Literature Review

Mitigating personal information exposure on the web

Introduction

There are many studies focusing on the exposure of, and necessary protections for, personal information on the Internet. These studies can largely be split into two groups: those identifying risks associated with sharing personal information online, and those proposing solutions for the protection of that personal information. Young people are commonly identified to be at risk as a result of sharing personal information [1][2], and social networking sites are often cited as a high-risk point for this to occur [3][4]. To protect personal information, some studies look at potential technical measures [5][6], while others focus on legal recourses [7].

Risks

Studies into risk due to sharing personal information online mainly identify identity fraud and phishing as two of the major concerns. There are studies identifying possible vectors for this to happen – online dating networks, due to the increased assumptions of personal legitimacy involved, have been noted as a prime target [8]. Aunshul finds that users of online dating services are more willing to share personal information in return for a perceived personal connection, and are victimised by fraudsters for this reason.

Based on a similar premise of increased willingness to share personal information, social networks have also been identified as a prime vector of identity fraud – in particular where social networks such as LinkedIn are used to share corporate or organisational data. Silic & Back (2016) [9] showed this; in particular, they identify that where social networks provide relevant contextual information such as a matching employer, users are more susceptible to phishing for sensitive data. Studies on related topics, such as the study by Livingstone, Haddon, Görzig, & Ólafsson (2011) [3] into the risks children face online, also cite social networks as a high-risk point for accidental disclosure of personal information.

Mitigation

Risks such as these pose a significant threat to personal integrity, and hence require some form of mitigation. Proposed protection systems often focus on social networks because of their often large userbase and high risk. One such system is proposed by AbdulKader, ElAbd & Ead (2016) [10], who put forward a system of weighting the importance of individual data with regards to their sensitivity, and using these weightings to hide more sensitive information. Although this system does result in lower vulnerability of personal information, it seems to have the disadvantage of encouraging users to rely on systems to protect their personal information, which would have a negative effect on privacy outside social networks, where such systems do not operate.

Another technical solution to protecting personal information is outlined by Jammalamadaka, et al. (2011) [5]. The solution proposes to protect personal data stored with web-based data-hosting services (WDS) – such as Google Drive – by intercepting HTTP requests to them and encrypting any personal data they contain before it reaches the WDS. This results in a substantive increase in privacy, as the data involved is no longer available in plaintext to employees of the WDS or to attackers who gain access to its database. However, the approach described requires “service adapters” to be written for each WDS that should be protected. These service adapters must be written by someone with expert knowledge both of HTTP and of the WDS’ request definitions, which severely limits the number of people capable of doing so. This raises a question about how trusted sources for service adapters can be identified and broadcast.

A third solution promotes the idea of a personal information management system (PIMS), which is essentially a private server that contains and manages all personal information about the owner of the server [6]. The authors state that the use of a PIMS “does not prevent data sharing, [it] prevents unilateral data hoarding.” This results in only a small increase in privacy – while users are given more control over what data they share, the PIMS must be configured correctly to prevent accidental disclosures of sensitive personal information such as National Insurance numbers (or Social Security numbers in the US) or credit card details.

Other studies focus on legal responses to such risks. Cassim (2015) [7] looks into the legal responses to identity fraud in three countries: South Africa, the UK, and the US.

South Africa has introduced the Protection of Personal Information Act (POPI) which seeks in part to establish standards under which all collection, storage and processing of personal information must be conducted. It prohibits collection of personal information without explicit consent, and specifies heavy penalties for non-compliance [7].

Similarly, the US has passed the Identity Theft and Assumption Deterrence Act, which makes using or transferring personally identifying information without its owner’s explicit consent a criminal offence [7]. Lastly, the UK enacted the Data Protection Act in 1998, which requires companies to apply strict privacy controls when handling personal information [11][7].

These laws for the most part introduce penalties for the incorrect or criminal handling or use of personal information. These penalties are useful as a deterrent to potential identity thieves, and are also valuable in prosecuting criminals once caught, as they set out consequences for specifically related crimes as opposed to generic theft or fraud. However, while this does provide some mitigation of personal data exposure, the mitigation is mainly retaliatory rather than preventative. It can be argued, therefore, that such legal approaches to the risks are not as effective as the technical solutions that prevent data from being exposed to crime in the first place.

Conclusion

There is a wide scope of literature covering the risks and mitigations for exposure of personal information online. There is a wealth of information on technical solutions that prevent information from being obtained illegitimately in the first place, and there are some studies - although fewer in number - that cover legal responses to crimes committed using personal information collected online.

References

  1. Bryce, J., & Fraser, J. (2014). The role of disclosure of personal information in the evaluation of risk and trust in young peoples’ online interactions. Computers in Human Behavior, 30. doi:10.1016/j.chb.2013.09.012.
  2. Bryce, J., & Klang, M. (2009). Young people, disclosure of personal information and online privacy: Control, choice and consequences. Information Security Technical Report 14, 160-166. doi:10.1016/j.istr.2009.10.007.
  3. Livingstone, S., Haddon, L., Görzig, A., & Ólafsson, K. (2011). Risks and safety on the Internet: The perspective of European children. Full Findings. LSE, London: EU Kids Online. Retrieved from LSE.
  4. Barbovschi, M. (2014). Dealing with misuse of personal information online - Coping measures of children in the EU Kids Online III project. Communications: The European Journal of Communications Research, 39(3), 305-326. doi:10.1515/commun-2014-0114.
  5. Jammalamadaka, R., Mehrotra, S., & Venkatasubramanian, N. (2011). Protecting personal data from untrusted web-based data services. Network Security, 2011(9), 11-16. doi:10.1016/S1353-4858(11)70096-4.
  6. Abiteboul, S., André, B., & Kaplan, D. (2015). Managing Your Digital Life. Communications of the ACM, 58(5), 32-35. doi:10.1145/2670528.
  7. Cassim, F. (2015). Protecting personal information in the era of identity theft: Just how safe is our personal information from identity thieves? PER: Potchefstroomse Elektroniese Regsblad, 18(2), 69-110. doi:10.4314/PELJ.V18I2.02.
  8. Aunshul, R. (2009). What's Love Got to Do with It? Exploring Online Dating Scams and Identity Fraud. International Journal of Cyber Criminology, 3(2), 494-512.
  9. Silic, M., & Back, A. (2016). The dark side of social networking sites: Understanding phishing risks. Computers in Human Behavior, 60, 35-43. doi:10.1016/j.chb.2016.02.050.
  10. AbdulKader, H., ElAbd, E., & Ead, W. (2016). Protecting Online Social Networks Profiles by Hiding Sensitive Data Attributes. Procedia Computer Science, 82, 20-27. doi:10.1016/j.procs.2016.04.004.
  11. Ford, M. (1999). Recent legislation. The Data Protection Act 1998. Industrial Law Journal, 28(1), 57-60.