Five Less-Known Ways You May Be Tricked Into Compromising Your Data Online
Data Governance is a series on the use and abuse of data by private and government entities. It examines the many gaps and overlaps within multiple policies and laws that seek to regulate data.
The ever-increasing value of personal data has spurred a gold rush among companies that are now trying to know more and more about users and their habits.
From consumer behavior and lifestyle choices to your political orientation, income and spending habits, every little piece of data is being meticulously monitored by companies and governments alike.
Until a few years ago, the harvesting and handling of personal data was largely opaque, and users had little to no knowledge of what information they were giving websites in just a few clicks. However, with more scrutiny by lawmakers and rising awareness among netizens, websites have had to be relatively more transparent about their tracking habits.
But that didn’t mean an end to their quest of gathering data. Websites started deploying covert strategies to get you to tell them more, sometimes by burying the privacy clauses deep inside their terms and conditions or through forms that users may unknowingly fill.
Some such ‘Dark Patterns’, as termed by user experience designer Harry Brignall, are tricks that websites and applications use to obtain consent for collecting data.
Protecting your data becomes even more relevant in the Indian context. India has no overarching legislation yet to protect individual privacy and community data even as the government, in tandem with the private sector, has launched numerous data projects and surveillance programs. Until there is, the responsibility to protect their data lies with individuals themselves.
Here are five lesser-known ways websites may trick you into giving them your data:
The Good Ol’ Friend Spam
In this trick, websites or applications ask for access to your email or social media profiles by telling you that it will be easier to connect to friends and contacts.
However, what they do not tell you is that you’re granting permission to send messages and emails as if they are directly from you, without your explicit consent.
This particular strategy of friend spam was being widely used by networking website LinkedIn. It came to light in 2015 after tech blogger Dan Schlosser provided a detailed walkthrough of how LinkedIn encouraged users to give it access to their email by promising a “strong career network” and then sent multiple emails to their contacts inviting them to join the platform.
The developments that followed resulted in LinkedIn being fined $13 million as part of a class-action lawsuit. Subsequently, the company said it had significantly reduced the number of emails users receive from the website.
Granting websites access to your social media and email accounts or contact lists is an easy misstep to avoid.
Trick Questions (And Checkboxes)
Some websites and services use confusing language to lull you into sharing your data.
When you register with most websites or services, they have you fill in a form with your basic information. Usually, such websites have a series of checkboxes that will let you opt in to services like receiving promotional content from them and their third-party affiliates.
The trick lies in the wording: the terms are phrased so that ticking the first box means you do not want to opt in, while ticking the second box means you do. By presenting a negative option first, the website is trying to make unsuspecting users either tick both boxes or keep both unchecked. In either scenario, you end up opting in.
Sometimes these checkboxes may also include hidden subscriptions to services, which calls for more caution while clicking on them.
A False Padlock Of Security
There is a general perception that websites with HTTPS in their address and a tiny padlock beside it are secure.
There’s more to it than meets the eye. HTTPS is a more secure encrypted version of the standard HTTP -- or Hypertext Transfer Protocol -- which is used to send and receive webpages, files and resources over the internet. A little padlock on the top left of the browser, sometimes accompanying the word ‘Secure’, usually suggests that the website is using HTTPS.
Of course, it is recommended that users engage with websites that have HTTPS and be cautious of the ones that don’t. But that is not enough.
According to cybersecurity firm Malwarebytes, these certificates of security--which underlie the ‘S’ in HTTPS--are easily available to buy, with many web hosting companies offering them for free without doing a thorough check of the websites. “So, while users can now expect to see the green padlock on every site, especially the ones where they make financial transactions, the trust that we can put into the underlying certificates is going down,” the company says in its blog post.
In short, having HTTPS or a padlock sign does not make a website completely secure. It does provide security from external hackers but not from the website itself, which could very likely be trying to get your data. About 58% of all phishing websites, which illegally try to obtain your data, now have a padlock symbol and use HTTPS, according to cybersecurity researcher PhishLabs.
So is HTTPS recommended and desirable for cybersecurity? Yes. Is it enough? No.
Permissions: Think Before You Click
App permissions are perhaps one of the easiest ways to trick you into giving your consent and handing over access to your data.
Smartphone applications will ask for a wide variety of permissions while being installed that range from access to your contacts, your gallery or even the microphone. The key question you should ask yourself before granting access is: does this app need to use this feature?
Picture a car racing game that you’ve just installed. And one of the permissions it seeks is access to your front camera. Does it really need it? Will not giving it access to your camera change the way you experience the game? More often than not, the answer will be no.
To be sure, granting access to your microphone or camera doesn’t mean that the application will necessarily snoop on your private conversations. But it does mean that it will have your explicit consent to do so at any given time.
That makes it a risky proposition. A review of over 1,100 apps by the Global Privacy Enforcement Network showed that one-third of the apps are unable to justify why they require permission for a particular functionality. Besides, how most apps handle your data is buried deep in their wordy privacy policies, which very few end up reading.
A widely known example of this came to light in 2018, when it emerged that Facebook had been logging call records and SMS data from Android devices. It turned out the social media giant--frequently criticised for its privacy mishaps--had gotten access to the SMS and contacts of users through its Messenger application. Facebook admitted that it was logging user data but said that it was an optional feature that could be turned off.
Apple Inc.’s iOS operating system is known for its robust and detailed app permissions. The newer versions of the Android operating system too have improved and are giving more control to users on what they want to share with apps and what they don’t.
The Final Nail: Bombarding You With Privacy Options
As funny as it sounds, giving users extremely granular privacy control options is actually a good way to make them share more.
There are two aspects of behavioural psychology simultaneously at play here: consent fatigue and the control paradox.
Consent fatigue is when users are provided with constant privacy choices to the point where it becomes tedious. Every time a user visits a website they are asked to check or uncheck a list of cookies that they want enabled. It can become a tiring experience. The result is that users may just end up accepting most default options, which are usually the less privacy-friendly ones.
A rise in consent fatigue was noted particularly after the European Union implemented its General Data Protection Regulation, which gave sweeping powers to users over their online data.
The other aspect, called the control paradox, relies on giving you a sense of security when you have granular control over your data. A study by Carnegie Mellon University suggested that if users get more control over their privacy, they are more willing to risk sharing personal information.
“The argument is appealing: users do want more control over how their information is collected and used,” the study said. “The paradoxical policy implication of these findings is that the feeling of security conveyed by the provision of fine-grained privacy controls may lower concerns regarding the actual accessibility and usability of information, driving those provided with such protections to reveal more sensitive information to a larger audience.”
There are, of course, no easy ways to protect your online data. Taking control of your data involves convenience trade-offs and demands more general awareness among netizens. Whether to make those trade-offs is a choice left to the individual.