Following the template described in defining the risk context, this post will now break down the elements that build the bigger picture.


User activity and actions

NOTE - there are other actions done prior to this, like using a computer and a browser. They are not in scope for this use case, which focuses only on the actions specific to informing oneself online.

1. Search subject on a search engine

The easiest way to find an answer to one of our questions or to inform ourselves about a subject is to search for it on a search engine. This is a conscious activity, where the user takes action to find out something.

A different way most people inform themselves is through social media. Stumbling upon a subject on a social media feed is a passive matter, where the user scrolls and certain subjects come into the user's visual radius.

2. Access the links on the first page

Usually, one will go for the first links or those with a 'catchy' title. A natural tendency is to pick already known websites from the list, if the user recognizes any websites accessed before.

3. Trust or not trust the source

In most cases, the user will assume the information is real based on

  • the fact that it's there (on the internet OR on the social media feed) OR
  • the amount of social recognition (likes, comments)

Users need a systematic approach to determine if a source should be trusted or not. Without this, the user will most likely base his/her decision on appearances.

Assets identified

The assets in this case are all the information directly and indirectly processed whenever we inform ourselves about a subject by going through the actions listed above.

  • search string - the item you have looked for. This can be used to identify a person's opinion or (lack of) knowledge, like in the case of British people not knowing what the EU is after the Brexit vote.
  • personal opinion - before informing ourselves about a subject, we usually have a personal opinion on it, either based on facts or on assumptions. This can be deduced from the search string which, depending on how it is formulated, can say much about one's personal opinion.
  • search results - the results that the search engine displays for your search string
  • search history - the items previously searched for on the search engine. Search engine owners (such as Google) keep a record of these items for statistical purposes and to improve search results
  • browser history - your browser keeps (by default) a record of the accessed websites, locally and/or remotely
  • browsing metadata - whenever browsing on a certain website, our computer 'shares' information like connecting IP, browser name and version, screen size, location,
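
How the assets listed above end up in one profile on the search engine operator's side, as an added example that is not part of the original post: it groups constructed requests by session cookie, tying search strings to the browsing metadata sent with them. The host search.example, the q parameter, the sid cookie and all sample values are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

def req(query, cookie):
    # Build a constructed request as the (hypothetical) server would receive it.
    return (
        f"GET /search?q={query} HTTP/1.1\r\n"
        "Host: search.example\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0\r\n"
        "Accept-Language: en-GB,en;q=0.9\r\n"
        f"Cookie: sid={cookie}\r\n\r\n"
    )

# Constructed sample traffic: (connecting IP, raw request). IPs are documentation ranges.
SAMPLE = [
    ("203.0.113.24", req("what+is+the+eu", "abc123")),
    ("198.51.100.7", req("cheap+flights", "zzz999")),
    ("203.0.113.24", req("what+happens+if+we+leave+the+eu", "abc123")),
]

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into its target and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers

def build_profiles(traffic):
    """Group requests by session cookie, as a server-side log could."""
    profiles = {}
    for peer_ip, raw in traffic:
        target, h = parse_request(raw)
        key = h.get("cookie", peer_ip)  # no cookie: fall back to the connecting IP
        p = profiles.setdefault(key, {
            "ips": set(), "browser": h.get("user-agent"),
            "languages": h.get("accept-language"), "searches": []})
        p["ips"].add(peer_ip)
        # The search string travels in the URL; successive ones form the search history.
        p["searches"] += parse_qs(urlsplit(target).query).get("q", [])
    return profiles

if __name__ == "__main__":
    for key, p in build_profiles(SAMPLE).items():
        print(key, sorted(p["ips"]), p["browser"], p["searches"])
```

Screen size is usually read by scripts running on the page and location is usually inferred from the connecting IP, so neither appears in the headers parsed here.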

Adversaries

Note - the below enumerated adversaries are considered the most relevant for this use case. There can be other adversaries as well, but they might be restricted only to specific scenarios.

  • the entity controlling the search engine - knows what you are looking for, and can thus determine how you think

  • Internet service provider (ISP) - sees browsing patterns, knows what you are interested in

  • subject stakeholders - the subject(s) of the article may have a certain interest in having people presented with the information at hand, e.g. presidential campaigns

  • information source author/owners/sponsors - the entity behind the information article has a certain interest in presenting information. They can, in turn, sell your info to marketing

  • marketing businesses - as mentioned in the adversary perspective, marketing and sales are dramatically boosted when using (potential) consumer data, making any kind of personal information valuable.

Threats

Note - there are considerably more threats associated with online browsing and informing oneself online. This article limits itself to those seen from the information security and privacy perspective when informing oneself via common channels such as search engines and social media environments.

1. Your data being used against you

The data you directly or indirectly share with the internet when informing yourself online can be used to build a picture of you as a person (profiling) or used against you in various ways.

Case 1 - being monetized for the benefit of others

Online advertising is a billion-dollar industry which flourishes on user data, mostly collected from the browsing and searching habits of individuals around the world. The methods through which this data is collected can very well be used by ill-intended people to correlate what seems to be irrelevant web browsing data with a social media profile - thus concluding on what a certain person needs, buys, looks for or is simply curious about.

Case 2 - legal actions

There have been clear cases where search and browser data have been used as evidence in court. Such data is acceptable in a court of law, proving its validity and actual value.

2. Untrue information

Untrue information can lead to a personal opinion based on untruthful details. Fake or untrue information was in the media before the internet, its primary driver being profit or political interests.

There are also various ways to make fake news seem authentic, like using social media bots, creating realistic audio-video recordings or submitting/paying for fake reviews and comments.

3. Misleading information

The information is not necessarily untrue, but it leads the user away from the reason he/she got there.

There is a special type of content out there that formulates its headlines so that the user is attracted to click on it, but it mostly contains misleading information or information that the user never actually wanted to know. This is called clickbait, and the psychology behind it makes perfect sense - which is why so many people lose time on it.

Another type of content that might also be flagged as clickbait is online scams - the best known being the get-rich-quick or lose-fat-quick schemes.

4. Accessing modified or different content than what was expected

Case 1 - man in the middle attacks

If your connection to the website is not secured, the communication can be intercepted and modified as it happens. Various tools designed for man-in-the-middle attacks are freely available online.

Case 2 - advanced attacks like Quantum Insert

Adversaries can remotely instruct a browser to connect to a different website than the one the user is requesting - and it is not sci-fi, but has been practiced by secret services since at least 2005.

Case 3 - personalized results

Search engine companies, like Google, have been serving personalized search results for many years. While one can see the benefit in this, receiving results more relevant to what you have searched before can also be an issue. Maybe you are not getting the entire picture. Maybe the results that technology flagged as 'irrelevant' for your profile were exactly what you were looking for.


Now that the risk context is built, it is time to move on to how we address the threats related to informing yourself online, with an appropriate example of a fake news article.