Protecting personal information: When is too much – too much?

By Will Poole

Last week I received an email from a local store, offering a 15 percent discount between now and the next 15 days. Since I plan to purchase some outdoor garden products in preparation for spring, this was perfect. I went to the website and was requested to log in to get a coupon. So far, no problem.

Unfortunately, I had forgotten my password, so I clicked the “Forgot Password” link and was directed to another page that asked me for User ID, address and date of birth, presumably before I could change or retrieve my password.

DATE OF BIRTH???

That was too much. I promptly closed the website and resigned myself to making my purchases without the 15 percent discount. But that’s okay, because my privacy information is more important to me than a discount. Giving away my sensitive personally identifiable information to have an online password reset crossed the line. Truth is, this store had already collected my Codice Fiscale (Social Security number equivalent) and my name, address and telephone number when I signed up for the store card.

To be fair, it is absolutely normal for online organizations to gather information about customers for legitimate business motives. They generate statistics about their site visits and customers so they can better market to the clientele visiting their web sites and provide a positive browsing experience. In fact, according to the United States Computer Emergency Readiness Team (CERT), organizations apply information gathered about users visiting their web sites to support their marketing techniques.

Normally when we visit a website, certain information is automatically sent to the site. This includes your IP address (each computer on the Internet is assigned a specific numerical address), domain name (the Internet is divided into different domains, which can be identified by looking at the last part of the URL, e.g., .mil, .edu, .com), and your software details.

Many web sites use “cookies” that can also determine other sites or pages you have browsed. Armed with that information, companies can target you with specific advertisements aimed at products in which you have shown interest. Cookies are information that a web site stores on a user’s computer so a particular website can remember users and keep track of users’ preferences. However, it is possible to limit cookies that are collected during your browsing. The following website provides tips on how you can evaluate your browser’s security settings: https://www.us-cert.gov/ncas/tips/ST05-001.

As previously mentioned, most websites use cookies responsibly and for legitimate purposes; however, some sites collect information for malicious purposes. This is usually accomplished via misrepresentation – meaning a malicious site pretends it is a legitimate site and may trick users into providing addresses, credit card information, Social Security numbers and a host of other personal information. The good news is that we can limit the amount of information that is collected on us by using common sense, instinct and good technical precautions and protection.

Before providing valuable personal information, it is advised that you review the site’s Privacy Policy. You may want to verify that the site does not share your information with other businesses and that you won’t be added to other mailing lists by default. If the site does not have a Privacy Policy, you might reconsider providing personal information.

If you do provide personal information, verify that the website is encrypting the traffic. Many browsers will display a visible lock icon. Also, look at the URL and make sure it says HTTPS rather than HTTP. To learn more about website security, see https://www.us-cert.gov/ncas/tips/ST05-010.

Always be wary of providing personal information. Remember that “less is better,” and always deal with reputable companies. Pay attention to the websites you are visiting and make sure your computer is up to date with anti-virus protection. If something feels wrong and you are suspicious when being asked to provide personal information, leave the site and/or call the company to verify.

USARAF is a member of the Department of Homeland Security Stop.Think.Connect Campaign, which is a national public awareness effort to empower the public to be safer and more secure online. All members of the Vicenza Military Community are encouraged to visit the Stop.Think.Connect web site at https://www.dhs.gov/stopthinkconnect to increase understanding of cyber threats and actions we can take to better protect our online presence.

Editor’s Note: Poole works with NETCOM TAC-EUROPE/USARAF G6, Cybersecurity Branch.