It is difficult to trust websites to protect personal information, especially amid reports of data leaks and privacy breaches, but online anonymity may still be possible if consumers are aware of what they're sharing online, and organisations observe best practices.
A recent study by Stanford University's Computer Security Laboratory, which assessed 185 high-traffic websites, found that more than half shared a consumer's username or user ID with another site. Among these top recipients of the user information were Google, Facebook, ComScore and Quantcast.
Information leakage is a pervasive concern, said Jonathan Mayer, a Stanford graduate and the study's author, noting that 61 per cent of websites that he interacted with leaked a username or user ID.
"Many times, developers are not thinking about privacy issues, and it's a fact of life that information is going to leak to third parties. I think we have to recognise that's just the way the web works," Mayer said in a Reuters report.
According to Stephen Cobb, security evangelist at ESET Security, trust is difficult to evaluate online, as consumers tend to trust well-known brand names, but many big brands have, at times, failed to keep promises about security and privacy.
Cobb told ZDNet Australia's sister site ZDNet Asia that Microsoft, for instance, was taken to court by the American Federal Trade Commission (FTC) when the software giant's claims about privacy and the security of its passport online authentication were challenged by consumer groups.
Many consumers are happy to share information about their personal preferences in order to receive relevant information, promotion and offers, or for popular online activities, such as banking and shopping, Cobb noted.
However, he said it is disturbing that the Stanford research revealed that personal information is being shared "without the conscious knowledge" of consumers.
"Websites will eventually lose the trust of consumers, and their online business, if they cannot control the type and amount of personal information that is being shared, and limit the number of parties with whom it is shared," he cautioned.
Joseph Steinberg, CEO of Green Armor Solutions Information, added that data leakage is also made worse by hackers who can also attempt to undermine the policies of companies and websites.
Craig Spiezle, chairman of the Online Trust Alliance (OTA), noted that incidents of data loss occur every day, and while the majority of websites adhere to best practices, there is still no guarantee that user information will not be leaked. If cyber criminals are willing to spend their time and CPU resources, they can compromise most sites via exploits or social engineering, Spiezle explained in an email interview
"[Consumers] must understand that any data they post online can ultimately leak to the public," he said. "Do not rely on websites to be totally secure. If they are breached, you and your data leaks will not be safe."
Online anonymity difficult, but still possible
Remaining anonymous online is getting harder every day, Spiezle noted.
"Think of it as millions of individual pixels of information. By themselves, or with a limited amount of data, they are abstract," he said. "Altogether or combined, they provide a mosaic of who you are."
Paul Ducklin, Asia-Pacific head of technology at Sophos, explained that even anonymous data can sometimes be "mined" to be traced back to a group, or even individuals. He noted that a few years ago, AOL published several months' worth of anonymised search data whereby each subscriber's name was replaced with a random number that gave no hint of the user's identity. Yet, searching the number can provide sufficient details about the users that a US journalist was able to quickly identify, contact and interview one of these names.
However, Green Armor's Steinberg concurred that online anonymity and privacy are still possible to a large extent, in terms of browsing.
Most internet service providers (ISPs), including Google, do not release usage information, so anonymity is ensured based on policies rather than technical systems, he explained.
For absolute anonymity, more must be done, he said, but he noted that most people will not bother with the inconvenience and cost necessary to achieve this. For instance, there are people who are willing to dedicate computers for use solely on public Wi-Fi networks, and who use anti-tracking software on these computers so they can browse with greater anonymity, so that even the ISPs do not know who they are, he explained.
There are also tools for browsing anonymously from home, Steinberg added, but their anonymity is ensured by the policies of the underlying technology, not by technical limitations.
Companies check policies, users beware
Keeping information secure often boils down to the fundamentals comprising a number of well-established security best practices, ESET's Cobb said. There are technical practices, such as hardening the servers, reducing the attack surface, patching fast and often and "application white-listing", he noted.
Data leakage also occurs sometimes due to "overly aggressive" marketing programs that are conducted without sufficient oversight, he said. Business practices should be reviewed periodically to ensure that what the marketing department and site developers are doing with the data is consistent with the company's stated privacy policies, Cobb said.
There are also best practices in policy and procedure, such as background screening and security training for all employees who handle personal data, he said. Companies need to back their publicly stated commitment to privacy with policies that are strictly enforced in the workplace and their online activities, he added.
Failure to do so can lead to data leakage and regulatory scrutiny, Cobb warned, both of which can be very costly to the company's brand image and bottom line.
Companies and websites should also move to a design culture that favours security and privacy, Spiezle added, noting that they should work to minimise data collection, reduce retention periods and continually monitor systems and data flow.
As for users, Ducklin of Sophos remarked that consumers "love" social networking to the point that many of them give away too much information about themselves, their lives and their lifestyle "far too frequently".
"A good starting point to boosting your privacy online is to think twice before you give out anything," he advised. "If in doubt, don't give out. You can have plenty of fun on the internet without telling the world everything about yourself."
If the data is not there, it cannot be lost or stolen, he said. Ducklin added that celebrities can prevent their nude photos from being stolen if they stopped taking nude photos of themselves on their mobile phones.
Via ZDNet Asia