58% | Business sharing my personal information with other companies 38% | Reports of government surveillance (e.g., NSA’s PRISM program) TW O Business IMPACT Consumer CONCERN “I avoid doing business with companies who I do not believe protect my privacy online.” bankruptcy, reorganization, or sale of assets — your information may be sold or transferred to the new owner. We can only hope that the new owner will respect and comply with the privacy policy we originally signed. “How often do you worry about your privacy online?” 2% 8% 9% 26% 89% AGREE 53% 36% Yes, we’re notified. There are lengthy terms, conditions, and privacy rights we’re required to check that we’ve read, but how many of us actually read them? It’s a human tendency to blindly agree to whatever terms and conditions the site owner has for the following three reasons: 92% WORRY • • 2. It’s boring. • Social networking companies will collect usage information such as your IP address, browser type, operating system, hardware, Your name, profile pictures, gender, username, or user IDs will always remain publicly available. These websites will collect cookie information in order to track your Internet surfing habits, destroying the whole idea of surfing online anonymously. • Personal information will be shared with publishers, advertisers, affiliated companies, trusted business partners, or connected sites in compliance with the website’s privacy policy. • Personal and non-personal identifiable information will be shared in response to a legal request (like a search warrant, court order, or subpoena) if they have a good-faith belief that the law requires them to do so. WHO GETS ACCESS TO OUR INFORMATION? Information that we share can be accessed by government authorities, marketing agencies, job recruiters, and sometimes even the public. The following are the key things mentioned in privacy policies that we should take into consideration: 45% mobile network carrier, location, search terms, and the URL that referred you. 1. We don’t have enough time to read through the agreement. 3. We trust the website because millions of others use it. 21% • If the ownership of business changes — or if the website is involved in a merger, acquisition, • Companies will use encryption technology such as TLS/SSL; however, there are no guarantees that the data they hold will be secure, despite their best efforts. Security breaches and failures such as the “Heartbleed” bug can occur at any time due to circumstances beyond their reasonable control. WHAT HAPPENS IF A COMPANY VIOLATES ITS PRIVACY POLICY? As you’re reading this, there are several privacy wars in progress. Below are some highlights and news stories on the impact of privacy violation. • In January 2014, Matthew Campbell and Michael Hurley sued Facebook in the Northern District Court of California for allegedly intercepting private messages, in violation of the Due to privacy concerns, consumers are less likely to: 83% click on an online ad 80% use apps they don’t trust 74% enable location tracking HOW MUCH OF YOUR PRIVATE INFORMATION is Public? THREE Privacy concerns have increased across all online activities Electronic Communication Privacy Act, for purposes including (but not limited to) data mining and user profiling. • • • • In January 2014, France’s data protection watchdog CNIL (Commission nationale de l’informatique et des libertés) confirmed that Google ignored a three-month ultimatum to comply with the Data Protection law on tracking and storing user information after tweaking its privacy policy in 2012. The CNIL imposed a €150,000 fine. In November 2013, the Electronic Privacy Information Center was awarded $30,000 by the Federal Court in a fee dispute with the Department of Homeland Security concerning the government’s monitoring of social media. Starting June 2013, Edward Snowden, a former CIA employee, disclosed several Internet surveillance programs such as Tempora, PRISM, MUSCULAR, DROPOUTJEEP, and XKeyScore run by the National Security Agency along with the interception of U.S. and European telephone metadata. 93% | Shopping Online 90% | Banking Online HOW DO WE PROTECT OUR ONLINE PRIVACY? Starting in February 2013, Guccifer, a Romanian hacker, infiltrated a number of high-profile celebrity Flickr, AOL, Yahoo, and Facebook accounts by taking educated guesses on passwords and gathering private • Privacy settings: Make use of privacy settings on social networking websites to lock down as much information as you can from the general public. • Read privacy policies before signing up: This may sound tedious, but just because the website you’re signing up with has a “Privacy Policy” doesn’t mean your information is protected. While reading the policy, look for a seal program that indicates the website in question follows standards such as TRUSTe or BBBOnLine. 4% 3% 8% information found online to answer security questions. If hackers can get to them, then they can certainly get to us, right? Maybe not. Genuine websites give us some degree of control over our private information, and it’s our responsibility to take advantage of it. For example, websites like LinkedIn, Facebook, and Google+ give the option of keeping birth dates hidden or displayed to only friends or certain groups. The following are the most essential steps to take to protect your private information online: • Encrypt all of your data: If you’re using a cloud-based service such as Dropbox, OneDrive, or Google Drive to store files, you might want to consider encrypting your information using freeware tools like Boxcryptor or TrueCrypt before uploading them to these websites. • Use a secure connection: When connecting to the Internet, especially public Wi-Fi, make sure all your Internet traffic uses a virtual private network (VPN). IPredator and OpenVPN are two popular VPN choices among privacy enthusiasts. In August 2012, Google was penalized with a $22.5 million fine over its alleged user tracking in Apple’s Safari browser. Use a “pseudonymous” email address: If you’re sending emails to unreliable parties, commenting on a blog post, using chat rooms, or have a personal website that displays your email address, make sure you’re using a different email address than your personal, preferred email address. 4% 90% | Using Social Networks 85% | Using Mobile Apps • 76% of Internet users are more likely to check websites and apps for a privacy certification or seal HOW MUCH OF YOUR PRIVATE INFORMATION is Public? FOU R • Enable cookie notifications: Cookies are used to track your surfing habits. The amount of time you spend on a website, what websites you visit, and what links you click are all tracked for marketing and data mining purposes. While some cookies are useful, others may put your privacy at risk. It’s necessary to take precautions by turning cookie notices on or using a cookie management tool to accept cookies from websites you trust and reject cookies from those that are suspicious. SO WHAT HAVE WE LEARNED? In September 2013, Pew Research Center’s Internet & American Life Project conducted a survey concerning anonymity, privacy, and online security of Internet users. Listed below are key highlights and statistics: • 86% have taken steps online to remove or mask their digital footprints — ranging from clearing cookies to encrypting their email. • 55% have taken steps to avoid observation by specific people, organizations, or the government. • 21% have had someone else compromise or take over an email or social networking account without permission. • 12% have been stalked or harassed online. • 11% have had important personal information stolen, such as their Social Security Number, credit card number, or bank account information. 74% of Internet users are more worried about online privacy than one year ago confidentiality agreements, and try harder to leverage the use of privacy settings offered by websites. Otherwise, you risk becoming one of these statistics. SOURCES CITED: Documentary film “Terms and Conditions May Apply” by film maker Cullen Hoback Privacy Policies from Facebook, Google, Twitter, Snapchat, Dropbox, MySpace, Instagram, YouTube, WhatsApp, WeChat, BlackBerry, Apple, Samsung, Nokia, Yahoo, and Microsoft • 6% have been the victim of an online scam and lost money. • 6% have had their reputation damaged because of something that happened online. • 4% have been led into physical danger because of something that happened online. Like anything else, there’s a right way and a wrong way to use social networking websites. To avoid being a statistic, take the necessary steps to restrict access to personal information. Read the privacy and 2014 TRUSTe U.S. Consumer Confidence Index http://www.truste.com/us-consumer-confidenceindex-2014/ http://epic.org/privacy/socialnet/ http://pewinternet.org/Reports/2013/Anonymityonline.aspx http://www.webpronews.com/facebooks-privacywoes-continued-to-grow-in-2012-2012-12 http://www.theguardian.com/commentisfree/2013/ jul/14/privacy-in-social-media-age http://www.presstv.ir/detail/2014/01/05/343838/ us-climate-not-supportive-of-privacy-rights/ http://www.pcworld.com/article/2052813/3-essentialtechniques-to-protect-your-online-privacy.html http://www.truste.org/ http://www.bbbonline.org/ http://www.eff.org/Privacy/ https://www.privacyinternational.org/ MR. SAUMIL SHAH, CISA, CEH, CCNA Manager | 248.603.5194 | [email protected] Saumil has over eight years of information security, control, and IT audit experience in a number of industries, including financial institution, insurance, and healthcare. Saumil’s experience includes: reviewing system configuration (router, switch, and firewall settings, etc.), conducting web application security and social engineering assessments, and performing black-box/white-box penetration testing on IT infrastructure components deployed and managed by the client infrastructure team. He has assisted with IT general control reviews, SOX 404 reviews, SAS 70 reviews, and database security audits. Saumil holds a Bachelor of Computer Engineering from Mumbai University. Saumil is certified in Certified Information Systems Auditor (CISA), Cisco Certified Network Associate (CCNA), Certified Ethical Hacker (CEH) and EC-Council Certified Security Analyst (ECSA).