The emergence and meteoric rise of Internet-based firms and social networks is one of the biggest stories of the last decade. The movie version of Facebook's genesis even won several Oscars this year. The social network and its peers are noteworthy not only for their tremendous growth, but also for instituting a new business model. Facebook, Google, and similar companies generate the bulk of their revenues by collecting massive amounts of customer data to sell for targeted advertising.
Advertising based on such extensive data doesn't just result in higher sales—it also offers unprecedented value to consumers by matching them with the products they might want. However, consumers are also concerned about privacy. An ongoing Wall Street Journal investigation reveals the extent to which consumers' online behavior is being tracked by a multitude of players and the vast amounts of data now available to the highest bidder. And we've all being hearing about how the GPS location functionality of today's smart phones may be making it possible to collect additional consumer information. These trends are disconcerting to consumer advocates who recognize that risks exist along with the promise of valuable contextual and location-based offers. In addition to privacy implications, the broad collection of data raises questions about the security of that data. What are the risks to consumers if criminals gain access to these databases?
Any data that is collected and stored is at risk of being breached. This has been particularly troubling for the payments industry. Merchants and payments processors for years collected payment card data in their systems, regarding the threat of a breach as a low-probability and low-loss event. Eventually, enterprising criminals found ways to exploit this data, and PCI-DSS was born as a remedy. Merchants and processors were forced to play an expensive game of catch-up as they scrambled to become compliant.
Some consumers may not worry about breaches of online behavioral data. Who cares if someone finds out their favorite movies, that they have a weakness for Italian handbags, or that they stopped at Kroger after work on Thursday? These pieces of information seem banal and inconsequential. Further thought, however, reveals more worrisome possibilities. Imagine a data breach that exposed all of your movements for the last year, a complete profile of your preferences and demographic characteristics, or all of your online behavior searches for the past quarter. In the wrong hands, such data could be used for illicit activities like identity theft and payments fraud.
Extensive behavioral information could facilitate financial fraud, allowing criminals to fly under the radar of existing fraud detection systems. In the United States, the use of transaction monitoring systems that rely on behavioral analysis to detect anomalous purchases has proven successful in mitigating card fraud to a certain extent. But if fraudsters have access to a consumer's payment behavior in addition to the stolen card, they could mimic legitimate transactions and decrease the chances of getting caught. Sophisticated international crime rings are likely to harness such advantages whenever they're available.
Behavioral and location data could also be exploited by local criminals. Thieves might take advantage of knowing homeowners' locations to rob their homes while they're out. Stalkers sometimes track their target using the location awareness of the target's mobile phone. Blackmail is also a possibility if a person's online browsing or shopping behavior reveals something this person would wish to keep private.
Online and mobile data collection firms can learn from the experience of the card industry to self-regulate and proactively avoid data breaches. The industry has already shown considerable self-regulation in response to privacy concerns, and could expand these efforts to include broader data security initiatives. Best practice data security practices are known, but require up-front technology investments. For example, data can be made anonymous and delinked from individuals, limiting the risk of criminal misuse. The only question is whether online firms will proactively use available data security tools or if they will be stuck cleaning up after data breaches down the road.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed