2012 was a wild ride for cyber security and data privacy with no signs of reprieve as we slide into the New Year. So, how well did we do on our predictions from last year? At the end of 2011 I predicted there would be increased scrutiny of the third party data mining industry, and that has happened. A significant percentage of consumers continue to be concerned that data about them is being accessed and used for commercial purposes without their permission, with the potential for a variety of unhappy consequences.
Social networking continued to be an area in which data sharing caused controversy and unhappy customers (although customer does not quite sound right if the service is free, which all of the major social networks are). As Ryan Goldberg pointed out, social networking has become fertile ground for data abuse, intentional or otherwise. In 2012, the 800 pound gorilla in the social networking room – Facebook – had to start answering to more privacy pundits about what happens to the user data that's been shared, especially sensitive, private data.
Starting in Europe, Facebook users began requesting full lists of all the data that Facebook had about them. This related to a provision in EU law which implies that users could make the request and businesses had to comply. (Facebook has its EU headquarters in Ireland, so the Irish data protection commissioner got involved and several data privacy audit reports were produced, none of which, not surprisingly, satisfied everyone).
Some Facebook users who asked for their own data found the company had over a thousand pages of information about them from a single account, a finding that raised not only awareness but also the level of debate about the implications of social networking. Soon, users in the United States started making similar requests, but began sensing a certain degree of pushback during the process.
During the same time period, after the social networking behemoth went public, investors started to exert more pressure to monetize the vast pools of user data already accumulated. Weighed against privacy advocates, this started to create an uncomfortable tension, which is still evolving. In the meantime, following security and privacy settings changes at Facebook, we found more and more places that a user has to look to ensure data isn't shared with third parties, a non-trivial task.
But what about companies in the data mining business? In 2012, we read that the web analytics company Compete had settled Federal Trade Commission charges over its data collection practices. Clearly, the FTC thinks data mining companies should be much more transparent about what they do with your information, and many consumers agree (our infographic showing the diversity of data that Google could potentially mine was one of the most widely shared posts on the ESET blog this year).
That infographic was prompted by a change to Google's privacy policies. Such changes caused waves of discussion through the entire year, which was notable for a long string of privacy apologies after a variety of surreptitious data collection practices came to light. The cavalier attitude to address book information displayed by the mobile social network Path was just one of many such incidents. Just this week, we see a ton of discussion about changes to the terms of service at Instagram, one of 2012's fastest growing social networks with over 100 million users.
For consumers, the implication of current trends in data mining is to be mindful of the potential abuse of personal information before agreeing to hand it over, and before placing it online in such a way that it might be turned over without your consent. For businesses, the lesson seems to be that transparency is the best policy, at least if you want to avoid outbreaks of outrage or you have an aversion to making very public apologies.
We expect the public scrutiny of data mining companies to increase in 2013 and the whole idea of any single entity aggregating massive amounts of data on Americans is likely to be up for discussion as people learn more about the NCTC (National Counterterrorism Center). This year the U.S. attorney general granted the NCTC authority to collect, store, and analyze extensive data collections on U.S. citizens compiled from non-governmental sources.