It’s probably not who, or what, you think
I’ve written several articles discussing various aspects of technological risk to privacy. The computers we use, the systems running them, and the applications and tools we rely on each add risk of some kind to our privacy.
And yet, in my experience, the greatest risk has little do with technology.
It’s a risk we don’t often consider, yet I see privacy compromised more often due to this factor than any other reason.
Become a Patron of Ask Leo! and go ad-free!
The biggest risk to your privacy isn’t technology at all; it’s people. Even then, we worry most about hackers, governments, and the companies we do business with — and yet, they’re not the biggest risk. It all comes back to you: you are the biggest risk to your privacy, and that’s fantastic!
The biggest risk is people
Even with semi-regular news of data breaches, hacking, and other technological intrusions, the single biggest cause for privacy-related damage boils down to nothing more than… people.
I’m certain you’re already making assumptions about which people to be concerned about. I’m just as certain you’re overlooking those who put our privacy most at risk every day.
Let’s review some of the various types of people involved in compromising our privacy.
Hackers, scammers, and other ne’er-do-wells
This is the first thing people think of when it comes to privacy invasions. We hear a seemingly endless stream of news and word-of-mouth reports of privacy hacks every day. It’s easy to think we’re under constant threat from evil villains trying to get at our data.
In a sense, we are. There’s no question that organized crime and other malicious entities have their sights set on gathering personal information and either using it for nefarious purposes directly, or reselling it to those who would.
While your data could fall victim to the individuals in this category, it’s important to realize they’re not interested in you as an individual. They care about gathering as much data as they can, or scamming as many people as they can. They don’t care who those people are — just that they’re vulnerable.
This is also the group of people we can most easily protect ourselves from by using technology and common sense. Security software of various flavors and layers, coupled with skepticism and our own smart habits, are our first, best line of defense.
Governments and government agencies
You may think I’m including this because I’m concerned your government is spying on you.
I’m not.
Oh, it’s certainly possible, and in some countries even plausible, depending on your behavior and “value” to whoever might be watching. Once again, however, I believe strongly that most of us, in most countries, simply aren’t worth the effort for individual government surveillance. We’re just not that big of an individual risk.
No, what makes government one of the largest threats to our privacy are the laws and policies they enact or fail to enact. Weak government policy and enforcement around individual rights and privacy makes it easier for others — in the government and elsewhere — to access and possibly misuse our personal information.
Most people don’t pay attention to this unless they’re already living under an oppressive regime, in which case it could be considered too late. I strongly suggest that paying attention and working within your system to ensure personal privacy rights is an important responsibility.
Employees, technicians, and policy makers
Many people are concerned about big business and corporations collecting and using our personal information.
I’m generally not. Other than making sure government regulations are in place to protect my information, as well as corporate policies that similarly ensure my privacy (whether legally required or not), I’m not that concerned about the information I know is out there about me.
Unless those companies get hacked or otherwise compromised — and that generally comes back to the people involved. I believe the majority of breeches boil down to individual people making individual errors.
One example might be the software engineer who, with little to no security experience, is put in charge of the security of my data. All the good intentions in the world won’t make up for his or her inevitable oversight (which is probably more common than we suspect). Software developers and policy makers operate under a “features first, security later” approach that often pushes service development — and with it, our personal information — beyond acceptable risk. Then, once a vulnerability is discovered, the hackers mentioned earlier swoop in to take advantage of the access to our information.
The most important thing you can do to secure yourself against these types of oversights is to know who you’re dealing with and hold them accountable for the security of your information. Do business with companies with a proven track record. If you find you can’t — if you find you need the services of an unproven entity — be particularly wary of the information you choose to share.
Friends and family, business contacts, and associates
We share a fair amount of information without thinking about the ramifications of exposing ourselves to other people.
Sometimes that can be literal. I frequently encounter individuals who come to me concerned that their video chats might be intercepted by some middleman. As it turns out, it’s not the middleman they need be concerned about when they find themselves being blackmailed by the individual at the other end of the conversation.
The fact is, there’s no technology — none whatsoever — that can protect you from the people to whom you choose to expose your information (or anything else). Any technology can be circumvented in one form or another by the recipient. If it can be seen, it can be copied — even if it’s just taking a picture of the computer screen while your sensitive details are displayed.
And of course, once something is posted publicly (and let’s be clear: all social media is public, regardless of your privacy settings), it cannot be recalled.
This is, perhaps, the single most common cause of privacy violations I’ve encountered over the many years I’ve been doing Ask Leo! — not big business or government, not massive data breaches, not malware, not even ransomware1 — but one-to-one interactions in which individuals share too much and later regret it.
This risk is only growing on social media, which creates an illusion of intimacy and safety while nothing of the sort exists.
You
You are the biggest risk to your own privacy.
By sharing too much on social media, trusting too easily when some stranger calls telling you your computer has a problem, or reaching out to the wrong people in times of technological crisis, the biggest risk of all comes back to you.
And that’s great!
Now, why, after all that gloom and doom about how our privacy can be compromised, am I so excited to point the finger at you?
Because the one thing you have control over is yourself.
You can become more knowledgeable. You can make better decisions. You can take responsibility for your privacy from here on out.
There’s no requirement that you become a Luddite and walk away from technology in general — Lord knows I’ve certainly not done that. What’s required is simple awareness — mindfulness, if you will — of exactly what, where, and with whom you share.
That last one is perhaps the most important: your privacy is all about the people you trust and share with.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Footnotes & References
1: Which is just malware. Particularly destructive, but malware nonetheless.
Long term, I believe the biggest threat to our privacy is the fact that we’re caring less and less about it. We don’t care too much about PRISM, we don’t care too much that companies track us across both websites and devices, we don’t care too much that data brokers build extraordinarily detailed profiles about us and are largely unregulated, and we don’t care too much that algorithms enable connections to be made between data sets, even when both sets are encrypted.
Bottom line: the less we care about our privacy, the more it’ll be chipped away at.
Welcome to the future. So much like many science fiction books predicted.
Remember this?
http://www.dailymail.co.uk/news/article-2102859/How-Target-knows-shoppers-pregnant–figured-teen-father-did.html
I completely disagree with the contention that “they’re simply not interested in you as an individual” – sorry, Leo! On the contrary, I believe that they’re extremely interested in us as individuals. Compiling and crunching enormous amounts of data compiled from multiple sources enables governments and businesses to build very detailed profiles about us which can be used for everything from predicting our behaviour, deciding whether or not to lend us money, deciding whether or not to insure us, etc., etc., etc. Or even just working out whether or not we’re pregnant.
One thing we can agree on: “I believe the biggest threat to our privacy is the fact that we’re caring less and less about it.” Indeed.
Obviously ISPs and large corporations don’t care what you do online as an individual. However, if the corporation is making a profit off your information then they should compensate all of those that it gathers information from. There’s no way to know exactly how much they’re making, or how much the information is making future profits for the company, but they still need to compensate those that it takes the information from. That’s what the big deal is; not the information but how will they compensate.
The best way to counter the corporations is to set your browser to automatically dump all cookies on exit and use a VPN. Until they find a way to fairly compensate their customers for using their information, that’s what I have done and will continue to do.
“While your data could fall victim to the individuals in this category, it’s important to realize they’re simply not interested in you as an individual. What they’re interested in is much broader; what they care about is gathering as much data as they can, or scamming as many people as they can. Particularly when it comes to scams, they don’t care who those people are, just that they’re vulnerable.”
Near as I can figure, this makes cloud storage a risk in and of itself. Your not very interesting or valuable data winds up as ‘by-catch’ as the crooks go after ‘the big score’.
“The biggest risk is people”. Oh, so true.
A company may have the best privacy procedures possible. Yet, the carelessness of one individual could render it useless. When I read the news, I so often remember the movie The Atomic Train. It starts with someone committing three violations to send a nuclear device across the country, and ends with the device exploding. Every bad event in between was the result of noncompliance of individuals.
A common expression says that we are our own worst enemies. We hand out all sorts of information and get upset if someone uses it in a way we did not intend. All the people using this data are doing is connecting the dots between what we freely give.
I subscribe to several survey outfits, so a lot of my personal information is out there. It can be freely obtained by scammers, ad agencies, foreign entities, terrorists – just about everyone (except the US government) – to use as they see fit. I’m not very concerned, though. To most I’m just a number, just part of the background. Since my pre-tax income is out there, they know they wouldn’t make much off me. If they read some of my posts, they know that if I suspect any malware on my computer, I’ll just scrub it and load in my backups. I don’t use social media, so there is no “intimate” information about me (except what someone else may post).
As Leo says – we have the greatest control over our own privacy.
Yep, It’s us people for sure. Human nature.
A few years ago I was in a hospital waiting for open heart surgery and out of boredom and to keep from seizing up I would walk the hallways and this took me by the nurses stations. Naturally I peeked at the computer screens. On night shift the nurses would be surfing the Internet and chatting with friends on facebook and checking their emails and whatever on the hospital computers. One nurse told me it was strictly against the rules.
Management thought that everybody would obey the rules because they said so but in reality most didn’t.
I’m no expert but I was thinking they were putting the hospital computers at risk and wondered why they could even do it.
I didn’t judge them to harshly because if I was in their place I think I would do the same if I couldn’t bring my laptop.
I live in a small town with many people that don’t have their own Internet connection so a few of them use my computer.
I have observed them opening attachments when they didn’t even know who sent them and clicking on everything in front of them.
I have repaired computers that haven’t been virus scanned for over two years.
Many times I get computers that had the original Norton Antivirus expired. When I ask if they have virus protection they say yes it came with the computer.
Some of them have downloaded and installed so much junk that it boggles the mind.
My hobby is starting to get overwhelming. lol
Oh yes it’s the people that are doing it to themselves. The weakest link people.
Hey Leo, Welcome Back to the good fight.
Good point that “Software developers and policy makers [practice a] “features first, security later” approach that often pushes service development – and with it our personal information – beyond acceptable risk”. It certainly applies to private custom-software sources: contract developers, IT departments, smartphone Apps, open source, freeware, and shareware . The user can never really know what exposures creep in from private sources.
Private developers are not bad guys taking extraordinary risks. They are simply meeting a demand from their corporate clients. The developers practice “Features first, security later” because, WE, their clients demand it. Have we ever seen a contract for outsourced software that read “We’ll pay when you’ve delivered all of the function to our satisfaction, but by all means take all the time you need to shake out all possible security issues”? When our bottom line is on the line, our own corporate priorities are “Features first, security later”.
I’m sure there are many people who don’t even know about the companies, and data mining and fact gathering. Ignorance is bliss! One such company is Rapleaf. I won’t profess to know much about them either, except that when you watch the videos (Wall Street Journal), they’re just a little scary. Some of this info is from 2010, and this is 2017. How much have they advanced their mining techniques. Here are several links taht still work. Some articles from WSJ are no longer accessible.
http://www.wsj.com/video/digits-how-rapleaf-mines-data-online/6B7F29FE-4A2C-4619-BCB7-CCCE5EB35F62.html
https://gigaom.com/2010/10/24/what-rapleaf-knows-about-you/
https://gigaom.com/2010/10/18/rapleaf-facebook-privacy/
http://ebiquity.umbc.edu/blogger/2010/10/24/how-rapleaf-is-eroding-our-privacy-on-the-web/
And is it just a coincidence that Rapleaf’s “Opt Out” web page is no longer accessible at https://www.rapleaf.com/opt_out At least I couldn’t access it tonight. These companies are scary. Knowledge about them is a valuable tool.
Another good one to read: DATA RAPE: The New Direct Marketing at http://www.targetmarketingmag.com/article/some-marketers-step-over-line-amount-consumer-data-collected/2/
Learn, and protect yourself!
That brings up a question. I have a friend who loves to download/share pictures/videos with a small group of friends. The videos might be old comedy clips or singers from the 50’s, 60’s. There might be a funny–perhaps risque — commercial. I’ve warned him that he is asking for problems by opening attachments and clicking on links. He ignores me. Am I too Chicken Little about this? Keep in mind that the other people are good/trusted friends of his. But, heck, they could have a computer virus. My friend is not computer savvy and I don’t know about his buddies. Also, sometimes his link is to a youtube video. Is that even safe to click on (I have assumed yes).
Mel
It REALLY depends on where he’s getting these links. If his sources are generally tech savvy, then it’s probably ok. He really DOES need to pay better attention, it sounds like, and I fully expect that at some point he’ll get infected, or worse. Hopefully he’s backing up. In my experience, though, it sometimes takes that experience of being infected to really make the point that, yeah, maybe we shouldn’t click on or open everything that comes along.
As for YouTube: yes, it’s safe, as long as it’s really YouTube. By that I mean that the domain you’re going to is either youtube.com or youtu.be. Scammers can try to trick you into going to what you think is YouTube, but is not.
Absolutely correct that YOU are the source of your privacy leaks. And it doesn’t have to be related to any technology or the internet. An anecdotal example: I had just moved into a house. I was out in the front yard looking over things. My next door neighbor came out of his garage and saw me for the first time. We said hello and starting chatting. At least I thought we were engaging in an initial, meaningless chit chat. This guy gratuitously started telling me everything about himself: his life history, his wife, his work, his politics, his pets, his hobbies, on and on. I’ll bet by the end of the conversation I probably knew some of the answers to his accounts secret questions. As for me, all I ended up telling him was my first name. I’ve also come across this type of full confession on planes, on tour buses, at parties, etc. Leo says “you’re not that interesting”. Apparently, some people think they are that interesting.
It is amazing, the amount of personal information that some people freely give away on social media. You are taking a risk, because you never know who will become upset with you and how upset they will become. This is particularly true if you are discussing controversial subjects such as politics.
Am I worried about breeches? Not at all. That’s why I wear a belt. Oh, typo?
But seriously social media… OMG, what a nightmare. I took one look at Bebo and MySpace way. way back in the early 2000’s that my kids were accessing. One quick look at how it worked and all I could see was potential trouble, trouble and more trouble. And while they may now be gone or pretty much obsolete we now have the infamous Facebook. With all the problems I saw about 20 years ago. Compounded by Twitter, Snapchat etc.
Give me good old email anyday… at least I can see what is happening and if something leaks then it is most likely my fault for sending sensitive information out. Unlike what Facebook etc. do. Data mine and then before you know it something comes back to haunt you. Personally I believe that they should be forced to change their name to what they in fact really are. Fakebook.
Leo, you wrote:
“I strongly suggest that… working within your system to ensure personal privacy rights is an important responsibility.”
Three letters, Leo. Ya’ ready? Here they are: EFF.
As in: https://www.eff.org
Cheers! :)
Been supporting them for some time.
I would specifically point out the medical community as a huge risk. Doctors’ offices, hospitals, even your dentist and optometrist offices have much personal info; all the usual including address & DOB but also insurance info (which *still* may include your SSN). Not only do they have this info, they are notorious for treating it in a lackadaisical manner; forms left out on a desk, PCs left on, questioning patients in public, etc.
I read Kevin Mitnick’s book on hacking and (maybe not so) surprising, he said that most of his hacks were lo-tech, social engineering (phoning or emailing people to get information such as passwords and where a person’s desk was in the office etc. The most common form of social engineering now is phishing which is tricking people to hand over their login information, Social Security numbers, credit card numbers or other information which scammers can use to steal your accounts or cash. My credit card number and CVC code was stolen by a cashier who simply copied the numbers and used them for online purchases. I contacted my bank and they restored my money.