Is your personal data ever really private?
Americans can’t be blamed for questioning whether their digital data is ever entirely secure.
Yahoo (YHOO) on Wednesday disclosed a three-year-old security breach that compromised 1 billion user accounts. The same day, popular note-taking app Evernote changed its privacy policy, disclosing that engineers that oversee machine-learning programs may look at customer data to improve the service, causing a firestorm among its customers.
Both cases highlight the importance of understanding how companies approach personal data. Because online identities are always at risk, consumers should take steps to protect themselves, especially when it comes to sensitive data linked to financial accounts or email, cybersecurity experts say.
Personal data isn’t under threat only from hackers. It can also be imperiled by corporate privacy policies or user agreements.
“Privacy and marketing are often are at polar odds with each other,” said Paul Calatayud, chief technology officer of Overland Park, Kansas-based FireMon. “It’s important as a consumer in general to understand the services that you’re taking advantage of and figure out what the monetization could be. For example, when Google came out with their version of Picasa, their initial licensing said any photo you uploaded became theirs.”
Any service that is free -- such as Yahoo’s email -- often comes with marketing or data permissions that allow the company to analyze or sell customers’ information, he noted. “If it looks too good to be true because it’s free, they are most likely monetizing some of your data,” Calatayud said.
Evernote is currently coping with a backlash from customers after changing its privacy policy, with some customers taking to social media and vowing to close their accounts in response. The reason? Evernote said it’s adding machine learning to create new features, and some of its employees may need to review customer data “to make sure everything is working exactly as it should.”
Evernote’s privacy policy isn’t unusual, although the way the company disclosed the latest tweak “maybe made it more unique, and people are riled up about it,” said Aaron Tantleff, information security and privacy lawyer at Foley & Lardner. “If you go through privacy policies, there is always the ability to access information for law environment” or other purposes.
Tantleff added, “People should understand that with a free service, you are still paying for it, and you are paying for it with your data.”
“Time to uninstall Evernote. Like, right now,” wrote actor and blogger Wil Wheaton on Twitter.
Evernote, though, has had the right to read customers’ notes before this recent policy change. Spokesman Greg Chiemingo noted that its existing privacy standards allow employees to access a customer’s data for a number of issues, including “troubleshooting proposes” or if its terms of service have been violated.
With the latest changes to its privacy policy, any data reviewed by engineers won’t be personally identifiable, he added.
“We hope customers understand there is no broad set of employees accessing information,” Chiemingo said. He added, “The negative reaction is based on an unfortunate misperception of what’s going on. I have no access to customer data, and there’s no reason the vast majority of Evernote employees would access anyone’s notes.”
While privacy experts recommend that consumers read privacy policies and user license agreements, most people skip over the fine print and just click “accept.”
Calatayud said he tested this at a previous job when he sent out a new company policy to thousands of employees and buried an Easter egg in the fine print: If they emailed a certain account to say they had read the policy, they would receive $100.
“We had 1 percent of people send that email,” he said.
Consumers need to decide whether they trust the company with which they are sharing their information, said Terry Ray, chief strategist at Redwood Shores, California-based Imperva.
“Once shared, regardless of the trust the consumer has in the organization with which they share it, the only measure of security for consumer data is what the organization has implemented as a data security strategy,” Ray said. “My inherent trust of my bank, whether misguided or not, is still higher than that of a phone application, which I might personally see as less interested in protecting my private data.”
Relying on a password manager such as LastPass, which Calatayud said he uses, can help keep information secure. He said he groups his passwords into three categories. The lowest one is for social media sites such as Facebook (FB), where he says not much harm can come from a hacker breaking in.
The middle tier is for brand-related or reputation management, such as professional services such as LinkedIn (LNKD).
The top tier includes Calatayud’s email and financial sites, where a hacker could do real damage. He recommends multifactor authentication for the most sensitive sites.
“People need to think about how email is the new currency,” he said. “It’s critical in information and enabling access to your other accounts.”
Good password hygiene is increasingly essential as more companies deal with data breaches. People tend to reuse the same passwords, or slightly tweak their passwords to create a not-so-different variation, which heightens the chance that a scammer will gain unauthorized access, Tantleff said.
He said he believes companies that have been hacked should require their customers to reset their passwords, instead of merely recommending a password change.
“I do recommend people should read their privacy policies. They should think about what it collects,” Tantleff said. “You may want to think about going from a company’s free service to its paid version, because of the difference of what they do with the data.”