As internet usage has become a routine activity, so has the mining, analyzing and monetizing of personal information – much of it done without the individuals’ knowledge. According to a Gallup poll, two-thirds of employees in white-collar jobs work from home at least part of the time, meaning there is more activity and personal data in cyberspace than at any other time in history.
Unsurprisingly, the cybersecurity industry has exploded. ResearchAndMarkets.com valued the global cybersecurity market at $183.34 billion in 2020 and predicts it will reach $539.78 billion by 2030. And while much of the consumer-facing part of this booming industry is focused on overt threats – cybercrimes like identity and password theft, hacking banking info and the like –organizations are making billions monetizing data accumulated from individuals using internet search engines, smart devices, social media and e-commerce transactions.
And it’s perfectly legal – for now. Any individual who spends time online has a data dossier that includes their gender, age, address, the companies and products they engage with on social media content, ads or websites, online purchase history and thousands of other data points. Companies have built business models around based on this quantitative and qualitative data and routinely mine, buy and sell this information like a commodity.
“There are behavioral data like shopping habits, high-risk data elements like social security numbers, phone numbers and email addresses,” explains Rachel Cash, Founder & CEO of Detroit-based Elroi, a Black-owned cybertechnology firm. “Outside of that, I can still, from a high degree of certainty, pinpoint you in a population. There are enough data elements that I could have about you that could pinpoint either you or a very, very close duplicate of you in the ecosystem.”
According to Michaela Barnett, CEO of Blacks in Cybersecurity, the rise in social media and internet-based instruction in schools and other activities – especially since the pandemic – has put more personal data online than ever before. “We use the Internet now more than ever for our basic needs. With so many people working from home, everything’s on the Internet – Google Forms, Gmail account, Google Docs, Google Drive,” she says. “Everything’s more accessible, of course, but that leads to its own challenges as far as protecting data.” Blacks in Cybersecurity is a meetup group and conference series established to help highlight and elevate the Black community in the industry.
While it may seem harmless enough on the surface – after all, many companies use that information to market products and services that it believes a particular individual wants or needs. However, that data can also be used to manipulate individual behaviors and responses. “If I have enough data on you, I know what’s going to trigger you to action. And if I craft my ad enough, then even if you may not agree with what I say, if I tailored enough, I can persuade you into things,” Cash explains.
British consulting firm Cambridge Analytica did precisely this when it gathered personal data belonging to millions of Facebook users without consent and used it to provide analytical assistance to Ted Cruz and Donald Trump’s 2016 presidential campaigns. The consultancy closed shop amid the Facebook–Cambridge Analytica data scandal. “With Black professionals, there’s a high propensity for organizations to have access to your information,” says Cash. “Not to say that we’re less technology inclined, but we have value in our data out there, and we don’t always secure it.”
So, in an ecosystem where data is dollars, and its mining is gold, the individual’s best bet is to protect their data as much as possible until legislation catches up to what’s happening in cyberspace. “Fundamentally, we believe data privacy is a constitutional right – you as an individual are entitled to your own data,” says Cash. “A company may have it, but it belongs to you, not to them. You’re the one who originated it. And we are working to create solutions that allow consumers to sell and control their data.”
The good news is that at least 38 states introduced more than 160 consumer privacy-related bills in 2021 (compared to 30 states in 2020 and 25 in 2019), according to the National Conference of State Legislators (NCSL). The NCSL is a bipartisan organization representing the legislatures in the states, territories and commonwealths of the U.S. “What a consumer can do now is request companies to disclose what data they have on you,” says Cash. “Do they have a business reason for that data? Do they have retention schedules – a set time in which data could be used?”
Until the legislators pass comprehensive consumer data protection, the onus is on individuals to control their data. “There’s a lot of philosophical debate within the cyber community about how to approach this within our interconnected world and how to approach it as a consumer simply trying to use a service,” says Barnett. “Which is why a lot of people default away from the main Google, Yahoo, etc. and only use security-focused products like ProtonMail, an end-to-end encrypted email service.”
So, where is this all heading and what is the future of cybersecurity from the individual’s perspective? Cash believes legislation and consumer demand will lead to self-sovereign data where the individual retains control of their data and can push out certain data points to an organization as needed. For example, an auto insurance company would only gain access to pertinent data related to the automotive space. “I have 3000 data elements and will be able to decide which ones will be enough to provide me a service,” she says. “Like a digital wallet, you’ll completely control your data.”