Web Browsers at the Nexus of Data Privacy Exposures and Risks


With state and federal data privacy regulations being developed, organizations are still trying to get a handle on their exposure and potential liabilities. A recent data privacy report published by Lokker points to web browsers as the “new endpoint to defend” for data privacy issues, but the issues and concerns go much deeper.

According to Lokker, a provider of data privacy solutions, the report is the culmination of a study of some 170,000 websites, an effort that revealed more than 5.1 million data privacy risks. The results framed some of these risks in digestible terms. Brian Ebert, Lokker Advisory Board Member and former US Secret Service Chief of Staff, spoke with InformationWeek about the report’s findings, potential business implications, and what businesses should consider regarding regulations in privacy policy by 2023.

Is it any surprise that the user’s web browser has such a data privacy vulnerability?

It is really the link between the user’s browser and the web page itself. Those two things together have created all sorts of possibilities for the unauthorized transfer, collection, whatever you want to call it, of people’s personal data. I think, for the most part, the companies themselves that run the websites aren’t even aware of what’s going on.

From everything the report shows and what I know, they don’t know how much data is shared, collected, moved downstream. They don’t understand that a lot of the apps they allow for a primary purpose actually have a secondary purpose and part of that is that the data is provided to third parties afterwards.

It’s almost inevitable that as technology advances there will be a bit more of this unauthorized data collection, transfer, data entry and that’s a huge problem.

The report cites the majority of online trackers linked to Google, Facebook and Microsoft. How quickly could the data privacy discussion evolve if policymakers focus on these companies, or if these three companies decide to change tack?

These organizations currently do not have much incentive to change their behavior. This motivation can come from regulation, both at the federal and state level. A federal legislative fix doesn’t seem to be coming any time soon — clearly, it’s being worked on. State-level regulations are changing, and there are sure to be plenty of new state laws coming into effect early next year.

This pressure has to come from the consumers, from the grassroots to the organizations, to the companies that run these websites. And also, the pressures that come from the press and the lawsuits on this subject. Organizations must somehow understand the scope and scale of ongoing tracking and focus on protecting their customers from this sharing and collection in order to comply with new regulations, but also so as not to see their reputation tarnished. At the end of the day, people don’t really care whether or not a company knows what’s going on with its website. People are going to hold these companies accountable. Part of the solution must be for companies to deliberately prioritize the privacy of their customers. These companies make a lot of money from the data collected on their sites, whether they collect it directly or act as intermediaries for the data to be passed on to data brokers or other third-party entities. I don’t think they have much motivation on their own right now.

Has social media become more intrusive now with the data it collects? Or has it just been like this for a long time?

People are paying more attention to it and it’s becoming more and more of a story for a number of different reasons. Privacy is very important to Americans, but I think for a number of years, as all these new services and products became available at lightning speed, we started giving up on privacy. We took a turn as a society where people started to think, “It’s inevitable. There’s no way these social media companies, the government, whoever, it’s just a necessary evil that they’re going to track my information.”

With legislation in Europe, GDPR, California and Virginia and a number of other states that have passed legislation that has caused these big websites to provide some consent. This is unrealistic in terms of cookie consent, as cookies are only the tip of the iceberg of how this data is collected and used. Now customers see they have choices. They’re also finding that with the passage of these regulatory laws or the anticipation of them being passed, they’re starting to see lawsuits and they’re starting to read more press about data breaches, which is a different issue than the one this report dipped into.

The effects of data breaches affect more and more people because much of this information goes on the dark web, and it can be years after a data breach that the reputation, credit or financial situation of someone takes a major hit. For all these reasons, people pay more attention to it than they did just a few years ago. I hope this is a wake-up call for businesses.

Is data anonymity disappearing? Even if users are “anonymized”, is there so much data collected about our health care, finances and education that it is relatively possible to identify individuals?

The short answer is yes. The purpose of Lokker’s research was to look at a number of different industries and through the lens of a number of different data privacy risks. One of the areas at risk was fingerprint scripts. These fingerprint scripts are a way for people to bypass cookie restrictions. It’s a way for people to link protected credentials or protected health information to consumers by viewing their browser settings. They can fill in the blanks and figure out who those people are, then combine that with other data they might have about that person and build a bigger case on an individual. It’s a technology that exists specifically to circumvent organizations that are trying to move around and master cookie consent, so that they can drill into people’s identities and they can’t be anonymous.

In the line of work I was in before, it was a real problem that we saw this information being used to construct false identities and for all kinds of financial crimes. Anonymity has been diminished by all these different technologies.

Data has become an important part of the art of governing. Should we expect to see more nation states attempting to compromise data privacy? Is this turning into some sort of digital cold war?

There is no doubt that nation states are very aggressively attacking our data at all levels. Whether it’s nation states directly or people sponsored by nation states – financially, personally, reputationally, and then obviously intellectual property rights. It’s a huge problem in this space and it’s definitely not getting better. According to Lokker’s report, one of the nine areas they looked at was foreign domains. They are looking at Russia, Iran, China, Belarus, which is a substitute for Russia. Certainly, the data showed that there were a lot of third, fourth, and fifth-party entities that were on public websites that had scripts from those countries. I think it was over 10,000 or 11,000 scripts that were identified. It is certainly a real problem.
