WHILE many may be concerned about their digital privacy, most are blind to the scope of threats, and digital consumer protection standards that are not yet globally comprehensive.
Digital platforms are used with greater frequency to record many aspects of people’s lives, both social and professional. But in doing so, who are they entrusting their personal history to? Often, it’s a company whose agenda is hidden in the fine print of convoluted terms and conditions (T&Cs). Even accessing simple nuggets of information requires you to navigate a cookie-laden landscape.
Our lives are now tethered to our smartphones and digital identities. All of the convenience offered comes with the hidden caveat of sharing significant amounts of information with our chosen platforms. The increasing complexity of threats in the tech landscape requires us to entrust these actors with larger volumes of personal data, several of which have proven to be poor custodians.
STORM-ASIA gathered experts of the digital realm to share their insights on digital privacy and their concerns going into the future at a recent WED WEB CHAT — How Private Is Your Life?
Meet The Specialists
Tommy Ting, Regional Presales Manager at ESET is an engineer and cybersecurity expert with extensive experience in the field. He has a strong background in various security solutions and has a deep understanding of emerging technologies and threat landscapes.
Dominic Forrest, Chief Technology Officer (CTO) at iProov, has more than 25 years of experience in senior roles at telecommunication companies and internet service providers managing the implementation of large-scale projects. He is currently focused on the development of IProov’s cloud-based infrastructure.
Guy Hearn is an insights and media consultant based in Singapore. The strategy professional with Virtus Asia Consulting has 25 years of experience in media measurement, from with multinational blue chips through to innovative start-ups across multiple categories across the region.
Personal Privacy
“Privacy is about knowing who’s got access to things I consider private,” reckons Dominic.
“From a data perspective, I put my face on my LinkedIn profile because I want people to be able to see it. I expect that to be used only on LinkedIn.”
It has become common knowledge that even the most reputable of platforms have suffered from data leaks, and such data can be used to target individuals for purposes ranging from advertising to cybercrime. “It’s really about knowledge and control of your data. Knowing who has access to it, and what it can be used for.”
Tommy emphasises the importance of having control over our data and who it is shared with. “The sad part of this is, the majority of people these days don’t know the repercussions of what they’re sharing online. They probably post a lot of pictures of their vacations and general lives. Privacy is about control, and sharing my personal information only with those I want to share it with.”
Technical Privacy
“It’s important to differentiate between privacy and anonymity,” says Guy. “If you’re going to engage with the digital world, you/your device, loses a certain amount of anonymity. I think it’s really important for people to try to understand the digital data trail they are leaving, and whether they are comfortable with that, or whether there are elements of that they’d like to keep more private.”
Guy believes that businesses are not interested in educating the consumer about digital footprints and such since they often utilise user analytics to identify interests and behavioural context for advertising and market analysis.
Purposefully Convoluted
According to Guy, the most basic step the consumer can take to educate themselves is to read the T&Cs of the services they are signing up for, but he admits that even he doesn’t go to such lengths. “There may be nothing about the T&Cs that you can actually change. But you should at least be aware of them.”
Guy gives the example of a smart TV agreement, which will likely ask for permission to use samples of your voice. “For research, analysis, development, the wording may vary. That could produce useful results for you. But you should be aware that your conversations may not be, strictly speaking, private.”
Dominic elaborates with an example about Apple’s T&Cs. “For the last version of iOS, the privacy conditions are 573 pages long (much of which is duplicated in various languages) and full of legal jargon. It would probably take a trained lawyer quite a long while to get through those T&Cs, and actually understand the implications. If you can’t understand them, then maybe you’re not getting the privacy.”
Tommy believes that “the length and wording of these documents enables companies to protect themselves legally, but they know consumers will not understand what they are signing”.
Consumer protection agencies could demand that T&Cs be explained in layman’s terms.
Data Breaches
In the case of data breaches, which are not uncommon, the punitive action is often a fine paid to the authority, while the consumer, whose data has been compromised, is left with nothing except assurances of better service standards.
Guy reckons the only resort for the customer is to take their business elsewhere. He believes legislators are most effective when incentivised by the public to take action, and the response to data breaches has thus far been insufficient.
“Are consumers demanding that they get compensated for data breaches? No. Whenever a flight gets cancelled, we see lots of images of stranded people in airports and people angry and upset, understandably so. That becomes pressure from the public. It’s down to consumer pressure to drive legislation.”
Complicated Passwords
As technology has improved, the consumer experience has become increasingly convoluted, particularly with regard to maintaining security. Guy details the transition, “When we all first started using the internet, for our first passwords, we all used the name of our cat. And now we’re into massively complicated combinations of numbers and letters, things that we can’t even remember.”
As passwords have become more complicated, users increasingly outsource security to external platforms. “We have dual token notification (a.k.a. two factor authentication), which is great unless you ever lose your phone. The consumer experience is really not particularly good from a security perspective either,” Guy continues.
He advises people to offer their business to companies who make it easy to understand what they are doing with their data. “It’s not that hard to describe data utilisation in a couple of paragraphs, but there’s an incentive to do the minimum.
“Try to reward businesses who do a little bit more than the minimum,” Guy reckons.
Dominic agrees that businesses face growing security costs. “But for many businesses, depending on the type of business, there’s a much larger cost for not doing it. Data breaches can cripple or destroy companies. The landscape is forever changing, it’s getting harder to keep businesses safe. Furthermore, a lot of companies are stuck with legacy technologies, which makes it even harder.”
Password Managers
Dominic notes that the UK National Cybersecurity Centre has recommended that you do not enforce password changes on people. “Forcing people to change passwords makes it far more likely they’ll change a ‘6’ to a ‘7’ at the end, and it’s more likely to get breached.”
Similarly, in the United States, the National Institute of Science Technology (NIST), who set identity standards globally, recommend you do not force complexity requirements of any kind in terms of special characters, or letter types. Instead, they recommend setting a minimum length, “Ideally, quite a long one. And then don’t force users to change it.”
Dominic does use a password manager, and says there are some trustworthy names on the market. “But I have to say there are one or two passwords for one or two really important things which I just don’t write down or save anywhere.”
Is It Really You?
Dominic points out an issue with mobile authentication, “It’s not actually proving it’s me. It’s just proving that the person who’s got possession of that handset has access to it at that time.”
Dominic learnt this the hard way when he found out his teenage daughter had been accessing his smartphone with her thumbprint.
This is giving birth to the concept of ‘binding’ the identity to the handset, and the only way the CTO sees this happening is using biometrics. However, manually logging each individual is not scalable.
“So, I think there could be a very strong trend towards distributed identity. And I very much hope that will bring much stronger authentication into platforms, and we can move away from passwords, SMSes and other efforts, which really had their day a long while ago.”
Privacy At A Price
Guy worries about the implications of these anticipated trends, and how consumers may be incentivised to give up elements of privacy or face penalties. “For example, a health insurance company might ask you to wear some sort of device or tracker or chip that helps them to monitor your health signals. You can give me a big incentive to do that financially. Or a disincentive (raising premiums).”
Guy acknowledges that this may already be happening in certain industries, but these techniques could be employed to greater effect as we bond more closely with our digital identities.
Who Is Responsible?
Tommy emphasises that consumers should not be made totally responsible for their data, and does not see the role of regulation and legislation of consumer protection diminishing any time soon.
“If the product is free, you are the product,” Tommy points out.
“Laws and regulations are the backbone of accountability for large organisations that handle our data.”
Also optimistic of the future, Tommy has overseen the rollout of a new type of tech, incorporating the concept of ‘secure by design’, where the security of systems is designed alongside the development of the platform, rather than being added as an afterthought. “They’re thinking firstly of the security of the whole system, as they build the application or the system itself.
“So, I’m really hopeful in terms of that. Again, all these things go hand in hand in terms of securing our data, how it’s being used and being processed.”
Watch the full discussion of WED WEB CHAT — How Private Is Your Life? below.
Watch our previous wedwebchats: https://storm-asia.com/category/wed-web-chat/
If you have a topic that is of interest, or have someone who would make a good panellist with a thought-provoking perspective on a subject, please email editor@storm-asia.com with your details and a short summary.
