Data Privacy Day (DPD) is January 28. Sounds exciting, right? I’m sure you’ve got the piñata stuffed and the presents on the way.
What is DPD about?
It’s all about me!
We generally don’t like to use this phrase. It’s considered selfish and arrogant, leading others to dislike us. But in the case of data privacy, it’s acceptable. Personally, I’m not very interested in being compared to what statistics might say about what data is collected from others. I’m personally invested in keeping certain details about me private, and I want to know which aspects of my data are being collected by whom and for what reason.
We all differ in what we want to keep private. Some people are happy to talk out loud in detail about their latest surgery, while some are like an infosec professional I know who uses an avatar photo and pseudonym for all online interactions and also has a PO Box for any shipments. This person is serious about not letting anyone know their identity. The important effort is protecting the personal information that you want to be protected.
How do we check our Privacy Settings?
Anyone who has worked with music in a Digital Audio Workstation (DAW) is familiar with using tools such as quantize and latency. The DAW that one uses determines where the settings get changed, but the settings are there. Of course, this goes for any software. File → Open… may be in the upper left or on a sidebar. Alternatively, you may even need to use a keyboard shortcut.
On a similar note, each device has privacy settings that determine what cookies are enabled, if location data is shared, etc. They’re all there, but the device determines where the settings get changed. Just like any software menus, one has to learn where those settings are. The more devices, the more there is to learn. But you’re reading this because you’re interested in knowing more and more, right?
You might wonder, “That sounds like loads of fun, but why is my data privacy important? Why go through so much trouble to keep my type of device secret?”
On the surface, the process of installing an app is both simple and straightforward: pick the app and choose “Install.” Invisible to you and me, almost every app (and website) is programmed to automatically collect your device type, IP address, location, date and time, OS version and internet provider, among other details. In and of itself, this collection of data is not really a big concern; there’s nothing in there that tells the company, “This device belongs to Ross Moore, and he lives at 12345 Anywhere Street.” There’s nothing personal in what they’ve collected so far.
Or is there?
Businesses have a vested interest in your data. Giving the benefit of the doubt, companies use this collected non-personal data to give you better products and services. All of that data lets them figure out details such as the most popular devices used, what pages in the app are most visited, what times of day the app is most heavily in use and from what locales the app is most and least accessed.
But not all companies are upfront about what they collect, not all companies secure the data properly and not all companies use the data as it should be used. Also, you may not want certain things, including non-personal details, known about you. (You have rights.) Crime happens, as well (e.g., data gets stolen), so you might not want your private data seen by criminals; there’s comfort knowing that private information is not there in case of theft.
I believe that the privacy issue isn’t so much that private information is shared. Anyone who has read the Privacy Policies of their favorite apps realizes that a lot of data is collected. The issue arises when private data is shared in a way with which we disagree. This disagreement could be a result of reasons such as not trusting one of the companies involved in the data sharing process, a general wish to remain anonymous or wanting to remain invisible to an ex.
I don’t wish to promote FUD (Fear, Uncertainty, Doubt), so this is not about trying to scare people into leaving their apps or being anxious about the collection. Rather, I’d like readers to be aware of what personal information apps are taking in and what those companies are doing with the data.
Putting it into perspective
Companies are generally upfront about what data they collect. When we click “I Agree” to the EULA (“End User License Agreement” – I know…we all read EVERY word of each 50-page agreement), we have agreed to their collection. Did you read what they collect? Your personal risk-o-meter doesn’t care if that calculator app gets your IP address – simple app, simple function, no login, etc. required. But you might be concerned if that social media app is reading all of your posts and messages and sending that info to another company for analysis.
We each have our own level of risk that we accept; that’s certainly an individual decision. A main factor that improves that decision-making process is knowing what is being collected. With that knowledge, each of us can make the best decision for each service.
Your part to play in protecting your personal data online – and that of your family – is about being aware of the importance of your privacy and the details of how to protect it. And that’s what Data Privacy Day is all about: experts, professionals and enthusiasts helping others out with the who, what, where, when, why and how of data privacy.
Here are some actions you can take to protect your data to help ensure privacy:
- Enable 2FA wherever you can. If someone tries to log into one of your 2FA-enabled accounts, then you’ll know about it, thus giving you time to change your password. 2FA prevents about 90% of attempted account takeovers.
- Perform a Health Checkup. Go through your apps now and then to make sure your Privacy Settings are in good shape according to your definition of privacy fitness. Sometimes after an app or device updates, some settings are set to Default, so it’s prudent to review your settings.
- Keep your device locked and in view. It only takes about five seconds for someone to swipe a phone, so if it’s locked with a good PIN or biometrics, they have your device but not your data.
- Make a contact list. Just in case you encounter some kind of data theft, have a list of contact information handy. Local police, local FBI office, credit card companies and the like are good contacts to start your list.
About the Author: Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20-year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)²’s SSCP and CompTIA’s Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.