For those of you not in the know, it is that time of the year again. On Thursday, January 28, we celebrate – or at least sheepishly acknowledge – Data Protection Day. This particular day on the calendar came to be back in 2007. What’s more, this year marks the 40th anniversary of Convention 108 as well as the 15th edition of Data Protection Day.
The history of Data Protection Day
What’s Convention 108, you might ask? Convention 108 was a treaty that set out some of the first internationally agreed rules for the protection of individuals with regard to the processing of their personal data. According to the Council of Europe’s website: “For 40 years, Convention 108 has influenced and shaped the protection of privacy and of data protection in Europe and beyond.” In other words, many of the privacy rights that we enjoy today stem from the signing of this influential agreement back in 1981.
The event is also known as “Data Privacy Day” in the US and in other countries around the world, and the theme chosen by the US National Cybersecurity Alliance for this year’s event is about owning your privacy and respecting others. Somehow it seems fitting, given that we have been under lockdown for most of the past year.
At Avast, we try to celebrate the actual data protection and privacy efforts all year long, which is why I said “sheepish” above. Just to remind you, here are a few links to some of the blogs that we have posted:
Why it is important to do a social media privacy refresh, and subsequent posts on how to do that for Facebook, for Instagram, for Twitter and for TikTok. This could be a constant activity because the social media vendors labor constantly to change their privacy settings. Even if you look away for just a few weeks, things can change, so you should schedule these refresh events frequently if you are concerned about your privacy.
Part of the problem with talking about social media privacy is that we are our own worst enemy, and Facebook in particular knows this and exploits this. I wrote a blog post a year ago about some of its (then) more egregious privacy abuses that I would urge you to review. There were plenty of others in the past year too. So Data Protection Day should have a special place of dishonor to remind us of Facebook’s numerous privacy transgressions. But let’s move on to the messaging apps.
Earlier this month, I mentioned a series of tips from Consumer Reports on how to improve your privacy settings. And there is a collection of tips on how to make Signal more private (if you are giving up on WhatsApp).
Web browsing privacy issues
But wait – there are more software settings to mess with. How about that piece of software that we all use constantly, our web browsers? Last year, there was this very revealing browser privacy study by Professor Doug Leith, the Computer Science department chair at Trinity College, Dublin. He set up six popular browsers (Chrome, Firefox, Safari, Edge, Yandex and Brave) to see what happens when a user launches them on a typical Mac desktop and the browsers then “phone home.” All six make non-obvious connections to various backend servers, with Brave connecting the least and Edge and Yandex (a Russian-language browser) the most. How they connect and what information they transmit is worth understanding, particularly if you are paranoid about your privacy and want to know the details.
If you aren’t familiar with Brave, it is built on the same Chromium engine that Google uses for its browser, but it does have a more logical grouping of privacy settings that can be found under a “Shields” tab as you can see in this screenshot.
It also comes with several extensions for an Ethereum wallet and support for Chromecast and Tor. This is why Brave is marketed as a privacy-enhanced browser. Brave scored the best in Leith’s tests. It didn’t track originating IP addresses and didn’t share any details of its browsing history. No matter what browser you use, you should probably audit your browser extensions and get rid of ones that you don’t use or that have security issues, as Brian Krebs wrote about here.
I realize that’s a lot of tips to take into consideration. And it probably will seem daunting to click through all those links and follow their instructions as you navigate to the various settings pages. Maybe that is why we only celebrate Data Protection Day once a year, because it will take all year to cycle through all your apps to get them set just right. This could be the digital equivalent of washing the windows on your favorite skyscraper.
Privacy vs. anonymity
But so far we have been just talking about software settings. There is the bigger picture about data privacy, something so starkly illustrated with this website (sorry, but I am not linking to it) showing a vast grid of more than 6,000 images of people’s faces who were captured at the January 6th riot on Capitol Hill. Each face is tagged with a string of characters associated with the Parler video in which it appeared. What bothers me most about this site is that you don’t know who was a bystander and who wasn’t.
This brings up the issue of online anonymity. When most of us think of this word, we usually mean that we don’t want anyone – whether it be the government or any IT department – to keep track of our web searches and conversations. We will say we want some amount of privacy when we are at work, whether we are using our computers and phones for work-related tasks or not. But balancing anonymity and privacy isn’t an either/or situation. There are many shades of gray, and it is more of an art than science. Making sure you understand the distinction between the two terms and setting appropriate expectations for both should be a critical part of any job managing IT security. In fact, these actions could be a special honorable mention for Data Protection Day celebrations by themselves.
Sometimes, the purported solutions to privacy controls only make things worse. Windows 10 comes with a series of “personalization” settings that are enabled for the maximum intrusion into our lives by default. One of them – letting ads access a specially-coded ID that is stored on your computer to personalize messages for you – is presented as a way to “improve your experience.” If you choose this route, this translates to increasing the creepiness factor, as ads are served up online based on your browsing history. We wrote about this last year when we discussed canvas fingerprinting, which is a related issue.
Just because I do not know who you are does not mean that you have any privacy. Someone who captures my face when I am out on a remote hiking trail – or at a political rally – can still expose my location and my name and I could be tagged without my knowledge.
So, enjoy today. Click on a few of our aforementioned tips, tweak some of your privacy settings. And try to remember to watch out for your privacy more than once a year.