How often have you given away your private information?
If you go to a restaurant and pay the bill with a credit card, does the card ever leave your sight? If you call a taxi to pick you up at home, what happens with your name and address? If you order things online and they’re shipped to you, how many different companies get copies of that information?
Habitually, we are trained by our modern world to hand over this kind of information all the time. We’re so used to it that most of the time we never even think about it. We gladly entrust sensitive information to random people with no formal trust relationship and little or no personal investment in protecting it on our behalf.
Data Privacy Day is January 28, 2015. It’s an opportunity to take a step back and think about this power imbalance. We’ve done some work here at Blackphone asking people if they’ve ever actually thought about all the permissions they give to apps they install on their phones. It’s a sobering account because it confirms what, intuitively, we already know: people don’t give this issue much thought, but when you ask them to, they are horrified both at their own ignorance about the problem and at the extent to which technology takes such liberties and buries them in the overall user experience.
Now look at your smartphone. It probably has several apps on it. What information can those apps access? Your address book of personal and professional contacts? The contents of your SMS messages? Your web searching and browsing history?
What kind of story would that information tell about you? If you knew someone had malicious intent, would you hand over any of that information willingly? Probably not.
If you’re using a smartphone or similar device for both your personal and work activities, the risk is amplified. You’re not only exposing your own personal information, but also potentially leaking your employer’s information as well. As we’ve seen with Sony and countless others, the costs for such risks can be catastrophic. So even if your company has a robust privacy apparatus internally, it all comes to pieces if a trusted individual perforates the safety envelope and lets an untrusted device become the target of attack.
A recent data point released by Vasco Data Security in Belgium suggested that if you were to properly review all the privacy policies in effect for a typical smartphone and mix of apps, it would take 72 working days to get through them all. Clearly, this approach is not practical and isn’t working.
For DPD2015, we encourage all of you to adopt a simple statement: Take Back Your Privacy. It’s your right, it’s your data. Be aware of what you give away and have some notion of how it might be used. Demand better commitments and performance from the companies with which you do business. Encourage your employer to see this as a reciprocal activity; they want you to protect their information (and treat it as your own), but they should similarly be offering you tools and training on how to protect your information as well.
Most of all, join the conversation. These are complex, often conflicted issues. Oversimplified generalizations will not advance the state of the art, nor are they reflective of best practices. Technology can help, but this is also a people and process problem, and most people and companies would agree that waiting for the regulators to define a solution is risky as well. Government classifying negligent handling of personal information as a crime is one thing, but that same government prescribing specific technical solutions is quite another. The landscape is fluid and treacherous, and no one official approach is likely to work well in all situations.
Privacy is an approach as well as an outcome. We have a responsibility to take ownership of our data and choose carefully how to use it, as well as an expectation that our commerce and communications partners will respect our wishes and their own policy commitments. The best place to start is at home, where our information footprint is at its most personal.