How to Keep Your Data Private
Every move you make leaves a data trail. Here’s how to cover your tracks.
Americans trying to maintain their privacy these days can be forgiven for feeling a little vulnerable. Every few weeks brings news of another huge security breach compromising the credit or debit information, passwords, e-mails, or other personal data of shoppers, hotel guests, college students or employees -- in short, just about everyone.
As if our most sensitive financial (or medical) data falling into the hands of thieves isn’t enough to worry about, privacy advocates now tell us that we must worry about all of our data -- all of the snippets that make up the massive trove of (sometimes erroneous) facts and inferences about us, pieced together from public and nonpublic information, and from our behavior both online and off. These shadow profiles can affect what we pay for goods or services, and limit the opportunities we’re offered, financial and otherwise.
In addition to these pressing personal privacy concerns, there’s a growing unease about U.S. government surveillance, following revelations of massive National Security Agency (NSA) dragnets of cell-phone logs, location data and e-mail contacts. The news has spawned widespread interest in products and services that were formerly the province of sophisticated techies, as ordinary citizens scramble to encrypt conversations and cloak their online presence.
Protect your ID
Your first line of defense should be against the thieves who want to poach pieces of your identity for financial gain. More than 13 million people fell victim to identity thieves in 2013, with some $18 billion stolen, reports financial consultant Javelin Strategy & Research. ID theft has moved well beyond compromised credit cards. Javelin found that fraudsters are piggybacking on victims’ utilities accounts, running up unauthorized charges on mobile-phone accounts and infiltrating other Internet accounts, such as eBay, Amazon and PayPal. Two fast-growing offshoots of ID theft are medical ID theft, which poses risks to your health as well as your pocketbook, and tax ID theft, which occurs when someone files for your refund before you do.
The good news is that only 14% of victims in a 2012 survey by the Bureau of Justice Statistics suffered an out-of-pocket financial loss (most losses are borne by financial institutions and other companies); of those, about half lost $99 or less. Most victims surveyed spent one day or less clearing up problems associated with ID theft. One in ten spent more than a month.
Make no mistake: ID theft is a headache when it happens to you. Alex Spencer, a curator for the Smithsonian National Air and Space Museum in Washington, D.C., has been through the ID theft drill more than once. It took him months to clear up a case in the mid-1990s, when he kept getting billed for a cell-phone account he’d never set up. In 2007, Spencer closed a bank account only to find a new account in his name at the same bank, opened a short time later by someone at a branch in another state.
More recently, Spencer got a call from his credit card company saying someone in the United Kingdom was using his card. “When it happens to you, it’s pretty shocking,” says Spencer. Now, he alerts his card companies when he travels to avoid any confusion about possibly fraudulent charges, and he pays about $100 a year to LifeLock, a service that monitors his credit. “I appreciate the protection. I just wish I didn’t have to have it,” he says. (See steps to take if you're a victim.)
Like most victims, Spencer isn’t sure how his information ended up in the wrong hands. Sensitive information about you could be accessed unlawfully or exposed by accident. There were more than 1,000 data breaches in the U.S. last year, exposing more than 500 million consumer records, according to the latest annual report from Risk Based Security, a cybersecurity firm. The report noted that two breaches in 2013 -- at Adobe Systems and Target -- were among the biggest of all time. The hack at Adobe exposed 152 million customer records; the breach at Target, 110 million records, including credit- and debit-card numbers. (See What to Do About the Target Data Theft.)
A few years ago, it might have been safe to ignore such breaches. But Javelin’s most recent data finds that one in three people who are notified of a data breach become the victim of identity fraud.
Financial data theft. Your financial data can be hijacked in a number of ways. Be wary of free Wi-Fi hot spots in public places, and never use an unsecured Wi-Fi network to make financial transactions. Use only encrypted Web sites to transmit sensitive information (always look for a lock icon or “https” at the start of the address). Secure your smart phone and tablet with a password, and use software that allows you to erase the device’s data if it’s stolen. And don’t overlook low-tech precautions, such as shredding paper bills, receipts, insurance forms, credit offers and similar documents.
After news of a data breach, watch for phishing scams, which occur when criminals try to fool you into divulging personal information. If you get an e-mail (or a phone call) that appears to be from an outfit you trust, be suspicious of requests to immediately supply or change your user name, password or other identifying data.
Especially when it comes to credit- or debit-card problems, you can limit the damage ID theft causes by detecting and reporting it early. Usually, you face limited or no liability for fraudulent debts caused by ID theft.
Medical ID theft. Stolen health information can be used to get medical treatment or obtain drugs, or to defraud insurers or government benefit programs. An estimated 1.85 million people in the U.S. were victims of medical identity theft in 2012, reports the Medical Identity Fraud Alliance.
The cost of medical ID theft can be staggering. In a recent survey cited by the Alliance, 40% of victims who incurred costs reimbursed providers for services to imposters, 35% paid for ID protection and legal fees, and 34% paid for care after ID theft caused a lapse in coverage. Such theft can also jeopardize your health by compromising your medical records. Victims risk having legitimate services denied (because benefit limits have already been reached) or receiving inappropriate treatment, ranging from unnecessary to life-threatening.
Safeguard medical information the same way you protect financial data. Don’t carry your medical insurance card if you don’t need it. If you must carry a Medicare card (which lists your Social Security number), make a photocopy and black out all but the last four digits of your SSN. If health care providers ask for your SSN, inquire about their security precautions. Explanation-of-benefits forms may be a pain to decipher, but reviewing them can expose ID theft.
Tax ID fraud. The best defense against tax-related ID fraud is to file your return early. Filers who discover that a thief has beaten them to their refund can wait months to receive their money. But the IRS is stepping up efforts to catch the thieves, with 3,000 staffers working on issues related to ID theft -- double the number in 2011.
Big data, big questions
As a consumer, you might appreciate that online ads and coupons tailored to your interests materialize at the moment you’re most interested, and that those ads help to keep much of the online content you enjoy free. As a citizen, you might be in awe of the way Google searches helped epidemiologists track the spread of the H1N1 flu virus. But there’s a dark side to all this data sloshing around.
Few consumers are aware of the degree to which so-called data brokers collect information on hundreds of millions of Americans -- slicing, dicing and reselling the information for marketing purposes in what has become a multi-billion-dollar industry. The World Privacy Forum estimates that there are thousands of such brokers. The profiles they assemble can include information about your physical and mental health, income and assets, shopping habits, personal interests, and more. The information is gleaned from retailers, loyalty-card transactions, Web-site interactions, public records, survey data, warranty-card registrations and other sources.
The same advanced data analytics that enable personalized marketing may also result in goods being sold at different prices to different buyers or in unequal access to offers, service and benefits, say privacy advocates. Marketers counter that the industry is governed by strict codes of conduct and guidelines designed to make data policies transparent and give consumers control. Still, data used for marketing purposes escapes much of the regulation that governs consumer data accessed by health care workers or used to reach credit or employment decisions.
Consumer profiling and direct marketing aren’t new, but Big Data and powerful analysis allow profiles to be compiled in ways unimagined just a few years ago. Predictive algorithms can mimic credit scores, without the rules that govern the latter, says World Privacy Forum executive director Pam Dixon.
Or consumers might end up on marketing lists that they don’t want to be on, including lists of people suffering from illnesses and diseases, or those with financial vulnerabilities. (Examples of data brokers’ lists include “Mid-Life Strugglers,” “Living on Loans” and “Retiring on Empty.”) Depending on the lists you land on, you may receive the royal treatment, or you could be hit by a barrage of predatory come-ons -- or you might not get offers you’d like to receive.
Claims that data is anonymous are cold comfort, says communication professor Joseph Turow, of the University of Pennsylvania. “If I am followed online and offline by buckets of data that tell particular stories about me, it doesn’t matter if my name is Joe Turow or 2588704,” he says.
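An added example, not from the article or from any data broker: a k-anonymity check, the kind of audit a data holder can run before describing a dataset as anonymous. The records, field names and choice of quasi-identifiers are constructed assumptions; the ID 2588704 and the list names are borrowed from the text above.

```python
from collections import defaultdict

# Constructed sample: profiles keyed by a number instead of a name.
# Field names and values are assumptions made for this example.
RECORDS = [
    {"id": "2588704", "zip": "19104", "birth_year": 1954, "segment": "Retiring on Empty"},
    {"id": "2588705", "zip": "19104", "birth_year": 1958, "segment": "Retiring on Empty"},
    {"id": "2588706", "zip": "19143", "birth_year": 1981, "segment": "Living on Loans"},
    {"id": "2588707", "zip": "19146", "birth_year": 1983, "segment": "Living on Loans"},
    {"id": "2588708", "zip": "20001", "birth_year": 1968, "segment": "Mid-Life Strugglers"},
    {"id": "2588709", "zip": "20002", "birth_year": 1968, "segment": "Living on Loans"},
]

# Attributes that are not names but can still narrow a record to one person.
QUASI_IDENTIFIERS = ("zip", "birth_year")


def equivalence_classes(records, quasi_identifiers):
    """Group record IDs by their combination of quasi-identifier values."""
    classes = defaultdict(list)
    for rec in records:
        key = tuple(rec[q] for q in quasi_identifiers)
        classes[key].append(rec["id"])
    return dict(classes)


def k_anonymity(records, quasi_identifiers):
    """Return k, the size of the smallest equivalence class (0 if no records)."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min((len(ids) for ids in classes.values()), default=0)


def singled_out(records, quasi_identifiers, k=2):
    """Return IDs whose quasi-identifier combination covers fewer than k records."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(i for ids in classes.values() if len(ids) < k for i in ids)


def generalize(records):
    """Coarsen the data: keep 3 ZIP digits and round birth year down to the decade."""
    return [
        {**r, "zip": r["zip"][:3], "birth_year": r["birth_year"] // 10 * 10}
        for r in records
    ]
```

With the raw fields every record stands alone (k = 1) even though no name appears; after coarsening, each combination covers two records (k = 2).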
Moreover, the Government Accountability Office, which recently investigated data brokers, notes that no federal law gives consumers the right to learn what information is held about them for marketing purposes and who holds it, and often they have no legal right to control the collection or sharing of sensitive information. “The only person who doesn’t have access to all of your information is you,” says Jeff Chester, executive director of the Center for Digital Democracy. At least one huge broker, Acxiom, is lifting the veil on what it collects. You can find out at least some of what Acxiom has on you at www.aboutthedata.com.
Opting out of the brave new world of data collection can be complex and tedious, and sometimes it’s impossible. “The uncomfortable truth is there’s not a single consumer in the U.S. who can get off all the data-broker lists,” says Dixon. (World Privacy Forum has compiled a list of ways to opt out of data-broker lists.) Clicking on the blue triangular icon embedded by advertisers in some online ads and choosing to opt out takes away the personalized ads, but not all advertising or tracking.
You can take steps to minimize your digital footprint. For anonymous Web searches, use DuckDuckGo.com, which doesn’t store any identifying data transmitted by your computer. After you land on a Web page, you can see who is tracking you by using free browser add-ons such as Ghostery or DoNotTrackMe. They can also block trackers by stopping your computer from sending information needed for the tracking to work. The downside: Some Web pages won’t work properly when trackers are disabled.
Efforts to adopt a standardized do-not-track setting for all Web browsers have stalled while technical specifications are hashed out. Most Web sites simply ignore the requests sent by browsers that have a do-not-track option, says Lorrie Faith Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University. (There are a few exceptions, such as Twitter.)
A new generation of smart phones is taking mobile privacy seriously. For example, Blackphone, retailing for $629, comes with several preinstalled privacy tools for anonymous search and private browsing, as well as encrypted calls and texts. Meanwhile, don’t ignore low-tech data mining. If you don’t want to add to your dossier, don’t enter sweepstakes or participate in surveys, share e-mails and zip codes at the cash register, or swap personal data for coupons or discounts.
Uncle Sam, superspy
Revelations about NSA surveillance programs have sparked a robust debate about balancing the need to protect our country from terrorist threats with the privacy concerns of ordinary citizens. Whether you think leaker Edward Snowden is a traitor or a hero, you’ve probably thought about how to protect your own communications from snoopers of any stripe.
Encryption is key. A browser add-on called HTTPS Everywhere, from the Electronic Frontier Foundation, ensures that when you visit sites that support the https technology, your communications will be encrypted. Download the Tor browser to cloak Internet communication; Tor encrypts and then bounces Internet traffic around a network of volunteer servers to mask its source and destination. Encrypt e-mail with GPG (GNU Privacy Guard) for Apple and Windows. Lock down conversations and texts on your Android phone with RedPhone and TextSecure from WhisperSystems (iPhone versions are in the works).
Trouble is, although some of these services are getting more user-friendly, most are more suited to the technologically advanced.
In the end, says lawyer Lee Tien, of the Electronic Frontier Foundation, consumers should be able to trust policymakers and the big tech companies with their privacy. “It’s got to be the big guys delivering the protections” in the same way other infrastructure is safeguarded, he says. “I drive over a bridge,” says Tien, “because we have a system that allows me to trust that the bridge won’t be defective.”