I know what you did last summer: why you should care about privacy
Let’s face it. Technology is amazing. It plugs into your life and makes it easy to handle so many things. Most of the things you use every day have some kind of technological wonder in them that makes them smarter, easier and even more fun to use.
What’s even more interesting about this is that the benefits of consumer technology products seem to always outweigh the costs. You can get a 200 EUR smartphone that will enable you to have fast access to any available piece of information, it will play your favourite music or it will help you find your way around any city in the world. That sounds like a suspiciously low price.
But the actual cost of using these products is much higher if you add a different currency: data. When you use any kind of technology product, you generate data. That data can range from things that you willingly send to the companies (think Facebook posts or likes and Instagram pictures) to usage data and metadata (like what buttons I click inside an application or who I text and when).
Most of the companies that operate internet services are required by law to provide Privacy Policies that specify what data is collected from the user and what it is being used for. You can usually find this information by following the really really really small or hard to find links in different websites and apps (Pro tip: look for the links on website footers or in mobile app settings and log in / sign up screens). The document linked there will usually be very hard to read for an average person. Not everyone is a lawyer and not everyone has the time to go through a huge, hard to read document, but at least companies take the time to write them. Or not, you know… you can always generate it.
Personal or anonymous
Most Privacy Policies (I say most, because these documents vary widely from one product to another, which is an issue for another time) usually distinguish two types of data: personally identifiable information (like your name, email address, home address and so on) and anonymous data.
Companies that collect personally identifiable information are usually subject to strict regulation. Obviously you don’t want that information to be passed around by the company you entrusted it to, and that usually only happens when a major event occurs, like a company merger, requests by authorities or hacks (all of which are big issues themselves, so we’ll leave those for a future article as well).
Then there’s the question of anonymous data. That data is not linked to any personal information (like your name, email, and so on) and is usually analysed in bulk. This is what we’ll be focusing on in this article.
Anonymous data can be anything the company can get their hands on: device information (operating system version, connected Wi-Fi network, battery level, screen size), metadata (the time and location of a photo you take, how much time you interact with an app or website and what you do when using it), location (GPS location, Bluetooth information, WiFi signals), network (IP address, mobile phone number, internet service provider), health data (steps, calories) and the list goes on.
Most of this stuff might sound useless but this data is crucial in understanding users and usage. It is also information that advertisers would pay enormous amounts of money to get their hands on it. And they do it already. And this is data that you might not even be aware you are sharing with anyone. In fact, this data is so valuable, that there are companies that enable you to willingly sell it and get some cash in return (DataWallet and Datacoup are only two of them).
Let’s briefly recall how online advertising has evolved throughout recent history.
The first form of advertising on the internet was a very small banner on the HotWired online magazine website with the words: “Have you ever clicked your mouse right here? You will.”
Advertisers later looked into targeting customers better, and companies like WebConnect and DoubleClick, the latter now being a Google subsidiary, emerged to help publishers identify the websites their customers were visiting and to provide tools that could monitor ad performance.
Fast forward a few years and search engines were quickly taking off. Goto.com emerged in 1998 as the first company to successfully provide pay-per-click search ads. Their business model was very simple: publishers would pay a certain amount of money for each click to have their ads placed higher for certain searches. The top search results were given to the highest bidders.
This had obvious drawbacks for the end-users and Google thought they could fix it. Google launched AdWords in 2000 which was meant to present paid search ads without compromising the overall quality of the search results. This meant that users would get their usual search results along with ads that were relevant to their interests. This was a huge step towards better targeting but a new player changed the game completely.
Social media started gaining momentum in the early 2000s and suddenly there was a new platform where people could publicly connect with other people and share moments from their lives. This enabled advertisers to get a vast amount of new personal data that they could use to target users and improvements in Data Science and Artificial Intelligence increased the quality and the quantity of that data.
The most popular social network today, Facebook, has incredibly powerful tools to target any kind of potential customer. Do you have an app and want to expand your reach to: French & English-speaking women, between the ages of 31 and 56, located in a 10-mile radius of Boston, MA, who work either from home or from a small office in the retail production industry, who are “fit moms” and “green moms” of grade school kids, who have friends with an anniversary within 30 days or friends with upcoming birthdays, who have college degrees from either Northeastern University, Simmons College, Fairfield University, or Emmanuel College, who are active in US politics and either liberal or very liberal and self-proclaimed democrats, who live in a condo or apartment built after 2011, between 2,000 and 2,999 square feet, who enjoy attending ballet, theater and musical theater movies, who frequently travel internationally, plan to travel to Spain, and used a travel app within the last month, who are categorized as “foodies” and “green living” buyers, who tend to spend above average in high-end retail online stores, who are connected to people who have used your app? Facebook has your back!
If you are in that very specific target audience and actually get targeted with an ad for that app, knowing the exact segment definition you might start wondering how Facebook knows that about you. You don’t remember sharing anything about ballet or theater on Facebook, so what gives? Well, Facebook also tracks your activity outside the website using cookies, tracking pixels and iframes, to name a few of the web technologies. When you take mobile into consideration, there is currently no viable way of knowing what data is sent to whom when using an app. But, to be fair, Facebook is not the only company that does this.
You can check out the data Facebook gathered about you and a very brief and unsatisfying explanation about where it got that information by following this link: https://www.facebook.com/ads/preferences
Tracked by default
Setting some of the ethical issues aside for a moment, if tracking user behavior and interests leads to more relevant ads, then really, it shouldn’t be an issue. Users should see ads for products that they really care about instead of being bombarded with hundreds of banners showing products or services they would never in a million years buy or use. But even with access to this amount of data, publishers are still having issues getting people to buy their products. Research shows that more and more users are using Ad-Blocking software, especially on mobile platforms where ad-blocking grew 90% in 2015.
To top it off, users are not really given a say in whether they want to see this content or not. The general consensus on this issue is “you either accept the fact that we are tracking you or you can piss off”. Many companies provide a way for users to opt out of this, but it is generally a very painful process that most of the time is not permanent.
For example, I visit the Ad Preference page on Facebook every once in a while, where I have to click on each individual small “X” in the corner of each preference box to opt out. That X is only visible when you hover your cursor over a box, and there is a slight delay until it’s actually shown on screen and clickable. This may be enough for people to just say “Fuck it, let them track me”. A few weeks later, I visit the page to see that some new boxes appeared that I have to click again. It’s Facebook’s fun little way of reminding me that they really don’t give a shit about my preference. They only care about their flourishing B2B advertising business.
Mobile increases the number of collected data points
Companies can gather a limited set of data points for every user on the web. As we’ve seen before, this includes things like web usage, browser and OS version, hardware versions, browsing activity outside a specific website and so on. Mobile devices like smartphones and tablets can, however, provide much more interesting information. These devices are packed full of different sensors like GPS, accelerometers and gyroscopes, light and proximity sensors and, more recently, fingerprint scanners.
Most of the data gathered by the sensors is exposed by the underlying operating system. While manufacturers are making great progress in making users aware of the data they are handing to app developers, they don’t really take any action to limit it. The situation is particularly bad on Android versions prior to 6.0 (Marshmallow), which account for more than 97% of Android devices at the time of writing this article. On all these lower versions, when selecting an app to install from the Google Play Store, you would be presented with a list of permissions that app is asking for (permissions range from basic internet access to full filesystem access, camera, contacts, location and others). The user’s choice, however, was very limited. If you accepted that the app you were about to install was going to use those things, then you would go ahead and install it. If not, then your only choice was to not install it. This “choice” really fits the “you either accept or piss off” mentality of software companies.
Android 6.0 aims to fix this with a new mechanism for permissions that allows the user to accept or decline certain app permissions when they happen (very similar to the iOS mechanism of handling permissions) and this is a very good first step towards users taking control of their data.
The grass is not necessarily greener on the iOS side. Ever since version 2 of the operating system, Apple has provided a way of accessing the device location using CLLocationManager. Developers would use this class to request access to the device's location and then they would always get that information. In iOS 8, Apple introduced a subtle change in how location is handled. There are now two location permission categories, "When In Use" and "Always", and developers are required to add a short description for the users when requesting the appropriate permission.
The difference between the two permission categories is that “When In Use” will provide the location data to the app only when a user is actively using it (the app is in the foreground). Apps that request “When In Use” permission can also get location data when in the background, and the OS will show a blue bar on the status bar to notify the user that the app is still running. Closing it from the multitask menu will disable all location services for that app.
If an app requests “Always” location permission, then the developer is given full access to location data. This means that the OS will send location data to the app when it is either in the foreground or in the background, and it will not notify the user that the app is still running. It might also wake up a terminated app when a location event occurs.
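The least-privilege version of this flow, as an added example that is not from the article: a hypothetical iOS view controller that only asks for “When In Use”, asks only when the user actually triggers the feature, and requests a single coarse fix rather than continuous updates. The class and its helpers are assumptions; the CLLocationManager API calls and Info.plist keys are Apple's.

```swift
import CoreLocation
import UIKit

// Info.plist must carry the purpose string iOS shows in the prompt
// (the "short description" the article mentions):
//   NSLocationWhenInUseUsageDescription = "Shows stops near you while the app is open."
// NSLocationAlwaysUsageDescription (iOS 8-10) / NSLocationAlwaysAndWhenInUseUsageDescription
// (iOS 11+) are deliberately NOT declared: without them, an accidental
// requestAlwaysAuthorization() call is a no-op, so "Always" cannot creep in.

final class NearbyStopsViewController: UIViewController, CLLocationManagerDelegate {
    private let locationManager = CLLocationManager()
    private(set) var lastFix: CLLocationCoordinate2D?   // kept in memory only, never persisted

    override func viewDidLoad() {
        super.viewDidLoad()
        locationManager.delegate = self
        // "Nearby" does not need GPS-grade precision; request no more than needed.
        locationManager.desiredAccuracy = kCLLocationAccuracyHundredMeters
    }

    // Hypothetical action wired to a button: ask on user intent, never on launch.
    @IBAction func showNearbyStops(_ sender: Any) {
        switch CLLocationManager.authorizationStatus() {
        case .notDetermined:
            locationManager.requestWhenInUseAuthorization()   // foreground-only access
        case .authorizedWhenInUse, .authorizedAlways:
            locationManager.requestLocation()                 // one fix, not startUpdatingLocation()
        case .denied, .restricted:
            showMessage("Location is off for this app; enable it in Settings if you want nearby stops.")
        @unknown default:
            break
        }
    }

    // Fires after the user answers the prompt or changes the setting later.
    func locationManager(_ manager: CLLocationManager,
                         didChangeAuthorization status: CLAuthorizationStatus) {
        if status == .authorizedWhenInUse || status == .authorizedAlways {
            manager.requestLocation()
        }
    }

    func locationManager(_ manager: CLLocationManager, didUpdateLocations locations: [CLLocation]) {
        guard let fix = locations.last else { return }
        lastFix = fix.coordinate
        showMessage("Loading stops near \(fix.coordinate.latitude), \(fix.coordinate.longitude)")
    }

    // Required when using requestLocation(); a failed fix is handled, not escalated.
    func locationManager(_ manager: CLLocationManager, didFailWithError error: Error) {
        showMessage("Could not determine your location right now.")
    }

    private func showMessage(_ text: String) { print(text) }   // stand-in for real UI
}
```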
This was a huge step taken by Apple to educate developers to respect the user’s data and to only request what they need. But there are developers that simply don’t give a shit about this. Two major examples come to mind:
Waze location privacy settings
The new black overlay in the Uber app
But really, why should you care?
The main thing that you should keep in mind when using different technologies is that you might be giving up a part of yourself to the companies behind them. I’m not saying that you should switch off the internet on your computer or turn off a bunch of functionalities on your smartphone. You bought them specifically to enjoy using that technology. But you should be careful what data you share and who you share it with. Here are a few reasons why you should care about that:
While you are usually informed about the data that is collected about you, we’ve seen that even large, popular and respected companies tend to not tell the whole story about what they are using your information for. The documented misuses so far range from unethical (like selling data to 3rd parties) to downright creepy (like Uber’s God mode and TSA’s full body scans used for the entertainment of male agents).
Hacks and exploits
There is no perfectly secure service. If any company comes to you and tries to sell you a 100% guarantee that their system is unbreakable, make sure you laugh directly in their stupid faces.
Hacks make the headlines each year and have varying consequences. The most recent hack exposed 1 billion Yahoo accounts and the most devastating hack I can think of is probably the 2015 hack of the cheating website, Ashley Madison. The hackers posted a 25 GB data dump which included personal user information like real names, addresses and credit card transactions (roughly 30 million entries). Two deaths are linked to that breach.
Exploits are also a major cause for concern. Recent research shows that real-time crowdsourcing apps like Waze are vulnerable to false traffic and congestion information, routing users through unwanted areas, and even tracking them at scale without being detected.
I hope you can see by now that data analysis is a very powerful tool. But, unfortunately, the issues don’t stop here. Companies are teaming up with psychologists to analyse big data and create psychographic profiles to better tailor messages for different audiences.
As you can see in the video above, companies use data to show people the messages that they want to see in order to build trust in their brand. This might become a real free will issue very soon if these kinds of practices are not regulated.
After the introduction of the SOPA bill in 2011, internet censorship became a very heated debate subject. The 2011 bill expanded the ability of US law enforcement to combat internet copyright infringement. While it sounds good in theory, the bill would enable the US government to block access to entire domains even if the websites were hosted outside the US and would also enable them to force search engine providers to delete links to any websites that enable or facilitate copyright infringement practices. The bill died in Congress after receiving massive criticism related to freedom of speech.
But the issue of censorship is much more painful in areas with authoritarian and dictatorial regimes. Internet privacy in these areas is in many cases the difference between life and death.
A US-based company called Blue Coat is developing software specifically tailored to track internet users in certain areas, deny access to different parts of the network and even identify single users. This has obvious implications for journalists and activists in areas where there are clear human rights violations, and it could lead to imprisonment and violence.
Thinking back now, I believe that if people had smartphones back in 1989, there would have been no revolution here in Romania and we’d still be living in a communist state.
The future is (not very) bright
Technology has this nasty habit of evolving very fast. While this is generally a good thing, best practices in terms of privacy are usually left behind in this evolution. While authorities struggle to protect the people from the issues presented in this article, the tech industry is moving forward to the next thing.
We are now looking at self-driving cars and personal digital assistants, both based on the incredible advances in AI. But AI needs data to work. And we give up more and more of our data to train these technologies to serve us a better and safer future.
With this in mind, we need to be more aware of the data that we share. We need to compare the benefits of using a piece of technology with its true cost. Data privacy should be a basic human right, and the use of personal data should be an “opt-in”, not an “opt-out”. But until that happens it is our responsibility to be informed about the data we share and how it is being used.
So, in this holiday season, if you’re a developer, really ask yourself if you are providing the best solution for your users in terms of privacy. If you are a user then it might be time to scroll through the apps installed on your smartphone and uninstall the ones like that stupid calculator app that has access to your entire photo library.
Header photo credit g4ll4is
Originally published at appcluj.ro on December 29, 2016.