The inescapable truth of modern life is that all interactions with the internet are recorded and stored, creating digital imprints of user activity and personal information. In the highly interconnected world of the internet, there is no such thing as a simple online interaction between two parties. While tools do exist to erase the digital trails of some interactions, the complex value chains involved in online shopping, information searching and social media conversations create “digital ghosts” that are almost impossible to erase.
Understanding the scale of the problem
Leveraging its Inbox Scan tool, digital and payments security specialist Dashlane estimates that:
- On average, more than 107 shopping, social media and communications accounts were linked to a typical email address in 2015, with the figure rising to 130 in the U.S. and 118 in the U.K.
- The number of email-linked accounts was growing at a rate of 14% per year, effectively doubling every five years.
- The average number of accounts per internet user is expected to reach 207 by 2020. The statistics clearly indicate a continual rise in the number of online transactions. As consumers’ preference for online shopping increases, the privacy risks associated with stored personal data also increase.
It is unlikely that consumers making a one-time purchase from a vendor will close and delete the account once that purchase has been fulfilled. As a result, a record of the shopper’s personal information, including email address, phone number, bank details and physical mailing address would be retained by the vendor and could be shared with third parties. Opting out of information sharing is not entirely risk-free, either. If the online seller is acquired or goes out of business, the parties assuming control of its assets may not be legally bound to honor such agreements with the customer.
A single web-based transaction involves many intermediaries, such as credit card companies, banks, clearinghouses, logistics and shipping companies, email hosting providers and internet search engines. Online vendors’ proprietary “one-click shopping” applications can pare down the number of intermediaries involved in a transaction and contain the dissemination of information, but personal data will still be shared between several parties.
Dude, where’s my data?
Online vendors are required to keep records of all transactions for tax and security purposes and, faced with the high cost of storing increasing volumes of sensitive data, vendors increasingly opt to store such data on external systems. While many countries around the world are moving quickly to enshrine the principle of data sovereignty in law, massive quantities of historical data are already stored in data centers around the world. Tracking down and deleting that data — which may have been disseminated in a fragmentary form to multiple players in the value chain — would be an immense challenge, and efforts to track down and delete data will, themselves, create a new digital footprint.
Consumers are increasingly concerned about the extent to which personal data resides on the internet after closing and deleting accounts. In response, Google has offered the Right To Be Forgotten tool, giving individuals and companies the ability to remove sensitive or incorrect personal information from its records. However, Google’s rigorous check-list, which is designed to prevent abuse of the tool, can discourage its use. In addition, if other web users have already viewed that data or linked to it from other sources, the Right To Be Forgotten tool’s abilities are diminished.
The biggest holders of internet user data are data brokers, organizations that collect information on online transactions and then sell that data to such third parties as advertisers, insurance companies and local governments. Globally, there are thought to be 4,000 data brokers of significant size, with the most prominent being Acxiom, Experian, Epsilon, CoreLogic and Datalogix.
Consumers can contact these companies to receive a report or list of the personal information they hold and can request to have the information edited or removed. However, it is a complex process and there is no assurance that all of personal data will be identified. It is also a process that would have to be repeated regularly as these organizations will continue to buy data from online sites.
Another obstacle to eliminating digital ghosts is the fact that private organizations and initiatives such as the Internet Archive have been trawling the internet for many years to store any and all information for posterity. This includes social media postings, blogs, comments and user-generated content. Besides raising issues of “ownership” of intellectual property, these organizations have an archive-like mindset and offer no tools for concerned individuals to have specific data removed.
Digital ghosts increasingly haunt social media
The digital paper trail often extends far beyond the platforms individuals subscribe to. According to a 2016 UK consumer survey conducted by Ground Labs, 84% of respondents believed fewer than 20 of 50 named organizations held data on them; however, the survey omitted a number of key online global platforms, leading to the assumption that the true reach of data footprints are likely to be much higher than people estimate.
The ubiquity of social media has encouraged wholesale sharing of personal data and intellectual property that is inadequately covered from a recovery and insurance perspective. Few platforms are equipped to deal with the complex legal issues arising from the archiving or ongoing usage of individuals’ data after death.
The law and social media platforms do not have clear policies about what happens to the accounts of deceased users. In the U.S., certain states have enacted legislation enabling individuals to authorize named people to access and control digital estates, but the precise terms of such laws differ from state to state, and some states have yet to adopt such laws. As with traditional wills, individuals are well advised to create a digital estate plan and designate a person responsible for making decision about the disposition of online accounts upon their passing.
A digital detox won’t help
The DuckDuckGo privacy-centric browser has grown in popularity in recent years, hitting a new daily high of 14.8M direct requests at the end of January 2017, highlighting the extent to which internet users have become concerned with privacy in a post-Snowden world. However, browsers such as these are not widely known and do not come pre-installed on smart devices as equipment vendors want to prioritize their own data-gathering software.
Since all online activity depends on recording data, the only way to truly ensure that personal information collected and compromised is to avoid the internet altogether. This approach is not at all practical, given the extent to which essential services, such as utilities, health care and social services are digitalized. Paper-based systems are extremely rare these days and cash-only transactions are nearly impossible to perform.
In the end, the best recommendation is for consumers to take responsibility for managing their digital imprint by limiting the number of sites they interact with, closing and deleting old accounts, using browser privacy settings, and changing passwords frequently. Being proactive about protecting your personal data is the best way to reduce the risk of your data being exploited.
Click here to learn more about comprehensive cybersecurity from Willis Towers Watson.