Your online life may not seem worth tracking as you browse websites, store content in the cloud, and post updates to social networking sites. But the data you generate is a rich trove of information that says more about you than you realize -- and it's a tempting treasure for marketers and law enforcement officials alike.
Battles have long raged over how third parties can access and use your data. This year, your online privacy faces new threats, as a result of emerging technologies and new regulatory efforts that could affect how your Web-based life is protected... or exposed.
Federal law may or may not mitigate the privacy threats. Efforts to update the Electronic Communications Privacy Act (ECPA) aim to make your online data harder to collect and share. Meanwhile, proposed legislation called the Cyber Intelligence Sharing and Protection Act (CISPA) could make it easier to obtain.
As you watch your privacy being kicked around like a football in a scrum, pay close attention to the following five major threats.
#1: Cookie proliferation
The invisible cookie software agents that track your browsing habits and personal data are likely to multiply in 2013. Advertising networks, marketers, and other data profiteers depend on cookies to learn more about who you are -- and what you may be interested in buying. Unless legislation imposes legal restraints on Web-browser tracking, your system is likely to accumulate more cookies than you'd find in a box of Chips Ahoy.
Cookies have been proliferating at a rate that would impress epidemiologists. "Five to 10 years ago, if you opened NYT.com in your browser, you'd get a cookie from the New York Times, maybe a couple, and that would basically be it," says staff technologist Dan Auerbach of the Electronic Frontier Foundation. "Today you get probably on the order of 50 cookies from all sorts of third parties: ad servers, data brokers, trackers. They can build up this big profile about your browsing history."
The worst part, says EFF's Auerbach: "It's totally invisible to users. They have no idea what's happening."
Marketers say that they keep user data private by viewing it only in aggregate, but the sheer volume of data a cookie can collect about any one person can enable the cookie's owner to infer a surprising amount about the individuals being tracked. As a 2010 report by Gartner found, "the more that personal information can be correlated, the less it is possible to completely anonymize."
But while cookies appear to be going viral, help may be on the way. In 2012, the Obama Administration proposed a Privacy Bill of Rights that would include Do Not Track legislation, so that consumers could choose whether and when to be tracked. Do-not-track mechanisms are being built into major Web browsers, such as Mozilla's Firefox. The Do Not Track concept still has no legal support, however. Marketers, many of whom claim that tracking data is essential to their business, remain free to ignore Do Not Track efforts -- or build ways around them.
"Do Not Track has no teeth right now," says EFF's Auerbach. "If you set it in your browser, you should not expect to gain significant privacy." Nonetheless, John M. Simpson, director of the Privacy Project at Consumer Watchdog, sees promise in new legislative efforts -- specifically, the Do-Not-Track Online Act of 2013. "I think this may be the only way to get meaningful protection for consumers," says Simpson.
#2: Seizing cloud data
You love how easy it is to grab data from the cloud -- and so do law enforcement agencies. And there's only going to be more of that data to love in coming years: Gartner predicts that 36 percent of U.S. consumer content will be stored in the cloud by 2016.
But whether you use a Web-based email service, keep files in Google Drive, or upload photos to Shutterfly, everything you write, upload, or post gets stored in a server that belongs to the online service, not to you. And because of outdated rules enumerated in the ECPA, this cloud-based data is vulnerable to a privacy loophole so big that a Google self-driving car could roll through it.
"A huge concern about using the cloud is that your data does not have the same Fourth Amendment protections that it would have if it were stored in a desk drawer or even your desktop computer," says Consumer Watchdog's Simpson.
One key reason that privacy advocates and some legislators are trying to update the ECPA this year is that the current law treats data stored on a server for more than 180 days as abandoned. This statutory assumption is a vestige of a time when servers held data only briefly before shunting it off to a local computer. Furthermore, the law's definition of such data is vague enough to cover not just email messages -- a popular target of law enforcement agencies -- but (potentially) other kinds of data stored on servers. Now that so much data resides on servers owned by cloud-based services, and so many people keep content in the cloud for years, a lot of long-stored files that people haven't abandoned could be fair game for Big Brother.
Law-enforcement agencies are requesting cloud-based data with increasing (and unsettling) frequency. Google's Transparency Report graphs a 70 percent increase in such requests over a span of three years, from 12,539 requests in the last six months of 2009 to 21,389 requests in the last six months of 2012.
Cloud services aren't just rolling over, though. For example, Google might comply with a subpoena to reveal the name, contact information, and login records of a Gmail subscriber. But Google would insist that the requesting authority obtain a court order requiring Google to provide greater levels of detail, such as the mail header for a message. In addition, Google would demand to see a search warrant before giving government investigators access to actual email content. Tellingly, the percentage of information requests that Google has fulfilled has dropped slightly over time, from about 75 percent in 2010 to about 66 percent in 2012. Twitter's transparency reporting site offers similarly enlightening reading.
Law-enforcement interests have scuttled past attempts to update ECPA, so it's hard to say whether the current efforts will get any farther. "The only true protection is to understand that anything you put up there can be accessed by somebody else," says Consumer Watchdog's Simpson. "If you don't want that to happen, don't put it in the cloud."
#3: Location data betrayal
Call it the end of the easy alibi: Location data will make it increasingly difficult for you to wander around the world without someone knowing exactly where you are at any given time. Your cell phone is the primary tattletale, but the location data you post to social networking sites is a revealing source, too. Pinpointing your whereabouts will get easier still as other location-beaming devices come online, from smarter cars to smarter watches to Google Glass.
"When you leave your house and go to a friend's house, run errands, go to work, visit a lover -- whatever it is you do -- if your geolocation is tracked and recorded, that's a lot of information about you," says senior policy analyst Jay Stanley, of ACLU's Speech, Privacy and Technology Program.
Armed with this data, advertisers might (for example) send you promotions for nearby businesses, wherever you are. The result could be a nice surprise -- or not. According to a 2011 report by Gartner, "forty-one percent of consumers say they would be concerned about privacy if they were to use mobile location services so that they can receive more targeted offers through advertising or loyalty programs."
You'd be even less pleased if law enforcement officials, your employer, or your ex-spouse's private detective used location data to keep tabs on you. Lillie Coney, associate director of the Electronic Privacy Information Center, points out that an employer-owned device "lets your employer track you, on and off the job. What kind of consequences and profile data are based on your geolocation, based on the course of your time in or out of work, where you are, how late you are?"
And as with cloud-based data, the legal requirements for obtaining location data from your mobile service provider are not terribly stringent. According to EFF staff attorney Jennifer Lynch, "It's pretty easy for the government to get access to the location data, and very hard for users to prevent that data from being gathered."
There may not be much you can do about your employer. EFF's Lynch says that reining in the government's zeal for location data may be tough as well. "It's such a useful tool for law enforcement to get access to this info, there's a lot of pushback," Lynch says.
Calabrese of the ACLU says that updating the ECPA is a crucial step in making location data less open to scrutiny. "A lot of location info is flying around, and that's why it's so critical to get legal protection. You should be able to use a cell phone without worrying about being tracked."
#4: Data never forgets a face
Posting and tagging photos online may feel like innocent fun, but behind the scenes it helps build a facial recognition database that makes escaping notice increasingly difficult for anyone.
"Most consumers are already in the largest facial recognition database in the world, and that's Facebook," says EFF's Lynch. Indeed, the immense quantity of photos uploaded to Facebook makes it the poster child -- or rather, giant -- for the privacy issues surrounding this technology.
In testimony before the Senate Judiciary Committee in July 2012, Lynch described how Facebook users were, at the time, uploading about 300 million photos to the social networking site every day. Facebook uses the tags associated with those photos to build ever-more-detailed "faceprints" of what you and your friends look like from every angle.
If Facebook used this data strictly to help you find other people you know on Facebook, it might be okay. But Lynch says that when Facebook sells user data to third parties, photo data may be included -- and the sanctity of the data afterward is uncertain. "Facebook says it takes care to protect the data, but we don't know how they do it," she says.
Lynch's 2012 Senate testimony also noted that the government has reviewed or requested Facebook data for purposes as varied as citizenship applications, criminal cases, and security checks. "We know that law enforcement asks for this information from Facebook," Lynch said recently. "They don't just ask for your post, but all photos you've been tagged in." Access to Facebook data allows law enforcement officials to move beyond the blunt instrument of a mug shot or a driver's license photo to find people much more easily.
And Facebook isn't the only source of facial-recognition data. Companies such as Google and Apple have facial-recognition technology built into some of their applications, too -- most notably online photo sites. According to John Simpson of Consumer Watchdog, "Someone can take a photo of you and then track you down based on other identified photos of you that may have been posted on the Web. It's scary and opens very real dangers of being stalked."
The future of facial recognition offers scant comfort. Continued advances in surveillance technology, including drones and super-high-resolution cameras, will make identifying individuals in public places easier than ever, especially if the entity doing the surveillance has a nice, fat, facial-recognition database to consult. As with other cloud-based data, revisions to the ECPA could boost privacy protections for digital photos -- depending on what gets enacted. Says Lillie Coney of EPIC: "If they're not locked down, photos could be part of our information economy that can be generated into revenue, sold, traded, used. You don't know where they are."
In her Senate testimony, Lynch proposed that private-sector databases such as Facebook's should be required to obtain consent or an opt-in from consumers to any facial recognition system.
#5: Scanning in the name of cybersecurity
You may not be a malicious hacker, but that doesn't mean your online activity won't be scanned for telltale signs of cybercrime. The federal government has made cybersecurity a high priority, as concerns grow over the vulnerability of the nation's infrastructure to a computer-based attack.