My supervisor is currently on annual leave. While he is relaxing with his family and recuperating after his year of teaching and research, he has left me with a number of tasks to complete; chief amongst them the reading and research for a publication we are currently working on. Instead, I have spent more time than necessary creating a LinkedIn profile, updating my Twitter account and sorting out my emails.
During the creation of my LinkedIn page, I was struck by the sheer volume of data that was being asked for; my name, my educational background, my job history – even my birthday and relationship status. But, of course, LinkedIn is essentially a virtual CV. Its purpose is to connect with other professionals in your field and exhibit your experiences thus far. Fair enough. I input my data. I then began on the fairly enjoyable task of adding connections. My undergraduate coursemates; added. My masters coursemates; added. Friends working in vastly different fields; added. My profile is currently in a juvenile stage – I have 24 connections (if you feel we should be connected, send me an invite!). It was here that I paused, read that these connections linked me to 295,481 other profiles, and promptly decided to take a break.
I have access to over a quarter of a million pages of data on complete strangers. Their names, gender, education, work experience, what they’re good at (and subsequently, what they’re not good at, or rather; not endorsed by their peers for) and possibly their dates of birth and relationship status. A stranger’s complete digital identity, available through simple navigation of a peer’s profile. On the flip side, over a quarter of a million complete strangers have access to my profile.
This openness invites risk. By sharing personal information so freely, users put themselves at risk of identity theft from criminal elements that have identified the opportunities offered by online social networks. The ease of navigation and vast quantity of data available allows information to be harvested efficiently and furthermore, as LinkedIn is a professional network it tends to attract individuals with higher incomes and thus is more attractive to criminal groups. The 2012 Social Identity Fraud Report by Javelin Strategy & Research identified that 10% of LinkedIn members were victims of identity theft, as opposed to 6% for members of Twitter and 5% for members of Facebook.
Identity theft, however, requires more research than is available on the LinkedIn profile. There are no bank details or home addresses, requiring criminal elements to phish for further details; usually either through scams or malware. It is, however, possible for an organised criminal to gain control of an individual’s online bank account by following their digital footprints.
What interested me more than the threat posed by cybercrime, though, was my new ability to collect information on the lives of complete strangers. From no more than a brief conversation with an academic at a conference, I may gain access to their professional network of colleagues and collect data on all of their lives. Similarly, I have very little control over who extracts the data that I have published about myself.
This, in turn, reminded me of PRISM; the recent mass surveillance programme revealed by The Guardian. For those not in the know, PRISM is a vast data-mining operation run by the National Security Agency of the United States of America, along with a number of other intelligence agencies and security services including GCHQ of the United Kingdom (The UK's electronic intelligence agency). The security services collected internet user’s personal data by working in apparent conjunction with large online companies such as Facebook, Yahoo and Google in order to collect the meta-data of their clients. This data is then stored by the intelligence services until such time as it becomes pertinent to access. Internet searches, online banking information, bookmarked websites, purchased items and the contents of emails and instant messaging are all susceptible to interception under this scheme.
When PRISM came to light, civil rights advocates were, to say the least, a bit peeved. The thought that the personal information of regular civilians not engaged in criminal or terrorist activity being accessed by governments was unnerving at best and a bit 1984-esque at worst. Most internet users I have spoken to regarding PRISM have been negative in their views of it (though I admit that my primary data is anecdotal, at best).
In defence of PRISM, when questioned on the need for it and whether or not it infringed on the civil liberties of internet users, William Hague, Foreign Secretary of the UK, said;
“If you are a law abiding citizen of this country, going about your business and your personal life, you have nothing to fear. Nothing to fear about the British state or intelligence agencies listening to the contents of your phone calls or anything like that. Indeed you'll never be aware of all the things those agencies are doing to stop your identity being stolen and to stop a terrorist blowing you up tomorrow.”
Essentially, if you have nothing to hide, then you have nothing to fear – and you have no need for privacy from the state.
I am not going to engage with this particular argument. Professor Solove from George Washington University has provided sound reasoning as to why this statement does not necessarily provide legitimacy to blanket surveillance programmes, and is well worth a read.
What I would like to comment on, however, is the disconnect that seems to exist between self-publication of personal information and the collection of it by a state actor. If individuals are willing to use websites like LinkedIn and share their life story with perfect strangers, then why are they not willing to do the same with the government? Not so much “nothing to hide, nothing to fear”; more “nowhere to hide”. When individuals publish their personal information on the internet, they lose control of it. Any one of my quarter of a million ‘second connections’ could, in fact, be operating a profile with the sole purpose of harvesting information. This, in turn, questions the extent to which individuals can expect privacy in an online environment when they, themselves, have published extensive details about their lives that can easily be accessed by complete strangers? The question I would like to raise here is this: If you were to Google yourself right now, would you be happy with the volume of information that was returned pertaining to yourself? Of course, different people will have different expectations of what constitutes a reasonable standard of privacy, making the challenge of finding a balance between privacy and security that much harder to find.
There is obviously an issue of consent to be raised here. Individuals consent to joining social networks; they input the data stored on their profiles themselves – and they rely on the security settings to keep specific elements of their personal information private. Arguably, nobody consents to having their personal information harvested, but most join social networks understanding how they operate. Even those that create social network profiles without understanding the way in which they work soon come to realise what is involved in creating and maintaining an online identity. They learn that they must consent to publishing the required personal information about themselves for the life of their account and they discover that the ease to which they can visit strangers’ profiles means that their profile is equally vulnerable. The benefits of being able to connect with friends, colleagues, peers and potential employers must therefore outweigh the risks that exist from strangers, or state/criminal actors, snooping on their personal life.
If you want to snoop on my personal life, I have LinkedIn and Twitter.