Hackers obtained the Social Security numbers of more than 145 million Americans. Paid political chaos monkeys allegedly harvested data from at least 87 million Facebook profiles in an effort to influence the 2016 U.S. election, the Brexit vote, and possibly more. In a practice that could easily become discriminatory, police departments are mining social media profiles in the name of public safety.
These stories are all connected by a common denominator: data. Nearly everything we do online leaves a trail of data that is then combined and analyzed on servers across the globe in a kind of decentralized dossier of human behavior.
To many of us, that may sound abstract, or benign, or both. But is it?
To bring the issue out of the heady headlines, I tried to get a handle on how much of my own data was out there. This prompted just what you might expect: confusion, panic, and rage, followed by a strong urge to purge — to perform a data detox of my own.
Broadly speaking, my detox game is already on point. I’ve done the Master Cleanse juice detox (mercifully for my roommates, it was while they were out of town). I’ve been to sweat lodges. And every year or so, I do a clean install on my laptop and smartphone, wiping all the stored data and manually reinstalling apps and software, rather than recovering them from a backup. I know how to detox IRL and digitally. I’ve even written about it before.
Not a problem, I thought. I got this.
I focused on the platforms I use most — Google and Facebook — as well as my my favorite note-taking app, Evernote. Like many people who have taken a sudden interest in their digital privacy, I was startled by what I learned. It turns out I didn’t have this. None of us do.
I’m someone who’s been online since the mid-1990s. I’ve worked in the digital media and advertising businesses. I understand that our data is being collected to make products more useful to us and to make us more useful to advertisers. But seeing the surveillance economy all in one place made that truth more stark — and more unsettling.
During the course of my data detox, there were practices that surprised me and practices that did not. I was not surprised, for instance, to discover that Alphabet knows more about me than any other company in the world. But to get a more granular understanding of how that breaks down, I started by listing all the Alphabet-owned services I use: Google Docs, YouTube, Gmail, Calendar, Drive, Photos, Contacts, Translate, Chrome, Maps, Wallet, and, of course, the O.G. Google — the search engine.
Next, I made a list of the kinds of information these services might capture. That list was long and included things like my creative dreams (Google Docs with future book ideas), my embarrassing questions (YouTube demos on how to tie a Windsor knot), and my fears (Google searches for “How do you know if you have cancer?” Also: “How long did it take for Rome to collapse?”). There was also all my personal and professional correspondence (Gmail),a log of how I spend my time (Google Calendar), and my photos (Google Photos). Most alarming to me was a log of my up-to-the-minute location (Google Maps).
Depending on your settings, visiting myactivity.google.com can bring the company’s background tracking into the foreground. There, I saw every search query I’d ever run, most of the websites I’d visited, and almost every literal step I’d taken.
Horrified, I then completed the Google Privacy Checkup. There, I was able to see my default settings for logging and sharing. For example: “Let people with your phone number find and connect with you on Google services, such as video chats.” I don’t think having my phone number means you get to interrupt me with your face whenever you choose, so I turned that off.
YouTube was set to automatically show videos I liked and channels I subscribed to. Disabled.
Google+ was set to share my photos and likes and restaurant reviews. I had completely forgotten about Google+. (I have now mentioned Google+ more times than any single person in the past two years, and for that, Google should pay me. They can just put the money in my Google Wallet, which they have access to.) I disabled all that, too.
How accurate do I want my data portrait to be if it is being used primarily to encourage me to part with my time, attention, and money?
Next, I reviewed all the locations from which my account had been accessed. When I didn’t recognize one of them, I decided to reset my password and turned on two-factor authentication.
In the section for advertising settings, I was able to edit the list of topics Google thinks I’m interested in and against which they sell my attention to advertisers. But even though I could update that list — Google thinks I like dance music; I hate dance music — there’s no way for me to know why Google thinks what it thinks. I decided to disable any and all information-sharing with the “2+ million websites and apps that partner with Google to show ads.”
To its credit, Google offers a centralized and relatively user-friendly place from which to view and control your account, but I found the breadth of the data collection more unnerving than the relief I got from being able to exert a little control over it.
I finished my Google-data detox with a mixture of satisfaction and wariness. But it turns out Google was entry-level detox. When I moved on to Facebook, I pretty much lost it.
It was relatively easy to figure out some of what Facebook thinks it knows about me, thanks to a Chrome browser extension called What Facebook Thinks You Like. Whereas Google listed 28 things I appear to like, Facebook listed 713: “New York metropolitan area,” “Step Up (film),” “observational comedy,” “law school,” “motorsport,” “Michelle Obama,” “global warming,” and, oddly, “missing person.”
Facebook’s accuracy was spotty. I do love New York, the Step Up films (teen dance movies are my jam), and Michelle Obama (because I’m a patriot). I do not like “motorsports” or “law school.” No one likes law school. I also don’t like “global warming.” Nor “missing person.”
I was briefly amused by the discrepancies between the real me and the picture painted by Facebook, but it also prompted a question: How accurate do I want my data portrait to be if it is being used primarily to encourage me to part with my time, attention, and money? I toyed with the idea of whether or not, in the interest of my own privacy, I ought to obscure the real me with misleading signals.
What if I started liking Facebook pages about guns and engaging with content about white nationalism (or, worse, electronic dance music)? Of course, if I did that, I would also hinder the platform’s ability to provide value by knowing as much as it does about me.
Did I want to spend my time and energy making Facebook less efficient and more chaotic for myself? Is that what it would take to be truly free—to inconvenience myself by pretending to be someone else?
Like Google, Facebook has a settings page from which I can view and adjust my security and privacy settings. I also decided to look at the “Apps and Websites” and “Ads” settings, which are not listed in a way that suggests they are related to security and privacy, even though they obviously are. (Since Mark Zuckerberg was hauled before Congress in April 2018, this section of the settings page has changed, so your experience may vary slightly from mine.)
Given recent headlines, I was compelled to scrutinize the section about apps. When I got to that page, the first thing I saw was a monster of a disclaimer:
On Facebook, your name, profile picture, cover photo, gender, networks, username, and user id are always publicly available to both people and apps. … Apps also have access to your friends list and any information you choose to make public.
It has become central to an international news story that Facebook shares user data with linked apps, but I think it’s safe to bet that very few of Facebook’s two billion users had any idea until recently that this was part of the terms of service.
As another point of clarification: in Facebook-speak, “apps” refers to multiple things. They are the apps you launch from within Facebook (remember those?), the services you log in to with your Facebook ID, and the services you’ve “connected” to your Facebook account, including some websites. When I popped over to the Apps tag, I saw more than 400 listed. I literally screamed out loud. (I mean literally literally.)
To get our heads around why this matters, let’s look at one particular app on the list. Years ago, I discovered a mobile app called GateGuru. It’s operated by TripAdvisor and lets me browse airport maps and directories from my phone. This is obviously more convenient than hunting down information kiosks—which are, it seems to me, always inconveniently located.
I logged in to the app with my Facebook account because it was faster that way and I was hungry. That decision marked the beginning of a trilateral trade relationship between me, GateGuru, and Facebook: I used my Facebook identity to quickly access GateGuru. In exchange, GateGuru helped me find the Shake Shack closest to my departure gate.
In that deal, Facebook gave GateGuru the following information about me: My name, gender, birthday, all my friends’ names, my employers, my schools, all my status updates, every Facebook group I belong to or page I like, my events, photos I’ve uploaded or been tagged in, my religious and political views, my hometown, my current city, my videos, my website URL, the content and member list of the Facebook groups I manage, and my relationship status, which I would describe in this instance as “Super Fucked.”
Even if GateGuru doesn’t abuse my data, there is no way for me to know how robust its security is — or that of the 400-plus apps that have been collecting my data for years.
Horrified by the what-ifs, I spent more than an hour going through all the apps I had authorized, and I removed hundreds of them. No surprise, there was no bulk removal option when I did this—this feature has since been added—so I had to go through each and every one of them in a rhythm of click, scroll, remove, wait, curse, click, scroll, remove, wait, curse.
I then downloaded all my data from an easy-to-miss link on the settings page (it’s here). I deleted three years’ worth of search history, location history, and video-watching history that I didn’t know the company was holding. I turned the sharing defaults from “public” to “friends” or “just me” on just about everything. I made myself harder to find. I deleted the contact information for more than 3,000 people I had unwittingly uploaded to Facebook. (I discovered this on a random page nowhere near the privacy settings.)
We’re the raw material for the next phase in computer science: The computers study us and then take that data and run with it.
Facebook has long enabled and encouraged this system of data collection, sometimes under the guise of user empowerment: “We give you the power to share as part of our mission to make the world more open and connected” is how the company has put it in the past.
But a company that has spent billions in acquisitions and invested heavily in everything from virtual reality to drones can get different things done when it wants to. Facebook has 25,000 employees and generated more than $40 billion in revenue in 2017. This same company knew about the Cambridge Analytica data abuse in 2015 and didn’t act on it until it was reported by the press.
In response to massive and unrelenting global pressure, the company is finally starting to deploy some of its resources to secure users’ privacy on the platform. It has announced initiatives like Clear History and launched an investigation and audit of apps that had access to our data.
But Facebook investigating app makers for data abuse is like Breaking Bad’s Walter White investigating Jesse for all that meth he made in Walter’s lab using Walter’s scientific knowledge. Those apps would not have our data without Facebook in the first place. Nowhere in these newfound data-protection solutions has Facebook acknowledged its role in creating the problem.
Knowing all this, it’s hard to take seriously the man who in March testified before Congress and then posted this on, yes, Facebook: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.”
Once I’d looked closely at Google and Facebook, my thoughts moved to the apps I had installed on my iPhone. Curious what data they have the ability to collect, I picked one — Evernote, since I use it daily — and decided to take a look at the most dreaded and inscrutable copy on any product: the terms of service (TOS). Cue thunder, lightning, organ music.
I had put off this portion of the data detox because I prioritize time with my girlfriend, watching Atlanta, and living my life. Still, I was curious to learn how another tech company might be storing and using my data. I chose Evernote because I use it for everything from political strategizing to recipe tracking. I think of Evernote as a user-friendly operation with a business model that doesn’t depend on selling me to marketers. Evernote even has a human-readable “Three Laws of Data Protection:” your data is yours; your data is protected; your data is portable.
All told, the terms run nearly 29,000 words, which is about half the length of your average paperback. I dumped the text into an unlisted Medium post to see the estimated reading time: 109 minutes. (You can read some of my real-time reaction notes in this public read-only Google Doc.)
What I learned is that Evernote uses encryption to transmit my data, which I appreciate. I also noticed that Evernote considers me its customer and largely collects data to make using the service easier. That means gaining access to my camera and photo library when I want to add images to my notes, or ingesting my contacts database to make auto-completing easier when I want to share notes with other people. It’s convenient, but it made me uncomfortable, and I’m not so lazy that I can’t type in a full email address, so I turned it off.
I was curious under what conditions Evernote employees might be able to access my notes. Like, if I leave the app, what happens to the files? Similarly, what if I leave planet Earth? If I stop using the product voluntarily, all the notes must be manually deleted before closing my account if I don’t want the company to store them. As to the more morbid question: It turns out I need to designate some poor sucker as custodian of my brainstorms and musings if I want them removed after I die. (The full explanation is worth a read.)
All told, it took me about three solid hours to get through the TOS for my favorite app. Now I understand why Facebook thought I was interested in law school. I have 313 apps on my phone. If they’re anything like Evernote, I could spend roughly 940 hours reading various terms of service—or I could use that time to accrue enough credit hours for 10 Juris Doctor degrees.
This “data detox” I’ve done reveals just a few steps of a much larger journey. I’m saving for later my experience with creepy trackers that monitor our website behavior, and I just didn’t have the mental energy to dive into the world of credit reports or smart-home appliances. (Alexa, stop snitching!)
All this matters, because our data is being used to impact things far beyond the ads and content we see. It is already being used to determine job opportunities, loan rates, dating matches, and criminal sentencing guidelines. Follow Dr. Safiya Noble and her concept of “algorithms of oppression.” Read Cathy O’Neill’s book, Weapons of Math Destruction for a deeper understanding.
All this also matters because the Next Big Things — artificial intelligence, machine learning, speech and facial recognition — will be powered by more of our data. We’re the raw material for the next phase in computer science.
To be clear, not all data collection is bad. Much of it is essential for a service to operate well—to be worth your time and money. Data collection and tracking enables Evernote to know that I’m the same user on my iPhone, iPad, and web browser and enables GateGuru to remember who I am and that I like Shake Shack. Processing all this data allows Google to recommend shortcuts on my commute and Twitter to suggest interesting tweets I may have missed and Facebook to remind me of my friends’ birthdays.
But this same construct goes too far by offering up my religious beliefs, contacts database, location history, and hundreds of other bits of intel under the bad-faith claim that I granted permission and fully understood some rat’s nest of legal documents.
So what do we do? As individuals, we have options. First, as I’ve demonstrated, we must understand what we’re giving up. “Data” isn’t some vague thing we can’t understand, and “technology” isn’t a magical gift bestowed only upon the wise and elevated engineers in Silicon Valley. We have seen the consequences of data falling into the wrong hands, so let’s do something about it.
As much as this data-detox business sounds laborious, it’s important. Consider it a form of hygiene akin to your annual household spring cleanings and your daily showers. At a minimum, I recommend everyone take the following steps:
- Tune your settings on all major tech platforms, starting with those that sell targeted advertising (Google, Facebook, Instagram) and moving on to those that treat you as the primary customer (Amazon, Apple, Microsoft). Each of these company’s products has a settings page. Start there, click, read, edit, curse — and download your data if you’re so inclined.
- Secure your network connections with a virtual private network, and encrypt your browsing sessions with HTTPS Everywhere so your ISP can’t snoop on your website activity. The Electronic Frontier Foundation offers a good starting point.
- Read a few Terms of Service agreements. Know that this may take you hours, and that you will encounter information — AND WORDS IN SCREAMING ALL-CAPS — that you don’t understand, but do it anyway. This Lost In Small Print tool can help you get started.
- Use less data-grabby services like those recommended by Alternative App Centre. The site highlights less data invasive options for all sorts of software.
- Conduct your own data detox. Here is the one I found, made by Tactical Technology Collective in partnership with Mozilla.
We’re still in the early stages of the networked age, and we can fight for a different future. In the meantime, for ideas on how we might wage that bigger fight, see my companion piece, humbly titled “A New Tech Manifesto: Six Demands, from a Citizen to Big Tech.”
Baratunde Thurston is a futurist comedian, writer, and activist. He would like to acknowledge the Data & Society Research Institute, Surya Mattu, Belinda Thurston, and Elizabeth Stewart for their contributions to the thinking in this article. If you’re feeling inspired, moved to complain, or simply want to stay connected, Baratunde welcomes a chance to respectfully collect your data. Text him at +1-202-902-7949 with the message: #datadetox (really—it’s a public number) or visit Baratunde.com.