Civil Hack Back: Hack, Tweak, Delete Your Digital CV!
Von Timo Jakobi
2018 arguably was a good year for privacy of millions of people. The GDPR was put into effect, and thus were new safeguards for user data. And 2019 continued this winning streak for privacy.
Around the globe, GDPR has sparked legislative initiatives for handling privacy for the connected society.
Moreover, at least in Europe, there was quite some jurisdiction in fa-vour of privacy — and the user! Not least, the infamous cookie banner will likely soon be a relic of the past. In this vein, it also looks much like the sun may be setting for opt-out of tracking online. Also, it can be seen that throughout the EU, institutions are willing to increasingly make use the range provided by law in terms of issuing penalties for mishandling data.
Such handling and especially case law interpretation of new legislation is particularly interesting as it often serves as a frame of reference and thus may shape future jurisdiction.
Still, there are many things left open and unclear and many ambiguous terms or concepts need to be filled with examples, best practices and thus lower boundaries. Take for example the “data subjects” (that would be you then) rights: Most prominently, there are:
- the right to access data,
- the right for correction or rectification
- the right to erasure (more famous as “the right to be forgotten”)
- the right to restriction of processing,
- the right to data portability,
- and the right to object.
Hand on heart: Have you, until now, made use of any of these rights? Why not? In my research, I have already asked many people, and it looks, that people are uninterested often times. When going through the process with participants, it often is quite a hassle: Many organizations still do not have actual processes (not even speaking of automated ones…) to gather data they hold about a customer and provide it to them. Organizations would also often times take their time (they have 30 days) to answer your request: What is meant to be practical compromise for smaller companies, to handle requests, provides a loophole for larger companies, making data requests less attractive.
If you follow through, however, next disappointment is just around the corner: You will get raw data. In excel or pdf files, even as pictures. Even google provides you with HTML files, holding plain masses of text, or JSON.
The sheer mass of data is overwhelming to say the least. Also, the folder structure makes it pretty tiring to walk through everything. Despite having everything, it feels like having nothing: Nothing to understand, nothing actionable. Google, for example, provides you with all the GPS coordinates you have every sent when navigating with google maps in a JSON file. As a hobbyist programmer, you might be enthusiastic about what you can do with this data. Think about what your parents might be able to do with this. A key question was: What do they know about me now? For people to gain an overview, what this data actually contains in terms of information, they need tools to process and visualize that data. We urgently need automated tools for consumers, to process and visualize data in a user-friendly way. If the right to access data will not provide it, others need to step in: Consumer protection agencies, national legislation, the programming community, researchers.
Still, beyond caring for “transparency” (such a crazily overstressed term — what’s that anyways?), users remain at the mercy of how data processors (that’s e.g. the provider of a data-based service) will look at the data provided. Given that consumers do want to participate in a digital service, they barely have an opportunity to influence, alter or shape the data they are providing.
This fact is getting more and more crucial as the feedback loop between data analysis and real-life implications is closing in. Fitness trackers are teaming up with health insurance providers, connected car technologies are used for individual car insurance tariffs, not to mention the manipulation of political views or even votes, or the potential for social surveillance and scoring systems as just recently activated in the Peoples’(!) Republic of China. In the western world, there are only the first, seemingly harmless, pieces: However, at some point, your landlord may also have an interest in looking at how you drive because of some weird probabilistic correlation with your monthly rent payments, which may also be of interest for your employer, and so on. It will always be voluntary, yet, at some point, it will just be inevitable to get an insurance, a job, a home. What is being introduced from top down in China, the free market is likely to give to us by our “free will”.
Writing this piece, I have spent some time thinking of an analogy for this absurd situation: Not being able to maintain how you are perceived by others, at all. It is quite telling that I could not come up with one in the non-digital space. The closest I could get, actually was an absolute organization: Jail. Prisoners and Guards. Might sound cheesy. Agreeing or not: It is an uncomfortable situation to be out of control of your own representation. So, what do we do about this? From my perspective, it is time to get active and start to actively shape your digital footprint.
Use your rights; design your digital CV, if life makes you have one. Beyond tools to tell you what organizations know about you — an important puzzle piece to understand how effective you are in your civil hack back — we need tools and creativity:
I want to see dogs with fitness trackers to maintain your daily step training. I want to see athletes providing data of fitness trackers for the public. And if I am about to provide data to my health insurance, let’s make sure it’s from the time I trained for this one run back then!
I want to have a tool that automatically makes me who I need to be to get the lowest price for my new whatever-it-is on the internet, may that be an osx-edge-user or a mobile-opera-cyanogen-android browser fingerprint.
The German OpenSchufa project has demonstrated some of the potential merits, albeit not completely successful. I want to know, what data I should provide to boost my credit score. How do I get the lowest interest rate? Companies use data points and they are only provided by people. The people can create this data, shape, scratch, delete, tweak it.
Snap it, work it, quick — erase it
Write it, cut it, paste it, save it
Load it, check it, quick — rewrite it
daft punk — Technologic
Everybody is doing this with her CV all of the time: My prospective boss — or anybody for that matter — does not need to know what I did in my parents’ basement for the last three years. I am having the interpretive sovereignty over my life, when talking to people I don’t know. I define how others are to see me, by leaving out, emphasizing, passing things under the carpet or accentuating. Why shouldn’t I be able to do this in the digital sphere? The rights are there! Let’s use them to let them become tools for the people.
This article has been published in “The State of Responsible IoT 2019”, it can be found here: https://www.thingscon.org/small-escapes-riot-report-2019-out-now/
