The weaponisation of personal data: how consumers can regain control


Without being fully aware of the potential privacy and security ramifications, consumers have been wilfully providing companies with the asset they most desire: personal data.

This has strengthened the hand of big business while reducing the autonomy that consumers have over their data and how it’s used. According to a recent study, 78% of UK consumers believe that businesses benefit disproportionately from data exchange, while a mere 8% think that consumers benefit more.

Otherwise known as the ‘weaponisation of data,’ a term first coined by Apple CEO Tim Cook, corporations store and share personal consumer information with one another to increase convenience, drive sales and boost profits, often at the expense of consumers’ privacy rights.

Knowingly or unknowingly, we consumers have been complicit in this erosion of our personal privacy and security. But when we rely so heavily, and often unconsciously, on the convenience that companies and social networks provide in storing our data and validating our identities, how do we go about regaining control?

The issue of convenience culture

The key problem is that convenience has become customary in our consumer culture. Not only do we want every good and service to be at our fingertips, we unconsciously expect it. In this sense, convenience has become so ingrained in our everyday lives and psyche that we don’t take time to consider the potential costs attached to it.

Social media (SM) networks and big tech companies don’t endow us with seamless user experiences simply to benefit us; they do so in order that we place trust in them and rely upon them, and in return grant them greater and greater access to more and more of our data: our likes, interests, transactions and future desires.

LinkedIn and Facebook, for instance, have access to swathes of personal user information: your place of work, your familial, social and professional connections, your political inclinations, your career history, where you go to eat, where you shop and infinite other pieces of data.

This data becomes even more valuable to companies when they can piece it together, or “connect the dots,” with the personal data they gather from other sources.

For instance, if you use your Facebook login to sign into the website of your favourite clothing retailer, whether for convenience, security or both, you invariably grant Facebook access to that aspect of your life and behaviour. With this access, it will learn even more about you: how often you order t-shirts and trainers, where you like to order them from and, through this information, begin to develop an idea of how much disposable income you have and when you get paid. Equally, the retailer will have access to your age, date of birth, where you work and who your friends are even before a transaction has been made.

This coopetition, which many of us fail to recognise as anything more than a mere security measure, facilitates the amassment of data, which paints an increasingly comprehensive picture of each user/customer. On an industrial scale, companies can learn from this data to project future trends, influence behaviour and develop business models accordingly, ensnaring us inside the ecosystems of Internet and tech giants. Do these companies really need all of this information to verify a customer’s identity? Of course not.

The cost

Legislation, in the form of GDPR, has started to hold big corporations accountable for the way they collect, store and use our personal data. Prior to GDPR enactment, companies and organisations only had to inform consumers that their data was being collected and used under the Data Protection Act (DPA). Under GDPR, they are now mandated to ask users for their clear affirmative consent to access and use their information and to inform them of how it is being used.

While the majority of companies adhere to these regulations, they hide requests to access our data in plain sight: in the depths of long and complicated terms & conditions that most consumers, in the eternal pursuit of convenience and speed, agree to without reading or considering. These Ts & Cs are constantly changing, and while we are notified of these changes, we rarely have time to read and interpret new protocols and legal amendments. Instead, without thinking about the implications for our privacy, most of us passively click ‘accept’ and give companies consent to access more and more of our lives and behaviours.

Besides the many privacy implications, the correlation of all this personal data can also jeopardise the online safety of consumers and their families. For instance, simply by scrolling through a user’s Facebook or Instagram account, an adversary can find revealing details about that person: their favourite food, their mother’s maiden name or the name of their first family pet; information that we typically use to answer a security question when we have forgotten our password. With minimal research, the adversary now has access to, and control of, medical records or an online bank account.

The solution

It’s fair to say that most consumers wouldn’t wittingly disclose their personal data if they were aware of how it might jeopardise their privacy and security. However, the unconscious expectation of convenience, and a lack of cyberliteracy, mean that we continue to do so en masse. How, then, do we prevent companies from gaining access to data they don’t need access to, and from connecting personal information back to the individual user?

One prospective solution is the creation of an online identity that can’t be linked back to us or correlated with other personal information that is extraneous to the transaction in question, and which we can use to verify ourselves when buying things and logging into websites. This kind of ‘proxy identity’ would simply contain the data required when completing a transaction or signing in to a personal account.

Who could be a trusted custodian of such an identity? One prospect is banks. Renowned for their trust and ability to navigate the complexities of changing financial and legal regulations, banks could prove the most well-suited guarantors for managing and validating proxy identities.

In essence, your bank would become your identity wallet. Through your online banking portal, you would be able to access other websites, accounts and records without the need for another password or disclosing any other personal information to the site in question.

Many banks already possess the necessary infrastructure to facilitate the development of a more secure authentication process. We also trust them more than any other type of company or organisation that we interact with. It seems, then, at a time when consumers value online security and privacy more than ever, that the foundations are already in place.

By Niel Bester, SVP of Products for Entersekt

