Learn Who Wants Your Private Data (and Why) - Take Control of Your Online Privacy (1.1) (2014)

Take Control of Your Online Privacy (1.1) (2014)

Learn Who Wants Your Private Data (and Why)

We’ve seen that lots of information you may want to keep private travels over the Internet. That in itself isn’t a problem; after all, you want to share private information with your family, friends, doctor, and so on. Problems can occur when someone accesses personally identifiable information (see Personally Identifiable Information) without your consent or even, in some cases, your knowledge.

Who exactly might be trying to learn private information about you online? I’m glad you asked; this chapter shows you who wants to know about you and, crucially, why. Knowing who you’re trying to keep your private data private from is a useful first step.

Advertisers

The Web is powered by advertising as much as it’s powered by servers and routers. Many Web sites devote far more space and resources to ads than to their actual content. As you know, it’s difficult to read the news, watch a video, check your email, or even search for pictures of cute cats without being bombarded by ads.

Web sites sell advertising space because that’s the only way most of them can make any money. However irritating or even slimy you may consider online advertising, it is the mechanism that has kept most Web sites and other Internet services free.

The companies that purchase advertising want to get their money’s worth, and that happens only if the ads result in sales. So advertisers expend a tremendous amount of effort to ensure the ads each person sees are likely to be interesting and thus lead to purchases. When advertisers make money, they’re able to keep buying ads and the sites that display the ads can stay in business.

Years of experimentation have shown that the most effective ads are those that target individual needs and preferences (including things you didn’t even think you needed!), not those that are merely relevant to a site’s content or the perceived needs of a broad demographic group. For example, if an advertiser knows I’m in the market for an air conditioner and shows me an ad for one—even on a completely unrelated site—the chances of making a sale go way up.

How might an advertiser know I’m in the market for an air conditioner if I’m not on the site that sells air conditioners? There are a number of techniques, including tracking cookies (which I discuss in Manage Local Storage of Private Data), but most involve using instructions hidden on a Web page that store data on my device when I visit one site (say, a search at Amazon.com) and then check that same data when I go to another site (say, weather.com) containing an ad from the same provider or advertising network. Although the server may store the details of my visit, the local data enables me to be identified across sites.

As you search the Web, browse various sites, follow links, and use ad-supported apps, advertisers can build up elaborate profiles of your perceived interests and tastes. And, because your IP address (or profile information you’ve entered into a social networking site like Google+ or Facebook) tells them roughly where you are, they can even display ads for local businesses selling the products you’ve shown interest in.

Unless you regularly search for things that someone else might regard as suspicious, none of this should be a concern. After all, if I truly do want to buy an air conditioner, I’d rather see an ad for an air conditioner than an ad for weight-loss products or hair color. Targeted ads should, in principle, be more helpful to me than random ads.

But…

Individually targeted advertising isn’t always to your benefit. The same bits of data advertisers can piece together to determine your interests and location can be used for things like showing higher prices on furniture to people who live in wealthy neighborhoods—or higher prices on electronics to people using Macs rather than PCs. They could also be used to determine that you are a registered voter in the “wrong” party, resulting in a phone call sending you to the wrong polling place.

In fact, the privacy concerns get even worse. Imagine this scenario, only slightly fictionalized from real life. A retailer tracks your online purchases and, noticing that you’re buying larger clothes, folic acid, and unscented lotions, guesses that you might be pregnant. Then, in an effort to be “helpful,” they display ads for baby clothes and cribs—or maybe they even send such ads by mail. Now family members, coworkers, or other people who might see those ads also suspect that you’re pregnant. Oops.

The variations on this theme are endless, but the point is that advertising can never be targeted with perfect precision. An advertiser may think it’s showing ads only to you, but your spouse, parents, kids, or anyone else who might use the same accounts or electronic devices can also infer private information about you by seeing on your screens the ads that were targeted at you.

When targeting becomes unfair or misleading, when it gives away personal information to others, or when it benefits only the advertiser and not the consumer, you may feel that your private data has been misused. Unfortunately, there’s no master switch you can throw that says, “Sure, you can know who I am and what I search for, but only if you use that information responsibly.” If advertising becomes intrusive or creepy rather than helpful, you may want to take steps to prevent any advertiser from collecting your private data, not just objectionable advertisers. As you’ll see throughout this book, the number of ways in which you voluntarily give away personal data extends far beyond the Web sites you visit, so this isn’t a problem with a perfect solution—but you can certainly reduce the risk.

The Google Problem

Google isn’t just a search engine; it’s a provider of email, document storage, videos, phone service, and numerous other capabilities. What they all have in common is Google’s legendary contextual advertising—that’s how Google makes money. And the more of Google’s services you use, the more personal data the company has about you that can be used to target ads with ever greater precision. Make no mistake about it: every search, every YouTube video viewed, every email read contributes to Google’s personal profile on you, to be used for the express purpose of displaying targeted ads.

You can use other search engines and other email providers, buy a non-Android cell phone, and watch videos on sites other than YouTube. But it’s nearly impossible to avoid Google altogether (although some people try). By all accounts, Google works hard to prevent your personal data from falling into othercompanies’ hands—after all, that would be giving away the store. But will Google be able to protect your data from everyone, forever? And can you trust Google itself not to be evil with your data?

On the one hand, it’s not in Google’s best interest to alienate its users. On the other hand, it is a giant corporation whose primary mission is to increase shareholder value, not to protect your privacy. If push came to shove, I’d have to guess Google would choose profit over kindness. And, even the best-intentioned companies sometimes experience security breaches that leak personal data.

I won’t say that you shouldn’t trust Google. But you should be aware of the massive amount of information most of us give Google for free—and remember that there’s always a cost somewhere.

And, even though I’m picking on Google here as the largest provider in its class, you shouldn’t think other companies with comparable services (Microsoft, Yahoo, and so on) are fundamentally different. The more data any company has about you, the more power they have—and the greater the risks to your privacy at their hands.

Local Villains

Another category of people who might be out to get the digital goods on you is what I’ll call “local villains.” Let me give you some examples:

· Ex-spouses or former partners who want to make your life miserable or even find evidence to use against you in court

· Neighbors with whom you have a dispute or disagreement

· Your current employer, who may want to make sure you’re not violating company policies or misusing proprietary information

· A prospective employer who’s trying to judge your appropriateness for a position

· Stalkers, thieves, and other criminals looking for evidence of when you’re home or not, where your kids are, and other information

· Friends and relatives who like to snoop and gossip

As a group, local villains tend to be less technologically sophisticated than advertisers, hackers, and others who seek your personal information. On the other hand, they may be more motivated, and they’re far more likely to be focused on you personally rather than on a sales demographic you represent. And, let’s face it, most of us have tons of personal information online that’s readily accessible by the general public—Facebook, Twitter, Flickr, personal blogs, and so on.

Hackers

Some of them do it for fun. Some do it for notoriety. Some do it to make money. But one way or another, thousands of intelligent but misguided people around the world spend every waking hour trying to break into computer systems to steal information and money, to trick you into buying something, or simply to cause mischief.

I shouldn’t call them “hackers,” because hacking is a noble art and only a small subset of hackers use their powers for evil. But you know what I mean: black hats. People—mostly young men—who write and distribute viruses, keyloggers, Trojan horses, and other malware. People who send spam and use phishing messages to con you into handing over your passwords. People who take over computers by the millions to turn them into botnets. Bad guys.

Hackers rarely target specific individuals—in most cases, it’s nothing personal. The two pieces of private information most of these bad guys would be happiest to have are your credit card number (for obvious reasons) and any password that protects financial information (for the same reasons) or provides access to large amounts of your data, such as your email account. Although it’s difficult to protect your privacy from a truly determined hacker, you can take steps (as discussed elsewhere in this book) to make their work harder and less rewarding.

Note: If you want to see what the bad guys—hackers and others—have been up to lately, you can search the massive (although incomplete) database of the Privacy Rights Clearinghouse for privacy breaches. It’s fascinating and deeply sobering: the list is extremely long and growing fast.

Big Media

The RIAA (Recording Industry Association of America) and MPAA (Motion Picture Association of America)—along with record labels, movie studios, publishers, and other major copyright holders—are keen to know who has been pirating their media. Apart from monitoring BitTorrent traffic and file sharing sites, these firms work closely with ISPs to identify people who illegally share movies, software, and other copyrighted materials. Depending on your location and provider, this could lead to serious consequences including civil lawsuits and termination of your Internet service.

I don’t blame copyright holders for protecting their property; I’ve had my own work pirated and lost money because of it, and it’s no fun. (You did pay for this book, right? Just checking. If not, I should mention in passing that I can see you right now.)

The problem is, sometimes big media companies make mistakes. They’ve sued little old grandmothers who don’t even own computers and made other egregious blunders. Even if you’d never consider stealing media (I did tell you I’m watching, right?), you might prefer that your file sharing activities be kept private.

Big Money

Banks, credit unions, credit card providers, and other financial institutions may want evidence of your thriftiness or trustworthiness in considering whether to offer you a mortgage or other loan. Insurers may want to see whether you engage in risky behavior or have medical conditions that might influence your rates or disqualify you. When lots of money is at stake, it’s only prudent to collect as much information as possible to make a good decision. That’s as true for large corporations as it is for you.

You should not be at all surprised if a potential lender or insurer checks out your Facebook page or searches for your name on Google. Your health-food blog and tweets about your jogging regimen might score you a better life-insurance premium; Facebook posts about late-night drinking binges could raise your car insurance rates. You may never learn why these things happened, either—companies generally aren’t required to reveal how they go about researching you.

Big Data

I’ve mentioned Google (and will do so again)—it may be the largest non-governmental data collection entity in the world. But it’s certainly not the only one. Facebook, Twitter, and other companies with users numbering in the hundreds of millions collect massive amounts of data on users’ tastes, preferences, opinions, geographical whereabouts, and other details. Although this data is mostly used for targeting advertising (see Advertisers), it can also be put to many other uses, from the virtuous (helping you find a parking space) to the creepy (profiling you as a potential criminal).

Big Brother

Unless you’ve been protecting your privacy by living in a remote cave without electronics or human contact, you’re probably aware of the string of revelations starting in mid-2013 about ways in which government agencies, including the NSA (National Security Agency) in the United States and Britain’s GCHQ (Government Communications Headquarters), have been secretly collecting phone records, email, recordings of Skype conversations, and other data most of us thought was private—on the authority of secret courts and accompanied by gag orders that prevented those who knew about the data collection from revealing it. In fact, this sort of thing has been going on for a long time, and there’s no end in sight. The public might never know the full nature or extent of government data monitoring.

Tip: For detailed and continuously updated discussions of the ongoing revelations about government monitoring, see Timeline of NSA Domestic Spying at the Electronic Frontier Foundation (EFF) or Global surveillance disclosures (2013–present) at Wikipedia.

All this is being done, of course, in the name of preventing terrorism and other crimes. You may or may not believe that. You may trust the government and feel that a reduction of privacy is justified by an increase in security, or you may feel the whole thing is an appalling abuse of power. Whatever your opinions, I believe the following facts are uncontroversial:

· Massive data collection has happened and continues to happen. There are apparently no technological barriers preventing the government from monitoring most email, phone calls, and other online data.

· The laws governing data collection may eventually change, but if the U.S. government’s current monitoring was performed for years without the public’s knowledge that the law permitted it, the same thing can happen again. (And in any case, making something illegal doesn’t mean it won’t occur.)

· Although we now know something about data collection by the NSA, FBI, and other U.S. law enforcement agencies—and comparable efforts in certain other countries—the full extent of global monitoring is unknown. It’s plausible that other governments have the capability to capture at least some of your personal data, even if you access Internet services only in your own country.

· Other than lobbying for changes in laws you may disagree with and voting for people whose privacy positions you trust, there’s little that average citizens can do about this sort of data collection.

Going back to the “I have nothing to hide” argument (see Learn What You Have to Hide), the difficulty with all this from a privacy point of view is that even if you are the most harmless and trustworthy person in the world, something you say or do online could be misconstrued or misrepresented. Just as spam filters incorrectly flag some legitimate messages as junk mail, government computers could incorrectly flag you as a potential threat, and that could have consequences ranging from inconvenient (such as being put on a no-fly list) to devastating (being charged with a crime you didn’t commit). Computers have been known to make mistakes—and so have the people using them.

What about Privacy Policies?

Almost every Web site and Internet service has a published privacy policy, and I’d think twice about using a site without one. Privacy policies spell out what data the company collects (particularly personally identifiable information), how it’s used, what protections are in place to safeguard it, and so on.

Privacy policies, like software licenses, are typically full of boring, inscrutable legalese. They might be good for curing insomnia, but they’re not exactly page-turners. Even so, you might find it interesting and educational to read the privacy policies from a few sites you visit often. As you do, keep the following in mind:

· Although a company may be legally obligated to publish a privacy policy stating how it uses your data, it’s not required to have a policy that protects your privacy. A privacy policy could state, “We ruthlessly collect every scrap of personally identifiable information we can find about each user and sell it to the highest bidder, with malice aforethought.” So, don’t mistake the presence of a privacy policy for a pledge of privacy.

· Privacy policies sometimes contain cleverly worded loopholes—and policies could be updated without your knowledge to become less protective of your personal information.

· However strict and commendable a privacy policy may be, it is, at best, only a policy—not a barrier. A company may say it stores your data in a secret mountain fortress protected by a dragon, but does it have a contingency plan in case a hobbit shows up with a magic ring and a bunch of dwarves? These things happen.

· A privacy policy does not, by itself, have the force of law. If you can prove that a company violated its stated policy, you might be able to win damages in a civil lawsuit. But that can’t prevent, undo, or correct a breach of privacy.

I wouldn’t want to do business with a company whose privacy policy admitted to practices I disagree with, and I’d rather know about such things up front. But even a fantastic privacy policy is no guarantee.