The Privacy Storm

Mar 2018: For many of us who work in technology, the Facebook / Cambridge Analytica crisis currently unfolding (March 2018) is getting attention not just because of the facts of the story, but because of the question behind it: why has the world started caring now?

Personally, I think it’s simply one of those ideas whose time has come; the tectonic pressure has been building for several years and the seismic event is now upon us. Data thefts, ransomware attacks (most notably against the UK’s NHS) and allegations of social-media-led election influencing have been building, and the world is ready to pay attention.

BBC News - The Story So Far

The Great Flood - Data, Data Everywhere

Facebook has been known in tech circles as a voracious data gathering tool for years, the trade off for users seeming fairly transparent - let us use your browsing data and “like and share” behaviours, and we’ll let you share photos of your morning toast with the world. And part of that trade off will be to let corporations know that, well, you’re an extremely avid toast fan and might be a good bet for high-end-toaster adverts.

Perhaps that’s acceptable in most people’s eyes. It’s annoying in a low level, background way, like call centre options menus, but actually Facebook does provide an impressive platform for zero monetary cost and anyway, where’s the harm?

Well - unfortunately there are some pathways to real-world damage and harm.

First of all, forget Likes of Aunty Babs’ summer BBQ - no-one cares, other than of course Babs. Much more interesting are the Likes for companies like Nike and Apple, for musicians like 50 Cent and Placebo, authors, movies, TV shows, shops - you get the idea. But why is this so terribly sinister?

It’s not because the connected hivemind now knows you like 50 Shades of Grey. It’s because by comparing the relative Likes of datasets of 50 million people, and using things like sly “personality quizzes” - hello there, Cambridge Analytica! - certain patterns can be observed, certain correlations emerge from that data. In a nutshell it allows certain assumptions to be fairly reliably made from Facebook responses alone: if you Like 50 Shades, you’re perhaps 80% - 90% certain to be female. And if you like particular musical artists - 6 or 7 in a given list of 10 “tell tale artists”, say - you’re maybe 75% likely to be an adult in the US who favours the Democrat party.

New York Times - Cambridge Analytica and the Secret Agenda of a Facebook Quiz (2016)

That’s bad enough - and there are of course many more projections which arise here - and Facebook’s advertising tools let you pretty accurately guide your advertising dollars to very surgically target subsets of people you’re interested in reaching. And so election influencing is suddenly on the table: it’s not fully fledged cheating, there’s no election fraud as such, but it starts to seem dubious ground, ethically speaking, when you can spend millions targeting “Vote Trump!” ads, or anti-Hillary ads, at groups of the populace in important swing states who you know are open to being persuaded to vote in your favour.

And what about people whose Likes and Shares give a strong indication of homosexuality in countries where that’s still a crime?

Or who show up as likely to partake in rebellion in countries in no rush to adopt democracy?

Privacy - You Have Less Than You Think

If you think it’s bad enough that Facebook is such an agent of data leakage, there’s much worse to come. I see a long overdue public debate coming, very soon, about the horrendous exploitation of our personal data and internet habits - by the entire internet advertising industry, not just Facebook.

Ever browsed a few products on Amazon or Argos and suddenly you’re besieged by adverts for those same items everywhere? Your webmail, Facebook, news sites, other shopping sites? No surprise if you have. Again this is using technology that’s more than 15 years old - all that’s changed is the scale of the industry using it. Imagine multi-million dollar corporations (they’re invariably US based) spending millions just to track you from website to website, learning what you’re interested in and trying to sell you that very product. Because that’s what happens - and it’s a mundane, everyday phenomenon now.

Picture the scene: your home town has seen heavy snowfall. You’re the first person out the next morning. All the shopkeepers in town slept in their stores due to the inclement weather (I know - but bear with me…), and they’re open for business and pleased to see you. You visit the chemist, the butcher, the bookies for a cheeky 9am flutter, and then your local charity shop.

Imagine what your town looks like - all that fresh snow, and your footprints: you leaving your house, the shops you’ve visited, and the order you did it. Anyone in a passing helicopter knows exactly how you’ve spent your morning.

And now imagine your boots have a serial number in them: pair 123-456. Now even when your neighbours awake and go about their business, your activities can be identified separately to theirs.

That’s almost exactly what the advertising industry does. Those stupid “cookies” warnings the EU valiantly campaigned for on websites, that show up at the top of the page and you click “Yeah whatever” and ignore them? Cookies are the serial number on your online footprints. And supercookies (yes - those are a real thing, and no they’re not as delicious as you’d think) are carefully and deliberately designed to be all but impossible to avoid or remove:

Anti-privacy unkillable super-cookies spreading around the world – study

They Know Where You Live

But the very worst thing of all, for my money - it’s easy for companies to use these supercookies and their arsenal of tracking techniques to connect a name with these serial-number constructs.

Imagine once again you’ve got your boots on in the snow: you are currently “person 123-456”. The butcher’s never met you before and greets you happily: Morning there, 123-456. You introduce yourself, and pay with your bank card. “Bye Neville” waves the butcher as you leave, and then he notes in his book: “123-456 - Neville from Thingy Street, bank card ending 4421.”

Of course, you need to provide consent for this, and for the butcher to share this information with the bookies and the chemist - all “carefully selected, trusted third party partners” of course, so that’s OK. But when the butcher handed you the 85 page Terms and Conditions you didn’t want to miss out on the last of the pork and apple burgers, so what the hell, sign and move on - who has time for that!

The major risk here isn’t that shoe sellers can more accurately target their shoe adverts. It’s that great databases exist of our more sensitive habits. The 14 year old who’s been researching contraception, the housewife who’s developed something of a gambling habit, the middle aged insurance exec who’s arranging an affair on an adult introduction service. Nothing criminal there - Nothing to Hide, right? - but we all know what people go to the toilet for and yet we still put doors and locks on our bathrooms.

Privacy is important. It really, really, matters.

Do smartphones capture all your conversations? What about Alexa, and Siri, and OK Google? Do devices capture all your keypresses, all the websites you visit, with or without “incognito mode” turned on in your browser? With so many millions of dollars at stake spent tracking consumers - including children - it’s difficult to be certain where companies really draw the line.

How Do We Stop This?

The outcry at Facebook - which will surely spread to the other personal data vampires in play in the online ecosystem - will surely itself lead to better practice, at least among reputable firms, those with a share price to look after if not their actual users.

Added to that, the EU is introducing much more stringent data protection laws later this year: the GDPR. It’s quite dry reading material but it has the potential to be effective, you don’t need to actively do anything yourself to benefit, and the EU has a track record of standing up to the Googles of the world on its citizens’ behalf.

EU GDPR Regulations

Finally, and most effectively, we can take some simple steps to better protect ourselves.

  • install an ad blocker

  • improve your built-in browser privacy - I like this one: Duck Duck Go for Firefox

  • use private mode / incognito mode in your browser, especially when gift shopping and you want to avoid adverts ruining your gift research! You still leave “footprints”, especially on your company’s and ISP’s backend records, but fewer of them and potentially none on your own PC - great for thwarting tracking cookies

  • use a VPN - I use Nord VPN and find it works very well, and it’s well rated by a frankly very demanding community

  • review your settings in social media and shopping sites where possible - Facebook, LinkedIn, Amazon all allow you to dial down the intrusions and use of your data

  • never accept the “we will share with chosen 3rd parties” terms, including the weaselly alternating “tick to share / tick to not-share” games (these are known as “dark patterns”, techniques designed to trick and trap you, they’re worth reading about - some sleazy, sleazy business people out there…)

  • do your own research; simple searches for “improve internet privacy” should give you all you need