Following the template described in defining the risk context, this post will now break down the elements that build the bigger picture.
- Use case - informing oneself online - current post
- Addressing the threats - securely informing yourself online
- Scenario example - spotting fake news
User activity and actions
NOTE - there are other actions done prior to this, like using a computer and a browser. They are not in scope for this use case, which focuses only on actions specific to informing oneself online.
1. Search subject on a search engine
The easiest way to find an answer to one of our questions or to inform ourselves about a subject is to search for it on a search engine. This is a conscious activity, where the user takes action to find out something.
A different way most people inform themselves is through social media. Stumbling upon a subject on a social media feed is a passive matter, where the user scrolls and certain subjects come into the user's visual radius.
2. Access the links on the first page
Usually, one will go for the first links or those with a 'catchy' title. A natural tendency is to access already known websites from the list, if the user recognizes any from previous visits.
3. Trust or not trust the source
In most cases, the user will assume the information is real based on:
- the fact that it's there (on the internet OR on the social media feed) OR
- the amount of social recognition (likes, comments)
Users need a systematic approach to determine if a source should be trusted or not. Without this, the user will most likely base his/her decision on appearances.
The assets in this case are all the information directly and indirectly processed whenever we inform ourselves about a subject by going through the actions listed above.
- search string - the item you have looked for. This can be used to identify a person's opinion or (lack of) knowledge, like in the case of British people not knowing what the EU is after the Brexit vote.
- personal opinion - before informing ourselves about a subject, we usually have a personal opinion on it, either based on facts or on assumptions. This can be deduced from the search string which, depending on how it is formulated, can say much about one's personal opinion
- search results - the results that the search engine displays for your search string
- search history - the items previously searched for on the search engine. Search engine owners (such as Google) keep a record of these items for statistical purposes and to improve search results
- browser history - your browser keeps (by default) a record of the accessed websites, locally / remotely
- browsing metadata - whenever browsing on a certain website, our computer 'shares' information like connecting IP, browser name and version, screen size, location,
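To make the asset list concrete, the following added example (not part of the original post) parses one HTTP request as a website would receive it and maps its fields onto the assets above. The request, host names, IP address and cookie are constructed; it assumes the search engine carries the query in a `q` parameter and that the full Referer URL is sent, which depends on the referrer policy in effect.

```javascript
// Constructed sample request (not captured traffic); hosts are placeholders.
const SAMPLE_REQUEST = [
  "GET /article/what-is-the-eu HTTP/1.1",
  "Host: news.example",
  "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
  "Accept-Language: en-GB,en;q=0.8",
  "Referer: https://search.example/results?q=what+is+the+eu",
  "Cookie: visitor_id=constructed-1234",
  "",
  "",
].join("\r\n");

// Parse the request line and headers into a lower-cased header map.
function parseRequest(raw) {
  const [head] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, path] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, path, headers };
}

// Map what the server receives onto the assets listed above.
function disclosedAssets(raw, connectingIp) {
  const { path, headers } = parseRequest(raw);
  const out = { connectingIp, pageRequested: `${headers.host || ""}${path}` };
  if (headers["user-agent"]) out.browser = headers["user-agent"];
  if (headers["accept-language"]) out.language = headers["accept-language"];
  if (headers.cookie) out.returningVisitorId = true; // cookie links visits together
  if (headers.referer) {
    try {
      const ref = new URL(headers.referer);
      out.cameFrom = ref.hostname;
      // Assumption: the search query travels in a "q" parameter.
      const q = ref.searchParams.get("q");
      if (q) out.searchString = q;
    } catch { /* malformed Referer: nothing to extract */ }
  }
  return out;
}

console.log(disclosedAssets(SAMPLE_REQUEST, "203.0.113.7"));
```

Running the same function over a request captured from your own browser shows which of these fields your current settings actually send.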
Note - the adversaries enumerated below are considered the most relevant for this use case. There can be other adversaries as well, but they might be restricted only to specific scenarios.
- the entity controlling the search engine - knows what you are looking for, and can thus determine how you think
- Internet service provider (ISP) - sees browsing patterns, knows what you are interested in
- subject stakeholders - the subject(s) of the article may have a certain interest in having people presented with the information at hand, e.g. presidential campaigns
- information source author/owners/sponsors - the entity behind the information article has a certain interest in presenting information. They can, in turn, sell your info to marketing
- marketing businesses - as mentioned in the adversary perspective, marketing and sales are dramatically boosted when using (potential) consumer data, making any kind of personal information valuable.
Note - there are considerably more threats associated with online browsing and informing oneself online. This article limits itself to those seen from the information security and privacy perspective when informing oneself via common channels such as search engines and social media environments.
1. Your data being used against you
The data you directly or indirectly share with the internet when informing yourself online can be used to build a picture of you as a person (profiling) or used against you in various ways.
Case 1 - being monetized for the benefit of others
Online advertising is a billion-dollar industry which flourishes on user data, mostly collected from the browsing and searching habits of individuals around the world. The methods through which this data is collected can very well be used by ill-intended people to correlate seemingly irrelevant web browsing data with a social media profile - thus concluding what a certain person needs, buys, looks for or is simply curious about.
Case 2 - legal actions
There have been clear cases where search and browser data has been used as evidence in court. Such data is accepted in a court of law, which proves its validity and actual value.
2. Untrue information
Untrue information can lead to a personal opinion based on untruthful details. Fake or untrue information was in the media before the internet, its primary driver being profit or political interests.
3. Misleading information
The information is not necessarily untrue, but it diverts the user from the reason he/she got there.
There is a special type of content out there that formulates its headlines so that the user is attracted to click on it, but it mostly contains misleading information or information that the user never actually wanted to know. These are called clickbaits and the psychology behind them makes perfect sense, which is why so many people lose time on them.
4. Accessing modified or different content than what was expected
Case 1 - man in the middle attacks
If your connection to the website is not secured, the communication can be intercepted and modified as it happens. Various tools designed for man-in-the-middle attacks are freely available online.
Case 2 - advanced attacks like Quantum Insert
Adversaries can remotely instruct a browser to connect to a different website than the one the user is requesting. This is not sci-fi; it has been practiced since at least 2005 by secret services.
Case 3 - personalized results
Search engine companies, like Google, have been serving personalized search results for many years. While one can see the benefit in this, receiving results more relevant to what you have searched before can also be an issue. Maybe you are not getting the entire picture. Maybe the results that technology flagged as 'irrelevant' for your profile were exactly what you were looking for.
Now that the risk context is built, it is time to move on to how we address the threats related to informing yourself online, with an appropriate example of a fake news article.