In the coming years, organizations’ insatiable desire to understand consumers through behavioral analytics will result in an invasive deployment of cameras, sensors and applications in public and private places. A consumer and regulatory backlash against this intrusive practice will follow as individuals begin to understand the consequences.
Highly connected ecosystems of digital devices will enable organizations to harvest, repurpose and sell sensitive behavioral data about consumers without their consent, with attackers targeting and compromising poorly secured systems and databases at will.
Impacts will be felt across industries such as retail, gaming, marketing and insurance that are already dependent on behavioral analytics to sell products and services. There are also a growing number of sectors that will see an increased dependency on behavioral analytics, including finance, healthcare and education.
Organized criminal groups, hackers and competitors will begin stealing and compromising these treasure troves of sensitive data. Organizations whose business model is dependent on behavioral analytics will be forced to backtrack on costly investments as their practices are deemed to be based on mass surveillance and seen as a growing privacy concern by regulators and consumers alike.
What is the Justification for This Threat?
Data gathered from sensors and cameras in the physical world will supplement data already captured by digital platforms to build consumer profiles of unprecedented detail. The gathering and monetization of data from social media has already faced widespread condemnation, with regulators determining that some organizations’ practices are unethical.
For example, Facebook’s role in using behavioral data to affect political advertising for the European Referendum resulted in the UK’s Information Commissioner’s Office fining the organization the maximum penalty of £500,000 in late 2019 – citing a lack of protection of personal information and privacy and failing to preserve a strong democracy.
Many organizations and governments will become increasingly dependent on behavioral analytics to underpin business models, as well as for monitoring the workforce and citizens. The development of ‘smart cities’ will only serve to amplify the production and gathering of behavioral data, with people interacting with digital ecosystems and technologies throughout the day in both private and public spaces. Data will be harvested, repurposed and sold to third parties, while the analysis will provide insights about individuals that they didn’t even know themselves.
An increasing number of individuals and consumer-rights groups are realizing how invasive behavioral analytics can be. An example of an associated backlash involved New York’s Hudson Yard in 2019, where the management required visitors to sign away the rights to their own photos taken of a specific building. However, this obligation was hidden within the small print of the contract signed by visitors upon entry. These visitors boycotted the building and sent thousands of complaints, resulting in the organization backtracking and rewriting the contracts.
Another substantial backlash surrounding invasive data collection occurred in London when Argent, a biometrics vendor, used facial recognition software to track individuals across a 67-acre site surrounding King’s Cross Station without consent.
Attackers will also see this swathe of highly personal data as a key target. For example, data relating to individuals’ personal habits, medical and insurance details, will present an enticing prospect. Organizations that do not secure this information will face further scrutiny and potential fines from regulators.
How Should Your Organization Prepare?
Organizations that have invested in a range of sensors, cameras and applications for data gathering and behavioral analysis should ensure that current technical infrastructure is secure by design and is compliant with regulatory requirements.
In the short term, organizations should build and incorporate data gathering principles into a corporate policy. Additionally, they need to create transparency over data gathering practices and use and fully understand the legal and contractual exposure on harvesting, repurposing and selling data.
In the long term, implement privacy by design across the organization and identify the use of data in supply chain relationships. Finally, ensure that algorithms used in behavioral analytical systems are not skewed or biased towards particular demographics.
About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.