The Broader Implications of Data Breaches

Ikea Canada notified approximately 95,000 Canadian customers in recent weeks about a data breach the company has suffered. An Ikea employee conducted a series of searches between March 1 to March 3 which surfaced the account records of the aforementioned customers.1

While Ikea promised that financial information–credit card and banking information–hadn’t been revealed a raft of other personal information had been. That information included:

  • full first and last name;
  • postal code or home address;
  • phone number and other contact information;
  • IKEA loyalty number.

Ikea did not disclose who specifically accessed the information nor their motivations for doing so.

The notice provided by Ikea was better than most data breach alerts insofar as it informed customers what exactly had been accessed. For some individuals, however, this information is highly revelatory and could cause significant concern.

For example, imagine a case where someone has previously been the victim of either physical or digital stalking. Should their former stalker be an Ikea employee the data breach victim may ask whether their stalker now has confidential information that can be used to renew, or further amplify, harmful activities. With the customer information in hand, as an example, it would be relatively easy for a stalker to obtain more information such as where precisely someone lived. If they are aggrieved then they could also use the information to engage in digital harassment or threatening behaviour.

Without more information about the motivations behind why the Ikea employee searched the database those who have been stalked or had abusive relations with an Ikea employee might be driven to think about changing how they live their lives. They might feel the need to change their safety habits, get new phone numbers, or cycle to a new email. In a worst case scenario they might contemplate vacating their residence for a time. Even if they do not take any of these actions they might experience a heightened sense of unease or anxiety.

Of course, Ikea is far from alone in suffering these kinds of breaches. They happen on an almost daily basis for most of us, whether we’re alerted of the breach or not. Many news reports about such breaches focus on whether there is an existent or impending financial harm and stop the story there. The result is that journalist reporting can conceal some of the broader harms linked with data breaches.

Imagine a world where our personal information–how you can call us or find our homes–was protected equivalent to how our credit card numbers are current protected. In such a world stalkers and other abusive actors might be less able to exploit stolen or inappropriately accessed information. Yes, there will always be ways by which bad actors can operate badly, but it would be possible to mitigate some of the ways this badness can take place.

Companies could still create meaningful consent frameworks whereby some (perhaps most!) individuals could agree to have their information stored by the company. But, for those who have a different risk threshold they could make a meaningful choice so they could still make purchases and receive deliveries without, at the same time, permanently increasing the risks that their information might fall into the wrong hand. However, getting to this point requires expanded threat modelling: we can’t just worry about a bad credit card purchase but, instead, would need to take seriously the gendered and intersectional nature of violence and its intersection with cybersecurity practices.

  1. In the interests of disclosure, I was contacted as an affected party by Ikea Canada. ↩︎

Cyberstalking, Victimization, and the Experience of Fear

Ars Technica has a good piece on how cyberstalkers and bullies operate, with reporting based on studies (circa 2006, admittedly) and some anecdotal evidence. In effect, the mechanisms to stalk and bully online are often easy to use, reasonably accessible, and capable of significant intrusion into people’s lives. However, what struck me most poignantly was the concluding section of the article:

In this particular case, going to law enforcement wasn’t going to be much of an option. The woman said she had gotten rid of the BlackBerry, so there was no way to perform forensics on it to gather evidence. The same was true of her father’s computer, which the technician had wiped clean.

That’s a common problem in dealing with these sorts of cases, Southworth said. “Some victims just want their device clean and just want the stalking to stop. But if you clean off the device, you’re destroying the evidence.” And for victims who are trying to deal with an abusive relationship, trying to do anything to remove malware from a phone or computer could put the victim in danger. “Even looking for the spyware can raise the risk,” Southworth said, because the software could alert the attacker of the attempt and trigger violence.

And even when software is removed, the persistence of such stalkers usually means that they won’t stop their behavior—they’ll just take different approaches. That, paradoxically, is an upside for law enforcement, Southworth said. “They don’t stop, so if she wants law enforcement to get involved,” she said referring to the victim, “there’s likely another form of stalking going on for them to catch him with.”

People who haven’t experienced stalking, or the fear of stalking, may not appreciate the emotional desire to just make it stop. Such desires are often based on an attempt to feel ‘safe’ again, often when doing simple things like buying groceries, waiting for a bus, or just going home. As such, wanting to remove the suspicious tracking systems – instead of leaving them there, and maintaining the fear, in the hopes of a criminal arrest – will often take priority over ‘catching’ the perpetrator. But, at the same time, there is often a fear that the very act of ‘making the surveillance stop’ could lead to physical consequences. It’s a lose-lose experience, where any decision merely modifies the ‘kind’ of fear instead of terminating the experience of fear itself.

Moreover, removing suspected surveillance-ware may not alleviate the fear of being monitored: most technical systems (effectively) operate like magic for the majority of the computer-using population. How the surveillance-ware was even installed, or if it was all purged, or if it could infect a person’s computer systems again, will often pervade how a person uses computers. In light of specific concerns (surveillance) that are imprecisely directed (i.e. is my phone, my computer, or other device infected and, if so, would I even know?) a person may simply avoid some actions or actively engage in deceptions to ‘throw off’ someone who might be watching.

In effect, concerns of possible but undetected surveillance are often accompanied by heightened privacy and security efforts. These efforts might be more or less effective (or even needed!), and taking such efforts will almost certainly diminish a person’s ‘normal’ uses of services (e.g. Facebook) that their (not-stalked/bullied) friends and colleagues get to enjoy. Moreover, the experience of having to use such privacy and security techniques is representative of the scarring left by online stalking and bullying: ‘normality’ becomes defined as a defensive posture online based on (often) physical fears. No one’s ‘normal’ should be predominantly defined by fear.

It’s this broader emotional fear that is challenging to address, both in terms of law (i.e. getting the data needed to pursue a meaningful conviction or punishment) and personal mental health (i.e. learning to ‘trust’ systems that aren’t really understood and that have previously compromised a person’s life possibilities).

In Canada, the federal government has recently introduced legislation ostensibly meant to crack down on cyberbullying linked to the unauthorized sharing of a person’s intimate images. While criminalizing the sharing of such images may be a helpful addition to the Criminal Code for certain kinds of cases, doing so doesn’t address the broader challenges linked to cyberstalking and cyberbullying. Addressing these challenges requires something else – though I don’t know what – that meaningfully responds to the societal issues associated with online stalking and bullying in a more holistic manner, a manner that frees people from the persistent fear of being a victim despite going to either law enforcement or removing the stalking-ware.


RCMP members watch porn, snoop on spouses, files show – Politics – CBC News

So, two things here:

  1. These are some of the dangerous uses that a group of BC residents identified with regards to automatic license plate recognition, namely the use of non-hit data (i.e. information not linked to motor vehicle crimes) in excess of the ALPR program’s stated mandate;
  2. Holy hell. This is a case of a police officer stalking/inciting fear in a civilian and her current romantic partner, and there was a reprimand and a few days of docked pay? It’s these kinds of actions that teach people ‘the police won’t protect me if their own interests are involved.’

I mean really, with regards to (2), how terrifying would it be that an ex who is legitimately empowered to exercise the law is stalking you and those associated with you, using a ubiquitous surveillance technology. And moreover, imagine that things had been reversed: that the CIVILIAN was tracking the police officer. No way there’d be a reprimand and a few days of lost pay. No, that civilian would be looking at some intense court actions.

Total. Double. Standard.