What do businesses and consumers need to do better when it comes to data privacy?
There’s a thousand tiny bits and pieces of you littered all over the internet.
Somewhere a server knows you like capers but not pineapple on your pizza, knows your home address, and knows your password has something to do with your mother’s maiden name.
Lying out in the open fields of LinkedIn is your full name, profile picture, and employment history.
Tucked away on another computer server is a scan of your driver’s licence that you submitted to prove your identity to access a service many years ago. It should have been deleted long ago, but wasn’t.
A fitness app is logging your daily jog and unless you change the default settings, people you pass using the same app can see your profile photo and the time and place you start and finish your run each day. It happens to be your home address.
Of the thousands of little pieces of data – your data – there’s a good chance some is being siphoned by data collation companies, shared or sold, and that some isn’t being protected particularly well.
The impact of our data detritus can range from the seemingly mild outcome of being targeted with advertising, to the more devastating outcome of having your identity stolen.
New privacy laws are kicking in on December 1 2020. It will become mandatory for businesses to report serious breaches to the Privacy Commissioner and to notify the people affected.
The Privacy Commissioner will be able to issue compliance notices, and direct organisations to provide individuals with the data held on them. It will become a criminal offence to destroy documents containing personal information if a request has been made for them.
A principle in the law has also been updated, to ensure organisations don’t collect identifying information from people if it’s not necessary.
With changes afoot, it’s a good time for consumers and organisations to take a good hard look at data privacy.
A dollar for your data
There is a bit of a myth that many people, particularly digital natives, simply don’t care what happens to their personal data online. That’s not accurate.
A Vodafone Consumer Insights research study conducted by Colmar Brunton shows most people are not okay with businesses selling the data collected from them. “I find this unacceptable,” was the verdict for 66 percent of those surveyed.
Only four percent said it was something they wanted and expected. Twenty-six percent of respondents said they aren’t comfortable with it, but accept it happens.
Overseas there have been high-profile examples of data being sold.
DNA home profiling kits on-sell genetic information. This is usually sold ‘de-identified’, although US researchers have shown in some cases de-identified data dots can be connected and an identity revealed.
Menstruation tracking apps often share information to advertisers, or social networks selling advertising. Flo Health’s period and ovulation tracker told Facebook when an app user was having her period, or intended to get pregnant.
Even in New Zealand, customer data is sold.
A Consumer Magazine article highlighted that loyalty schemes, including AA Smartfuel and Fly Buys, on-sell data. AA Smartfuel told Consumer Magazine it made around $40,000 from aggregated data in one year. Fly Buys didn’t share how much it makes from selling customer data and supplying data analytics to companies in its programme.
“Personal data is the new oil,” says University of Auckland associate professor Gehan Gunasekara who has been researching the topic for the past 20 years – including “when it wasn’t popular”. He also chairs Privacy Foundation New Zealand.
“If you have somebody’s personal data, you can essentially not only control them, you can manipulate them, you can predict what they’re going to do.”
Gunasekara thinks consumers are becoming more aware of their privacy: “I don’t think people are just surrendering their data thinking organisations can do whatever they want with it.”
He believes people understand privacy policies but still sees there’s a hurdle of fine print where companies can do better.
“No one actually reads them. They’re full of fine print and they go to several thousand clauses sometimes.”
Confronted with dense screeds of legalese, he said, most users don’t make it past the first few sentences. Privacy information should be approached from a customer’s perspective, not the in-house lawyers’.
“Very simply tell them, in understandable language, what the organisation plans to do with that information, who it plans to share it with … it shouldn’t fudge the language in an oblique way that allows them to do anything they want with it.”
As well as using simple language, he suggests being specific and informative.
“Don’t say ‘we are going to share it with business partners’. Be more specific with which business partners, for what purpose. ‘Are we going to sell it to them, or are we going to give it to people who are performing a service’?”
More detailed privacy policies can be linked to from the plain language version.
Vodafone New Zealand’s head of privacy and compliance Bec Holdsworth agrees terms and conditions pages aren’t usually read in full, but says consumers expect the data collected will only be used to provide a service.
“The belief is that businesses won’t do anything unexpected with consumer data. When I’m handing my data over to a business, it should be making a reasonable effort to be clear with me about what’s going to happen to that information.”
Everyday language is important, she says, as is information shared at key points when data is entered. Changes to the Vodafone app are being worked on to provide an even greater level of transparency when it comes to the privacy and security of data.
“Businesses need to be upfront about what they are doing with data.”
Vetted third parties do have access to customer data to process it on behalf of Vodafone. Data is also provided to law enforcement agencies, when required by law.
She says Vodafone doesn’t sell user data. “It’s not ours to sell, it’s your data.”
Have I been pwned? Keeping your data safe.
A search on the haveibeenpwned.com website, where you can enter your email address and check if it has been involved in a privacy breach, shows this reporter’s personal Gmail address is linked to 15 breached websites, including LinkedIn, Adobe and Dropbox.
Even if you make sure a different password is used on each site you sign up to, breaches are still a worry. Additional information is sometimes revealed including usernames, password hints, phone numbers, date of birth, employers, geographic locations, IP addresses and even website activity.
“There are so many privacy breaches these days, people sometimes forget there’s a human being at the end of every data breach. A significant breach has the potential to cause great harm to someone,” says Holdsworth.
For many, a breach could mean time taken out to get identity documents reissued, deal with financial crime, or worse.
“For someone in an abusive relationship, or a high-risk job, a leak of the location where they live could have really serious consequences for their health and safety. I think it’s incumbent on all of us to take privacy breaches seriously.”
Another reason to take it seriously, according to University of Auckland’s Gunasekara, is the risk of penalties. The changes to the Privacy Act open the door for class actions against organisations.
“At the moment you can bring an action as an individual against an agency, but from the first of December class actions and even representative actions will be able to be brought.”
He believes there’s potential for pro-bono law firms to litigate on behalf of large groups of people.
The other big change is the increased power of the Privacy Commissioner to make compliance orders against an agency without waiting for a complaint. If the compliance order isn’t followed the company could be fined.
“Companies are going to face attacks from so many sources, they’re going to have individuals, they’re going to have the Office of the Privacy Commissioner, they’re going to have privacy advocates like Privacy Foundation New Zealand.”
Online tools on the Privacy Commission’s website are available to help businesses get up-to-speed with the changes.
“Trust is key to customers, if you can show that you are taking privacy seriously, there is a brand value to that to your business,” he said.
While data security mainly falls on the shoulders of organisations collecting and holding it, University of Auckland research fellow Dr Andrew Chen says consumers can play a part.
Often organisations collect data by default. If you can’t see any reason why an organisation would collect a piece of data he suggests getting in touch with them and politely asking why it’s needed.
He gives an example of event management companies requiring a user to enter a physical address as well as an email and phone number.
“I expect an event management service to pretty much exclusively engage with me over email. There’s almost no reason for them to have my physical residential address. Having that data presents a risk to me. They could store it in a database, maybe the database is hacked. Maybe somewhere in their terms and conditions, it’s buried that they can on-sell that data to somebody else. I would rather just not give them that information in the first place.”
Sharing personal documents to verify your identity, such as images of your passport or driver’s licence, is another instance where consumers can ask questions. Can your identity be verified without the document, is the first question he suggests asking. The second is how the verification is handled, and what happens to the copy of the document after your identity is confirmed.
“By deleting the data, that significantly reduces the risk of them storing your data and being hacked or misused in some way.”
Monetising the overshare
It’s not just security breaches and companies selling your data which can lead to marketers targeting you with ads; there’s plenty of stuff people publish online without thinking about all the ways it can be used.
Your Facebook profile picture could be used by a controversial facial recognition tool marketed to law enforcement agencies. Clearview AI is one company offering facial recognition systems to law enforcement. It’s been described by the founder as a “search engine for faces”. Officers can snap a photo of someone they want to identify and load it into the software. The software then matches it to faces it’s scraped from public sources – such as Facebook and YouTube.
Chen says there are also data broking companies which siphon information publicly available online.
“I think people can understand how Facebook might use your data to help deliver targeted advertising to you. I think something that people are less aware about is the presence of data brokers, which will hoover up data from all the possible sources that they can get and then create pretty granular profiles about people.”
He said these can be offered as a service to companies. “Where people are being provided targeted services, that’s potentially changing the way they act with a provider.”
A theoretical example of this is health insurance, where the profile a data broker provides impacts what’s offered. In some cases the data could show a person is a lower risk, so the person gets lower premiums, or it might show higher risk and attract a higher premium.
He said data brokers do operate in New Zealand, but to a lesser extent than in places like the United States, as there are fewer public data sources.
“I expect that, for a lot of people who have spent the last 10 years online, living their lives, participating in various kinds of services, it’s not unfeasible that data could be across thousands of different places.
“In some sense it is a bit of a Pandora’s box in that way.”
* Vodafone is a foundation supporter of Newsroom.co.nz *