The Dart researches how data breaches and data monitoring alike put sensitive information at risk and how citizens in the digital age can protect their data from being stolen.
March 14, 2019
There are 312 million internet users, across the U.S., according to Statista. Everyday users enter their information online, whether it’s to schedule an appointment with their healthcare provider or to start an account to stream music. Computer science teacher Alexa Varady contemplates all these services and accounts and acknowledges that with the threat of hackers and watchful media companies, the general user’s data isn’t safe.
“With all the different services we sign up for and all the different accounts we have, it’s likely that at least one of them surely has been compromised,” Varady said.
It takes Pete Enko, a data security lawyer and partner at Husch Blackwell, to track down the people who have compromised the data. Enko got his start as a young associate reading the Health Insurance Portability and Accountability Act (HIPAA) and now applies similar principles of data privacy at the corporate level.
“You get to go sleuthing,” Enko said. “It’s like CSI in terms of trying to figure out how the cyber-attacks happen, you know, who did what, when and how, that kind of situation. That’s the stuff that’s the most fun to me, the cyber security attacks.”
When he works with clients who have undergone data breaches, Enko sees each data breach as a bank or house robbery, where “bad guys” get in, take what they want and find some way to monetize it. In most cyber instances, the goods in question are pieces of personal information such as Social Security numbers, credit card numbers, three digit security codes and email addresses.
When asked what outside parties would want with these elements of a user’s data, Varady did not even have to stop to think before she simply said, “to sell it.”
It’s less about the value of a single user’s data and more about the quantity of data kept within a server — hackers can achieve a high payout by accessing these caches of personal data. According to 2015 data Varady learned in an online Georgia Tech graduate course, three-digit security codes might be worth $2, and credit card information could value anywhere between $5 and $45, PayPal or Ebay account information is worth $27 and health information worth $10. In short, hackers aren’t digging around for information about a single user but the sum users who have input some amount of personal information.
Enko lays out three common goals for security breaches: Electronic Fund Transfer (EFT) information, personal information and email addresses. Access to EFT information allows hackers to redirect money being wired from one place to another, while personal information such as Social Security numbers can be used to set up credit card accounts in the name of someone who won’t even know those accounts exists. Email addresses can be used to set up self-perpetuating scams, such as malware kept in emails that make their way from computer to computer, gathering more and more email addresses.
Many of these email based frauds rely heavily on social engineering, the use of deception to lure users into divulging some sort of personal information, such as EFT information or a Social Security number.
In his line of work, Enko works with companies who are either working through a data breach or want to prevent one in the future. He advises employees to be wary of each email and check the sender, hover over suspicious links and be mindful of what people click on. For many cases of data breaches, he finds that one individual clicking on one suspicious link can lead to major problems.
“You get into that mode that you’re just clicking, clicking, clicking without thinking,” Enko said. “‘Oops, oh shoot, did I just click on that?’ Yeah, you did and now you just launched malware.”
Varady admits that there is not much prevention when it comes to protecting data but does personally use a trick to see which service or account has divulged her data. When signing up for a service, Varady puts a “+service name” after the first part of her email, so it looks like [email protected] The service will ignore whatever is after the plus sign, and the user will be able to see the email address that spam emails, and the malware that might come with them, are sent to. This way, a user can track which service has either divulged an email or been breached.
These safety measures can protect sensitive information from getting into the hands of hackers, but often times the information getting into the hands of companies has been freely put onto the internet by users themselves.
Lives are increasingly lived online from scheduling appointments to posting pictures of a night out. In a study reported by The Telegraph, the average person spends 24 hours a week on the internet. This extremely connected lifestyle can lead to a susceptibility for data breaches through common things such as spam emails and personalized ads.
Whether it’s the promise of a fortune or a fake lottery win, USA Today warns against falling into the trap of spam emails. In a study done by the Barkley Endpoint Protection Platform, spam email scams can cost upwards of $675 million annually.
As for personalized ads, Google’s help page on personalized or interest-based ads states they can collect data from search history and personal preferences to formulate ads relevant to the consumer. In that sense, ads can be hyper-targeted to individual consumers.
Personalized ads work by storing cookies, small bits of data websites use to store user information, on a consumer’s device after the consumer has visited a retail website; the data from the cookie is generated into an ad and follows the consumer to different websites. With this personal aspect comes suspicion from consumers.
New York Times writer Brian Chen wrote in his article, titled “Are Targeted Ads Stalking You? Here’s How to Make Them Stop,” that he finds personalized ads to be more like “stalker ads” than anything else.
Chen recommends clearing the browser’s cookies and history data to sidestep these “stalker ads,” but ultimately there is no true solution for the issue at hand — if data is willingly being given to companies, they will either use that data or give it to other, bigger companies.
Willingly giving data can be simple — through signing up for websites and programs, companies have access to emails and phone numbers to contact their users. Usually this is done to show promotions or updates, but sometimes companies can use these means of contact for more harm than good.
In a recent Wall Street Journal study, it was revealed that certain apps were automatically sending user information to Facebook. It determined the cause to be an analytics feature set up to target Facebook users with certain ads. So, while an app like Flo Health Inc.’s Period and Ovulation tracker claims to not send any “critical user data” to Facebook, information a user inputs is automatically sent to the social media site and then can be paired back with the original user. Even information from app users not on Facebook were sent to the site.
In March 2018, political analysis firm Cambridge Analytica was revealed to have bought data from millions of Facebook profiles in the intent to profile prospective voters in 2014. According to The Guardian, Facebook’s policy states that the information from profiles on the site can only be collected to improve user experience and would not be sold or used in advertising. However, that policy was not upheld in the case of Cambridge Analytica.
At the beginning of the school year, Varady spoke to students at the Digital Citizenship presentation, a series of speakers who discussed digital issues such as online presence and plagiarism. Varady showed an example of all the metadata that could be gathered from a photo. She displayed a photo taken on campus on the board, and showed students the information attached to the file, including an almost exact approximate of where the photo was taken.
Seniors Arleigh Perkins and Brianne Arello are studying the government’s use of American citizens’ metadata in a civic engagement project for their AP Government class. The project revolves around questioning the reasoning behind the National Security Agency’s collection of metadata from phone calls.
“They can’t hear a conversation over the phone, they just know who you’re talking to,” Perkins said. “It’s just kind of keeping tabs on what’s happening but on a very basic level.”
According to their project, the NSA can collect phone numbers, time stamps and call duration times as a precautionary measure in tracking down suspected terrorist threats.
“Our argument is that it takes money to do that,” Arello said. “If it’s a security issue, then that’s fine. If not, then we don’t think it’s necessary for them to take that extra step in order for them to do it.”
Although monitor data for security reasons, Varady contemplates that programmers and hackers work in a constant fight against each other, with one repairing programs and the other corrupting them to monetize the data within. The thought makes her uneasy.
“The more that I learned about computer security, the less that I wanted to use computers,” Varady said.