Authored by Tony Anscombe, Chief Security Evangelist at ESET
“The lampposts are listening to me; I am sure that the adverts I see online are from a conversation I had walking down the street”. Yes, someone I know claims this is happening to them.
If you are in some way related to the cybersecurity and/or privacy industries, then you will have heard similar claims, and when you try to explain how companies may have collected the data being used for advertising, it’s dismissed as it requires people to understand they most likely willingly, but maybe unknowingly, allowed their data to be collected and used.
The process is often invisible, with data covertly collected from the actions that we take and the snippets of information that we openly disclose. Companies then use technology to make “intelligent” deductions about our preferences.
Use a GPS map app to find a restaurant that specializes in a certain cuisine and the search provider can ascertain that you eat out, what day of the week you eat out, possibly how frequently, how far you are prepared to travel, possible food preference, the time of day you eat, etc. In this case the snippet of data was just the name of the restaurant, yet the resulting information that can be deduced from the action can be significant.
Go back to my friend who thinks lampposts are listening to them, a walk down the street discussing whether to go out for an Indian or a Chinese tonight, later in the day they jump in the car and use their phone to navigate to the restaurant. When they see an advert next week for restaurants similar to their choice, was it the lamppost or from data they freely handed over?
Understanding how data is collected and the conclusions that can be drawn is complicated, and likely a topic that is interesting when someone explains it but probably too complex for any actions to avoid collection. I would hazard a guess that even those in the know, so to speak, likely give away more information than they realise.
Educating consumers on the value and importance of their personal data is the very reason that back in January 2008, the US and Canada created Data Privacy Day. It’s an extension of the Data Protection Day marked by European countries since 2006. The day itself, January 28th, commemorates the 1981 signing of Convention 108, an international treaty dealing with privacy and data protection.
In the US, the day has evolved into a week, giving greater opportunity for events and engagement. Since its inaugural event, the world of data and privacy has changed significantly. The value of data is now recognised by companies and governments, thus leading to the significant capturing of personal data. This has driven the need for legislation , such as the General Data Protection Regulation (GDPR) in the EU and the California Privacy Rights Act (CPRA), providing some protection to individuals wishing to control the use of their personal information.
Awareness-driving activities such as Data Privacy Week are important, as they drive conversations between individuals, businesses and governments. However, is the appreciation of data and privacy more important than to leave it to chance that you might engage with the topic during an annual event?
In my opinion, the answer is “Yes, the concepts of what personal data is, the value it holds, the risk of it being abused, or even just used”, should be a topic that everyone is taught during the course of their standard education, and start before they operate their first “smart” device. This needs to include an understanding of the rights that privacy legislation affords the individual, the right of deletion, modification, to request that data, and so on.
Own your privacy
Without understanding the importance of the personal information being collected and the value it holds, or the rights of the individual to manage their data, people are likely to go about their daily business blaming the lampposts for the adverts they see next week.