12 Feb 2018

Life online: How big is your digital footprint?

3:25 pm on 12 February 2018

First Person - From grocery shopping to making travel plans the average person's online presence is larger than ever, as more of what we do is carried out digitally.

RNZ reporter, Emma Hatton looks into digital footprints, how much information is out there about a person and how easy is it to find.

RNZ reporter, Emma Hatton looks into digital footprints, how much information is out there about a person and how easy is it to find. Photo: RNZ / Rebekah Parsons-King;

But what happens to this information and who can get their hands on it?

I sat down with a private investigator, gave him only my name and where I work, and asked him to dig.

Within minutes Mike Gillam from Auckland-based firm The Investigators knew my full name, age, address, where I grew up, who my parents are, my partner's name and occupation, where I shop and information about my children.

Given more time, he said he would find a lot more.

"With these type of investigations, the budget's the limit," he said.

Mr Gillam has access to sophisticated software and databases, but said anybody could find out a lot of what he did, through Facebook, Trade Me and other sites that people had voluntarily given information too.

"Facebook is a trove of information beyond just a couple of pictures, looking into who your friends are. You know, if we couldn't get a date of birth just one friend saying 'happy birthday' to you [is enough]. You know, pictures of your vehicle, all that sort of thing."

The term 'digital footprint' refers to information left behind as a result of a person's activity on the Internet.

That includes information we expect to be held by companies - credit history for instance, but also information about what we search for on Google, how long we stay on certain websites and, if a device has a GPS, where we go during the day.

RNZ reporter, Emma Hatton looks into digital footprints, how much information is out there about a person and how easy is it to find.

Internet New Zealand says the full extent of what is online about a person is almost impossible to estimate. Photo: RNZ / Rebekah Parsons-King;

Netsafe chief executive Martin Cocker said most people underestimated the amount of information about them that could be found online.

"When we engage with a website, there are the things we deliberately put into the website, like filling out information fields but then there are things that the website is able to simply glean about us and there's a lot more information in that second category than people think," he said.

"Lots of information about us is out there and it's stored in lots of different places and some of those are highly secure and some of them aren't, some of it will be shared with parties we don't expect it to be and some of it will be stolen and used by hackers."

Internet New Zealand chief executive Andrew Cushen said the full extent of what was online about a person was almost impossible to estimate.

"The extent of this harvesting is a lot more than many people realise. With so much of our lives online now, the complete nut of a picture that a website or a series of websites is able to build up on you or me can actually be quite scary."

Potentially every website someone interacted with was collecting a little bit of information, he said.

"It could be something innocuous like which particular links you're clicking on when you visit there, or they may have cookies installed on the website that say, prior to this website you were at that website and after this website you'll go on to that website.

"Or they track how long you're looking at a particular page, and if it's linked to social media they know more about who you are and who your friends are."

Privacy law

Principle 11 of the Privacy Act puts limits on how people's personal information can be used. However, if the individual concerned agrees to have their information disclosed, the Act does not apply.

Martin Cocker, Netsafe NZ

Netsafe chief executive Martin Cocker Photo: Supplied

Mr Cocker said most websites' terms and conditions contained a clause stating that by using the website, the user had agreed to have their information monitored.

Most people did not realise they were being monitored online, and even less realised they had given their consent.

"Each site that you sign up to has extensive terms and conditions and somewhere within those it will say what they might or might not do with that personal data."

That often included an agreement to share or sell information about the customer to other businesses.

"Many of the big players will share information about you with other businesses, typically they'll try to hold back personal identifying information, but there are certainly plenty of businesses out there that will happily sell the information that you give them to another business because that's a way that they can make money."

For many websites, the only way to avoid your personal information being stored was to simply not use the website, he said.

That was especially the case for apps.

"You'll find that it will say to you, 'This app requires permissions to do these things,' and your options are either to accept those permissions or not to install the app and that's often the case with websites also."

In a statement the Privacy Commission said agencies that provided websites and apps could do better at explaining their terms and conditions in an easy to understand way and could be minimising the personal information they collect.

What is the information used for?

The collection of information is a double-edged sword.

Mr Cushen said while it could potentially be harmful, it could also be helpful.

"A lot of these insights about how you interact online is potentially useful in terms of making online experiences more useful to you and, or to help sell more things to you."

It was a toss-up between convenience and a person's preference for privacy.

While internet experts agreed the risk of personal information falling into the wrong hands was small, it was still a risk internet-users needed to be aware of.

Mr Cocker said data found by cyber-criminals could be used to execute more sophisticated scams.

"We certainly know that there's a lot of information floating around the web that came about through data breaches.

"Many New Zealanders will find themselves affected by that. The primary way is that it would allow cyber-criminals to produce bespoke attacks on you - basically that means if someone sends you a scam which is personalised to you and about you, you're more likely to fall for it and they will personalise it by using information about you that is out on the internet, most of it which is stolen."

[no caption]

Photo: 123RF

It's out there but who can get it?

Auckland University associate professor Lech Janczewski said it was fairly easy to access information once it was held on a website's database.

"It requires good programming skills, you have to know what is inside the machine... but it's not nuclear science, it's much easier than that - and that's why we hear all the time about an invasion of privacy and that somebody's databases have been copied, because it's so easy to do it."

New Zealanders generally had less online about them, compared to people living overseas, Mr Janczewski said.

"An average New Zealand citizen may be in about 40 different databases but an American citizen is in about 200, and that's information like your age, date of birth, marital status, where you live."

A lot of information was readily available from Facebook, LinkedIn and other social media sites.

"[To find more] you have to be a bit more knowledgeable but nearly anybody can do it if they know what they're doing - if you are digitally-savvy then you can find that information quite easily."

Mr Cocker said although a lot of information was collected by large companies like Google and Facebook, they were less likely to have their databases hacked, or to use personal information in a harmful way.

"They tend to be the ones that hold the data to themselves and share information about users in a more generic way with other businesses. It's not typically them that share sensitive information about you, because that information is so valuable to them they don't want to share it," he said.

"Of course there is always the risk that one of these big players who holds all of this personal information would be breached and that data would leak out and there would be lots of personal information out there about us."

Privacy thumbprint

Photo: 123rf

Minimising your footprint

Mr Cushen said there were ways internet users could minimise how much data was stored about them.

"There are tools you can install in your browser that limit the amount of information that can be collected. You can ask Google not to store as much on you and really go into the settings on the likes of Google and condition what you consent to them collecting about you," he said.

"Likewise you can go on social media and target what ads you are served or you can opt out of advertising altogether.

"Where you are interacting with services, see if you can find those settings and see if you can set them according to what you think is reasonable."

However, the trade-off between digital convenience and privacy would always be an issue.

"If you're using online free email then the bargain you have struck in exchange for free email is that advertising is baked into that product. And so at some level there is a computer, not a person, analysing the sorts of things that you are emailing about and using that to present advertising," he said.

"In some cases you can't use the services unless you're prepared to accept a degree of tracking and a degree of insights being derived off of what you're doing."