
SNAP. You press the shutter icon on your phone and capture a photo of your baby daughter. With a couple of swipes, you attach it to an email in your Gmail app and fire it off to your mother-in-law.
As personal data goes, it doesn’t get much more innocuous. But the truth is that spraying around any private information is risky. You might think that’s overblown. As long as you have nothing to hide, you have nothing to worry about.
Advertisement
It’s not that simple. Just look at this summer’s hack that exposed the data from Ashley Madison, a site catering for people looking for an affair, and imagine if the same happened with all your emails stored by Google, or your photos on Facebook. Even if you’ve done nothing illegal or immoral, faced with a database of every photograph and comment you’ve ever shared privately, friendships and business deals could dissolve the world over.
And there are plenty of vulnerabilities. The material displayed on the web is stored, often in central server farms. Whenever you upload text or pictures, they are ferried to these farms by cables. Although there are safeguards, data can in theory be hacked, stolen or altered at many points along the way.
Let’s return to that photo, and imagine that once your mother-in-law receives your email, she immediately uploads the baby pic to Facebook. The likelihood is that even such an everyday occurrence will send information pinging on unexpected routes around the world, often leading it to be stored in places with unfamiliar privacy laws (see “Around the world in 80 microseconds“).
Bear in mind, too, that companies such as Google and Facebook will often store many copies of your data. Andreas Olah, who researches server architectures at market analysts IDC, says Facebook copies your data into formats readable by all sorts of devices and creates backup copies. If your mother-in-law had recently been on holiday to the US, Facebook would probably have sent the photo to a US data centre too, just so that she wouldn’t have wait for it to load were she to visit again.
In short, one simple share can create reams of potentially hackable data. This state of affairs demands caution from all of us, says Judith Lewis, a consultant based in London who previously worked on email security. “Just pretend you have a stalker who sees everything.â€
Studies show that people with more complete mental models of the physical internet also have a fuller understanding of privacy risks. Unfortunately, the same research found that this understanding leads to “security fatigue†– we get bored with worrying.
What can we do with this knowledge, anyway? A common refrain is that you should encrypt everything. Encryption has traditionally been hard to learn and required enthusiastic adoption not just from you, but everyone you communicate with. “If we want privacy to be protected, the only way to do it is collectively,†says , a cyberprivacy researcher at Carnegie Mellon University in Pittsburgh, Pennsylvania.
Encrypted web communication protocols such as the https system commonly used for internet shopping and banking, and those that underlie some popular messaging apps, have made that easier. But a better solution might be to include protection in the core design of devices and online services. The Blackphone, released in September and powered with Google’s Android software, allows you to use any app you like but feeds it blank fields instead of the data it expects.
The Blackphone will set you back $799, and Google still gets your data, even if third parties don’t. Plus, it doesn’t allay the worry that others might not take care with your data. “No matter how securely you share something, the recipient can still be stupid with it,†says Lewis. A basic understanding of how the internet works should give us pause for thought in how much we share.
Like this? Read: “Get smarter: 9 ideas to make your life betterâ€
Around the world in 80 microseconds
You use Google’s email service Gmail to send a cute baby pic to your mother-in-law a few miles away, who then posts it to Facebook. That data will be stored on server farms like the one pictured above – but where? Starting from Âé¶¹´«Ã½â€˜s London, Boston and Sydney offices, it goes something like this
From London…
The Gmail pings around London then speeds under the sea to be stored in Dublin, Ireland, where Google has a huge data centre. When your mother-in-law posts the picture, it lands at Facebook’s new European data centre in Lulea, Sweden – a country that gives itself permission to investigate any data crossing its borders. It is also backed up at Facebook original data centre at Prineville, Oregon.
From Boston…
After ping-ponging across the US – but never leaving it – the photo lands at Lenoir, North Carolina, the closest of Google’s seven US data centres. It is also stored at Prineville, and backed up at a couple of other locations. Gmail encrypts data, so the average hacker is probably not a problem on this circuitous route; the US National Security Agency, which maintains “backdoors†to US technology company servers, perhaps more so.
From Sydney…
Neither Google nor Facebook maintain data centres in Australia. The email is stored in Singapore or Taiwan; the western US is again the destination of the Facebook photo. Many nations don’t like data straying outside the protection of their own privacy laws. A recent European court ruling might mean US firms will no longer be able whisk data across the Atlantic – perhaps paving the way for countries to insist on having data centres on their turf.
Trace your own data
Data you produce online will take various routes. Follow these steps to start tracking
1. Open the terminal application on your computer Mac: Applications > Terminal Windows: All programs > Accessories > Command prompt
2. Type “tracert yyy.com†and hit enter where yyy.com is the website you are visiting
3. Watch as your route through the internet is traced
The long numbers are the IP addresses of the computers that are routing your data. The strings of letters are the machines’ hostnames, indicating which company is running the computer. Buried in the hostname are airport codes, indicating the cities each machine is in.
This article appeared in print under the headline “Need to know: Internet architectureâ€