From social apps to restaurants, ride services to universities, data breaches have increasingly become a norm for businesses and consumers alike. This is due, in part, to the fact that consumers’ personal information is now gathered and stored so readily. Coupled with a lack of cyber-privacy awareness, this is also a formula for information leakage.
According to Heng Xu, new professor of information technology and director of Kogod’s Cybersecurity Governance Center, this lack of awareness is a primary reason why breaches happen in the first place. Consumers aren’t aware they’re giving away information, and businesses might not enact proper data protection mechanisms, she says.
“Cyber risk awareness is so essential, but often lacking,” Xu says. “We need to invest in educating both parties — customers and companies.”
For consumers, mobile applications are one of the more pressing places to cultivate greater privacy awareness. They’re the origin of several of the world’s largest recent data breaches, and usage certainly isn’t slowing down.
Xu notes that users often automatically say “yes” to an application’s privacy permissions, agreeing to share personal information with the company and with other users. And once agreed upon, permissions aren’t likely to change, as users don’t usually re-visit them. This provides access to data such as photographs, contacts and geo-location throughout the app’s lifetime.
This oftentimes provides access to friends’ information, too.
The recent Cambridge Analytica Facebook scandal, where the consulting firm harvested 87 million Facebook profiles for users’ data, is a prime example. The firm used a quiz app on Facebook to collect information from its 270,000 takers – and their friends. Hacked profiles quickly skyrocketed, affecting millions of people far removed from the deceptive quiz.
“We often think about data from an individual perspective, how I control my data, and how I restrict my data, but in today's socially connected world, it's a collective matter,” Xu says.
Facebook/Cambridge Analytica also illustrates the two primary data breach challenges businesses face: technical and human. As technologies grow more complex and privacy needs increase, technical breaches – such as the loophole in Facebook’s API – are bound to happen. Breaches due to human error, however, are more troubling.
The scandal happened, in part, because of the privacy decisions Facebook and its consumers made. The company allowed access to users’ information, and users chose to provide it—a common (and in this case, rather high-profile) case of privacy unawareness.
“When the data breach happens because of technical challenges, I don’t blame them. In today’s increasingly networked world, achieving 100% secure technical safeguards is impossible. But when a data breach happens because of human error, I always say, with greater cyber risk awareness, we could have prevented it,” says Xu.
This is one of Xu’s primary research areas, specifically the privacy decisions that consumers make. “Your Privacy is Your Friend’s Privacy,” which analyzes how one Twitter user’s contents affect other users’ privacy, and “Privacy Nudges for Mobile Applications,” which examines consumer emotions and privacy attitudes, are especially applicable.
Xu’s work through her recent National Science Foundation grant is applicable as well. Awarded in partnership with Kogod professor Nan Zhang, the grant supports broad research on consumers’ privacy decisions. Through July 2022, Xu and Zhang will work to identify which past consumer privacy choices are most likely to trigger regrets, and ask users to revisit these decisions.
“Long-term, we want to bridge discrepancies between users’ privacy decisions and their perceptions, especially in mobile systems,” Xu explains. “We hope this will increase awareness at both the consumer and the business level.”
Which is one reason Xu believes the prevalence of data breaches isn’t actually a bad thing. It elevates the awareness of data protection, she says, showing people the consequences of less-than-vigilant privacy decisions.
Frequent data breaches also indicate the effectiveness of the legal requirement that companies report when data are leaked. And the fact that a breach is detected in the first place is a good sign, since breaches tend to be heavily technical and complex. It’s likely that in the past, many breaches were happening, but companies didn’t have the appropriate tools to confirm or address them.
These positive attributes don’t let businesses — or consumers — off the hook, though.
Companies need to invest in educating their employees and their customers, Xu says, so that they’re more aware of their data actions and privacy decisions. It’s crucial to align protection needs with people in the general public. Without that alignment, hackers will continue to gain easy access to our data.
“I don't want tomorrow's generation to become so [used to this] this is part of normal life. It is not,” Xu says.