The risk assessment framework, connecting safely, and the new world of data
Transcript
Risk Assessment
This is a risk assessment or “threat model” that you can use to evaluate data security.
You can also use these questions to help your users understand the ways in which their data can be safeguarded. You’ve already begun this process in the previous reflection activities in module one.
The assessment questions listed here were developed by Electronic Frontier Foundation.
In the following modules, you’ll gain the background to help you understand and best answers to questions two through five.
This module will help you continue to build an understanding of who might be collecting your personal data and why, what that might mean, and steps you or library patrons might take to protect personal data.
Who collects digital data?
The default condition of our digital lives is a value exchange. As internet users, we often provide data in exchange for information, applications, services, or access to the internet.
Sometimes we make these exchanges intentionally, with full knowledge. In other cases we may have mixed feelings about the exchange, or be uninformed about details, or unaware that it’s happening at all.
Knowing risks and trade-offs will help you make exchanges that are right for you and your patrons, and better protect data online. Let’s begin by reviewing our definition of digital data, and also add in a second term, metadata.
Examples of digital data include: social security numbers, addresses, photos and videos, text messages, web browsing or social media activity history, email content, medical and financial records.
Metadata is information about other information.
Examples include time, date, and amount of time you spend using a web page; day, time, location, and type of camera used to snap a photo; recipient, address, date and server from which an email was sent.
Metadata may seem far less juicy than the web page, photo, or email it describes, but it is a rich source of information.
And there are a number of actors who have an interest in digital data and metadata.
These include, but are not limited to: corporations, governments, non-profit organizations, and malicious hackers and cybercriminals.
Their motives vary, and they may use different means to collect information online. Understanding the aims and methods of each will help you and your patrons make better data security choices.
Corporations are one of the most pervasive actors in the world of online data collection.
They may keep data generated by you and your patrons for themselves, or sell it to third parties or data brokers who sell to others. This data is a resource to be “mined” in ways that align with objectives of others, from advertisers to advocacy groups. Consider the case of many internet service providers, who have access to the internet traffic we generate, even at the library.
Your data may be used to generate advertising targeted to your interests, or tailored content, like political ads or misinformation, designed to influence your opinions. What’s more, our data can be combined in such a way that others can make inferences about our behaviors more broadly.
Using data you shared or revealed online, corporations build a profile of you. This profile could include your ethnic background, marital status, income, political affiliation, immigration status and more.
This profile may be used to create a more personalized digital experience, providing certain types of content that “match” your profile. However, a user profile can be constructed and used in ways that reflect racial, economic, and social biases, limiting your access to online content and opportunities, and serving as a means of digital discrimination.
Your online activities tell a story. It’s a story about your preferences, relationships, health status, life events.
Corporations use your story for profit. This is happening to such a degree that personal digital data has been compared to oil: a vast new, exploitable resource.
Connecting Securely
Now that the data we and our patrons create online can be extracted and recombined in such a way as to make a portfolio of the way we spend our time online, let’s start our discussion on how we can better protect our data.
We can start by connecting to the internet securely.
WiFi is the technology that allows local devices to send and receive data wirelessly using radio waves. Cellular connections operate in much the same way: data is sent wirelessly to base stations known as transmitters.
Wired connections tend to be more secure than wifi. They send and receive data faster.
Wifi has become more and more common than wired connections, and often much more convenient.
There are two types of public wifi: open networks, as found in the library. The other type is password-protected. If you’ve had to type in a password in order to gain access to a wifi network, you have used a protected network.
Free public wi-fi is a convenience for some; for others it’s the only option to get online. Be cautious about the data you send over any public connection, but especially an open connection, and here’s why.
If a wifi connection is unsecured, that means that any data sent over via this connection travels as readable packets of text, in every direction, “in the clear” as it tries to reach the router.
Anyone nearby who has a wifi device set to “monitor” traffic can intercept these packets. Most wifi devices do not have a “monitor mode” but anyone can buy such a device.
To help protect the data you and your patrons send on public wifi, make sure every site you visit uses HTTPS, the secure version of HTTP during your entire visit, not just during login. HTTPS will make sure your data is encrypted before it is sent.
Here is a list of tips for safer use of public wifi networks.
To be safe, you and your patrons need stay aware of how and when you are connecting. Identify if the network is legitimate, and be mindful of what you’re sending.
Using secure protocols on wifi will help keep your data safe. We’ll hear more about encryption with HTTPS in the next section.
Using HTTPS
In Module 2, you learned about HTTP, hypertext transfer protocol, and its variant, HTTPS.
The S in HTTPS is for secure. This means that everything sent via HTTPS is encrypted. Anyone intercepting packets sent by this method will find them an unreadable jumble of nonsense.
You and your users should only send sensitive data by HTTPS, and it’s easy to see when this protocol is active in the browser bar, as shown here.
Keep an eye on your browser bar for HTTPS. It’s becoming more and more common, but not all sites use it, and not all the time.
Some sites may just use HTTPS for the login or commerce functions only, while the rest of the data is sent via HTTP, easily readable to anyone, especially on a public wifi network.
Using VPNs for Extra Security
A VPN, or Virtual Private Network allows you to send and receive data, to browse the public web so not even your ISP can track your browsing history. It also adds a layer of encryption in addition to HTTPS, which protects your data and web activity over public wi-fi.
VPNs protect your online activity from your ISP and other sources. They can conceal your geographic location, and prevent data from being intercepted in transit.
There are lots of reasons to use a VPN. They are excellent tools for journalists, dissidents, activists and others who handle sensitive information. But everyday users have a right to this same level of protection, too, for searches about common private, personal matters.
Should you or your patron wish to make use of a VPN, it is important to ensure that your VPN provider is a trusted source. They act as a ISP, and have the ability to see your traffic.
In order for the VPN to shield you, you must provide them with your HTTP and HTTPS requests. See the resources section at the end of this module to learn how to evaluate a VPN service.