Mr. Digital is a fictional person who gets up each workday at 6 a.m., drinks his coffee, drives to the park-and-ride lot and takes the subway train to his work location downtown. During the day he has several calls on his mobile device with colleagues and business partners, but also family members. On his workstation he updates many documents and then stores and shares them within the company and with business partners.
For planning his business trips he uses his business credit card, and for private events the private credit card, which he also uses for shopping online. In the evenings he is sometimes active on social media, sharing nice pictures of himself, his wife and his other family members. Sometimes he tries new games, views films or uses applications available to download for free or for a small charge on the Internet, though he is not as active as his teenage son and daughter in this matter. Finally, at 11 p.m. he tries to go to bed and switch off the lights.
Sounds like a pretty normal life that many of us live, right?
Let’s have a closer look at the life of Mr. Digital to identify where he leaves “digital footprints” during the day and how they are or can be collected, transmitted and used—or sometimes misused. In this post we will deal more with what can be done from a technological perspective, not with the legal, regulatory or ethical aspects.
So at 6 a.m. the alarm clock on Mr. Digital’s mobile device rings. That means that his mobile device was “on” all night. It has communicated constantly with the base station of his telecommunications provider. This particular night nobody called him, but an SMS arrived from his elderly aunt. Servers at the telecommunications provider can store information such as, Who has sent the message? Who received the message? What was the date and time? and What was the content of the message? Also collected was the information that nobody called him on this particular night.
After having a short breakfast Mr. Digital goes to his car. Of course he knows well the way to the park-and-ride lot he frequently uses. But sometimes the highways are very crowded, so he wants to get the latest traffic information. He activates his navigation system and decides to take “route B” today since “route A” is totally blocked this morning. The navigation system communicates with satellites in the Earth’s orbit, determines the exact position of his car and with the built-in maps navigates his car to the parking lot. Now again a lot of information is being exchanged between the navigation device and the satellite, like Which navigation device is it? To which car does it belong? Which route was proposed and selected by the driver? At which time was each position reached? and so forth. The navigation system’s software (SW) is also updated if needed, and some information about the actual traffic situation on “route B” is provided back to central traffic systems as well.
At the parking lot Mr. Digital uses his park-and-ride user card, which enables him to park and use the subway train. On this card information about him, like his name, birthday, home address and credit card number, is being stored. He puts his user card into the card reader when he enters the parking lot. Again, in the background a server verifies his identity and charges his credit card with an amount. Since some misuse of park-and-ride user cards was detected recently, a face-recognition and verification system has been introduced. So the biometric photo of Mr. Digital on his user card is verified against the actual photo taken of him when he entered the parking lot. Mr. Digital smiles into the camera each time, even though this makes face recognition more difficult.
When Mr. Digital arrives at the train platform he has a short look at his mobile device to read the news headlines. Information between his mobile device and the Internet provider is being exchanged: Which pages did Mr. Digital access at which time? What was he looking for? The train station platform is secured by live cameras that help to prevent criminal and destructive action. A face-recognition system at the police department monitoring the train stations helps to recognize “troublemakers.” Mr. Digital is not one of them, but nevertheless a nice video of him is taken while he is waiting at the station with others, and the date and time information is recorded. This video is stored for some time. What Mr. Digital doesn’t know is the camera resolution and whether it operates at visual wavelengths only or if other wavelength areas such as the infrared are being used to better recognize any weapons under skirts or in bags. In fact, when Mr. Digital entered the train station using the new “secure doors,” he was scanned for weapons and explosive chemical material already, though he was not aware of this. In an airport he is more likely to be aware.
After a twenty-minute trip on the train Mr. Digital arrives at his work location at 7:28 a.m. and uses his company badge to enter. He is granted access. Cameras and photography are not allowed within the company premises, but nobody cares about the built-in camera of his mobile device. At work he connects to the company intranet and the Internet, and again a lot of information, like IP addresses, user IDs and passwords, and download information, is exchanged and stored somewhere. Similar information exchange and storage happens when Mr. Digital talks to his colleagues and partners on his mobile phone. Recently his company introduced a voice recognition and protocol system that creates a protocol of your conversation in written form, similar to what you have in one of the many written chat programs. The word recognition rate is greater than 99 percent, the SW says. Information about who talked to whom at which time, as well as the content, is stored either on a “voice recognition” server or locally on the workstation, or both.
After a long workday he leaves the company. As he exits, Mr. Digital needs to put his badge into the badge reader again. It is 5:35 p.m.
After he takes the route back and arrives again at home, Mr. Digital’s daughter shows him a new app she has downloaded for free from the Internet. She can now share pictures, music and video much faster and has direct access to her girlfriends’ data. She now often receives advertisements on things young girls like and buy. But what makes her worry is that the face of one of her best girlfriends was recently displayed on a porn site. Obviously an image of the friend’s face was taken from a photo from her last vacation with her parents at the pool and then inserted into other ugly pictures. She had shared the pool photo in social media using the new app. The obscene photos that were created from it are now hosted on a server somewhere in Eastern Europe. After hearing this story, Mr. Digital’s daughter is worried about some pictures she found on her mobile device that were taken when she was in the bathroom. Since she was alone there, who could have taken those photos? According to their date and time stamps, obviously this happened after she downloaded the new app. It may be the case that while downloading the new free app she has downloaded additional SW that can turn the camera on her mobile device on and off remotely, take pictures and send them back to a given number.
When Mr. Digital checks his own mobile device he sees some pictures of his work location, part of his terminal screen, his workplace and himself. The navigation system on his mobile device was also activated, but he does not remember activating it. He remembers that he has used his mobile device on several occasions in the last few days, and today he had entered PIN codes, passwords and credit card numbers for things like booking the next family holiday. Suddenly he thinks, Where is my USB key with some unencrypted confidential documents stored on it? He had it in his bag when he left the company.
This night Mr. Digital is going to have a nightmare, if he’s able to sleep at all. A lot of personal and sensitive personal information was exchanged during his day, often without his explicit approval—and all of us are vulnerable to leaving “digital footprints” like these. It is at the point when we realize that photos of us or our family members are being misused on the Internet, or when we notice the loss of an unencrypted USB stick with confidential company information, that we understand the potential threat to us when we leave “digital footprints.”
Search for information about yourself on the Internet
If you have ever searched the Internet for information about yourself that you have provided voluntarily, or sometimes involuntarily, you will be surprised what you can find: your name and surname, birthday, home address, telephone and mobile number, photos of yourself and your family members, your wife’s or husband’s and children’s names, information about your profession and where you work, your sexual orientation, your family status, your political opinions, which organizations you work for and your position there, and many other things.
This is already a lot of “sensitive personal information” (SPI). When somebody receives your credit card or any other ID card information and combines this with the information available online, they can further refine their SPI database about you. Ultimately, if someone could get access to all the kinds of data sources given in the Mr. Digital example, citizens would have hardly any data privacy. In fact a “vitreous citizen”—that is, one who is visible everywhere, all the time—already exists today. Individuals have all the options to protect themselves, but at the same time ill-minded persons can try to harm them.
Progress cannot be stopped, but what needs to be done is to sharpen your mind, for example, when you enter any information using the Internet, download SW, or use a new device, a USB stick, your credit card or an application. You need to be aware that building smarter networks, smarter computing and a smarter planet means combining various resources, databases and access options. Methods to protect data when they are stored and transmitted, such as encryption, may have been implemented. Data separation and reduction may also have been applied, including physical means. But what was encrypted can be decrypted again, and what was separated can be brought together.
Regarding individuals’ privacy of information, there is a task for the state as well: protecting the privacy of the individual finally is nothing less than protecting freedom, in my view. And this is a global task when we build a smarter planet: fighting the evil while protecting the privacy of the innocent.
Dr. Turgut Aslan is the Service Line Leader for Managed Security Services (Infrastructure Protection) and SCE+ Security Workstream Leader in Germany. He joined IBM in 1999 and has more than 12 years of in-depth experience in the IT security areas of networking infrastructure, systems management, service management, tools and software.