Is data mining riddled with risk or a natural hazard of the internet?

Cookies a real concern

Data mining is now viewed as a serious security threat, but with all the hype, should you be afraid?

Here’s a scenario many people are familiar with. While searching for flights using one window of your laptop, your Facebook page pops out flight deals as advertised items in another. It’s arrived on screen, entirely unsolicited.

Here’s another scenario. You go to a supermarket in the morning. You return that afternoon and it’s unrecognisable. What happened? Using collated data from beacon technology – a large store may set up 10 or 15 beacons – the supermarket has restocked and reconfigured itself to suit the afternoon demographic. Different times, different customers, different store.

Welcome to the world of track and trace technology where your every step is known, and may even be predicted.

The first example is common. Companies establish an agreement with an online publisher (Facebook, Amazon, Google), which places a piece of code on the participating client’s website. As you browse, the browser cookies that record your clicks within a website start to amass a large body of information. Social media companies use this to watch what you buy, what areas take your fancy and what you search for. This data starts building a bigger picture and sooner or later you are hit with targeted ads.

The second example, using beacon technology, has been trialled in Japan. Beacon is a new word for old-style Bluetooth radio frequency identification technology. It’s part of how mobile phones pop up location-based shop alerts when there are special sale items in nearby stores, and it also helps you make payments through your mobile phone at the point of sale.

Even EXIF metadata from your camera can be tracked back to you.


Apple has placed its trademarked iBeacon in iOS 7 devices, but the technology is only in its infancy. Infosys digital strategist George Eby Mathew says it’s just the start.

“Retailers will be able to connect the end consumer directly to the back-end supply chains. They will get to know what kinds of people are shopping, what they want and when, before shoppers even enter,” he says.

As the internet gets to know you better, it will get smarter about you. The more that ad-supported online sites know about us, the more valuable their ad space becomes. The fear is the more we sign on to mobile applications and online services, the hungrier these sites will be for phone numbers, home addresses, birthdates, interests, political views and medical history – all of which can be redistributed and sold on to other apps and sites.

"[The cloud] is a terrible idea if you find out that your cloud host has multiple servers in a country where organised crime gangs will pay hundreds of dollars for each credit card and supporting information." – Nigel Morris-Cotterill

The more you surf the net, the more digital crumbs you drop.

So how much data does Big Brother want?

In October, Google executive chairman Eric Schmidt described his company’s policy as “getting right up to the creepy line and not crossing it”. Schmidt even mentioned the possibility of a Google implant – a chip under your skin that would track you and provide easy web access. Even he admitted that this was probably going way over “the creepy line”.

But Schmidt hardly sounds repentant: “We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”

Without tracking your location, your Google Map app could not tell you the traffic conditions for the day. Similarly, you would never be targeted for that great home and contents deal if nobody knows your insurance needs.

It’s the big trade-off – your personal preferences and information in exchange for consumer heaven. Which path do you take?

It seems online users are split. In 2013 a survey commissioned by Infosys of 5000 people across five countries [Australia, France, Germany, the UK and US] found that 39 per cent thought data mining was invasive. But about half of those surveyed were prepared to share their preferences and online shopping behaviour with retailers if they could get ads and promotions better targeted to their interests and needs.

The conditions users agree to when they access websites and apps may contain a good deal of “wiggle room”, says Gavin Cartwright, Deloitte Australia’s lead partner in Security and Resilience. Perfectly compliant privacy policies might not specify all the countries where a business’s cloud servers operate. Many are also unclear about data use.

“They might say they use the data only to provide you with ‘better value’ or ‘additional services’, using language which allows a lot of room to move.”

As an example, Twitter added a new feature in November called “app graph”, which gathers a list of all the other apps you have on your smartphone. Twitter intends it “to help build a more personal Twitter experience”. What it really means is it will deliver better targeted advertising for its clients.

As mobiles move from being phones to digital assistants and also payment card devices, the data stored on the phone, or accessible through it, becomes ever more valuable, says Nigel Morris-Cotterill, who heads the Anti Money Laundering Network.

“History shows the hacking will happen sooner rather than later. Devices can be cloned or used as a slave to access your data. Near Field Technology – the trick you use to wave your phone at a reader to pay for things? It’s already been hacked.”

If information can be stored, analysed and sold to data brokers, are we not building a hackers’ paradise? The cloud’s a great idea, says Morris-Cotterill, if you worry that valuable data might be lost in a fire.

“But it’s a terrible idea if you find out your cloud host has multiple servers in a country where organised crime gangs will pay hundreds of dollars for each credit card number and supporting information.”

Even our photos are fair game. Tyler Cohen Wood, of the US Defense Intelligence Agency, writes in her recent book Catching the Catfishers, that if the EXIF metadata in your camera is turned on when you take a photo, that data is often accessible once uploaded to social media: “It contains information such as where the photograph was taken (with exact GEO coordinates), what camera (including its serial number) took the photo, and many other details that give away information about you.”

In the end it comes down to the person, says Deloitte’s Cartwright.

“Many of us want organisations to anticipate our needs but you still have to ask yourself why any online company might need anything more than an email address. Ask yourself why they want it, how it could be used and if you want to share it. It’s no different to buyer beware.”


Metadata madness

In late October 2014, the Australian Government introduced legislation requiring telcos to keep metadata logs pertaining to email, internet, mobile and landline use, as a means to crack down on potential terrorist activity, cyber threats, child exploitation and other crimes. It’s an example of the trend for governments around the world to retain more internet data.

Australian internet service providers would have to hold the data for up to two years, and many are despondent about the changes. Steve Dalby, iiNet’s chief regulatory officer, says it is among the most unworkable pieces of legislation ever introduced.

“They are asking for information – such as MAC addresses [media access control addresses, which identify devices hooked to modems] – which we don’t even keep,” says Dalby.

“We can collect them, but we will have to develop new storage and collection systems to do so.”

As the government has made no move to pay for this, it’s likely customers will have to foot the bill.

“Our customers will have to pay for something we don’t want to do or offer them – it’s a surveillance tax which won’t even deliver surveillance,” Dalby insists.

Dalby also says many of iiNet’s internet subscribers use apps or social media rather than email to communicate with each other, and these services are based offshore so are technically not covered by Australian legislation.

“Facebook messaging, WhatsApp, Skype, Viber, Hotmail and Gmail – none of these are on the list. If you’re a bad guy trying to evade detection, just use these apps and you’ll go under the radar,” Dalby says.

“We’ll be forced to collect squillions of bytes of data, and the law enforcement agencies will have no way of interrogating that data – they’re not adding any additional IT resources. I’ve heard of no extra funding and no extra people with special skills being added for this task.”

Companies such as AOL, Yahoo, Facebook and Google are capable of collating and cross-referencing data, matching emails with browsing history, working out locations and identifying devices. So how do you avoid leaving digital footprints?

How to outwit the snoopers

Be stingy with your information:
Shuey Shujab, who heads digital agency WhiteHat Agency, says users need to interrogate what apps and sites are requesting – that is, what exactly do these sites mean by using third-party data. You should read the privacy policies and assess a business’s transparency around data use.
“If it’s vague, then put up minimal information on yourself. Beware that many incentivise the giving of extra information,” he says.

Reject website cookies:
Use the private mode on your internet browser to prevent your browser history being leaked. When this mode is activated, tracking cookies are deleted once you close your browser, but this will not conceal your IP address. To conceal it you would need to connect to a virtual private network, which encrypts all internet traffic between a user and the server. The best known of these is the Tor browser.

Change your email:
If you do web searches on Google, don’t use the associated Gmail. There are email services such as Hushmail, Riseup and Zoho Mail which advocate no snooping. You can even register your own domain or set up your own email service.

Keep mobile calls private:
For telephony, there’s always voice over IP services such as Skype. Shujab also recommends a series of so-called “silent apps” such as RedPhone, which encrypts mobile calls, and TextSecure, which encrypts text and chat messages.

There are also so-called “unhackable” phones. Probably the best known is the Blackphone with its Silent Circle encrypted communication system, developed by former US Navy SEAL Mike Janke and cryptography specialist Phil Zimmermann.

Change your cloud storage:
Shujab advises internet users to jettison the ubiquitous Dropbox as their cloud service provider and use another called SpiderOak. With its double-sided encryption security, SpiderOak claims even its employees can’t access users’ information.

Don’t share your location:
Keep your position in the world private by switching off location services on your mobile device. (But remember, you won’t be able to use Google Maps if you do.)
In iOS 7, go to Settings > Privacy > Location Services and swipe the slider to off. In Android, go to App Drawer > Settings > Location > Google Location Settings, tap Location Reporting and Location History, and switch the slider to off for both. There’s a quick guide at http://bit.ly/locationoff

This article is from the February 2015 issue of INTHEBLACK.

