Personal Data Discoverability to Human Searchers: Observations on Personal Data Availability
Pages 499 - 512
Abstract
Personal data is widely and readily available online. Some of that personal data might be considered private or sensitive, such as portions of social security numbers [1]. Prior research demonstrates the knowledge of personal acquaintances of data used in secondary authentication protocols [1]. We explored discoverability and location of personal data online and gathered observation actors making the data available.
To empirically understand online data discoverability, we sought to identify select personal data of 32 volunteers. United States Naval Academy (USNA) Midshipmen and recent graduates of the USNA cyber operations major used publicly available online information to assemble personal data of participants. On average, the investigations took 10–20 min and accurately recovered substantial personal data.
Of the sample, 68.75% of mother’s maiden names, 34.38% of nicknames and 28.13% of mobile phone numbers were accurately identified. Searchers noted that data was most readily obtained by performing a “social pivot” from the original participant and tracing social relationships on commercial sites (e.g. WhitePages) and social media (e.g. Facebook). Personal data was most frequently revealed as a result of social connections rather than direct, first person information provided by participants though their own web presence.
Measuring the discoverability of personal data online provides insights into data vulnerabilities and actors in data availability. Data discoverability has ramifications on discussions of privacy beliefs and behaviors and current and future authentication protocols.
References
[1]
Acquisti A and Gross R Predicting social security numbers from public data Proc. Natl. Acad. Sci. 2009 106 27 10975-10980
[2]
Anderson, M., Perrin, A.: Share of U.S. adults using social media, including Facebook is mostly unchanged since 2018 (2019). https://www.pewresearch.org/fact-tank/2019/04/10/share-of-u-s-adults-using-social-media-including-facebook-is-mostly-unchanged-since-2018/. Accessed 16 January 2020
[3]
Schneier B Schneier on security: privacy and control J. Priv. Confid. 2010 2 1 3-4
[4]
Ackerman M, Darrell T, and Weitzner DJ Privacy in context Hum. Comput. Interact. 2001 16 2–4 167-176
[5]
Madejski, M., Johnson, M., Bellovin, S.M.: A study of privacy settings errors in an online social network. In: 2012 IEEE International Conference on Pervasive Computing & Communications Workshops, p. 340 (2012)
[6]
Richards, K.E.: Risk analysis of the discoverability of personal data used for primary and secondary authentication. University of Maryland Baltimore County, MD, US (2017)
[7]
Joinson A et al. Privacy, trust, and self-disclosure online Hum. Comput. Interact. 2010 25 1 1-24
[8]
Kokolakis S Privacy attitudes and privacy behaviour: a review of current research on the privacy paradox phenomenon Comput. Secur. 2017 64 122-134
[9]
Buchanan T et al. Development of measures of online privacy concern and protection for use on the Internet J. Am. Soc. Inf. Sci. Technol. 2007 58 2 157-165
[10]
Richards KE and Norcio AF Nicholson D Exploring the discoverability of personal data used for authentication Advances in Human Factors in Cybersecurity 2018 Cham Springer 97-105
[11]
Reeder R and Schechter S When the password doesn’t work: secondary authentication for websites IEEE Secur. Priv. Mag. 2011 9 2 43
[12]
Drouin M et al. Facebook fired: legal perspectives and young adults’ opinions on the use of social media in hiring and firing decisions Comput. Hum. Behav. 2015 46 123-128
[13]
Schau HJ and Gilly MC We are what we post? Self-presentation in personal web space J. Consum. Res. 2003 30 3 385-404
[14]
van Dijck J ‘You have one identity’: performing the self on Facebook and LinkedIn Media Cult. Soc. 2013 35 2 199-215
[15]
Lindamood, J., et al.: Inferring private information using social network data. In: Proceedings of the 18th International Conference on World Wide Web, Madrid, Spain, pp. 1145–1146. ACM (2009)
[16]
Griffith V and Jakobsson M Ioannidis J, Keromytis A, and Yung M Messin’ with texas deriving mother’s maiden names using public records Applied Cryptography and Network Security 2005 Heidelberg Springer 91-103
[17]
Bonneau J, Just M, and Matthews G Lewis DE What’s in a name? Evaluating statistical attacks on personal knowledge questions Financial Cryptography and Data Security 2010 Berlin Springer 98-113
[18]
Rabkin, A.: Personal knowledge questions for fallback authentication. In: ACM International Conference Proceeding Series, p. 13 (2008)
[19]
Khanna, S., Chaudhry, H.: Anatomy of compromising email accounts. In: 2012 IEEE International Conference on Information and Automation. IEEE (2012)
[20]
Acquisti A and Gross R Danezis G and Golle P Imagined communities: awareness, information sharing, and privacy on the facebook Privacy Enhancing Technologies 2006 Heidelberg Springer 36-58
[21]
Beldad A, de Jong M, and Steehouder M A comprehensive theoretical framework for personal information-related behaviors on the internet Inf. Soc. 2011 27 4 220-232
[22]
Chen H-T and Kim Y Problematic use of social network sites: the interactive relationship between gratifications sought and privacy concerns CyberPsychol. Behav. Soc. Netw. 2013 16 11 806-812
[23]
Hallam C and Zanella G Online self-disclosure: the privacy paradox explained as a temporally discounted balance between concerns and rewards Comput. Hum. Behav. 2017 68 217-227
[24]
McDonald AM and Cranor LF The cost of reading privacy policies J. Law Policy Inf. Soc. 2008 4 543
[25]
Liu L, Cheung CM, and Lee MK An empirical investigation of information sharing behavior on social commerce sites Int. J. Inf. Manag. 2016 36 5 686-699
[26]
Grossklags, J., Acquisti, A.: When 25 cents is too much: An experiment on willingness-to-sell and willingness-to-protect personal information. In: WEIS (2007)
[27]
Benson V, Saridakis G, and Tennakoon H Information disclosure of social media users: does control over personal information, user awareness and security notices matter? Inf. Technol. People 2015 28 3 426-441
[28]
Gratian M et al. Correlating human traits and cyber security behavior intentions Comput. Secur. 2018 73 345-358
[29]
Il-Horn H et al. Overcoming online information privacy concerns: an information-processing theory approach J. Manag. Inf. Syst. 2007 24 2 13-42
[30]
Acquisti A, Adjerid I, and Brandimarte L Gone in 15 seconds: the limits of privacy transparency and control IEEE Secur. Priv. 2013 11 4 72-74
[31]
Lee N Consumer privacy in the age of big data facebook nation 2014 New York Springer 139-147
[32]
Lo B Sharing clinical trial data: maximizing benefits, minimizing risk JAMA 2015 313 8 793-794
[33]
Oravec JA Deconstructing “personal privacy” in an age of social media: information control and reputation mangement dimensions Int. J. Acad. Bus. World 2012 6 1 95-104
[34]
Dlamini MT, Eloff JP, and Eloff MM Information security: the moving target Comput. Secur. 2009 28 3/4 189-198
[35]
Pavlou PA State of the information privacy literature: where are we now and where should we go? MIS Q. 2011 35 4 977-988
[36]
Bonneau, J., et al.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: IEEE Symposium on Security and Privacy, pp. 553–567 (2012)
[37]
Brown AS et al. Generating and remembering passwords Appl. Cogn. Psychol. 2004 18 6 641-651
[38]
Vu K-PL et al. Improving password security and memorability to protect personal and organizational information Int. J. Hum Comput Stud. 2007 65 8 744-757
[39]
Sasse M, Brostoff S, and Weirich D Transforming the ‘weakest link’ a human-computer interaction approach to usable and effective security BT Technol. J. 2001 19 3 122-131
[40]
Schechter, S., Brush, A.J.B., Egelman, S.: It’s no secret. Measuring the security and reliability of authentication via “secret” questions. In: 2009 30th IEEE Symposium on Security and Privacy (2009)
[41]
Polakis, I., et al.: All your face are belong to us: breaking Facebook’s social authentication. In: Proceedings of the 28th Annual Computer Security Applications Conference, Orlando, Florida, USA, pp. 399–408. ACM (2012)
[42]
Hartzog W and Stutzman F Obscurity by design Wash. Law Rev. 2013 88 2 386-418
[43]
Lutz, C., Strathoff, P.: Privacy concerns and online behavior–Not so paradoxical after all? Viewing the privacy paradox through different theoretical lenses. Viewing the Privacy Paradox Through Different Theoretical Lenses, 15 April 2014
[44]
Zimmermann V and Gerber N The password is dead, long live the password – a laboratory study on user perceptions of authentication schemes Int. J. Hum Comput Stud. 2020 133 26-44
Recommendations
Privacy and Power Implications of Web Location of Personal Data Authenticators
HCI for Cybersecurity, Privacy and TrustAbstractKnowledge of personal data enjoys a long history of use in authentication. Given expanding personal data availability, authentication systems are at risk from sharing data online. This study explores the discoverability of the data – specifically, ...
Gifting Interpretations of Personal Data
CHI EA '18: Extended Abstracts of the 2018 CHI Conference on Human Factors in Computing SystemsResearch on physical representations of data has often used personal data as its focus. Core aim of making personal data physical is to provoke self-reflections through a felt experience. In this paper, we present a preliminary study which employs the ...
An Interview Method for Engaging Personal Data
Whether investigating research questions or designing systems, many researchers and designers need to engage users with their personal data. However, it is difficult to successfully design user-facing tools for interacting with personal data without ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
© Springer Nature Switzerland AG 2020.
Publisher
Springer-Verlag
Berlin, Heidelberg
Publication History
Published: 19 July 2020
Author Tags
Qualifiers
- Article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 0Total Downloads
- Downloads (Last 12 months)0
- Downloads (Last 6 weeks)0
Reflects downloads up to 16 Nov 2024
Other Metrics
Citations
View Options
View options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in