Data gathered from personal browsing habits is sold by brokers every second. Ride-hailing drivers must periodically resubmit their photos and license numbers in order to work, information that ultimately gets hacked. People at a border crossing into the U.S. must provide account passwords before gaining entry, placing extensive personal information in the hands of unknown authorities.

A reality of the digital world is that data privacy is regularly compromised through personal acceptance, ignorance, government directive or malicious hacking. An underlying question, increasingly being asked in security research circles, is: How big a price, in the use of their personal information, will people pay to participate in the online world?

The answer: They may well have to pay a very large price, in the view of a range of experts at this week’s Usenix Enigma 2018, a security and privacy conference held in Santa Clara, California, by the Advanced Computing Systems Association.

“Just how bad is online tracking?” asked Arvind Narayanan, a researcher at Princeton University’s Center for Information Technology Policy, as he made a personal plea to web browser companies to take control of a worsening situation. “It’s impressively bad.”

Online trackers unchecked

That sites other than the ones visited by an online user can gather data and track surfing habits is not new. What troubles the Princeton researcher is that web browsers often don’t know their users are being monitored by third parties or, if they do, they’re reluctant to do anything about it.

One of the biggest offenders is the “autofill” function commonly found in many browsers, including Google LLC’s Chrome. People may be unaware that data such as email information, street addresses and phone numbers uploaded as a convenience can be captured by third-party trackers and retained even if the user never even submits an autofilled form.

The data being collected extends to more than just occasional forms filled out by unsuspecting online users. In one study, Narayanan and his researchers uncovered prescriptions and health history data being exfiltrated by third-party trackers from a well-known pharmacy website. “They record everything,” Narayanan warned. “It’s like someone looking over your shoulder.”

At the Usenix event, Narayanan issued a call for the tech community to take more serious action against online tracking practices. Specifically, he wants browser operators to publish clear policies on unacceptable tracking, warn users when sites violate tracking limits (analogous to the “https: Secure” designation now found on many web pages) and offer a tracking protection mode. Firefox recently added support for the latter feature.

“Poor privacy is a problem not just for individuals,” Narayanan said. “It’s a problem for democracy.”

Gig workers at risk

Online tracking is not the only front where privacy protections may be under assault. In some cases, they are threatened by rules imposed on the newly employed class known as gig workers.

Kendra Albert, an instructional fellow at the Harvard Law School, presented research at the Usenix conference which documented how people in the gig economy such as Uber drivers, online food delivery workers and pet sitters are frequently required to surrender private information as a condition of gainful or continued employment.

Uber’s practices were highlighted by the breach late last year of personal data belonging to 52 million customers and drivers. It’s reasonable to expect that Uber would retain records containing personal driving information for the people it pays. But the company also uses a practice of random checks, where a driver might be required to pull over and submit a selfie that’s then matched to the photograph of their license on file, as proof they are who Uber thinks they are. If a driver doesn’t provide this proof, known as the “Real-Time ID Check,” they can be summarily dismissed.

“If you don’t get verified through this system, then you are not working,” Albert said.

The Harvard researcher argued that creating a culture in which Uber drivers must submit personally identifying information on demand in order to keep working has made these freelance “gig” workers more vulnerable to phishing scams. Crooks have been exploiting this situation by sending fake emails to known Uber drivers demanding login credentials, which are then used to loot bank accounts. Many drivers comply, no matter how dubious the request, because they don’t want to risk losing their principal means of support.

“It’s somewhat believable because that’s what systems already in place will do,” Albert said. “These problems disproportionately impact workers who rely on gig platforms for money.”

Device seizures at the border

The simple act of crossing a border into the U.S. is also fast becoming a privacy rights battleground. Recent reports indicate that U.S. border agents have dramatically increased searches of electronic devices belonging to citizens and non-residents, demanding login passwords and access to social media accounts.

In a Usenix presentation by Datadog’s Cara Marie and Andy Grant of the cybersecurity and risk mitigation firm NCC Group, attendees heard about the potential privacy implications when border agents demand access to devices, which could contain a significant amount of personal information. If an agent leaves with the device and then returns it, a user driving across the border might be leaving a lot more behind than tire tracks.

“We suspect that agents are making unencrypted backups of personal information,” Marie said. “That can translate into unmitigated access to your digital life.”

Although the Constitution’s Fourth Amendment protects U.S. citizens against unlawful search or seizure without a warrant, the border has been viewed as a kind of “gray zone” without clear protection under the law. U.S. citizens can cross freely, but they might have to part with their device information along the way.

The research presented at Usenix Enigma this week shone a spotlight on just a few of the more obvious areas where privacy concerns have surfaced. Comments from security professionals in attendance indicated a tacit realization that privacy issues run far deeper than what can reasonably be discussed in a conference, and deserve all the focus that can be provided.

“The Web is being used for engineering society,” said Princeton’s Narayanan. “We have a collective moral responsibility to act.”

Photo: Wikimedia Commons