Privacy team: eat cookies in moderation
Blindly accepting cookies, or clicking straight through the general conditions and 'I agree' when you are installing a new app: lots of people do it. But in doing so, we are unwittingly giving away a lot of our personal data to big organizations. The TU/e privacy team has a new campaign it hopes will raise awareness of privacy in our community, explain how the university protects your data, and encourage you to take your own steps to protect your data.
Everyone is always talking about privacy but what exactly is it and why is it so important? That's difficult to explain in a single sentence, says privacy officer Vera van Lierop: “It's an aspect of a human right, the right to have your private life protected.” Colleague Anouk de Ruijter adds: “Data is increasingly valuable to big companies because your personal information says a lot about you and your behavior. And that's something businesses and authorities can use to their advantage. And it's why you should think twice before you give away your data.” Colleague and fellow privacy officer Ineke Litjens recognizes another problem: “We're doing so much digitally that we're becoming ever more dependent on applications. This is making people nonchalant about things like accepting the conditions attached to an app. As a result, people are often (unwittingly) sharing more about their personal life than they realize. And often it isn't immediately apparent what will be done with your personal data, nor what the impact of that will be.”
TU/e recognizes the importance of privacy and the need to keep personal data well protected, and so since the summer of 2018, when the AVG (the European privacy law) became effective, it has had a privacy team. In early 2022 this was expanded to include two new privacy officers. Anouk de Ruijter, Ineke Litjens, Vera van Lierop and Laura Overmars are all privacy officers and Yolande Coelen is the group's office manager. “We recently started an awareness program – the kickoff took place during Intro 2022,” says Litjens. Under the motto ‘This is the only cookie you can blindly accept,’ stroopwafels (Dutch syrup waffles) were handed out at their stand at the Intro fayre. “Awareness of this type of privacy needs to be raised among everyone at TU/e: researchers, students, support staff; privacy is a matter for everyone.”
Data at TU/e
All kinds of data on each of their students and employees is held by educational institutions for a long time, longer than you may think. Litjens: “If you ask a student what data we hold and how long we keep it, I suspect many won't know the answer. Universities are required to keep certain data about their students. Think, for instance, of data like your name, address, email, BSN (social security number), the courses you're taking and have taken, your grades and your telephone number. By law, we have to keep the grade list accompanying your degree for a full fifty years.” Van Lierop: “Because when you leave with a degree, we have to be able to prove you're entitled to it. Of course, TU/e's systems also hold all kinds of data on our employees, such as name and address data, bank details and marital status. This last item is important to the tax authorities. And don't forget, a lot of research conducted at TU/e involves human subjects, medical research studies for example.” The university also processes a good deal of (sensitive) data on these people. Holding this amount of data always entails risk, like the risk of a data leak.
Cookies
Going back to the awareness raising campaign, you may be wondering why there's such a strong focus on cookies. Litjens: “We all encounter them every day. A lot of people quickly accept them just to be rid of them, like tracking cookies. But by giving permission, you allow your behavior to be monitored. The sites create a profile of you containing everything you click on, everything you buy and, in the worst case, even your payment data.” So it can pay to accept only functional cookies, the minimum that's needed for a website to function. But as a rule you have to set this choice yourself because in the pop-up most sites have placed a check against every type of cookie. Litjens: “In this way, a business can know more about you than you know about yourself.” De Ruijter knows the consequences of this knowledge: “Based on what they know about you, you'll be presented with adverts, on Facebook for example.” Litjens: “An everyday example is Albert Heijn's discount card, the Bonuskaart. It keeps a record of exactly which products you buy, and these days you'll even receive personalized offers on items you buy frequently, provided you sign in with your personal data. They can derive entire patterns from your purchasing behavior: whether you eat healthily, have children, etc. And they act on that to make you buy more. The privacy team ensures that the applications you use for your education or work use these kinds of cookies as little as possible.”
Something to hide? Yes!
Even when an organization takes good care of your personal data, there's plenty you can do to protect your privacy. Litjens is clear about this: “You do have something to hide, though you may think you don't. And you always have something to protect. You really don't want everything about you to end up in other people's hands. If you wouldn't share something with your friends, why would you share it with large companies? Especially those with commercial purposes in mind. And the more data about you that's flying around online, the more vulnerable you are to hackers.” This is another area with an increasing number of cases: people have, for example, been blackmailed with an email stating that their bank account has been hacked, with some leaked data pasted into the email as ‘evidence’ to make them believe the story.
Suppose you've already given away too much data, is there any way back? “Under the AVG (the European General Data Protection Regulation, ed.) you can request a printout from any organization of the data they have on you,” Van Lierop knows. “Next, you can submit a deletion request that ought to be acted upon within a reasonable period of time. Though this timeframe is not precisely defined.” De Ruijter has another tip: “With social media like Facebook and Instagram, under the settings you can see the data on you they are holding, make a deletion request, and change what they are allowed to hold in future.”
“Remember, we don't know what the data they already have on us could be used for in the future,” remarks Litjens.
Zuckerberg's got your photos too
The data now being collected goes beyond the old standards like name, email and IP address. “When you're installing them, some apps ask for access to your location,” says Van Lierop. “And access to your photo library,” adds De Ruijter. An average photo library in a cell phone holds thousands of photos, among them certainly a couple you'd rather never see on a website.
Litjens: “Our team carries out privacy checks on applications, systems and suppliers, but also ensures that personal data is processed and stored in accordance with the AVG. For example, we check whether more data than necessary is being processed and we carry out risk inventories. Any application that wants access to your documents and then the freedom to change them, even though it's not an app intended to do this, is one we refuse.”
That privacy is a hot topic within the TU/e community is evidenced by the many questions received by the privacy team. “Like whether it's wise to process data in a particular way,” says Van Lierop. As well as the campaign designed to focus attention playfully using stroopwafels, training courses for employees have also been developed (on Canvas, ed.). “Anyone can take these courses and work individually, at their own pace,” says Litjens. “We also offer training courses for individual services, tailored to meet their own very specific needs, as we do for HRM, ESA and Finance. And the data stewards give courses to researchers on the use of personal data during, for example, medical research studies.” These courses are just as popular as the others, she knows. “Awareness is certainly increasing, which is a good thing given the quantity of personal data being processed here.”
Book tips
Would you like to know more? The privacy team recommends two Dutch-language books: Je hebt wel iets te verbergen by Maurits Martijn and Dimitri Tokmetzis, and Het is oorlog, maar niemand die het ziet by Huib Modderkolk. The latter is about how possessing certain data makes you powerful. With the right data you can paralyze entire power plants or take out the interbank payment system. The book by Martijn and Tokmetzis alerts you to the fact that you too have certain data that you don't want to see in the public domain. Intrigued to know whether your data has already been leaked and through which account? Then take a look at www.haveibeenpwned.com. Similarly, the website www.watchyourhack.com is useful as it describes in plain language how you can arm yourself against hackers. Lastly, the privacy team has more awareness activities planned for this academic year and infographics are being developed for TU/e students and employees.
Tips: what can you do?
- Would you like to take steps of your own? A privacy training given by TU/e can be a good start.
- Report any data leak you spot; don't be deterred by worrying that you caused it yourself. Litjens: “People often think of a data leak as being something very big, but it can be as simple as receiving an email containing personal data that wasn't meant for you.” The privacy team looks into every data leak with the security team and can take measures to reduce the risks.
- Do you want to use a new application or tool? Or process personal data needed for your research? Then get in touch with the data coordinator at your TU/e service, the data steward at your department or directly with the privacy team.
- Never share personal data on public networks. These include all unsecured Wi-Fi networks like those you find in restaurants, the train or in big cities. “And never ever make a purchase on a public network,” says Litjens emphatically. “It's easier for your bank data to be intercepted.”
- Check your cookie settings. The standard settings are often more favorable to the company dropping them on you than they are to you. Choose to accept only functional cookies. It only takes a couple of extra clicks and the gain in privacy is significant.
- Use a VPN. At TU/e this is the default when you access the internet via your TU/e account, but at home you have to actively enable it yourself.
- Get familiar with your privacy rights. Litjens: “People are often not aware that they can request to see data and have it deleted.”
- Use a webcam cover on your laptop. Litjens: “This is a standard feature of many TU/e laptops. Use it whenever you aren't video calling.” De Ruijter: “You can also buy a screen sticker for your laptop or telephone that prevents anyone next to you reading your screen from the side.”
- “The next time you install an app, take a good look at the terms and conditions,” says Van Lierop. “Know what you are accepting and who your data is being shared with.” It's often more parties than you think.