Stolen Information
In pre-Colombian America, cacao was highly valued — worshiped by ancient civilizations, often traded for goods. It was believed by Mayan and Aztec cultures to have magical properties and was used in birth and death rituals. If an Aztec sacrifice victim didn’t seem all that into what was happening, they would be given chocolate (mixed with the blood of past victims) to provide some additional energy.
Enter Hernando Cortes, Spanish explorer and soon-to-be conqueror of the Aztecs. Cacao’s bitter taste didn’t immediately appeal to him, but in 1527 when his bloody work was done in the Americas, he brought some beans back with him to Spain. It turned out that when mixed with honey or sugar, cacao became a sweet chocolate drink. It quickly rose to be a very popular drink among the nobility in Cortes’ homeland — and its most closely guarded (and sought after) culinary secret. Drinking chocolate became a symbol of the rich and powerful of Spain.
Almost 100 years later in 1606, an Italian explorer named Francesco Carletti discovered the secret of the chocolate drink while exploring the West Indies, releasing the Spanish secret upon the rest of Europe. Suddenly, everyone knew what chocolate was, how it was made, and how to get it for themselves.
In effect, this was one of the first data breaches released to the public.
Like many people, I have multiple email addresses. I have one personal email address, a work address, a school address, and one email that I use for sign-ups and accounts. According to the website haveibeenpwned.com, which scans data breaches for your email, my sign-up address and associated passwords have been leaked 7 times, most notably by Adobe (with 153 million affected users). Similar data breaches occur many times every year. In 2020, the largest data breach was from a website called CAM4, an adult video content site. This breach consisted of 10 billion records containing personally identifiable information, including:
First and last names • Email addresses and password hashes • Country of origin and sign-up dates • Gender preference and sexual orientation • Device information • Miscellaneous user details such as spoken language • Usernames and user conversations • Payments logs including credit card type, amount paid and applicable currency • Transcripts of email correspondence • Inter-user conversations • Chat transcripts between users and CAM4 • Token information • IP addresses • Fraud and Spam detection logs
— Security Boulevard
Totaling around 7TB of content, this data breach was caused by a simple misconfiguration of the database server — the information security equivalent of leaving your front door unlocked, open, and hung with a sign that says “walk-ins welcome.” Security researchers found the security issue several months after the initial misconfiguration, meaning data from this server had likely been discovered by malicious actors many times over before it was discovered by the company.
It’s not just data breaches that are a concern either. What about information being stolen with uninformed consent? Has anyone ever read a full document of Terms of Service? If you have an Android phone, you likely have been providing Google with your location at all times. Every time you visit a webpage with a Facebook Like button, it sends that webpage to Facebook — even if you don’t have a Facebook account. If you have an activity tracker, your physical characteristics are likely shared with the company that made the tracking device. In general, there’s a common saying among many groups of privacy-aware people: “If you’re not paying for a service, you’re the product.”
For many people, the above information may be enough to decide to return to a pre-industrialized way of life. For others, sharing their information with large tech companies is no big deal. I will quickly address a few of the common thoughts among those who don’t mind sharing their data, and hopefully convince you of the importance of data privacy.
“It’s just shared with the company, why do I care if they have my information?”
Once you decide to give your information to any company, you are making a lifetime commitment: that company will never give that data back, and almost every large tech company has a history of sharing their data with governments. If the company gets hacked and your data is exposed to the world, there is absolutely no taking that back, and you will get no reparations.
“If my data is anonymized, it doesn’t matter if it gets leaked anyway — no one will know it’s me.”
There is almost no such thing as truly anonymized data. Researchers in 2019 were able to re-identify 99.98% of individuals in some anonymized data sets used for scientific computing. Using smartphone location data, some researchers were able to identify 95% of individuals based solely on 4 timestamped location data points. This website shows how likely you are to be re-identified based on basic information about yourself (birthdate, gender, and ZIP code). The average US citizen will be identified by these metrics 83% of the time.
“Why should I care? I have nothing to hide.”
You may not, but that doesn’t mean that your data looks clean to law enforcement. Facial recognition technology is becoming adopted by law enforcement agencies across the world, and it has a long history of being wildly inaccurate. Similarly, the footprint of your data may arouse unwarranted suspicion — and the government wants that footprint.
If you’re still not convinced, Philosophy Tube has an excellent video on this topic.
This all culminates to one question: “What can I do?” Ultimately, not much. No matter what you do, if you want to remain a functioning member of society, you must consent to some level of data collection, because that is the way our world has decided to function. You can’t get a job without an email address, and without a job, you can’t eat. That being said, there are a few ways you can improve your privacy.
VPNs
VPNs (Virtual Private Networks) do a lot of advertising online as the definitive way to protect your privacy. In reality, they don’t do a whole lot to actually protect you. VPNs simply mask your IP address (a unique identifier assigned to your connection) to look like you’re coming from a different location. This can be helpful, but IPs are rarely used to actually track users. On top of this, many VPNs keep logs of user activity, and there is no way to tell if a company claiming to keep “zero logs” is actually telling the truth.
Password managers
Password managers are a great way to keep yourself safe from data breaches. If you use the same password across multiple websites and one of those sites has a breach, many malicious actors will try the leaked login data on common sites (social media, email, etc). Password managers can help by generating random passwords for every website you use. A good password manager (like Bitwarden linked above) will have no access to your data at all — it is accessible only to you.
Be politically active
When legislation is presented in your area that protects your data privacy, call your representative (if you’re in the US) and tell them you support it. Ultimately, the only thing we as citizens can do to enact large-scale change is through political action.
If you’re a programmer…
… consider the ethical implications of the work you’re asked to do and its possible applications. This is something we’re rarely (if ever) asked to do, but the work we do can change the world for the better or worse. Let’s ensure it’s the former.
