
CARDIFF UNIVERSITY SCHOOL OF COMPUTER SCIENCE AND INFORMATICS

Personal Online Risk Assessment


CM3399 Communication Networks and Pervasive Computing
Philip Strong
0807259

The internet is a global network overflowing with information and innovation; however, the personal information of the average user is routinely targeted by information harvesting companies and organisations. This paper discusses the methods and risks of this practice and concludes by judging whether the lack of privacy is a fair price to pay for the services offered in return.

Introduction
In recent years, the internet has moved from a tool reserved for business and enthusiasts to a commodity found in most homes, and available almost everywhere. This has enabled people to communicate with each other more easily than ever before and to obtain information quickly and simply. However, with this increase in information availability comes the risk of decreased privacy and discretion, and recently companies have been exploiting this for financial gain and marketing, through various methods. The continuous flow of information that users place in the control of the service providers allows them to analyse the data as they see fit. An advantage for these companies is that they can do almost anything they want, as their users must accept their privacy policy on registering with the service, and most people don't read them (Masnick, M. 2009). In this paper, the methods companies use to obtain personal information, the data they store and what can be done with it will be discussed, as well as the consequences of allowing this data to be acquired and how you can avoid giving it away. This report will pay particular attention to the actions of the current leaders in the personal information industry.

The companies seeking your personal information


Several companies use your data for internal purposes, such as targeted advertising and behavioural marketing, but others specialise in obtaining this information to sell to other companies. The main players in this industry are websites which pose as service providers, such as social networks and search providers. The main examples of these companies are Google and Facebook, though many other websites employ similar techniques.

Google is an internet software services provider, which was at first merely a search provider, but has now expanded its service portfolio to include web-based email, office productivity, mobile software, a web browser, and social networking. All these services require the user to input information, which is analysed and used to target advertising. Google's annual revenue in 2011 was $37.9 billion.

Facebook is the most used social networking website in the world, with over 800 million active users (NYTimes, 2012). Users sign up, add contacts and personal information, and broadcast messages to their contacts with status updates. Other services are available, such as photo uploading, event organisation and content delivery apps. This information is all used to build a profile of the user, which is in turn used to target adverts based on their actions, as with Google. Facebook had an annual revenue of $3.71 billion in 2011, where 88% of their revenue was from advertising (SEC, 2012).

Methods of obtaining personal data


A lot of people make it very easy for these companies to gather the data they require. Many companies offer a service in exchange for the right to use your data. For instance, Facebook offers many communication and social services, whilst funding this by selling its users' information and data. Google offers a vast array of software services and ultimately makes money by analysing your input to their services and targeting its advertising to products and services that you are most likely to take an interest in. This results in little work being required to coax your personal information from you, as you feel as though you are merely using a website to talk to a friend, update your family or write an email. You don't feel as though you are giving the service provider the information they need to sell to advertisers. The phrase "If You're Not Paying for It; You're the Product" (Fitzpatrick, J, 2010) has been used many times to describe the business models of Facebook and Google, because the service they appear to offer is merely a front end to the information vacuum cleaner that is paid for by large companies.

Even if you were to not use these services, or you felt you didn't put any information into their systems, you are not free from them. Whenever you send an email to a Gmail address, your email will be analysed by Google and your information may be stored on their servers. If a friend uploads a photo of you or mentions you in a post on Facebook, Facebook has the ability to pick out your name and begin creating a profile of you even if you were never to use the website.

These methods are somewhat obvious and, as you are inputting information into their services, make it easy for them to obtain your information. However, other methods are employed which may seem more intrusive and are so seamless that you may not know you are being watched. Whenever you search with Google, your search is logged. When you click a link, your IP address is logged and a timestamp taken, and all input to web forms is logged in the same manner. Google leaves cookies on the computers of its users, which track the movement of the user around the web, and all of its server logs are kept, which hold information such as IP address, browser type, operating system and location. This small amount of information allows you to be identified and a profile of you built as you use their services more and more (Dover, D. 2008). Google also offers Google Chrome, a browser that offers many benefits over its competitors, with the price being that it is even easier for Google to see what websites you've visited.

Server requests are also used to implement a technique called web bugs (Smith, M. 1999). This is where an almost invisible object is embedded into a web page or email (usually a 1x1 pixel GIF image), which causes the client to make an HTTP request to a server, which will then capture the information sent with the request: the same information that is sent with a regular server request.
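The web bug technique described above can be spotted from the reader's side by looking for images that are effectively invisible yet load from a host other than the page's own. The following is an added example, not part of the original essay: a heuristic scanner in Python whose function names (`find_web_bugs`, `WebBugFinder`) are hypothetical and whose sample page and `.example` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def _size(attrs, name):
    """Pixel size from the width/height attribute, else from inline style."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", attrs.get(name, ""), re.I)
    if not m:
        m = re.search(r"(?:^|;)\s*%s\s*:\s*(\d+)\s*px" % name,
                      attrs.get("style", ""), re.I)
    return int(m.group(1)) if m else None

class WebBugFinder(HTMLParser):
    """Collects <img> tags that are tiny or hidden and load from another host."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if (not host or host == self.first_party
                or host.endswith("." + self.first_party)):
            return  # relative or first-party URL: no third-party request
        w, h = _size(a, "width"), _size(a, "height")
        if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden",
                     a.get("style", ""), re.I):
            self.findings.append((host, "hidden by CSS"))
        elif w is not None and h is not None and w <= 1 and h <= 1:
            self.findings.append((host, "%dx%d image" % (w, h)))

def find_web_bugs(html, first_party_host):
    """Return [(third_party_host, reason), ...] for suspected web bugs."""
    finder = WebBugFinder(first_party_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page; every host is a placeholder under .example
SAMPLE = """<html><body>
<img src="https://news.example/logo.png" width="200" height="60">
<img src="https://static.news.example/photo.jpg" width="640" height="480">
<img src="https://tracker.example/p.gif?page=/article/42" width="1" height="1">
<img src="//ads.example/b.gif" style="width:1px; height:1px">
<img src="https://metrics.example/o.gif" style="display:none">
<img src="/img/spacer.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for host, reason in find_web_bugs(SAMPLE, "news.example"):
        print(host, "-", reason)
```

The first-party 1x1 spacer is deliberately not reported, because it sends no request to an outside server; only the three third-party images are.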

The data they have on you


When creating an account for these services, people fill in a large form, handing over chunks of information about themselves for free. Personal details like name, address and contact details are the obvious variables that are easily obtainable. Hobbies and interests are a little harder to acquire, but by analysing the actions of the user this information can be discovered. Search information, status updates and posts, and the fan pages you visit are stored to begin to create a profile of your personality and interests. Other information, such as contacts and activities, is extracted by analysing your communications, creating a network of associates and monitoring what web pages and sites you visit, and when. A non-detailed list of all the information Google admits it can obtain from its users was compiled, spanning 9 pages (Dover, D. 2008). Some of the more surprising information Google may hold about you includes all text you've translated using Google Translate, your stock portfolio from Google Finance, your bank information from Google Checkout, where you are at any given time using Google Calendar and Google Android, and your height, weight and blood type from Google Health (Dover, D. 2008). This is just a brief selection of the information they hold, and this is just Google.

Controversy surrounding information tracking


Information harvesting companies have recently been criticised for their practices when attempting to procure users' information, using technological loopholes and vague legislation to allow them to capture as much information about their users as possible. Facebook has been called out for supposedly attempting to continue tracking users after they have logged out from the service, by retaining cookies containing information that can be used to identify an account (Williams, C. 2011). This extends the risk of sensitive personal data being tracked when the user has explicitly expressed, by logging out, that they do not wish to be followed. Whilst Facebook has denied that cookies were stored on the computers for tracking purposes (Protalinski, E. 2011), it still might compromise their privacy policy. Google has very recently changed its privacy policy to cover all its services rather than having an explicit policy for each service. This policy means that information collected from one service can be used across all its other services; for instance, your search history can be used by Gmail, YouTube and Google Plus, all to target adverts to your interests (The First Post. 2012).

Avoiding being watched


If finding out how much companies like Google and Facebook know about you has scared you, you might be pleased to know there are ways to reduce how much they can discover. Whenever you use one of their services your action will be logged, but by only sharing information you are comfortable with them knowing, and taking steps to reduce any other information they can obtain, the risks can be reduced and the internet experience made more private.

The privacy policies of these services will explicitly state the information they harvest and their sources. It is recommended to read the privacy policy, especially the parts which state this information, before signing up to them. If the service claims to obtain or share information that you are unwilling to divulge, it would be unwise to use it, as once you have accepted a privacy policy, the service provider is then allowed to log or track anything that they have stated.

Because these services often rely on cookies to track your movement around the internet, browser plugins are available to contain these cookies to just the browser session. An example of such a plugin is Disconnect, available from http://disconnect.me. This plugin attempts to reduce the information that is tracked about you when browsing the internet, whilst not impacting on the usability of the services (Purdy, K. 2010). This plugin, for instance, supports multiple browsers and was created by an ex-Google employee; however, many similar plugins exist with a similar goal.

Modern browsers include a privacy mode: Private browsing in Mozilla Firefox and Incognito mode in Google Chrome. These modes are designed to leave as small a footprint as possible on the computer they are being used on; however, they also provide a benefit to the user concerned about online privacy. One feature is that no cookies will remain on the system after the browsing session is over; a normal browsing session will retain all cookies unless they are manually deleted (Google Chrome Help).

Regulation of the internet


These services are evolving into a relatively new market, and often take advantage of a playing field with few rules and little regulation. There has been much debate about whether the internet should or should not be regulated (Darlington, R. 2009), and so far it has been regulated much like traditional media. Seeing as the internet is now full of media created by the general public, this model is not sufficient, and if information harvesting companies are to exist on the internet, there needs to be a form of regulation to ensure the user is not exploited and their privacy remains intact. On the other hand, regulation may kill these services. Whilst some may insist that they invade privacy, they do also offer high quality, free services and tools, and by increasing the effectiveness of advertising can also contribute to the stimulation of economies.

The risk of sharing your information


With so much tracking taking place, it raises the question of what possible consequences there could be from allowing information companies to harvest the personal information of almost every web user. The user assumes that their data is safe with the service provider, but what if the provider were to be the victim of a highly sophisticated attack, revealing personal information about its many users? This might sound far-fetched, but it has already been attempted, with attacks on both Google (Wee, S and Oreskovic, A, 2011) and Facebook (Waugh, R, 2012) taking place recently. This leaves personal information which would otherwise be secure moderately easily accessible to criminal organisations and hackers.

Information about you could be used by the police, forensic investigators and the government against you in court. If an information harvesting company were supplied with a subpoena, they are legally required to hand over any information that they hold on a suspect. This could include private messages sent on Facebook Messages or Google's Gmail, pictures uploaded to a Facebook profile or a Google Picasa account, or even locations visited using Facebook Check-in or Google Android.

Conclusion
This report has discussed the amount of information that is stored about internet users, focussing on the practices of Facebook and Google. These services target adverts to the user whilst masquerading as a free service provider, offering a tantalising array of social media and productivity applications that entice the user to feed the companies personal information without thinking about where it is going. Even so, is this invasion of privacy a price worth paying for the vast collection of seemingly free tools and features? This is not a question with a definitive answer; however it has been discussed that there are methods of mitigating the risks and reducing the amount of information these services can harvest from their users. If a user is willing to have their personal information analysed and stored to target advertising to their interests, this business model offers many benefits to the user whilst being mutually beneficial to the advertisers and the information providers alike. To a user that is very conscious of their online footprint, the benefits may not outweigh the apparent invasion of privacy, and as such the services may be considered as more of a breach of trust than a free tool. However, it has been shown that these services can also track internet users who are not members or users of the particular services or websites. On a personal level, I feel that the risk is acceptable when steps are taken to reduce the amount of information available to the service providers. I use services which are funded by advertising revenue whilst using the disconnect.me plugin. I pay particular attention to the information I share with the services. I believe that my personal information, when intelligently managed, is a fair price to pay for the standard of the services that are provided.

References
Masnick, M. (2009). People Don't Read Privacy Policies... But Want Them To Be Clearer. Available: http://www.techdirt.com/articles/20090216/1803373786.shtml. Last accessed 1st March 2012.

NYTimes. (2012). Facebook Business Profile. Available: http://topics.nytimes.com/top/news/business/companies/facebook_inc/index.html. Last accessed 1st March 2012.

Securities and Exchange Commission. (2012). Facebook Registration Statement. Available: http://www.sec.gov/Archives/edgar/data/1326801/000119312512034517/d287954ds1.htm

Fitzpatrick, J. (2010). If You're Not Paying for It; You're the Product. Available: http://lifehacker.com/5697167/if-yourenot-paying-for-it-youre-the-product. Last accessed 2nd March 2012.

Dover, D. (2008). The Evil Side of Google? Exploring Google's User Data Collection. Available: http://www.seomoz.org/blog/the-evil-side-of-google-exploring-googles-user-data-collection#list. Last accessed 2nd March 2012.

Smith, M. (1999). The Web Bug FAQ. Available: http://w2.eff.org/Privacy/Marketing/web_bug.html. Last accessed 2nd March 2012.

Williams, C. (2011). Facebook criticised for 'tracking' logged-out users. Available: http://www.telegraph.co.uk/technology/facebook/8789942/Facebook-criticised-for-tracking-logged-out-users.html. Last accessed 2nd March 2012.

Protalinski, E. (2011). Facebook denies cookie tracking allegations. Available: http://www.zdnet.com/blog/facebook/facebook-denies-cookie-tracking-allegations/4044. Last accessed 2nd March 2012.

The First Post. (2012). Should we fear Google's privacy policy changes? Available: http://www.theweek.co.uk/technology/google/45673/should-we-fear-googles-privacy-policy-changes. Last accessed 2nd March 2012.

Purdy, K. (2010). Disconnect for Chrome Disables Third-Party Tracking While Keeping Webapps Operational. Available: http://lifehacker.com/5713277/disconnect-for-chrome-disables-third+party-tracking-while-keeping-webappsoperational. Last accessed 2nd March 2012.

Google Chrome Help. Incognito mode (browse in private). Available: http://support.google.com/chrome/bin/answer.py?hl=en&answer=95464. Last accessed 2nd March 2012.

Darlington, R. (2009). How the internet could be regulated. Available: http://www.rogerdarlington.me.uk/Internetregulation.html#IR2. Last accessed 2nd March 2012.

Wee, S and Oreskovic, A. (2011). Google reveals Gmail hacking, says likely from China. Available: http://www.reuters.com/article/2011/06/02/us-google-hacking-idUSTRE7506U320110602. Last accessed 2nd March 2012.

Waugh, R. (2012). Watch your wall: New Facebook attack has stolen passwords from 45,000 users - and could be spreading through infected links. http://www.dailymail.co.uk/sciencetech/article-2083118/Facebook-hacked-Ramnit-worm-stolenpasswords-45-000-users.html. Last accessed 2nd March 2012.
