Is Privacy Dead?

Emmanuel Carabott on June 28, 2010

Tagged with: Security

With the advent of the internet many people seem to forget about privacy and its importance. Some people claim that privacy is actually dead and has been for a while and we have plenty of examples of people who knowingly and willingly breaching their own privacy but does this mean that people no longer care about privacy?

What is obvious is that people nowadays seem to love sharing every little aspect of their lives with the whole world. From social networking sites like Facebook to people like Jennifer Ringley whose famous JenniCam site broadcasted unedited and uncensored footage of Jennifer from 1996 – 2003.

Another possibility is that people consider social networking sites to be fun and are therefore carefree in their usage. Stories such as employees getting fired due to comments about their current employer seem to suggest this is indeed the case. In this case I would assume that Farm Boy employees thought that being a ‘members only’ group would keep their comments private, but in a world where secret treaties are leaked can anyone really expect that limiting access is protection enough? Apparently some people are willing to bet their jobs that it is. Worse yet it’s not an isolated case as there are many known cases of people incriminating themselves on social sites.

It’s not just about knowingly sharing your personal details with the world either. Nowadays no one thinks twice about buying items off the internet; it’s convenient and easy but not everyone understands the privacy one sacrifices in doing so. When buying online you’re sharing a lot of confidential information including credit card number, name and address. We’re trusting that those details will be kept safe, that they will not misused and that the company we’re buying from is secure. Unfortunately this isn’t always the case as I myself discovered when one of the credit cards I use exclusively online was used to buy services on the other side of the globe. None of the companies I bought from advised me of any breach they suffered which compromised my credit card number and there were no reports on the media either. That said I still didn’t stop buying online even after falling victim to the dangers involved.

On one hand we live in the information age; no matter how much you value your privacy it’s impossible to keep everything secret. Every subscription, online purchase, bulletin board registration, social networking site participation, government institution and more will record your details and store them in some form or another. Whether we want to or not we have to trust that these entities will keep this data safe from threats both outside and within their infrastructure.

On the other hand we do not want to make an already bad situation worse. Going back to Jennifer Ringley (the person who started the trend of lifecasting) we have someone who didn’t mind sharing every intimate moment of her life with the whole world yet was still annoyed when, after reciting her phone number over the phone and streaming it to everyone watching her cast, it resulted in people calling her.

The truth is that most of the time we’re better off if certain details remain private. Every piece of information which becomes public could potentially be used by social engineers. Think of something as trivial as an internal telephone list where a social engineer has a list of employees, their title and telephone number. Let’s assume the social engineer wants to gain access to credit card details. He first needs to log in and for that he requires credentials. With a phone list he could try a simple social engineering attack – he calls up the sales manager and asks for an employee who works in sales, when the manager says he got the wrong number he asks to be forwarded to the person (in this case his victim) and tells the victim that he is sitting next to his (the victim’s) manager and they’re running an audit (or any other excuse) and asks for the victim’s credentials. The victim knows the call is coming from his manager’s office (because it was forwarded), this person called him by name and would therefore assume the attacker is sitting next to his manager while asking for his credentials; he is therefore very likely to comply with the request. A simple attack and all that was needed was a phone list.

A lot of information can be used by hackers to launch targeted attacks. If one of your employees posts on Twitter that your company still refuses to upgrade from IE 6 even though everyone knows how insecure it is (an actual post I came across) an attacker who has exploits that target IE 6 knows which company to launch an attack on.

Social sites have made people want to share every detail of their lives with everyone and in turn they’ve become more trusting. In itself it’s a nice concept; sharing is good but it can also be dangerous to a person or an organization. When something is shared with the world, it’s gone public and in most cases is impossible to take back. That being said it is also important to understand that in most cases privacy only helps in hiding the problem. If the employee didn’t post about his company using IE6, it would still have used IE6 and it might still be vulnerable. If Farm Boy employees didn’t write about their unhappiness with their work place they’d still be unhappy. A social engineer with no access to a phone list can still call up a company and social engineer his way to potential victim’s details such as the manager’s name and phone number.

Privacy might only buy you some time while fixing the real problems; however, it still remains a core value that we should retain as important, especially online.

About the Author: Emmanuel Carabott

Emmanuel Carabott (CISSP) Certified Information Systems Security Professional has been working in the IT field for the past 18 years. He has joined GFI in 1999 where he currently heads the security research team. Emmanuel is also a contributor to the GFI Blog where he regularly posts articles on various topics of interest to sysadmins and other IT professions focusing primarily on the area of information security.

More Posts from Emmanuel Suggest a Topic

12 Comments

John Mello July 16, 2010 at 3:00 am
Emmanuel, you might be interested in a recent survey by Zogby International that found consumers are very concerned about being stalked by companies on the Internet. The polling firm discovered that 81 percent of the consumers participating in its survey were “somewhat” or “very” concerned about businesses tracking their Web surfing habits and using that information to target advertising at them. What’s more, 88 percent said it was “unfair” for companies to do such tracking without a consumer’s permission. In addition, 79 percent told pollsters they’d like to see a “do not track” list similar to the “do not call” list used to discourage telemarketers from making unwanted sales calls to homes.
Emmanuel Carabott July 16, 2010 at 5:08 pm
That would be interesting indeed, do you know the title of the study or better yet have a link to it?
I also ran into the following article today:
http://arstechnica.com/gadgets/news/2010/07/users-of-location-services-worried-about-robberies-stalking.ars
which seems to indicate that people are mostly aware about the issues but in some cases decide to ignore them apparently. Still being aware is at least a good start!
Sue Walsh July 28, 2010 at 6:24 am
Great article! It’s true-no one really thinks about online privacy until theirs is breeched. They rely on the companies they do business with to keep their info safe and private and that’s not always a good idea.
That’s terrible about your credit card. I’m guessing either whatever company had their data breeched didn’t realize it or it fell into the hands of a rogue employee at one of them. I was caught up in the Heartland data breech. I got a letter from my bank telling me they had been informed that their customer’s cards had been affected so they were canceling them and replacing them with new ones. I was fortunate that no fraudulent transactions had occurred!
Emmanuel Carabott July 29, 2010 at 11:20 am
Thanks Sue,
It would have been nice if companies inform when they discover credit cards have been compromised. I do wonder however how many people would actually pro actively cancel their credit cards if they’re informed these might have been compromised!
Delois Blanche July 30, 2010 at 12:17 am
I think people have the right to share what they want to share regardless of whether it’ll get them in trouble or not, provided that they are aware of what they are doing, and what could be the consequences. Sadly, a lot of them do not always have the common sense to consider the repercussions of their actions. Common sense isn’t common after all.
But the worse thing is, there are those who purposely invade other people’s privacy without their permission and consent. I think it’s about time that something serious should be done about that.
Bruce July 30, 2010 at 12:36 am
On the internet, it should be automatically assumed that whatever you send online is not 100% private and secure. Take Facebook for example. Does anyone notice that the ads you are getting seem to be somehow related to the recent searches or mentions you have done online? Example, if you are searching for pregnancy related terms, you seem to be getting pregnancy or baby related ads. Why is that?
Yes, they KNOW what you are doing online.
Emmanuel Carabott July 30, 2010 at 1:03 pm
@ Delois
In principle I agree with you, everyone should be free to do what they want. If someone wants to advertise their social security number online it’s their choice. However like you correctly said some people do not realize what the repercussions of their actions will be and that’s the core problem. The big question then is how should you act towards these people? Ideally you would educate them but that’s not always possible. You could also ignore the problem and leave everyone free to act as they wish but it’s not really that simple either. What happens if such a person writes about things which are damaging to his/her employer? What if they write about security issues that put their company at risk? What if they write things which make their company liable?
I agree everyone should be free to act in any way they wish, this also means that businesses can also act in any way they wish, the problem is striking a balance between the two. It’s not easy and there is no clear answer unfortunately.
@ Bruce
It’s not just Facebook really, targeted marketing is a big thing. A lot of businesses try to do it. Some use the terms you search for to decide what Ads to show you, others try to guess what you like by using the contents of the page you visit (that is displaying the Ad) and some go even further than that and try to track every page you visit by installing adware/spyware on your machine.
Daniel August 10, 2010 at 8:53 pm
With Facebook facing heavy criticism for its failed security measures, it looks like this topic won’t be going away soon. Strangely enough, the world doesn’t seem to be bothered. With the advent of Twitter and Chatroulette, the masses seem to be embracing more security liabilities instead of avoiding them. I’m thinking there has to be some sort of backlash in the future. Privacy may not yet be dead, but it’s surely dying.
Dennis Thompson August 10, 2010 at 9:07 pm
@Bruce
I predict a sort of social backlash (of more than the vocal variety) in the next decade or so. With the internet cracking user profiles open like a nutcracker in Christmas, it’s only a matter of time until the world implodes under the sheer weight of its own lack of security. How that backlash will go, I can’t really say. But I’m predicting it will literally change how we interact, and socially network online.
Emmanuel Carabott August 11, 2010 at 11:52 am
You’re right Daniel. It seems there is a new culture emerging which thinks privacy is not that important anymore; or, maybe more to the point, that it’s not a big deal when you yourself ignore your own privacy. It seem the story changes when other people try to take your privacy away, as monitoring is still a controversial subject.
Louise Mck. August 14, 2010 at 4:30 am
@Daniel @Dennis
It’s funny how both of you mention some sort of social backlash due to the lack social networking security. But isn’t Facebook and Chatroulette already feeling the brunt of this backlash? A good number of users have been very vocal about the lack of privacy, but it’s not like this “backlash” has done any sort of damage to the user base. These users still haven’t stopped using these sites, neither have they started migrating to try any others. It seems like the world is addicted to social networking, whether it’s healthy for them or not.
Emmanuel Carabott August 18, 2010 at 11:57 am
Hi Louise
That was, in fact, one of the points in the article. It’s true, some people see the privacy issue but ultimately seem to decide to ignore it. Others seem not to see the issues at all or see them and still believe that nothing bad will ever happen to them. Dennis might still be right however. Those people that are not aware or believe they’re immune will very likely change their opinion once they become victims. With social networking become more popular more people will likely be targeted so there might be a critical mass at some point as when enough people get bitten peer pressure will force change.
Its obviously just speculation but quite possible I believe.

Comments are closed.

If you have used this form and would like a copy of the information held about you on this website, or would like the information deleted, please email privacy@gfisoftware.com from the email address you used when submitting this form.

Is Privacy Dead?

Get your free 30-day trial

Get your free 30-day trial

About the Author: Emmanuel Carabott

12 Comments