

09:50 AM

Businesses Improve Their Data Security, But Privacy Not So Much

While the California Consumer Privacy Act will force companies to provide a modicum of meaningful privacy, World Privacy Day still mainly celebrates data security.

The number of ways businesses track people has skyrocketed, and the increasing deployment of image recognition, machine learning, and data analytics has only accelerated the process. The result is a refocusing of attention not just on the security of the data that companies retain on people, but on whether privacy and technology can coexist.

Last week, Clearview AI, for example, found itself the target of a class-action lawsuit over its technology that, the company says, uses more than 3 billion images scraped from websites and social media to train a machine-learning algorithm capable of identifying a person in a photo with 75% accuracy. The technology can reportedly be used to identify victims and suspects in criminal investigations.

Clearview has joined Google as a favorite resource of law enforcement. Google is regularly subpoenaed by international and federal authorities for information about the phones that may have been close to a specific location at the time of a crime.

With the annual January 28 marking of World Privacy Day, a gap has become apparent. While regulations, such as the European Union's General Data Protection Regulation (GDPR) and the Payment Card Industry's Data Security Standard (PCI-DSS), have forced companies to take data security more seriously, the more general policy concept of privacy has largely remained in limbo. The California Consumer Privacy Act (CCPA) addresses some of the privacy gap, but most businesses are more focused on keeping their data from leaking rather than structuring their services to promote privacy, says Ray Walsh, a data privacy advocate at ProPrivacy.com.

"While companies spend a lot of time talking about consumer privacy and use 'privacy washing' as a way to gain PR credits with the public, the reality is that companies are primarily concerned with data security and the potential that a data breach could land them a hefty fine," he says.

Take Your Pick
Online citizens are largely left with a simple choice: Benefit from modern technologies and lose their privacy, or opt out of many of the technologies that have defined the past decade.

Posting a picture to social media? You've become part of Clearview AI's reverse look-up machine that uses facial recognition to find criminals and victims. Near a crime carrying your mobile phone? Law enforcement can subpoena records from Google's Sensorvault for every phone near a crime scene at a certain time. Use free antivirus? The company behind it may be selling your browsing data to marketers.

Ever since the beginning of the War on Terror in early 2001, privacy has taken a back seat to any technology that can help identify potential enemies. Originally, the administration of President George W. Bush had debated where to draw the line with online privacy: opt in or opt out. September 11 eliminated that, says John Ackerly, CEO of data-protection firm Virtru, who had been part of President Bush's National Economic Council in 2001.

"Privacy is one of the major pieces of collateral damage that no one talks about in our reaction to September 11," he says. "It set us on a path to use data and the Internet as a tool to combat terrorism, and I understand why, rather than really moving forward on where the President's instincts were on putting the consumer first."

For the past decade, companies have been focused on dodging online criminals and then nation-state actors intent on stealing data. With the passage of the GDPR, focusing on data security became a business imperative to avoid larger fines.

Yet the policy discussion and legal landscape have become more nuanced, says Ackerly. Companies are beginning to understand that customers want privacy, he says.

"I am optimistic as I've ever been on this journey that we will end up in a place where individuals will be able to take control over their data wherever it is shared," Ackerly says. "I think it is a combination of technology evolving and society just waking up to the trade-offs that we have made over the past 15 or 20 years."

The CCPA, which went into effect this month, has forced companies to be more responsive to consumers and change the way they do business. The legislation, while in effect only in California, will force companies to provide similar rights to most of their customers. Already, other states, such as Washington, are considering similar legislation, and the same grassroots effort behind the CCPA is developing a more stringent proposal for 2020.

"As a result, it will be much more difficult for companies to sell user data, especially without the user's knowledge," says Monique Becenti, channel and product specialist at Web security firm SiteLock. "Although California is leading the way in establishing and implementing this type of legislation, we expect to see other states follow suit given the number of companies that do business with California."

Yet, because data gives businesses a competitive edge, breaking companies' addiction to data will be difficult, ProPrivacy.com's Walsh says.

"Consumer data is going to remain a commodity that businesses will seek to profit from in any way they are legally permitted to," he says. "As long as the US government wants a piece of the pie, decisions like the one made in 2017 when the Trump administration ruled that it was legally permissible for US ISPs to collect and sell user Web browsing habits to third parties are going to keep placing consumer privacy at the bottom of the to-do list."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
