With state and federal regulations on data privacy in development, organizations are still trying to get a handle on their potential exposure and liabilities. A recent data privacy report released by Lokker points to web browsers as the “new endpoint to defend” for data privacy concerns, but the stakes and concerns go much further.

According to Lokker, a data privacy solutions provider, the report is the culmination of a study of some 170,000 websites, an effort that revealed more than 5.1 million data privacy risks. The findings framed some of those risks in digestible terms. Brian Ebert, Lokker advisory board member and former chief of staff at the US Secret Service, spoke with InformationWeek about the report’s findings, the potential implications for businesses, and what companies should consider about privacy regulations going into 2023.

Is it surprising that the user’s web browser presents so much vulnerability for data privacy?

It’s really the nexus of the user’s browser and the web page itself. Those two things together have created all sorts of opportunities for there to be unauthorized transfer, collection, whatever you want to call it, of people’s personal data. I think it’s, for the most part, the companies themselves that run the websites aren’t even aware that that’s happening.

Everything that the report shows and what I know, they don’t know the extent that the data’s being shared, collected, moved downstream. They don’t understand that a lot of apps that they allow for a primary purpose actually have a secondary purpose and part of that is data is being provided to third parties down the line.

It’s almost inevitable that as technology gets more advanced that there’s just more of these unauthorized collections, transfers, grabs of folks’ data and it’s a huge problem.

The report cites the majority of online trackers being tied to Google, Facebook, and Microsoft. How quickly could the discussion on data privacy shift if policymakers focus on those companies or if those three companies decide to change tactics?

Brian Ebert, Lokker advisory board

Those organizations right now don’t have a lot of motivation to change their behavior. That motivation can come through regulation, both at the federal level as well as from the state level. A federal legislative fix doesn’t appear to be forthcoming any time real soon -- obviously it’s being worked on. The state level regulations are evolving and certainly there’s a lot of new state laws that are going to go into effect early next year.

That pressure needs to come from consumers, grassroots up to organizations, to companies that run these websites. And also, the pressures that come from press and lawsuits about this. Organizations need to, one way or another, understand the scope and scale of the tracking that’s going on and focus on protecting their customers against this sharing and collection in order to be compliant with new regulations, but also in order to not have their reputation be tarnished. At the end of the day, people don’t really care that much if a company is aware or not aware of what’s going on with their website. People are going to hold those companies accountable. Part of the solution must be companies deliberately prioritizing the privacy of their customers. These companies are making a lot of money off of the data that’s being collected off their sites, whether they’re collecting it directly or they’re acting as intermediaries for the data to go to data brokers or other third-party entities. I just don’t feel that they have a lot of motivation on their own right now.

Has social media become more intrusive now with the data it gathers? Or is this simply the way it has been for a long time?

People are paying more attention and it’s becoming more of a story for a number of different reasons. Privacy is very important to Americans, but I think for a number of years as all these new services and products became available lightning fast that we started to give up the privacy. We went around a corner as a society where people started to think, “This is inevitable. There’s no way that these social media companies, the government, who ever it might be, it’s just a necessary evil that they’re going to track my information.”

With legislation in Europe, GDPR, and California and Virginia and a number of other states who’ve passed legislation that’s caused these big websites to provide some consent. It’s not realistic in terms of the cookie consent because cookies are just the very tip of the iceberg of how this data’s being collected and used. Now customers are seeing that they have some choices. They’re also seeing with these regulatory laws being passed or anticipation of them coming down, they’re starting to see lawsuits and they’re starting to read more press on data breaches, which is a different problem than what this report dove into.

The effects of data breaches are reaching more and more people because a lot of that information goes to the dark web, and it might be years after a data breach that somebody’s reputation or credit or financial situation takes a major hit. For all these reasons, people are paying attention more than they were even a couple of years ago. I hope it’s a wake-up call to companies.

Is data anonymity disappearing? Even if users are “anonymized,” is so much data gathered about our healthcare, finances, and education that it is relatively possible to identify individuals?

The short answer is yes. What Lokker’s research was all about was looking at a number of different sectors and through the lens of a number of different data privacy risks. One of the risk areas was fingerprinting scripts. These fingerprinting scripts are a way for folks to get around the cookie restrictions. It’s a way for folks to link protected identification information or protected health information to consumers by taking a look at their browser settings. They can fill in the blanks and figure out who these people are and then associate them with other data they might have about that person and build a bigger dossier of an individual. That is technology that specifically exists to get around organizations trying to get around and get a handle on cookie consent, so they can break through people’s identities and so they can’t be anonymous.

In the line of work I was in previously, it was a real issue that we’d see this information used to build fake identities and for all sorts of financial crimes. Anonymity has been diminished by all this different technology.

Data has become a significant piece of statecraft. Should we expect to see more nation states try and compromise data privacy? Is this developing into a type of digital cold war?

There is no doubt that nation states are very aggressively going after our data at every different level. Whether it’s nation states directly or folks sponsored by the nation states -- at a financial level, at a personal level, reputational level, and then obviously intellectual property rights. It is a huge problem in this space and certainly not getting any better. From the report that Lokker did, one of the nine areas that they looked at is foreign domains. They’re looking at Russia, Iran, China, Belarus, which is a proxy for Russia. Certainly the data showed that there was a lot of third-, fourth-, fifth-party entities that were on public facing websites that had scripts from those countries. I think it was over 10,000 or 11,000 scripts that were identified. It’s certainly a real problem.

What to Read Next:

California Data Privacy Law Nabs Sephora, Sets Stage for Future

Can Data Collection Persist Amid Post-Roe Privacy Questions?

Data Privacy Enforcement Actions Step Up

Litigation vs Google May Cause Ripples in Data Collection