Marketers say that they keep user data private by viewing it only in aggregate, but the sheer volume of data a cookie can collect about any one person can enable the cookie's owner to infer a surprising amount about the individuals being tracked. As a 2010 report by Gartner found, "the more that personal information can be correlated, the less it is possible to completely anonymize."
But while cookies appear to be going viral, help may be on the way. In 2012, the Obama Administration proposed a Privacy Bill of Rights that would include Do Not Track legislation, so that consumers could choose whether and when to be tracked. Do-not-track mechanisms are being built into major Web browsers, such as Mozilla's Firefox. The Do Not Track concept still has no legal support, however. Marketers, many of whom claim that tracking data is essential to their business, remain free to ignore Do Not Track efforts--or build ways around them.
"Do Not Track has no teeth right now," says EFF's Auerbach. "If you set it in your browser, you should not expect to gain significant privacy." Nonetheless, John M. Simpson, director of the Privacy Project at Consumer Watchdog, sees promise in new legislative efforts--specifically, the Do-Not-Track Online Act of 2013. "I think this may be the only way to get meaningful protection for consumers," says Simpson.
#2: Seizing cloud data
You love how easy it is to grab data from the cloud--and so do law enforcement agencies. And there's only going to be more of that data to love in coming years: Gartner predicts that 36 percent of U.S. consumer content will be stored in the cloud by 2016.
But whether you use a Web-based email service, keep files in Google Drive, or upload photos to Shutterfly, everything you write, upload, or post gets stored in a server that belongs to the online service, not to you. And because of outdated rules enumerated in the ECPA, this cloud-based data is vulnerable to a privacy loophole so big that a Google self-driving car could roll through it.
"A huge concern about using the cloud is that your data does not have the same Fourth Amendment protections that it would have if it were stored in a desk drawer or even your desktop computer," says Consumer Watchdog's Simpson.
One key reason that privacy advocates and some legislators are trying to update the ECPA this year is that the current law treats data stored on a server for more than 180 days as abandoned. This statutory assumption is a vestige of a time when servers held data only briefly before shunting it off to a local computer. Furthermore, the law's definition of such data is vague enough to cover not just email messages--a popular target of law enforcement agencies--but (potentially) other kinds of data stored on servers. Now that so much data resides on servers owned by cloud-based services, and so many people keep content in the cloud for years, a lot of long-stored files that people haven't abandoned could be fair game for Big Brother.
Sign up for CIO Asia eNewsletters.