• PrivCom Bermuda

Massive data breaches show the need for "Herd Privacy"

As with public health issues, sometimes to be effective in protecting individuals' privacy we must think in terms of the herd...

Massive data breaches involving the biggest social media sites have shown yet again the value and need for laws like Bermuda's Personal Information Protection Act. These recent exposures included personal information for over one billion (!) users of tech giants Facebook, LinkedIn, and the newer application Clubhouse.


Specifically, the way these exposures occurred was through a practice called "data scraping," or the use of automated tools to scan for vast amounts of unprotected information.


Scraping is not a new problem - just last year Clearview AI intentionally used publicly-shared social media images to build a vast facial-recognition database. However, a new twist on the way data scraping practices take advantage of our connections is important for individuals to realise.


We've heard a lot lately about the value of herd immunity: how if enough of us protect ourselves by taking measures like vaccination, then the rest of the community will benefit because diseases won't have anywhere to spread. While "herd privacy" not a new idea, as we live more of our lives online and become more interconnected, safe behaviour and good hygiene by the majority of the community can have exponentially helpful effects.


One way that data scraping can cause harm is if individuals or organisations take advantage of how we choose to share information with our friends and connections. For example, many apps request access to our phone's Contact List to allow us easily connect with fellow users. For some apps, this is a legitimate or practical request, but for some it is less justifiable. In addition to knowing who we are connected with, this information also allows the app-maker (and anyone else) to better understand our identity using identifiers like our phone number.


In Facebook's case, this was the feature abused by data scraping to collect personal information. If one person shares their contacts with an app, suddenly that application may have access to personal information relating to a contact who has no business or consumer relationship with the app. Or, an individual may have previously chosen not to share their name or phone number with an app-maker - only for the app-maker to receive those details from another friend, which allows the organisation to connect the dots. This sort of mass data gathering is similar to the actions taken by Cambridge Analytica in past years to target individuals for political influence.


An easy way to think about this is that when you connect with a friend, they can see your listed interests and posts. Depending on settings, they may also be able to share your details with others, who may then be able to share, who may then be able to share, etc. Researchers have shown that our online privacy can depend as much on our friends' privacy settings as our own.


Ideally, anyone you connect with should be someone you trust to only use your information appropriately. I understand that is not always practical, as we connect with many people in our community and beyond, so we have to think of ways we can continue to connect while protecting the "herd." As with a public health emergency caused by a spreading disease, any individual who falls victim will go on to expose many more. Only by ensuring that we all protect our privacy can we protect the entire herd.


A good place to start is by limiting when you provide access to your contacts in apps and to stop doing so by default, and by checking who may access your profile details and share them.


In other instances of these recent exposures, the information is published to social media platforms "publicly." This means that the user did not select for restrictions on the information. Such a practice may be useful for individuals who wish to make money from sharing pictures or would like their LinkedIn profile to be viewed by recruiters.


In their terms and conditions, social media companies will often forbid the practice of automated scraping of public data, and users should be cautious about what they make "public," because the information could be used in surprising ways or for other purposes besides what the individual wanted.


Simply by possessing a database of public connections, someone will be better able to draw conclusions about individuals or reveal trade secrets. In one all-too-modern example, fans of a young adult book series deduced the lead actor's casting, because her father "followed" the producer on Twitter!


When an individual or organisation uses scraping to create a database of this public information, it can also cause security risks, since individuals may more easily be impersonated for identity fraud.


Users should consider carefully what they may accidentally be sharing publicly, and take the time to review privacy settings. Using our health analogies, these practices would be good personal hygiene for living a healthy online life, and the more people who do so, the better the "herd" is protected.


If you have questions or would like to learn more about how you can protect yourself, your family, and our community, you can reach out to the Office of the Privacy Commissioner using the details on our Contact Us page.


Alexander McD White

Privacy Commissioner