Know before agreeing to a privacy policy

Tony Anscombe, Chief Security Evangelist at ESET, explains how the trade-off between using a free service and giving up our personal data becomes much less palatable when we think about the wider ramifications of the collection and use of that data

The doorbell rings, you answer, and a representative of a large company is on the doorstep offering to allow you to use their free service, something you know would be useful and convenient. All the rep asks you to do is tick a box on a piece of paper and the service is yours to use. They hand you 15 pages of ‘Terms and Conditions’ that all look legal and complex, and before you know it the rep is on their merry way.

The next day, an engineer turns up to install devices that monitor your internet activity and what TV programs, movies, radio and music you consume, keep track of the temperature you like in your home and when you turn off the lights, log who you are calling and connecting with, track what products you purchase and how frequently, monitor where you travel in the car, and even open your mail and scan the content before you have the opportunity to read it yourself. Your partner is freaking out at the surveillance being installed in your home and questions if this invasion for access to a free service is worth it.

If you get the sales rep on the doorstep tomorrow, would you tick the box, or ‘opt in’ as it’s commonly referred to?

This week is Data Privacy Week, an international initiative that aims to empower individuals to reflect on who is collecting their data, why and what it might be used for, and hopefully take some action to limit any overexposure.

Read (between the lines)
When was the last time you read a privacy policy or reviewed the permissions when installing an app or creating an account to access an internet-based service? And will Data Privacy Week be a driver for you to do so?

If you are reading this blog, then maybe you are engaged in protecting your personal data. But you have probably, like me, felt like you are banging your head on the proverbial brick wall when trying to get the people around you to engage in protecting the privacy of their personal data, or to even appreciate that there is an issue that they could do something about.

Perhaps the driver is that people trade their privacy to remain connected with family and friends. No one wants to feel disconnected; therefore, engaging in social media may be seen as essential for social interaction. The trade-off, as we know from the many whistleblowers and investigations, is profiling, mining and in many instances the selling of our personal data or our general behavior online in order to provide companies and organizations with the opportunity to influence our future actions or thoughts.

What potentially causes the lack of engagement, though, is the complexity and length of privacy policies. In many instances, reading a policy could take 20-plus minutes, and even then you might need to be an expert or a lawyer to understand the language and meaning of what you have read. Even if you are in the potentially small minority of people who do read a privacy policy, does it tell you the meaning of the data being collected, as opposed to a list of what data is being collected?

When studying programming at college, one of my lecturers used a rather inappropriate example to drive home the point that data as a list can be meaningless until it is put in the correct order. He wrote three numbers on the board, sorted lowest to highest, and asked the class what the numbers relate to. The class struggled with any meaningful explanation. Only when he reordered the numbers did it become clear that they related to a person’s dimensions. The exercise, while inappropriate, made the point.

Every little bit of data counts
Each individual piece of personal data collected may appear as an acceptable trade-off to access a service or use a product. What could change an opinion, however, is understanding what information is being collected when viewed holistically.

Imagine if a privacy policy stated the actual use of the personal data collected – that the data will be used to identify whether you are in a segment of society whose political view can be manipulated, resulting in you changing your voting position, or that your online actions give indicators that you may be easily manipulated into taking further risk when investing, which could result in financial loss (or gain).

The comment often heard while banging the head on the privacy wall is, ‘they already know everything about me, so why should I care?’. It’s not necessarily what they know – it may be more about understanding what can be deduced, predicted or how it can be used to manipulate your actions or thoughts. If individuals who agree to the collection of their data by a company could listen to the internal meetings of the data analytics team on how they can use the data to generate revenue and what they know holistically about the data subject, then it would be shocking.

We give up more data than we realize and are often put in the position of deciding that the collection of a single piece of data is probably okay. We do this potentially without considering the ramifications of what the overall collection of all data we agree to ultimately means – and how the information may be used.

During this Data Privacy Week, when you hand over a small snippet of personal data to a company, take a moment to consider the context of what else they may know and whether this small snippet is the bit that joins everything together and creates a full profile of you that could be used in a way you would not necessarily find acceptable or that might not be in your best interests.
