One aspect of privacy that is often overlooked is how several, seemingly minor, pieces of information can be combined to produce a much more serious privacy breach.
A simple example of this comes from the world of online payments. When sending order confirmations by e-mail, many merchants will use the last four digits of a payment card. This is enough to let the user know that their card has been charged, but still safe to transmit as there is not enough information to allow fraud.
If an eavesdropper intercepts the email, they will know the customer email address and the last four digits of the payment card. With this information, the eavesdropper may be able to find the customer on social media. Many people list their date of birth on social media accounts, and even if this is not publicly visible then dated posts with birthday greetings will allow an attacker to determine the day and month, and often the year as well from comments about the person’s age. This again is considered to be fairly safe.
The eavesdropper now has a user’s email address, date of birth and the last four digits of their card. For a number of online services, this is enough information to allow a reset of the password and email account. With access to the user’s email, the attacker has potential to gain much more information and control of the users’ other online accounts.
None of the information leaked is problematic individually, but cumulatively it becomes a serious problem.
Personal fitness data
Many people have a mobile phone or a similar device set to log their exercise habits and happily share these details openly online. Generally this data isn’t seen as a privacy breach, and can often be a source of pride, but think about the things it may give away.
A sudden drastic change in exercise habits may indicate a serious health problem, and when correlated with other data (such as time off work or vague posts on social media from friends) this could disclose information to co-workers and employers that the user does not yet wish to share. Users who log their daily walking habits could have further details leaked if GPS data shows they were in the vicinity of a particular clinic, and users who log their diets could indicate a type of medical condition by a sudden diet change.
Fitness details and social media posts can also reveal long term patterns of movement. A user may not wish to disclose particular political or religious affiliations or employment in a sensitive job, but an adversary with a leaked list of locations where important events happened may be able to correlate this with people whose social media comments and GPS details of exercise regularly put them in the right areas at the right times.
Thinking about the potential cumulative effects of small pieces of personal data on your privacy, what might you do to protect yourself?
© Newcastle University