Is it a data leak if you give consent?

Facebook is under scrutiny again, this time for its ethically questionable "research project" that involved releasing a data mining app to consumers that was intended for internal corporate use under Apple's licensing agreement. The company states that it did nothing wrong because all users, including kids as young as 13, signed an agreement that allowed tracking of their online habits to take place, and the users were compensated for the access. The situation resulted in Apple rescinding their Enterprise certificate.

This isn't the first time the company has been taken to task for how they access and distribute user information. Their defense is that it's in an effort to provide their customers with a better, more personalised experience. However, Facebook's millions of account holders aren't really the customers; they're the product.

Although people claim to be concerned about online privacy, too many allow corporations access to their data freely without realizing the implications. Each and every time you electronically sign a user agreement or otherwise authorise access to the information on your phone and online activity, you potentially grant unfettered intrusion into your personal life.

Is it a data leak if companies have permission to access and distribute the information?

Data mining is nothing new. Companies have studied consumer trends since long before the internet was a thing. Big data analysis is how marketers and business owners gain insight into customer behavior so they can retool their advertising and outreach efforts. It's only when it's done on a grand scale or in a seemingly nefarious manner that people protest.

This leads us to two questions: When does a corporation's right to customer information end and your right to privacy begin? Do you absolutely forfeit that right when you click the box on a user agreement?

What is data mining?

Data mining is an automated system of using artificial intelligence (AI) and machine learning to extract and analyse information. It's meant to help everyone from IT teams to researchers gather meaningful data from large or unorganised collections of information and identify useful trends and patterns. Performed correctly, it can enhance security and streamline business functions.

In a perfect world, companies would use data mining responsibly in an effort to become more productive and efficient. Machine learning algorithms are also used to probe for security vulnerabilities and anticipate problems proactively. However, when the motive behind data collection and analysis becomes too focused on profit, the question of ethics and legality arises.

When is a data leak a data leak?

The internet was intended to provide a platform for those who use it to freely distribute and share information. Due to the borderless nature and logistics of electronic mediums and data transfer, lawmakers have been at a loss as to how to handle privacy issues. That leaves it up to companies and service providers to devise a system of notifications and choices before you download a program, open an account, or purchase a product online.

That's how the user agreement came to be, and companies have no incentive to change their practices or policies. It saves time and money when customers willingly offer their identities, whereabouts, habits, and friends. For them, data isn't about privacy, it's about control and who has it. It's a commodity that's for sale to the highest bidder.

You can say that a person can't be exploited if they give consent. That's the type of defense offered up by those who take advantage of someone who's intoxicated. Data leaks or breaches are the accidental release or intentional leaching of information without the knowledge or consent of those who legally own or hold such information. Badly worded or unread user agreements often amount to theft by misinformation.

With the Facebook terms of service (ToS) clocking in at 3,200 words and a privacy policy that's 2,700 words long, who's really reading these agreements - or understanding the legal doublespeak contained therein - before signing up for an account?

Unintended consequences: the ethics of high-tech data collection

If you think about it, user agreements protect companies from legal liability while putting the onus for privacy protection on those whom they're attempting to manipulate. You do their market research for them, and they use what they learn through data mining to try to influence what you buy or even how you vote.

By putting the notion of choice in the account holder's hands, they fool people into thinking they have control over how much they share and with whom. However, when they say they need permission to access your friend list, contacts, or photos, or they claim to need your whereabouts and phone number "for your protection," they're really asking for permission to snoop. Too many people are too anxious to download the next big app or share photos of their lunch to think about the deeper implications.

But, they've informed you and gotten your permission first, so they're covered, legally.

Data Privacy Trends That Will Affect You in the Future

Due to increased scrutiny, and in an effort to tame the monster they created, companies are developing products to boost online privacy and security. For example, Google's cyber security company, Chronicle, offers a cloud-based security capsule called Backstory. They're not the only ones attempting to offer solutions.

A recent poll conducted by the data protection company Commvault discovered that 80% of IT professionals are concerned about their company's compliance with privacy regulations, and nearly 40% feel that more regulations are needed. If you're concerned about data security, there are several data privacy trends you should be aware of:

  • The growth of consumer activism surrounding privacy issues
  • The lack of a unified global approach to privacy regulations
  • The increased concern over the ethics of automated data collection

How You Can Protect Your Information

As someone trying to exist in the information age, you're exposed to threats to your privacy and security every time you give someone your information; you don't even have to go online yourself when your data is stored in an accessible database. The dangers range from hacking to viruses to social engineering. Aside from simply opting out of overly complicated or intentionally confusing ToS and privacy agreements, there are some concrete things that the average person can do to protect themselves and their information.

1. Choose security best practices like creating complex passwords that are different for each account, refuse to provide personal information or access on social media platforms, and use two-factor authentication to access accounts. Password managers offer an additional layer of security protecting devices from keystroke loggers and other malicious malware.

2. Store sensitive information in an encrypted, cloud-based storage facility.

3. Foil snoopers with a virtual private network (VPN) that masks your online activity, location, and identity. This service is quickly gaining acceptance, having gone from almost unheard of a few years ago to use by 26% of those who go online today. Activate your VPN on every device, each time you go online.

Online security is everyone's problem. But, until more is done to provide a viable, uniform solution from the corporate and government side of the equation, it's up to you to safeguard your information.

Copyright © 2019 IDG Communications, Inc.

The 10 most powerful cybersecurity companies