Cyber: Your Digital Shadow
Mar 15, 2010

Have you thought about your “digital shadow” recently? Whether you’ve thought about it or not, yours is probably growing. Unless you were born in a barn and live off the land, it’s hard not to have a digital footprint these days.

The term digital shadow refers to the trail of online information created about you – and by you – without your explicit intent, as you use the Internet. But calling it a shadow can be very misleading, given its visibility to others, even when you’re not aware of it.

Your digital shadow is more like a set of “online annotated fingerprints.” Much more than basic account information can be learned about you from databases, thanks to all the additional data that gets associated with your identity. It’s easier than you might think to connect the dots and build a picture of your life and actions.

Leveraging Available Location Data
Consider your use of cell phones. Depending on your phone’s features, your location can be pinpointed to within a few metres using triangulation with cell phone towers or GPS. The phone companies certainly have the technology to constantly track your physical movements. What prevents them from using your location information (or abusing it) without your knowledge? Basically, the answer is privacy policies and their enforcement. Do you know what the phone company is doing with your location information right now?

You may feel that you have nothing to hide, and it doesn’t really concern you much if others have information about your location. But it’s a slippery slope. While we can all think of how location information could be useful in locating a fugitive, or finding victims of an accident, there is a wide range of scenarios that fall into a grey area – anywhere from “targeted marketing” to “cyber-stalking.”

In Harlan Coben’s novel “Hold Tight,” a parent uses the GPS tracking feature on his son’s cell phone to locate him after the son has been uncharacteristically out of contact for a while. Many phone companies now have this feature. Does yours?

Would you want an obsessive ex-spouse or friend to simply pay a fee for locating your cell phone at any time? Maybe the phone company would like to charge you for the ability to block access to your location data.

What were once ludicrous science fiction scenarios are no longer highly improbable. The Tom Cruise movie “Minority Report” featured talking billboards in pedestrian walkways that harassed people by name as they walked by. While this annoying scheme relied on facial biometrics, the same effect would also be possible if the advertising company received your location information in real-time from the cell phone company.

In that same movie, the authorities used mutant humans with the ability to see into the future, so they could arrest people before they committed the crime. How far off is this scenario? It might be closer than you think, even without the need for the unlikely sentient mutants.

Risks of Reality Mining
Although we don’t seem to have a ready supply of reliable psychics to aid law enforcement, there is a new area of research called “Reality Mining,” spearheaded by Dr. Sandy Pentland of MIT.

Reality mining is the concept of integrating the inputs from machine-based sensors to analyze the movements of individuals. The goal of this research is to open up a range of practical applications for detailed, real-time location data. It could help answer deeper questions about human behaviour and even predict people’s actions in certain situations – and locations.

Reality mining has the potential to help with the study of epidemiology and other problems, but at the same time, demonstrates how close we are to creating a real-time picture, as well as a historical trail of evidence, detailing where you are and what you are doing, at any given time. The current MIT study observes consenting individuals using today’s technologies like cell phone networks. Technically, the research is verifying that whenever you are connected to the “grid,” you are leaving behind data that can be harvested and used.

Imagine being called as a witness in a trial based on the fact that the authorities knew exactly where you were at the time of the crime. Or perhaps they might ask you to aid in a sting operation, based on predicting that you will probably be at a location where a crime is likely to be committed.

Dr. Pentland’s team performs its research in a well-documented and ethical manner that is intended to bring benefits to society through new applications, or by demonstrating technological risk scenarios. But it’s clear that the technology implications of this research are bringing us closer to a point where surveillance of individuals well beyond location tracking becomes relatively simple.

Once your presence in a database can be determined, what other information about your location and actions is available today? With web-based services like (an online game and loyalty service that is popular with iPhone and other smartphone users), Twitter and even Facebook, it becomes much easier to track your physical location and actions based on posts associated with you. With a few creative Google searches (called “Google dorks”) or the use of illicit, but easily available search tools, you can find information about almost anyone who uses these sites. With a “social engineering” trick or two, “identity theft” also becomes possible, which opens the doors to an attacker or investigator.

Privacy Policies – Get to Know Them
While not “exciting” reading, privacy laws and policies are becoming more important to all of us as a way of defending our digital shadow. It’s time for each of us to take a closer interest in them. Any good policy defines a clear scope, mandates specific requirements with accountability, and details the penalties for violating the policy. Privacy laws and policies are often weak in one or more of these areas, leaving wide-open interpretations and opportunities for abuse.

Knowledge is Power – Especially Managing Risks
With this in mind, and knowing how long it will take to have a solid infrastructure of enforced laws and policies, your best defence is in realizing how your digital shadow can be used and abused. To start with, question the trustworthiness of businesses that manage the connected devices and websites you use. Do they have solid privacy policies that protect your rights, and can they prove that they handle such private data responsibly?

Of course, you will weigh the conveniences of new technologies against the possible risk that you might become a victim of online scams or cyber-stalking. You may decide the trade-off is worth it to you, but you can’t expect to make an informed decision without being aware of the risks.

Scott Wright is an Ottawa-based security coach, podcaster and consultant.
© FrontLine Security 2010