Since the industrial revolution, humans have imagined fantastical future worlds enabled by powerful technologies. But these utopian visions have also sparked doubt in the more cautious among us, who ask, “At what cost do we achieve these brave new worlds that are supposedly free from toil?” Recently, it appears that losing our personal privacy may be the price we pay. Although many see this as a negligible loss given the benefits of technical progress, it may prove a Faustian bargain to give up an intangible, yet invaluable, personal attribute like privacy.
Data breaches expose privacy risks
“The privacy threat is related to the data flows. These new technologies create mountains of data about an individual’s usage patterns, transactions, and daily habits,” says Steve Wilson, a VP and Principal Analyst at Constellation Research who focuses on digital identity and privacy.
Breaches are a clear and constant danger as cybercriminals become more sophisticated and companies stumble in their efforts to keep their data secure. The hackers who breached Equifax got everything necessary to open new loans or access existing accounts for more than half of all adult Americans. Data stolen from the Office of Personnel Management’s background checks included fingerprints, psychological evaluations, and health histories of current, past, and prospective federal employees and contractors, and the people who live with them. Yahoo has also suffered from repeated security breaches, but minimized the damage through appropriate data collection—most records included only the username, email, and perhaps a hashed password—data that Yahoo needed to provide its service.
“In the wake of Equifax and Office of Personnel Management breaches, the big question is, why are businesses holding so much excessive data? Think about the risks and liabilities, think about whether a regular business is up to the task of resisting organized criminal attacks on their databases,” says Wilson.
Microchipped for potato chips – data privacy at work
The Wisconsin-based company Three Market Square recently developed a subdermal employee microchip enabled for radio frequency identification (RFID) to replace its company key card, which is used to unlock doors in secure areas of the building, log in to computers, and purchase snacks at office vending machines. Current technology can only collect limited data directly related to the functions of the chip, but the future possibility of tracking employees’ after-hours locations and activities has some people so alarmed that legislation has already been proposed to protect workers from having to submit to microchipping.
“Be wary of things like biometrics and microchipping. Once you agree to these things, they’re really hard to withdraw from. And, specifically, do not let an employer chip you. There are too many unknowns. It’s unlikely that the company has thought things through, or has complete control over how the tech providers are using the data,” warns Wilson.
Electronic tolling – data privacy in your car
Thirty-four states in the United States have toll roads, and at least 23 of them use some type of electronic tolling. Instead of toll booths, gantries above the roadway automatically detect transponders that are attached to the cars, and deduct the tolls from the drivers’ accounts. Cameras also photograph the license plates, so that the tolling agencies can mail bills to drivers who don’t have accounts.
Governments love electronic tolling for the cost savings—it eliminates hundreds of full-time jobs and saves millions in infrastructure costs for toll plazas, bathrooms, and break rooms. Eliminating toll plazas also improves safety by reducing both crashes and gridlock, which in turn lowers fuel use and greenhouse gas emissions. But what happens to the data gathered by these systems?
“I am aware that the tradeoffs can be fair and mutually beneficial. It’s largely about transparency: it’s OK to trade our data for services and benefits if, and only if, the bargain is transparent and negotiable,” says Wilson. Too often, excitement over the benefits of a new technological application causes people to rush in before defining the deal. Massachusetts was still working on regulations for the deletion of driver data and appropriate use of a “hotlist” of suspect vehicles only weeks before implementing its new electronic tolling system in 2016. In fact, Massachusetts still has no training documents or written procedures on the use of the hotlist, and a consultant was discovered accessing unauthorized data. In New Jersey, where the law requires a subpoena in order to release personal toll data, the governor and port authority officials have used supposedly secure personal travel data to attack political opponents.
TSA Precheck and Global Entry – data privacy while you travel
If you’ve ever worried about missing a flight while shuffling in your socks along a tortuous route toward body scanners and surly TSA agents, you may have considered buying into the TSA Precheck and Global Entry programs. While there are some differences between Precheck and Global Entry, the two programs operate on the same principle. In both cases, travelers pay a fee, submit to a background check and in-person interview, and verify their identity with biometric data (fingerprints or iris scans) in exchange for expedited screening while traveling. The benefits of such a convenience are obvious, the drawbacks less so.
A frequent fatalistic response to the question of convenience over privacy is “privacy is going away anyway, I might as well get the convenience.” In the case of air travel, this argument is somewhat sound, given that all air travelers will soon be required to give up biometric data, even if they stand in line.
However, the convenience is not risk free. The Office of Personnel Management breach is proof that data provided to the government is not safe from hackers; but, according to the Electronic Privacy Information Center, hackers are not the only risk. Precheck/Global Entry applicants’ personal data is stored in the Global Enrollment System (GES). GES is exempted from important elements of the Privacy Act of 1974, such as the requirements that individuals be able to access, correct, and amend their personal information, and that the agency ensure that volunteered information will not be used for purposes unrelated to the original security purpose. In fact, almost any United States or foreign government agency can request GES records.
The Internet of Things – data privacy in a connected home
The Internet of Things (IoT) refers to the network of devices and sensors that exchange data with each other through the internet. It’s not much of an overstatement to say that IoT spells the end of privacy as we know it. Once limited to desktop computers, the internet is now connected to consumer digital devices like Amazon’s Echo, fitness trackers, televisions, refrigerators, and even pet collars. In many cases, digital connectivity can improve the efficiency and convenience of products and services. But in all cases, data is getting collected.
“The IoT is seeing everything in the world get instrumented, with promiscuous technology that tends to overshare, because business stands to gain from all the metadata about people’s habits,” says Wilson.
In a cogent analysis of the IoT in the Guardian, Adam Greenfield points out the ways that IoT products allow brands to “develop behavioural [sic] models that map our desires in high resolution, so as to target them with even greater efficiency in the future.” Inherent in this trade-off between data and convenience is a transfer of power—users are allowing an algorithm to influence or even make their consumer choices for them.
While some consumers are comfortable letting Amazon know the intimate details of their daily habits, in exchange for seeing some targeted ads, a Pew report highlights the security issues that come with IoT devices. Not only is our personal data subject to identity theft and extortion by hackers, but the devices themselves can be turned into “weapons of mass disruption.” For example, in October 2016, 100,000 compromised internet-connected devices formed a bot-army that attacked Dyn (a DNS provider that acts like a switchboard for the internet) and bogged down the entire internet for a day.
Another threat involves third parties hijacking devices equipped with microphones or cameras to collect additional information beyond that collected during normal device operations. And this threat extends beyond cybercrime; for example, the United States government can do this kind of data collection without a warrant.
Questions to protect your privacy
Is the IoT still in its infancy, or have we reached peak connectivity? Will privacy disappear from human existence, or will people start to reject connected devices as the risks become more apparent? Early evidence indicates a bit of both is likely. Few people will give up their smartphones—the greatest conveyer of personal data—but will most likely welcome clear federal guidelines protecting their digital privacy.
In the meantime, it’s “buyer beware.” Reading the user agreements for every app and product is a good idea, but unrealistic for most people. Wilson suggests that people at least ask a few questions before hitting the “purchase” button:
- What personal data is collected?
- Why is it being collected?
- Who gets to see and use that data?
- Are there any limits to what the company can do with the data it collects?