Before I dive in to this final post on Internet security and privacy, I’d like to point you to a U.S. government website I discovered only this week, OnGuard Online, that contains a lot of useful information about Internet safety. If you’re interested, you might investigate and bookmark it for later exploration.

I want to conclude this series by talking a bit about anonymity and something known as “reidentification.”

Promises of anonymity can be misleading and are anything but absolute guarantees. In a 2000 study, Latanya Sweeney determined that a voter list could be correlated with medical records at a rate of 87 percent, using only three pieces of demographic data: sex, ZIP code and birth date. This enabled anyone with some technical skills to link the “anonymized” medical data to a particular name. The term for this linking is reidentification.

The Electronic Privacy Information Center (EPIC) defines reidentification as

…the process by which anonymized personal data is matched with its true owner. In order to protect the privacy interests of consumers, personal identifiers, such as name and social security number, are often removed from databases containing sensitive information. This anonymized, or de-identified, data safeguards the privacy of consumers while still making useful information available to marketers or datamining companies. Recently, however, computer scientists have revealed that this “anonymized” data can easily be re-identified, such that the sensitive information may be linked back to an individual. The re-identification process implicates privacy rights, because organizations will say that privacy obligations do not apply to information that is anonymized, but if the data is in fact personally identifiable, then privacy obligations should apply.

At Tech.Pinions, Steve Wildstrom writes,

For the past several years, a highly technical but very important debate has raged among privacy experts: How easy is it to identify an individual from a collection of data that supposedly lacks personally identifiable information?

…
A centerpiece of the debate is a 1997 incident in which Latanya Sweeney, then an MIT graduate student and now a computer scientist at Harvard, identified the medical records of Massachusetts Governor William Weld from information publicly available in a state insurance database. The incident led to important changes in privacy rules for medical information, especially under the Health Insurance Portability and Accessibility Act (HIPAA), and 15 years later it is still influencing the debate over data privacy.

By default, browser and mobile software don’t protect against the collection of data. Only a small fraction of Internet users install simple but powerful browser add-ons such as DoNotTrackMe or Ghostery to prevent tracking via cookies on personal computers. Even those can’t prevent the many other forms of tracking, and mobile devices don’t allow their installation in any case.

There is no regulatory infrastructure set up to monitor collection, aggregation and trading of consumer information. Privacy laws are no guarantee of anonymity. For example, despite HIPAA, it isn’t too difficult to determine a lot about an individual’s health and medical history just by looking at his or her routine purchases and activities. If the amount is large enough, collected and aggregated non-confidential information can violate privacy every bit as much as disclosure of confidential information does. Resistance to aggregation of our information has been mostly temporary — and mostly focused on a particular instance du jour that makes headlines.

Back in 2007, Facebook launched Beacon, which allowed them to put an invisible “bug” on websites of its more than 40 “partners” (among them Sony Pictures, eBay, Epicurious, the New York Times, and Travelocity) that allowed Facebook to see everything its users did on the partner sites, and associate that activity with their Facebook accounts, whether or not they were logged in. When someone purchased an item from Overstock.com, for example, that purchase would appear on the person’s Facebook wall, and in the News Feed of that person’s friends. Facebook users were opted-in to Beacon without being asked, and had to manually turn it off. After an outcry from Facebook users, Beacon was shut down in October, 2009, and Facebook subsequently settled a class-action lawsuit in 2012 for $9.5M that alleged Beacon breached federal wiretap and video-rental privacy laws.

But Facebook didn’t abandon Beacon’s goals. Using “like” buttons, requirements for registration to comment at online publications with your Facebook ID, and installing third-party cookies, Facebook still can monitor lots of your online activities that Beacon was supposed to capture. And we consumers still mostly aren’t aware of this monitoring.

Data collection without consumer notification now is the norm in Internet commerce. Facebook also has drastically weakened its privacy policies several times, each time making more user information less private — by default. The Electronic Frontier Foundation published a timeline (unfortunately, current only as of 2010) of Facebook’s Eroding Privacy Policy. And as of January 2013, Facebook is at it again, launching Graph Search to allow users to search and filter through friends, friends of friends, and even total strangers’ activities, likes, and interests.

On Facebook, things are more available by default than people may think. But even beyond specifically public settings, actions and photos that were once lost in the “sands of Timeline” are now more easily discoverable by strangers with loose ties, forcing us to reassess what we actually think is private and what is not.

There are many more examples, but I think you have the idea, so I won’t belabor it. Reidentification and collection of our personal information happens every time we go online. I urge you to be careful online, to install tracking blockers, and to adjust your Facebook privacy settings and then review them often. A good guide is here. Websites like the Electronic Frontier Foundation provide a wealth of information on staying safe online.

As always, please feel free to discuss this, or any other topic, in the comments. It’s Friday Free for All!

Read the rest of this entry →

How many of you use the same logon ID and password for more than one online account? Do you working folks have your password written on a sticky note inside your desk drawer or taped to your monitor? Who uses a password that’s a word in the dictionary, your birthday month, a favorite sports team, a spouse’s or child’s name, your street name, your family pet? If you’ve switched email providers (for example, from Hotmail to Gmail), did you simply abandon your old account without deleting it? And don’t even get me started on what people do on Facebook!

I do so much electronically that last winter when I lost connectivity for a few days, I was nearly frantic thinking of what I couldn’t get at. I do all of my banking online, receive and pay all of my bills, prepare and file my income tax returns, keep my appointment calendar, make many purchases on Amazon or eBay, pay for them with PayPal, and communicate with friends and family via email or Facebook. I wouldn’t have it any other way now, but it requires a higher level of cyber-awareness and personal protection.

Although my career was in information technology, I confess I was, until recently, guilty of some of the things I asked about in the intro. A couple of hacking incidents last summer, affecting Wired’s Mat Honan and The Atlantic’s James Fallows, with devastating results that received a fair amount of publicity, made me wake up to how exposed I was. I promptly took precautions to make my online activities much more safe. It is impossible to be totally safe online, but we can make it considerably more difficult for someone to gain access to our personal information, just by investing a bit of time and effort. Here are some Web sites with good information (and I hope your eyes don’t glaze over with too much geekspeak).

Protect Your Privacy Online has definitions of common cyber security terms, and lists several suggestions for protecting yourself (and your children) from online predators.

Follow some simple guidelines for creating and managing your passwords. We have finite brain cells to keep track of multiple logon IDs and passwords, so consider using a password manager like LastPass (free and very secure) to generate complex passwords and keep track of them for you. And then protect your LastPass “vault” with a complex password/passphrase. I’ve used a memorable (to me) four-word phrase, substituted numbers and symbols for many letters and used a combination of lower and upper case to “spell out” the phrase. It’s probably not hack-proof, but it’s pretty darned secure.

Two-factor authentication provides an extra level of security, because it requires two different means of identifying you before permitting access to your accounts. It uses both something you know, like a password or PIN, combined with something you possess, like your cell phone. After you enter your password, you’ll receive a code on your phone via text message, and only after you enter the code will you get into your account. You can now use two-factor authentication to protect your password manager software, your Facebook and Google/Gmail accounts, and several other places you’re vulnerable.

If you use Facebook, “like” Facecrooks and you’ll be kept current on Facebook scams, privacy concerns, etc. One of their best posts recently is How to Lock Down Your Facebook Account for Maximum Privacy and Security. Since Facebook seems to tweak things regularly that affect your privacy, it’s a good idea to check your settings frequently. And if your offspring are teens who use Facebook, make sure they have their accounts protected, and do insist that they give you full privileges to see what they’re posting! I discovered that my college-freshman grandson had a very naive understanding of what can happen to his Facebook posts! (“But Grandma, only my FRIENDS could see that!”)

Get Safe Online has a wealth of information (do hover your cursor over the topics across the top of the page).

Hopefully if you’ve followed even a few of the links, you’re prepared to tackle making your cyber life more secure. And feel free to ask questions or share experiences in the comments. This is, after all, Friday Free for All!

Photo: Wikimedia Commons Creative Commons Attribution 2.0 Generic license. Author: olga.palma

Photo by Rich Kaszeta under Creative Commons license.

Good Friday morning, Firepups. Fridays will be a grab bag of what I’ve been reading, what I’ve been mulling over, an occasional rant, current events, and a standing invitation to put in your two cents. As our Suzanne likes to say at Late Late Night, “Off topic IS the topic” — so come join in.

Here’s what’s on my mind this morning:

A choice that men will never have to make.

Matt Taibbi — always worth reading!

Helen visits the zoo at Fox News and tells Margaret all about it. The animals are in cages and not so scary.

Apparently Facebook wants to organise our relationships. What could possibly go wrong?

My local classical station starts playing Christmas music at Thanksgiving and then plays it exclusively starting about two weeks before the holiday. I’ve written them to suggest that many in their listening audience don’t celebrate Christmas (Muslims, Jews, etc.) and might like some variety, but I got a polite lame response and they continue. They still play Christmas music after Christmas until at least New Years. And Kohl’s started playing Christmas music in their stores on November 1st. I am sick of it already!! (I told you there might be a rant!)

Nordstrom has the right idea! They post this sign in their store windows at this time of year.

My recollection is that they curtain their store windows and “unveil” them that Friday morning. As you might expect, they’re usually lovely.

I’m having a toasted Asiago cheese bagel with a generous schmear. What’s your pleasure this morning?