The Obama administration has unveiled its Cybersecurity Executive Order and Congress is considering the Cyber Intelligence Sharing and Protection Act (CISPA), which worries a lot of privacy advocates because it allows companies to share information about cyber attacks that some say could include users' information. But, whatever the government ultimately decides, everyone -- including individuals -- has an important role to play when it comes to both security and privacy.
Things we can and can't control
When we're online, there are things we can control and things we can't. For example, we can control the passwords we use and what we say in social media. But sometimes we're victims of other people's carelessness or malice, such as when a service or a retailer gets hacked or a government employee loses a briefcase containing a laptop with people's unencrypted personal information.
And then there are those other privacy breaches that result from deliberate policies of service providers and advertising networks to harvest user information for a variety of purposes, ranging from targeting advertising to conducting market research.
Still, there are things that individuals, companies, the tech industry and government can do to increase privacy and security.
We're not in complete control
When it comes to trying to protect ourselves from companies and agencies being hacked or losing data, we're pretty much like passengers on a plane. We have to trust that the organizations we're dealing with are doing all they can but there's not a lot we can do. Obviously it makes sense to only provide personal information to trusted organizations. But when hacking victims include the likes of Sony Network, Target, Wal-Mart and universities, there isn't a lot we can do. I was reminded of this several years ago when my son got a letter from UCLA saying that the database containing his admission application had been hacked, and I was reminded again last week when I got an email from Twitter saying it had been hacked and data from 250,000 accounts -- including those of journalists like me -- may have been compromised. Government played a role in at least informing us of those breaches. California was one of the first states to require companies to disclose data breaches to anyone who might be affected.
Things we can do
While we can't prevent such attacks, we can protect ourselves to a degree. One precaution is to use strong passwords and make sure we don't use the same password for each of our accounts. I know that's hard, but there are ways to make it easier. One option is to use a password safe like RoboForm or Lastpass that will remember and enter passwords for you. They will even generate random passwords that are very hard to crack. Another option is to use the first letter of each word in a phrase that you can remember but others can't guess, and to include numbers and symbols.
It's also important to ensure that our devices are secure and protected from malware. Not only does that help protect our own privacy and security, but others' too. An infected device can be used by hackers to invade other systems, so everyone has a role to play in helping to protect the nation's (and world's) infrastructure by protecting our own.
Privacy and security go hand in hand. By now you've heard plenty of warnings about being careful what you post on Facebook, Twitter and other social networks. But based on what I've discovered since I started using Facebook's graph search, a lot of people aren't heeding those warnings. Graph search, which is being rolled out gradually to Facebook users, enables people to search for information or pictures, including things people post to "public" and things that they make available to "friends" or friends of friends. Friends of friends can be a lot of people, when you consider that the average Facebook user has 245 friends. If each of those friends also has 245 friends, an extended network could easily exceed 6,000 people. And it's not just regular folks who can access that information -- it's easy pickings for employers, college admissions offices and even law enforcement and government agencies seeking information about you.
In my searches, I've found all sorts of things people might want to reconsider. I've also found a few things I posted and long forgot about that I decided to delete or make more private (you can change privacy settings for any post or photo at any time). Facebook's online privacy setting, which lets you choose the audience for each post, can help but it's a double-edged sword. Whatever setting you select remains in effect until you change it, which means that if you post something to the "public," the next item you post will also be public unless you remember to change it.
Still another issue is marketing-related privacy invasions like tracking cookies or online profiles. Some people are bothered by them and others accept them as the price we pay for all these great free services. I recently researched a trip to Argentina and keep seeing ads for trips to that country. It's a little creepy, but at least there's a chance some of them might be relevant.
Google's DoubleClick and other ad networks that serve these ads swear that they're not collecting personal information. But even though I believe there's not a printed list anywhere with my name and the word Argentina, it's clear to me that there are servers out there that know something about my recent travel. Whether these ads are fair game continues to be fodder for regulators in the United States and elsewhere. In the meantime, browser makers are developing ways that you can opt out if they really bother you.
Role of government and industry
The tech industry can play a role by creating transparency and simple-to-use features that allow users to opt out of anything that makes them uncomfortable, including tracking cookies and profiling. In addition to the steps outlined in the president's cybersecurity framework, government can also play a role by helping to educate the public, by protecting its own infrastructure and by ensuring that companies disclose any potential privacy or security threats and adhere to their stated policies. It can also set a good example by applying good privacy practices and due process before trying to access citizens' personal information. The president's plan to share information with the private sector is also important, as is its encouragement of "best practices" and its stated commitment to respect privacy. While it's true that over-regulation or dumb laws can stifle innovation and sometimes cause unintended consequences, it's also true that ignoring the problem or assuming that the marketplace can solve all problems is equally irresponsible.
Privacy risks largely within your control
- Responding to social engineering
- Talking on cell phone in public
- Failing to shred paper documents
- Saying the wrong things on social media
- Posting inappropriate photographs
- Clicking on shortened links
- Donating to a political campaign and having that made public
- Being photographed in compromising situations
- Entering contests
- Failing to log out when accessing service on public computer
- Banking or shopping on unsecured Wi-Fi networks
- Not understanding the disclosures or privacy settings of services and apps
- Failing to password protect phone or computer or encrypt files
- Using weak passwords & same passwords on multiple sites
- Failing to password protect devices
Privacy risks largely out of your control
- Government subpoenas & warrants
- Good companies becoming evil
- Individuals affected by a data breach outside their control
- Insurance companies that know too much
- The lending industry -- ever look who's looking at your credit report?
- Aggregation: Weaving information from different sources to create a profile
- Being spied on when travelling, especially in totalitarian countries
- Publicly available data such as home address and taxes you're paying
- Privacy laws and policies that do more harm than good
This article is adapted from one that first appeared in the San Jose Mercury News and my talk at the 14th Annual Privacy & Security Conference. I am co-director of ConnectSafely.org, a non-profit Internet safety organization that receives financial support from Facebook, Google and other technology companies.