1/29/2020
09:50 AM

Businesses Improve Their Data Security, But Privacy Not So Much

While the California Consumer Privacy Act will force companies to provide a modicum of meaningful privacy, World Privacy Day still mainly celebrates data security.

The number of ways businesses track people has skyrocketed, and the increasing deployment of image recognition, machine learning, and data analytics has only accelerated the process. The result is a refocusing of attention not just on the security of the data that companies retain on people, but on whether privacy and technology can co-exist.

Last week, Clearview AI, for example, found itself the target of a class-action lawsuit for its technology that, the company says, uses more than 3 billion images scraped from websites and social media to train a machine-learning algorithm capable of identifying a person in a photo with 75% accuracy. The technology can reportedly be used to identify victims and suspects in criminal investigations.

Clearview has joined Google as a favorite resource of law enforcement. Google is regularly subpoenaed by international and federal authorities for information about the phones that may have been close to a specific location at the time of a crime.

With the annual January 28 marking of World Privacy Day, a gap has become apparent. While regulations, such as the European Union's General Data Protection Regulation (GDPR) and the Payment Card Industry's Data Security Standard (PCI-DSS), have forced companies to take data security more seriously, the more general policy concept of privacy has largely remained in limbo. The California Consumer Privacy Act (CCPA) addresses some of the privacy gap, but most businesses are more focused on keeping their data from leaking rather than structuring their services to promote privacy, says Ray Walsh, a data privacy advocate at ProPrivacy.com.

"While companies spend a lot of time talking about consumer privacy and use 'privacy washing' as a way to gain PR credits with the public, the reality is that companies are primarily concerned with data security and the potential that a data breach could land them a hefty fine," he says.

Take Your Pick
Online citizens are largely left with a simple choice: Benefit from modern technologies and lose their privacy, or opt out of many of the technologies that have defined the past decade.

Posting a picture to social media? You've become part of Clearview AI's reverse look-up machine that uses facial recognition to find criminals and victims. Near a crime carrying your mobile phone? Law enforcement can subpoena records from Google's Sensorvault for every phone near a crime scene at a certain time. Use free antivirus? The company behind it may be selling your browsing data to marketers.

Ever since the beginning of the War on Terror in early 2001, privacy has taken a back seat to any technology that can help identify potential enemies. Originally, the administration of President George W. Bush had debated where to draw the line with online privacy: opt in or opt out. September 11 eliminated that, says John Ackerly, CEO of data-protection firm Virtru, who had been part of President Bush's National Economic Council in 2001.

"Privacy is one of the major pieces of collateral damage that no one talks about in our reaction to September 11," he says. "It set us on a path to use data and the Internet as a tool to combat terrorism, and I understand why, rather than really moving forward on where the President's instincts were on putting the consumer first."

For the past decade, companies have been focused on dodging online criminals and then nation-state actors intent on stealing data. With the passage of the GDPR, focusing on data security became a business imperative to avoid larger fines.

Yet the policy discussion and legal landscape have become more nuanced, says Ackerly. Companies are beginning to understand that customers want privacy, he says.

"I am optimistic as I've ever been on this journey that we will end up in a place where individuals will be able to take control over their data wherever it is shared," Ackerly says. "I think it is a combination of technology evolving and society just waking up to the trade-offs that we have made over the past 15 or 20 years."

The CCPA, which went into effect this month, has forced companies to be more responsive to consumers and change the way they do business. The legislation, while in effect only in California, will force companies to provide similar rights to most of their customers. Already, other states, such as Washington, are considering similar legislation, and the same grassroots effort behind the CCPA is developing a more stringent proposal for 2020.

"As a result, it will be much more difficult for companies to sell user data, especially without the user's knowledge," says Monique Becenti, channel and product specialist at Web security firm SiteLock. "Although California is leading the way in establishing and implementing this type of legislation, we expect to see other states follow suit given the number of companies that do business with California."

Yet, because data gives businesses a competitive edge, breaking companies' addiction to data will be difficult, ProPrivacy.com's Walsh says.

"Consumer data is going to remain a commodity that businesses will seek to profit from in any way they are legally permitted to," he says. "As long as the US government wants a piece of the pie, decisions like the one made in 2017 when the Trump administration ruled that it was legally permissible for US ISPs to collect and sell user Web browsing habits to third parties are going to keep placing consumer privacy at the bottom of the to-do list."
