RSAC | October 9, 2024 | By: Bob Ackerman

Let’s get right to the point regarding privacy and its cousin, data protection. It’s a prickly topic, one underpinned by huge problems for decades. And while a few positive developments have eased the pain relatively recently, privacy remains mired in a troublesome quagmire.

Unlike the European Union, which implemented the General Data Protection Regulation (GDPR) (GDPR) years ago, the US still tries to make do without a comprehensive Internet privacy law. This is unfortunate because privacy breaches on the Internet pose real dangers. Your medical conditions could be shared without your consent, for instance, or your banking data could be made available to third parties. At the least, you might have your emails hacked, a ubiquitous headache.

Disconcerting as it may be, every computer click or keystroke leaves a digital trail. Even government data collection has managed to fall into the hands of hackers, according to a 2023 Pew Research Center survey.

Among a number of other things, Pew has found that 71% percent of Internet users  are now worried about government use of their data, up from 64% in 2019.  A majority of those surveyed, 67%, say they understand little to nothing about what companies are doing with their personal data, up from 59%. And 77% of the Pew survey participants said they had little or no trust in leaders of social media companies to publicly admit mistakes and take responsibility for data misuse.

Meanwhile, most folks don’t even want to know how much worse the situation may get as the explosion in artificial intelligence continues unabated.  I think we’re just starting to see the AI abuses,” Bruce Schneier, a computer security pro and fellow at the Klein Center for Internet & Society at Harvard University recently told the media.  

In fairness, there are practices in place that try to improve privacy, but by and large they have been minimally effective. A case in point is “reading” often ignored privacy policies on many websites. Some folks read them, but typically not in their entirety, Pew found.

Far more common than privacy policies are notices that ubiquitously pop up on websites that use cookies and ask users to “accept” or “manage” them, based on their preferences. Cookie choices were designed to give people more control over their personal data.  In practice, however, they have typically become unwieldly and annoying.  According to Carnegie Mellon University’s CyLab Security and Privacy Institute, few people bother to click on cookie links.

Some forward-thinking companies have begun making inroads in strengthening online privacy. Apple, for example, has introduced a pop-up window on iPhones that asks users for their permission to be tracked by different apps. Users have the option to either “Allow” tracking or “Ask App Not to Track,” giving users more control over their personal data.

Facebook also is working to enhance privacy by working on a new method of showing ads without relying on personal data. Its pending project involves developing a system that would allow advertisers to target users solely based on their contextual interests and behaviors. Identities per se are hidden.

Conversely, Google initially announced its intention to phase out third-party cookies, a common method used for tracking user behavior across different websites. But negative responses from advertisers pressured Google. Instead, Google introduced Tracking Protection, which restricts the ability of websites to track users across different sites but doesn't entirely eliminate the use of third-party cookies.

Relatively recently, federal government authorities leveled a $25 million civil penalty against Amazon and pressured it to adopt a permanent injunction to settle alleged children’s privacy violations related to its Alexa voice assistant. Amazon had retained children’s voice recordings indefinitely.

As these and other privacy developments come to the forefront, for better or worse, here are some ways that employees and other individuals can independently improve their security posture.

+ Secure Your Web Browser: For starters, use a virtual private network (VPN). This encrypts your Internet activity and masks your IP address. Also enable “Do Not Track” if available, which sends a request to the sites you visit to not track you. And consider using private browsing, which hides your searches and other browsing activity when others use your computer.

+ Keep Your Software Up-to-Date: This means you don’t miss security fixes. Software vulnerabilities open the door to hackers. If you find it a hassle to apply updates manually, use tools to automate your software updates.

+ Delete Cookies Regularly: This materially prevents websites, advertisers, and other third parties from tracking you online. Configure your browser to automatically delete cookies at the end of the browsing session.  

+ Defuse Threats when Backing up to the Cloud: The cloud is packed with its own privacy issues. Use encryption to secure your Internet connection and defuse this threat.

Remember that the privacy landscape isn’t altogether bad. As previously mentioned, some companies, researchers and privacy experts are working on technology to make it easier for people to signal how they want to be tracked online.  If you’re an employee, as most RSAC folks are, ask the right person in the company to consider doing the same thing.

See article here.