ENISA and the privacy considerations of online behavioral tracking

The European Network and Information Security Agency (ENISA) poses the question: is e-data the new currency? “Internet users are being increasingly tracked and profiled and their personal data are extensively used as currency in exchange for services.” If this is the reality, it says, it is important that all stakeholders understand the mechanisms and methodologies. “This study provides a technical perspective on behavioral tracking,” the report states, adding that while some advertising companies interpret DNT (Do Not Track) as an opt-out of targeted behavioral ads, “Tracking is the problem – not behavioral advertising.”

The analysis examines existing tracking techniques and future trends; the risk to users; mitigation methods; and recommended actions for the future.

The two main motivations for tracking are user profiling (mainly for targeted advertising), and web analytics. User profiling, however, goes beyond just advertising. “One of the biggest risks of tracking is global surveillance. This surveillance can be performed by government, for security or political reasons, or by companies for commercial reasons,” notes ENISA. But it also warns that collected data can be wrong: “The potential harms are error, abuse, lack of transparency and accountability.” The reality in the modern world is that incorrect tracking by some governments could prove terminally wrong.

The report also shows that we are only in the early days of user profiling, where the convergence of different technologies is beginning to demonstrate disturbing potential. It highlights ‘reality/physical mining’ and ‘augmented reality.’ For the first, it notes that modern smartphones have multiple sensors automatically and continuously collecting data on both location and user. “The idea of collecting so much personal information naturally raises many questions about privacy and portends the specter of a surveillance society,” comments ENISA. For the second, it highlights a recent study demonstrating that anonymous photos (such as might be used on a dating site) can be matched to names by comparison with social networks such as Facebook. Such “inference techniques will become increasingly feasible,” warns ENISA, and difficult to control “since all presented results were based on publicly available information.”

Apart from government surveillance, other dangers in increased behavioral tracking highlighted by ENISA include service and price discrimination (a particular problem in insurance since the profiling could reveal a propensity for a particular disease, leading to increased premiums); and ‘personalization’, where users get trapped in a ‘filter bubble.’ “In authoritarian states,” comments ENISA, “personalization could also be used to increase censorship by selecting news to show to specific users.”

Current protective measures fall into three broad groups: technology, legislation and education. Empirically, these are not sufficient – even legislative controls. ENISA mentions the European ePrivacy Directive. “In practice,” it says, “the directive has had little force; Member States have not taken any measures to enforce compliance, and in many cases they have treated browser cookie settings as adequate implementation [EU2011].”

So, what to do? ENISA makes 9 recommendations, aimed variously at policymakers, the industry and researchers. These range from refocusing the attack on tracking rather than advertising, to developing more meaningful privacy policies, better privacy tools and better violation detection. Mobile devices are not omitted. The problem here is that many of the available anti-tracking options are PC browser-based, while mobile third-party tracking occurs in the third-party app; so “solutions adapted to mobile platforms should be developed.”

Finally comes the recommendation that has been strongly, but not very successfully, voiced by privacy advocates for years: privacy by design. “More broadly,” suggests ENISA, “the burden of enforcing online privacy should be shifted to businesses. This will push companies to integrate privacy into their products and processes, instead of disclaiming liability for privacy in legal notices.”
