CyberSecurity - Privacy vs Disclosure. What will you Compromise?

What is privacy?

Is privacy a tool, a technique or a legal provision? Does privacy mean not sharing anything with anyone?

Privacy is a human right protected by law. For the individual, it is the right to be left alone. It is being able to control what we are sharing, to whom we are sharing it, and when we are sharing it. But in order for people to function in society, they tend to disclose information about themselves. This enables building relationships, engaging in social networks, etc.

Privacy and Disclosure are two sides of a coin i.e. opposing forces in a balancing act. We need to disclose information about ourselves in our everyday lives. Disclose privacy to participate in society, to form personal relationship or develop co-operation and collaborations. We need to have the ability to decide what we share, whom to share and how to share. Privacy is a personal concept and privacy requirements vary between individuals. It varies because it is influenced by ones beliefs, opinions and attitudes. Also, each individual has rights to make decision about what information they want to reveal and what they want as private.

Privacy also depends on context. Let's take a simple example: You have recently been appraised in work. You may be happy sharing this information (with the amount been appraised) with your family but not with work colleagues. Privacy has a variety of dimensions including informational, physical and social. Informational privacy refers to control over information. It describes the ability to determine for oneself when, how and to what extent information about oneself is communicated to others. This includes both information shared online and offline.

How concerned are you about privacy?
Different individuals have differing concerns for privacy. Taking into account the response of individuals they can be divided into three category

1. privacy fundamentalist: individuals who are ‘distrustful of organisations that ask for their personal information, worried about the accuracy of computerised information and additional uses made of it, and are in favour of new laws and regulatory actions’.
2. privacy pragmatist: practical individuals who ‘weigh the benefits to them of various consumer opportunities and services, protections of public safety or enforcement of personal morality against the degree of intrusiveness of personal information sought and the increase in government power involved’.

3. privacy unconcerned: individuals who are ‘trustful of organisations collecting their personal information, comfortable with existing organisational procedures and uses and are ready to forego privacy claims to secure consumer-service benefits’.

Privacy online and offline

Every day we have to choose what to disclose and what to share. But how is online privacy different?

Theoretically, online privacy is different from offline privacy, especially for the person exercising their privacy. This is because in an online situation, companies are involved. Companies need to be involved because, to provide us with quality services, they retain information about us, sensitive or personal information. They have to process the information and store it around on servers, etc. So compared to the offline situation where we can just pull up the curtains in our home or we can drop out of a conversation or have an emotional response to protect our privacy, we cannot do that online. And also, we cannot depend on people to forget what we've told them yesterday or the week before as well, because information is stored forever anyway.

Who controls what companies hold about us and what can companies do? 

Companies have a duty of care towards their customers to protect their privacy. They have to abide, for instance, by the UK data protection law or the EU regulations. They employ security controls, conduct privacy impact assessments to verify their systems. But still, there might be intentional attacks from outsiders, to hack into their systems or unintentional mistakes by insiders, employees, forgetting to log out of a system or losing equipment, for instance. So that means that sensitive and personal information of the customer is still at risk in a way.

How to improve the situations?

The situation can be improved via different facets. One of them is new policies and regulations, such as the right to be forgotten. And secondly, via research. There are currently lots of research looking into the technical aspects of improving privacy mechanisms, privacy tools online. But there is also new research looking into how human beings interact with privacy systems, what makes them take certain decisions, and what drives them to respond in a certain way and disclose or share information.

 

 Some examples of what can go wrong have been very much advertised in recent years. And this happens by security attacks resulting in huge privacy breaches. We all know of the scandalous cases, for example, of WikiLeaks a few years ago. Apart from that, we have the situation of Adobe, where hackers raided a backup server containing customer information. Then we have the situation of Snapchat, where hackers wanted to expose Snapchat's poor cybersecurity practices. And to do that, they exposed customer details online, personal information and sensitive information. Another scenario is the EBay situation, where hackers gained access via employee login credentials. And again, there were sensitive and personal information of customers exposed, including physical addresses and date of births.

What value do businesses get from our personal data?

The ‘free’ service we receive from many companies such as Facebook or Google is not actually free.

From the company perspective, we, the users, willingly decide to give them data about ourselves in exchange for the service they provide.

One thing these companies have in common is that advertising accounts for the much of their revenue.

In order to make profit from advertising, companies need us to spend more time on their platform - even if we’re actually looking at different websites. Once you have logged in on Facebook, Google, or Twitter, if you stay logged in then you can be tracked when you visit another site with a Facebook like button, Google’s +1 button, or Twitter share button. Even if you do not click on those buttons, Facebook, Google, or Twitter get notified so they know which websites you visit. That’s why many ad blockers provide the possibility of disabling social media buttons by default and re-enabling them only if you actually click on them.

Think about the amount of information these companies have about us: 

• who your friends are
• what products you like to buy
• which places you have visited and when
• who you contact (message, email) and how frequently
• where you live and which banks you have accounts with.

 

 Any one of these is enough for a so-called ‘market research’ study. When combined, they provide even more information about demographic and geographic preferences and market trends. Organisations specialising in market research make hundreds of millions of dollars each year. You can now imagine the value of all the information we decide to disclose about ourselves online.

Now, consider loyalty cards. If you have one of these cards, you’ll get, say, 10% discount on your purchases from a retailer, such as a supermarket chain. A loyalty card might make us more likely to choose a particular supermarket over others when we decide to buy something, but the real value to the supermarket is that it now has information about our individual buying habits and history regardless of which method of payment we use to make our different purchases.

This purchase history has a value. Let’s say an individual purchase history is worth 5% of the amount of purchases we make at the supermarket. Scaling this up, we can see that this information alone is worth 5% of the turnover of the supermarket chain. Remember, we are not talking about the profit they make, but the total turnover they have.

 

  In both of these cases, we can see that our personal data is of huge value to companies. In return for allowing the companies to have the data, we gain something:

• the convenience of online interactions
• discounts on shopping
• suggestions for purchases that are tailored to our own buying history.