What do Top Ten lists of Internet Privacy Threats have in common with US FBI Ten Most Wanted lists? Both attempt to keep the public aware of current, most egregious offenders. While these forms of warnings are helpful, they are limited in at least two ways.
Top Ten lists call attention to a small number of suspicious or bad actors. This may be effective in the case of fugitives or terrorists, but it is dangerously misleading for Internet threats, where privacy abuses are as prevalent among small time actors as any online presence that is visible enough to make the top ten. Simply put, when you tell Internet users “here are the folks to worry about”, you risk having them fail to consider the thousands of online presences where collection, misuse or mishandling of personal information is as much of a threat if not more so.
More importantly, Top Ten lists set users up to micro-manage privacy threats. Such lists distract Internet users from considering the meta-issue. They list the privacy concerns for social networks, mobile operators, subscription portals, emerchants and clouds. They explain in some detail how to opt-out, filter, restrict access, etc. This has the unintended consequence of convincing Internet users that protecting personal information involves a unique effort for each site they visit. The scaling properties of this kind of solution are poor for automation, and worse for the Human OS.
Teaching Internet users how to mitigate threats at a micro-level is useful. Offering Internet users first principles regarding privacy threats is essential.
Let's look at these more closely:
Any non-government, commercial, not for profit, free or for fee site operator that posts or collects any information that is personal or sensitive in nature is a potential privacy threat. Only some of the private sector collects location, behavioral, or personal identifying information for the purpose of influencing or tracking you in some manner.
Any government agency that collects or publishes any information that is personal or sensitive in nature is a potential privacy threat. Government agencies may be more tightly regulated with respect to collection, storage, and sharing of personal data; however, regulations vary across governments and certain agencies within governments may have considerably more license to access personal data than others.
You are ultimately responsible for containment or leakage of data. Consider the following as a first principle for protecting your personal data:
Whether private and public sector actors, it’s important to recognize that (i) each stores personal data you disclose, (ii) you have little insight into how competently they protect your personal data, and irrespective of what filters or restrictions you may apply through some user interface, (iii) you don’t always know exactly how and with whom they share your data, and (iv) policies change.
Set aside the public outrage and clamor for better privacy controls, more transparency and accountability. These are important issues, but they won't help you on a day by day basis. Apply this principle each time you have a choice to share or disclose anything you consider personal or sensitive. Using the best information available, judge whether you are truly comfortable how a site measures up to (i)-(iv). You won't achieve perfect privacy but you may have fewer moments of regret or embarrassment, and you may avoid falling victim to online predators.
If the best choice seems to be to not share or disclose, it probably is...
You raise an important point. FB, Twitter, and other social networks can also track your browser activities from pages that have "like", "+1" and "Tweet" buttons. There are sufficient passive collection techniques to go well beyond presuming one's existence.
Bear in mind that I've tried to lay out a "first" principle, i.e., what you should assume before you even begin to use other techniques to protect your privacy. And I'm not suggesting that this is all you should do, or that private/public sector actors shouldn't be obliged to meet stronger accountability and transparency standards than they do today. Non disclosure is indeed not sufficient. It's the starting point.
Posted by: The Security Skeptic | Thursday, 20 October 2011 at 02:50 AM
Whether you like it or not when you have been pinged by enough other people they can presume your existence. Non disclosure is not sufficient.
Posted by: Brendan | Wednesday, 19 October 2011 at 10:11 PM
There is only ONE true Internet privacy threat. Corporate greed.
Posted by: Renee Marie Jones | Saturday, 15 October 2011 at 09:29 AM