Technology professionals starting their careers will need to decide where they stand on privacy and whether they intend to develop strong privacy protection or rely on ingrained less reliable software.
Could 2021 be the year that made abstract concepts like ‘data’ and ‘privacy’ real for us all? The ransomware attack on the Health Service Executive was proof that data has a value. The criminals who took the HSE’s critical information hostage demanded $20 million in payment to release the data.
Earlier this year, Facebook was involved in a breach where more than half a billion records about its users leaked on an online hacking forum. Nothing to see here – or so Facebook would have us believe. Except it really is important.
These are not isolated incidents. Since a picture is worth a thousand words, we recommend you visit a superb visualisation (below) of the world’s biggest data breaches over at ‘Information is beautiful’. It’s not much of a spoiler to say you’ll recognise some familiar names like the Marriott Hotel Group, British Airways, LinkedIn… the list really does go on.
Some information leaks are accidental. A house for sale in England was available to view on a 3D virtual tour when a security researcher happened to discover the video exposed personal information about the owners. It included financial bills and other details that identity thieves could have used.
Part of the problem might be that, when we talk about “data”, it can have the effect of making any problem relating to it seem abstract or unconnected to the real world. The HSE attack was all about holding a valuable asset to ransom in the hope of a big payday. The data might be intangible, but the consequences were all too real. They included delays to hospital appointments, scans, and critical treatments.
And the information itself has a value: days after the HSE breach, medical and personal information about Irish patients was being shared online, including hospital admission records, treatment details, and home addresses. Information leaked in the Facebook breach included people’s full names, phone numbers, birthdates, and email addresses.
(Around 1.5 million Irish Facebook users had their details leaked, so now might be a good time to check if you were among them. You can find out if you’ve been affected by typing your mobile number into haveIbeenpwned.com.)
Good data privacy practice recommends you should change your password after a breach. At a push, we can change our emails or our phone numbers – although we’d probably prefer not to – but what are we supposed to do if our name, date of birth, or health information is out in the open?
As individuals, we may be much more than the sum of our data, but these are some personal details we’re talking about. It doesn’t take a great leap of imagination to think of the ways scammers could exploit people’s sensitive health data. Anyone with a web browser and 15 minutes to spare could dig up a lot. (The Irish Independent called the Facebook trove a “stalker’s paradise”.)
While we’re on the subject, there are apps and websites that market themselves to potential stalkers. A cybersecurity company called Traced recently published research which found that it’s possible to check when someone’s WhatsApp status changes to ‘online’ by entering their mobile number and seeing when the owner of the phone last opened WhatsApp.
So, privacy matters. And the more connected and digital we become, the more information about ourselves we put at risk. On some level, many of us must suspect that we’re giving away more than we bargain for when we sign up for ‘free’ online services. Those adverts pushed to us online (and following us around the web) don’t come from nowhere.
It’s a cliché that the biggest lie on the internet is “I have read the terms and conditions”, but it contains more than a grain of truth. Even for those of us who are conscious of the privacy of our data, it’s worth asking the question: when we sign up to use online services, are companies playing fair when they tell us what they do with our data in their privacy policies? A study by the UK banking service thinkmoney found that it would take 17 hours to read the terms of the top 13 most downloaded apps in the UK. If you’ve ever tried to read them, you’ll quickly find they’re often written in legalistic language that most people would struggle to follow.
Research from Truata, a privacy technology company, found that 66% of consumers are more likely to be loyal to a brand they trust to use data appropriately, while 65% would stop using brands that don’t behave responsibly with personal data. It also found 78% of consumers have already taken steps to reduce their digital footprint.
So if you’re in the early stage of your career in technology, think of this as a call to arms. Pay attention to privacy at every stage of a development project. That doesn’t mean you’re just doing what the GDPR tells you to: you’re increasing the trustworthiness of the company you work for and the products it creates.
We already know what bad practice looks like, but that doesn’t mean you need to make the same mistakes. Don’t be part of the problem if you are in a position to be part of the solution. Bring up privacy in every meeting. Be aware of where, when and how the product or service you’re working on uses personal data. Ask pertinent questions like ‘why are we gathering this data?’ ‘Do we really need this information?’ ‘Is it a good idea to create a large database full of personally identifiable information when the risk of compromise is so high?’
Privacy is like climate action: we all have a part to play. We’re all rightly appalled when we see footage of plastic littering beaches, or oil spills. In the same way, you can be part of something better, by contributing to preventing information from leaking all over the web. And anyone working in the technology industry has the potential to be a positive influence on product development for the better, and to be proactive about privacy and security.
Instead of ‘move fast and break things’, now’s the time to change the message to: ‘go slowly and build carefully’.