07 Mar Common Sense Privacy
Here I am, writing down my personal information for an online service that I heard about from a friend. I’ve gotten familiar with the brand new online service (year 2000) and the products they sell, and as it happens, I do need to buy something they have a great offer on. My common sense privacy sense tells me that it should be fairly ok to hand over my personal information to an online shop selling child care products, as I’ve just become a father of twin girls and I need a special trolley to transport them around the city while trying to get them to sleep in sync. – 17 years ago, using one of the first online shops for baby products in Finland.
My question is – how sharp are your common sense privacy antennas?
Not all data attributes are created equal
In the digital world we are made up of attributes of various kinds. We have mundane attributes and private attributes. It’s also about our personal perception of which attributes we count as private. But it’s the external perception we are most concerned about: how will others see me if they know this private thing about me? The scale of our identity information and its privacy needs is individual, and the range can be quite expansive. From the mundane to the most private, we evaluate our privacy needs from a personal perspective, so sometimes it’s good to stop and think about common sense privacy.
Even non-sensitive personal data can become highly toxic by association. If the online resource you’re signing up to use is related to something that you consider very private or personal in nature, the mere association of your name with the online service can create a combination that becomes very embarrassing for you. You should already know where I’m heading with this. The Ashley Madison breach is a perfect example of how simple, trivial personal data can become toxic. The problem with this particular breach was not the registered users and the data breach as such; it was the credit card data, because you could have registered with the service as Donald Duck Grey, but if you wanted to use any of the paid services, your true identity was recorded, and eventually it was exposed.
Every digital service can be breached. Every. One. If there’s a determined party with sufficient resources, a service will be breached. But the low-hanging fruit theory works here: services that are negligent about their security draw the bad guys more easily. If you’re worried about problems arising from association with a particular service, here’s the first rule:
- Do not ever use your real identity attributes.
- If you absolutely have to use your real identity attributes, look for information about the service’s information security management. If they e.g. say that they are ISO 27001 certified, it means that they are paying attention to protecting your data.
- The one remedy for e.g. credit card payments is tokenization. If the site supports this kind of functionality, it means that your real-life identity and its association with the site should be safe(r).
- But, if in doubt – just don’t.
The second rule of common privacy sense is, yes, to google. If you are about to tell some obscure service something about yourself, try to discover through a simple Google search whether you can dig up any dirt on the service. If you do, that should be a warning sign. However, the ultra-competitive online world has plenty of examples where rival companies have polluted each other’s search results and reputation. So keep a cool head and dig a little deeper if you need to. But remember that the orange flag is up.
Thanks to browser developers and certificate authorities working together, the identity of an online site can be verified, to a certain degree. If you look closely at the upper left corner of this blog entry, you’ll see the green lock symbol and the company name, and that the URL (web site address) starts with https. It usually means that the site owner, the company operating the site, really exists.
But… there’s a but here. Just recently, at least in human time perception, one of the largest certificate authorities (a certificate is a kind of digital identity document for the online service, issued by a third party, the certificate authority) was found to be quite relaxed in its procedures when issuing these digital identity documents to online services [http://www.zdnet.com/article/google-reveals-plan-to-distrust-symantec-certificates-in-2018/]. What this means is that the certificates issued by this third party cannot be trusted. For the average user, relying on common sense privacy instincts, it is too much to ask them to investigate the digital identity document themselves. The good thing is that the browser developers will take care of this and will stop you from going to sites that present a shady digital identity document. If your browser does halt you when you’re trying to access an online resource, the common sense thing to do is to move away.
The secondary purpose (or primary, depending on your perspective) of the S in https is to encrypt the data you are exchanging with the online service. That’s a good thing. It keeps your data secure while it’s travelling through the Internet.
What comes after the https?
A very common practice for stealing personal data and other secret information is to lure the user into clicking a link that very closely resembles the site they want to go to. Common sense privacy rule number 3 is to check that the whole site name after the https actually is correct. This should become a reflex, not just when submitting your personal data to an online site but each and every time you follow a link. Receiving an e-mail from a friend with a link “https://iwilltell.allyoursecrets.totheworld.com” should raise some flags (you can choose the colour).
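To make rule number 3 concrete, here is an added example (not code from the original post) that breaks a link down the way a careful reader of the address bar would: the scheme, the full host, and the registrable domain at the end of the host name, which is the part that actually decides who you are talking to. The expected domain, the sample links and the hypothetical host `evil.example` are constructed for the demonstration; the two-label rule for the registrable domain is a simplification.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the host name.
    Real code should consult the public suffix list, since e.g. 'co.uk'
    takes three labels; two labels are enough to show the idea here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(url: str, expected_domain: str) -> dict:
    """Return what the address bar really says and why (if) it looks wrong.

    expected_domain is the registrable domain you believe you are visiting.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username or parts.password:
        # Everything before '@' is ignored by the browser; only the host counts.
        reasons.append("text before '@' is not the host name")
    if not host.isascii():
        # Look-alike characters from other alphabets render like the real thing.
        reasons.append("non-ASCII characters in host name")
    domain = registrable_domain(host)
    if domain != expected_domain.lower():
        reasons.append(f"registrable domain is {domain!r}, not {expected_domain!r}")
    return {"scheme": parts.scheme, "host": host,
            "domain": domain, "ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links; 'totheworld.com' is taken from the post's example.
    for link in ("https://iwilltell.allyoursecrets.totheworld.com",
                 "https://shop.totheworld.com/offer",
                 "http://totheworld.com",
                 "https://totheworld.com@evil.example/"):
        print(link, "->", inspect_link(link, "totheworld.com"))
```

The first sample link looks like it belongs to "allyoursecrets", but the registrable domain at the end is `totheworld.com`, which is exactly why the post says to read the whole name.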
GDPR to the rescue?
EU citizens are becoming more and more aware of their privacy rights. In the near future they will be exercising those rights. But will that be the thing that saves you from all the trouble if the brown substance hits the air impeller? It will not. Common sense privacy rule number 4 is not to trust blindly in rules and regulations that are created to push online services towards privacy by design. I would argue that come May 25th, when the General Data Protection Regulation will be enforced, we will be as safe and secure as today. So, obey and observe the first three rules.
Common Sense Privacy Rules
- If you don’t want your personal data associated with an online service, use nonsense data and tokenized payment. Or don’t use the service at all. Find a secure alternative if you must.
- Investigate before submitting.
- Read what it says on the browser address bar – carefully.
- Laws and regulations won’t save you.
With these simple rules you should be safer. Not 100% safe, safer. And here’s the prime directive for common sense privacy overriding all the rules:
- If there is something that you need to keep private for all eternity – Do. Not. Submit. It. In any shape or format – anywhere. Except maybe to your loved one(s). Verbally. Whispering. When they sleep. Or are on another continent. It’s really up to you. Use your common sense.
For organisations looking to build privacy-by-design online services, a key technology should be Customer Identity and Access Management (CIAM). It gives your customers a single point of access to their own data, transparency and proper consent management, and it will increase trust, not to mention compliance with the GDPR. CIAM will also allow you to put proper security controls in place and provide convenience through Single Sign-On, and so, so much more. It will move your service from the lower branches of the fruit tree to the top. Contact us now to hear more.