Looking up the definition of “privacy”, we find in the Oxford dictionary: “The state or condition of being free from being observed or disturbed by other people” as well as “The state of being free from public attention.” In the digital world, privacy is a crucial part of information security. Privacy is often used in the context of Internet privacy, but it is relevant to almost all digital information–from text messages to credit card transactions to smart utility meters giving consumers feedback on their gas and water usage. Privacy refers to keeping information safe and protected from unauthorized access in order to protect the information itself or, in some cases, related information.
Confidentiality and anonymity are related to privacy and are also crucial aspects in information security. Confidentiality ensures that personal information is available only to those with authorized access and consent. Users of digital resources, such as the Internet, are often asked to disclose personal information and will often do so knowingly for the purpose of increased convenience. Webster defines anonymity as “the state of being unknown to most people.” In a bathroom, we want privacy, not anonymity. A whistle blower reporting abuse of power, on the other hand, wants anonymity: one wants people to know the information without the source being known.
One aspect of controlling your privacy is to be aware of how information is used and who has access to it. This is not always straightforward. The vast collections of anonymous data and the ability to mine, fuse, and reconstruct information from data has shown that publicly available anonymous data can be used to reconstruct private information and violate expected confidentiality. Here are some examples of how information can be used.
Many apps on cell phones use a user’s location–e.g. for finding directions to places, finding restaurants or gas stations nearby, etc. Sometimes one wants location information to be kept private. For example, location information could be used to find out someone’s place of work or residence, which could be sensitive information. Furthermore, it could reveal that someone visited a sensitive location, such as an Alcoholics Anonymous meeting or a specialized medical facility.
Latanya Sweeney, a computer scientist at Harvard University, is a pioneer in privacy-invasive research. She showed that 87% of the U.S. Population are uniquely identified by date of birth, gender, and ZIP code. Her work influenced the approach taken in the design of the HIPAA Privacy Rule. More recently, Yves-Alexandre de Montjoye showed that using data mining and privacy research, 95% of individuals from a 1.5 million sample space could be re-identified based on only 4 points in a mobility database. The points included approximate places the person visited and approximate times of the visits. See http://www.demontjoye.com/projects.html for more information on this study and related ones. This research shows that we all need to be aware that being anonymous does not mean someone can’t figure out who you are.
One area of information that requires privacy consideration is financial transactions. Clearly, certain financial information needs to be kept private in order to avoid theft of resources or identity–e.g. credit card number, bank account number, etc. Additionally, people have other reasons for wanting to keep their financial transactions private. One obvious example is criminal behavior, but people typically want legal transactions to be kept private. In a digital world, financial transactions can easily be tracked, revealing location-related habits. In addition, people typically don’t want their financial status (e.g. the amount in one’s bank account) or financial habits (i.e. what they buy and how often) to be public information.
Most financial resources, including checks, credit cards, and debit cards, leave a trail. Only cash seems to make tracing financial transactions difficult. This motivates the introduction of a digital currency. Cryptographic protocols have been developed for providing ways to conduct financial transactions both digitally and anonymously.
One example of cryptocurrency is Bitcoin, which is a decentralized digital currency. The Bitcoin currency does not rely on a centralized administrator. Bitcoins can be bought and used to purchase goods and services and can provide a reasonable amount of privacy. Although owners of Bitcoins are not identified by name, the transactions using Bitcoins can often be traced back to the owner. To provide more privacy, owners will sometimes use a mixing service, which exchanges the coins they own with coins that have a different transaction history.
A popular feature of social media is photo sharing. Some social media apps are completely devoted to sharing images online (e.g. Instagram). What users may not be aware of is what other kinds of information can be gathered or inferred from seemingly anonymous images.
Alessandro Acquisti, a professor at Carnegie Mellon University has conducted experiments on images and privacy. The first experiment involved asking random students on campus to take a photo and fill out a questionnaire. While they were filling out the questionnaire, the photo was run through facial recognition software. The software provided the 10 best matches for the “anonymous” face, which in turn provided a name for the face through social media. In other words, what was anonymous was identified in 1 out of 3 cases in the short amount of time it took to fill out a questionnaire. Names, of course, are usually not considered private information. However, his research showed that social media data can be used to predict social security numbers, which are highly sensitive. This suggests that one anonymous image could be used to predict valuable personal information. For details, see his TED talk, https://www.ted.com/talks/alessandro_acquisti_why_privacy_matters?language=en.
One of the major concerns in digital privacy is Internet use. When browsing the Internet, users might notice ads that are surprisingly individualized–that is, they seem to fit the user based upon other websites the user has visited. But how do these websites know what other sites the user has visited? The extent to which Internet users are tracked is an important topic in privacy and may surprise many Internet users.
Most users of the Internet are aware of certain information they willingly provide to websites to improve convenience or usability. But much of the information that is gathered is gathered without user’s knowledge or consent. In the TED talk, https://www.ted.com/talks/gary_kovacs_tracking_the_trackers, Gary Kovacs discusses how Internet users are tracked both by websites they visit and are aware of and by websites they do not visit and are not aware of. He shows examples of using Collusion (a.k.a. Lightbeam), which is a software add-on to Firefox, that shows graphically the third-party cookies stored on a user’s computer. In other words, it tracks all the websites that are tracking a user, and this realization can be shocking.
Protecting Your Privacy
Awareness is the key to protecting your privacy. Many of the strategies used to protect privacy are the same strategies used to protect against malware and other kinds of attacks, since those are the most common ways that privacy is violated. The same rules apply to privacy–be careful what you click on, be knowledgeable about what you download, be aware of possible attack strategies and different kinds of malware, etc.
A simple way users can protect their privacy is by using good passwords. Users often don’t realize what constitutes a good password. We are typically faced with a tradeoff between strength of the password and memorableness of the password. Both are important because a forgotten password is not a secure password! The following video discusses research that has been done to figure out better guidelines for password creation: https://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd. The goal is to educate people so that they can balance convenience and security in password management. Give your students some examples of passwords and ask them how good they are and why. What makes a password strong? What makes a password memorable?