In a recent tweet (@securityskeptic), I offered a definition of "data at rest" in social media driven society:
Data at rest are information waiting to be exfiltrated or disclosed without notice or consent.
Is this a spot on assessment or am I overly cynical?
Much of your data at rest are data you disclose or share, so judge my assertion by considering how large a portion of our increasingly mobile- and tech-enabled society shares seemingly every waking thought. Everything's in play: what food we eat, where we dine, our travel plans, the sports we play or watch, whom we like or despise, Our work place matters, projects, or research. Our social engagements, personal health, medical advice, emotional states, and (intimate) relationships. Even information that is arguably not for play is at risk of disclosure, a consequence of mishandling or malicious (criminal) activities (exfiltration, exploits, or targeted extraction).
Many Internet users share spontaneously or frivolously. In some cases, users share because they can’t access content without doing so. In other cases, users share because they think they are only sharing with friends, family or colleagues. In social networking, sharing (disclosing) can be infectious (“he shared so I will”).
The problem with sharing
What you post to a social network has more permanence – and exposure to unintended use or misuse – than what you share in a face-to-face conversation. How often do you consider who processes or collects data that you share or why, where the data are stored or for how long? Do you think about the possibility that "your" data may be further shared by web sites that collect data? Many users are only now coming to realize that when all these data are coupled with location services or applications, they paint a detailed and elaborate picture of the intimate or sensitive aspects of who we are and how we live and behave.
As a test, look at your history of tweets, Facebook or Google+ postings, public and restricted. Nearly all of us voluntarily reveal a great deal more personal data than we imagine. But while we facilitate, we really aren’t our own or only worst enemies.
Your data are more popular than you are
The extent to which bits and pieces of personal data are collected and shared for commercial purposes is alarming. If you have a virtual presence, virtually everyone wants to know everything about you. Worse, our willingness to share is creating markets for even more data. Moreover, the risk that personal data will be exfiltrated or disclosed as a result of a data breach can no longer be discounted or dismissed.
Every day, the same people who share without hesitation or discrimination express righteous indignation when they discover an app, service provider or vendor is collecting or sharing their life bits without notice or consent. But even a small sampling of evidence tells a different story:
We don't have the will to question why something is free. Example: mobile users are so consumed with the notion that "the Internet is free" that they hesitate to buy a registered version of an app for a paltry $.99 when they are offered a "supported by advertising" version. Few consumers consider what the app is collecting from a mobile device, how the collected data are used, and by whom.
We undervalue our personal data. Example: users concede to sharing or disclosing what they might in other circumstances consider private information because it's a precondition for joining a social network. The prevailing sentiment? Shoulder shrug, it's the cost of participation.
We are more trusting or naive in the virtual world than the physical world. Example: We’ll happily strike up a conversation with a Twitter account we follow or see in a retweet. Would we be as trusting if a fellow subway passenger inserted himself into a conversation we’re having with a colleague or friend?
How do we correct course?
Don't think in terms of major course corrections. Instead, begin with these small measures:
Accept that “free” is not worth the hidden cost. Paying for a mobile app may “free” you from ads or tracking, and you may unlock more features.
Use social media, but do so with eyes wide open. Assume that no matter what privacy controls say, what you publish may be shared or disclosed (remember, privacy policies can be deceiving or may change, and legislation like CISPA may render such policies moot).
Review what you have already published on social networks. Look at the profiles and posts you've made. Where possible, take advantage of privacy settings. Delete or obfuscate personal data that reveals more about you than you are comfortable revealing.
When subscribing to new social network, submit the barest minimum of information you need to create an account. For example, if you can create an account merely by identifying your country of residence or state, don't include your street address.
Separate personal and social network correspondence. Create a separate email account and use this as your designated point of contact with social media sites (and for correspondence). I know individuals who have separate email accounts for each social network (fredstwitteraccount@<emailservice>, mlbfacebook@<emailservice>...).
Small adjustments to behavior can be beneficial. The harder but sometimes wisest adjustment, however, is: