
Ten Important Privacy Threats

February 18, 2014 by Daniel Dimov

1. Introduction

As the Internet becomes more and more important to our lives, the challenge is to enjoy the conveniences of online activities while reducing the risks of privacy violations. A good understanding of the privacy threats is an important factor for preventing privacy violations. In order to provide such an understanding, this article discusses ten important privacy threats, namely government surveillance (Section 2), data profiling (Section 3), hacking of bank institutions (Section 4), hacking of software companies (Section 5), hacking of government health care websites (Section 6), fake online complaints (Section 7), using Facebook for background checking (Section 8), hacking of delivery drones (Section 9), hacking of cloud computing servers (Section 10), and hacking of Google Glass (Section 11). The privacy threats are explained in the form of stories of fictitious individuals. Finally, a conclusion is drawn (Section 12).


2. Government surveillance

John is a businessman based in the United States. He regularly phones his business partners located in the Middle East. Unexpectedly, two agents of the Federal Bureau of Investigation (FBI) came to John's home and started asking questions about his relations with people from the Middle East. The agents knew the dates when John visited shops, bookstores, restaurants, dentists, doctors, sport clubs, and sport events. The agents knew the location of each of the aforementioned places.

John had not done anything wrong that could provoke an investigation by the FBI. His business and the business of his partners were not connected to any illegal activities. John was investigated by the FBI because of a report produced by the National Security Agency (NSA). The report was generated by a group of analytic tools collectively called Co-Traveler. Co-Traveler examined information about John's phone calls and, in particular, the location data, unique identifiers, time of call, and duration of call. On the basis of that information, Co-Traveler concluded that John may be a suspicious person.

3. Data profiling

Jessica is a 19-year-old girl living in the home of her parents in the United States. Jessica discovered that she is pregnant. She decided not to immediately tell her parents about her pregnancy. Jessica often visits stores in her home town. Suddenly, Jessica started receiving advertising materials from one of those stores. The materials advertised baby products. Jessica's parents noticed the promotional materials and asked Jessica if she was pregnant. She did not want to lie and admitted that she was pregnant.

How did the store figure out that Jessica was pregnant before her parents? The store creates a profile of each customer. The profile contains the name, credit card, and the address of the customers as well as information about any purchases made by the customers. A special software application examines each profile and decides what advertising offers need to be sent to each customer.

Jessica bought large quantities of unscented lotion, scent-free soap, extra-big bags of cotton balls, hand sanitizers, washcloths, and supplements of calcium, magnesium, and zinc. The software application used by the shop analyzed the purchases of Jessica and decided that Jessica was pregnant.

4. Hacking of bank institutions

Peter works as a bank executive in the United States. Suddenly, his home was robbed. After an investigation, it was revealed that the thieves found Peter's address on the Internet. His address was published on the Internet by a hacking group that hacked the website of the US Federal Reserve and published private information about 5,000 US bank executive accounts. The information included addresses, private email addresses, and home phones.

5. Hacking of software companies

Stephen is a lawyer. He uses the software products of a company for the creation of various documents. One day, he read in the newspapers that hackers had stolen nearly 3 million encrypted customer credit card records stored by the company. He checked the balance of his credit card and found out that someone withdrew USD 20,000 without his permission.

6. Hacking of government health care websites

Alex is HIV positive. He was registered as HIV positive on a government website. The government website was hacked and the personal data of 70,000 individuals, including Alex, was made available online. After the hacking attack, Alex's employer found out that he was HIV positive. The behavior of his employer and colleagues changed for the worse. As a result, Alex decided to leave his job.

7. Fake online complaints

Dr. S. has a private health care practice in the United States. His business was very successful until someone wrote an anonymous complaint in one of the publicly available consumer complaint websites. The complaint stated that Dr. S. was a sexual offender.

Consumer complaint websites allow dissatisfied customers to publish complaints. In most cases, the consumer complaint websites do not check the facts on submissions by the complainants. Some of the consumer complaint websites do not allow anyone, including the authors of the complaints, to modify the complaints. The online complaints are not only visible in the search engines, but often appear on the first pages of the search results. The reason is that, due to their popularity, consumer complaint websites rank high in the search engines.

The complaint against Dr. S. was fake. However, it appeared in the first position in Google's search results for the name of Dr. S. As a consequence, Dr. S. lost many of his clients.

He decided to commence legal proceedings against the anonymous person who posted the complaint, with the aim of having the complaint removed from the consumer complaint website. However, he found out that, even if he won the case, the consumer complaint website would not be legally obliged to remove the defamatory content. This is because Section 230(c)(1) of the US Communications Decency Act of 1996 provides immunity from liability for providers of websites which publish information provided by others.

8. Using Facebook for background checking

Carla is a 24-year-old college graduate. She applied for a job in a large company. The job application process consisted of several phases, including screening of documents and tests. She reached the final phase, the interview with the employer. Before the interview, the employer looked at Carla's Facebook profile. He found several photos of Carla in night clubs. The employer saw that the photos of the other candidates were taken at various academic conferences. He decided not to hire Carla because she might not be a serious employee. Thus, the photos of Carla's personal life directly affected her professional life.

9. Hacking of delivery drones

Sarah lives in the United States. Sarah has an important political position in the state of her residence. One day Sarah's colleagues sent her a website containing photos of her naked in the swimming pool in her house. The photos were taken from 20 meters above the ground. It appeared that the photos were taken by a flying drone that delivered books to her home. The organization using the drones was hacked and the photos were publicly released.

10. Hacking of cloud computing servers

Nicholas is a lawyer who uses various cloud services provided by a single company. The services include text editors, image editors, email platforms, and organizers. The website of the organization providing cloud services to Nicholas was hacked. As a result, the criminals obtained a vast amount of information about Nicholas and his clients. The information included credit card numbers and information about the personal life of Nicholas' clients. Nicholas lost many of his clients and soon his law practice went bankrupt.

11. Hacking of Google Glass

Merry uses Google Glass. Google Glass is a wearable computer worn like a standard pair of glasses. The device displays information on a glass screen in front of the eyes of the user. It accepts voice commands that start with the phrase "ok glass." Google Glass contains 12GB of usable storage and has a 5-megapixel camera which is capable of shooting 720p video. Users are able to upload photos to the Internet.

Merry uses the device while walking on the street, while withdrawing money from bank machines, and while staying at home. One day, Merry's Google Glass was hacked. As a result, the hackers obtained Merry's credit card information and hundreds of photos of her private life.

12. Conclusion

Because each privacy violation may have different objectives and different sources, the protection against privacy violations should be addressed from multiple angles.

Firstly, individuals need to educate themselves on how to adopt good privacy protection practices. Such practices may include, but are not limited to, anti-viruses, anti-spyware, anti-phishing tools, firewalls, changing the privacy settings of software applications, and using complex passwords. In relation to passwords, it is worth mentioning that, in 2012, hackers posted usernames and passwords of 50,000 Yahoo users. Out of the 450,000 passwords, sequential lists of numbers, like "12345," were used 2,295 times. The password "password" was used 780 times.

Secondly, organizations need to adopt security practices in order to protect their customers from privacy violations. Such security practices may include, but are not limited to, anti-viruses, anti-spyware, anti-phishing tools, firewalls, using complex passwords, providing limited information in error messages in order to prevent information security attacks, restricting the users from uploading files that may compromise the websites, and using cryptographic protocols which are designed to provide communication security over the Internet.

Thirdly, governments need to educate citizens on how to protect themselves against privacy violations. In this regard, it should be noted that public education materials provided by governments are often viewed by citizens as a trusted source of information. Governments can decrease the risk of privacy violations by strictly enforcing the existing privacy laws and creating new privacy laws when such a need exists. Because the online threats to privacy are an international problem, governments need to engage in cooperation with those of other countries.


Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.