Recently, the media spotlight has been on the PRISM furore of spying by government agencies such as the NSA. However in all of the hype surrounding this issue, it is overlooked that the private sector has also been culpable in these kinds of privacy transgressions.
Comprehensive surveillance by the state is a serious matter, yet the colossal network of monitoring undertaken by the private sector in targeted digital advertising is just as potentially dangerous, if not more so, in the event this information is abused. Dozens of companies exist solely to profile users and in turn build digital profiles detailing almost all of an individual’s online activities: websites visited, visit duration, and the location of the website, which theoretically tracks the type of people they are contacting (e.g. an Iranian website). Even where the cursor moves on the screen is sometimes tracked (using a mild, albeit legitimate, hack of Microsoft’s Internet Explorer browser). Facebook can provide data to identify an individual’s age and location, and other activity on social media sites can be sifted through to determine one’s gender, ethnicity, political orientation and even sexuality. All of these activities use some of the world’s most powerful supercomputers to attempt to persuade users to buy new products. It is all perfectly legal. This industry is growing fast, with billions of dollars being pumped into start-ups as well as existing firms.
This mammoth data collection effort is achieved by embedding code on webpages to exchange cookies with a user’s web-browser. Cookies act as unique identifiers that collectively provide the information needed to build detailed digital profiles of an individual. Companies called “Data Management Platforms” (DMPs) exist solely to place cookies on as many websites as possible, which then communicate with users’ internet devices to gradually accumulate information for each profile. A profile is used to “serve” an advert most likely to correspond with a user’s interests, thus increasing the likelihood of the product being purchased. Websites read cookies and assess a user’s personality. They can also store these complex and highly personal profiles if the user has an account with the website. Otherwise, private sector data collection relies on users having all the information stored on their computer, awaiting access. The more comprehensive the profile, the more successful these targeted marketing strategies are, so DMPs have huge incentives to collect as much information as possible.
Websites can also see a computer’s IP address (which can track location to a 50km radius), the type of device being used, and the frequency of logins. Thus, it is not difficult for the system to determine fairly accurately where a user lives and works. Although digital profiles are technically anonymous (it is illegal for private companies to collect and store postal code data from your IP address in the same way an ISP must hand it over to the security services upon request), the system does at the very least provide a reasonably accurate regional location. This information, while vague, greatly enhances the utility of digital profiling, which in turn increases the potential for its abuse.
Although exact location based on IP address is not legal for the private sector to ascertain, if “geo-tagging” (which determines exact position based off a phone’s GPS signal) is used as part of the data collection then a profile can track an individual’s exact movements, thus learning where they live and work based on their two most-visited locations. Thus, an individual’s profession, income and lifestyle can all be gleaned.
Digital profiles must remain anonymous, but an individual will be linked to their profile if an advertiser gains address details in order to deliver a purchased item via post. Consider the enormity of online retailers, many of whom are untrustworthy, and all of a sudden we are handing over a lot of very personal data to sources unknown; many of whom operate outside of major Western countries, and thus outside the scope of conventional online regulation. Consider also that, even without address information from product sales, cell-phone geo-tagging often volunteers the mobile phone’s number, making it nearly impossible for digital advertisers not to identify who a digital profile belongs to. Thus, the only thing protecting our individual privacy is the moral fibre of thousands of people who work for these private-surveillance behemoths.
The private sector’s data-collection practices often amount to roughly the same capacity to identify and profile people as those of the NSA. The concern then becomes what checks and balances exist to hold both back. PRISM collects conversation log-data, stating things such as platform used (e.g. Facebook or Skype), how long conversations last, their date/time, and between who the conversations are held. The NSA also tracks things such as websites accessed, visit duration, and what links are clicked. This is remarkably similar to what digital advertisers collect.
PRISM does not collect readouts of emails, nor does it record Skype conversations. Western security agencies cannot gather this data without express permission in the form of a warrant. Log data is all they can collect with extreme ease, but even then this has oversight from courts (albeit secret) and Congress. Digital advertisers by contrast have pretty much a free hand, within their legal constraints, to create comprehensive data profiles. Google even knows the content of a user’s emails. Unlike the public sector, oversight from regulators is minimal by comparison.
When it comes to the question of which has more spying potential, the only fundamental difference between PRISM and targeted digital advertising data-analytics is fast becoming that one is voluntary, requiring users to actively contribute towards creating their digital profile, and the other is involuntary.
There are legitimate grounds for the existence of the data collection model, as present systems operate in order to create advertising revenue, which in turn is vital for the internet to remain free at the point of use. Yet it is still deeply unnerving to know that a largely unregulated sector of industrial-grade spying is occurring to the level that Gmail will, “read your emails, therefore know you have a flight to catch, and know where you are in order to work out traffic conditions.” Private corporations have comparatively little accountability, scrutiny, and perhaps most importantly, their raison d’être is not to protect those whose data they accumulate, but rather to turn the greatest profit possible by utilising their data in whatever way they can.
So what is the next logical step in dealing with these recent discoveries and the broader topic of data protection? The whole surveillance issue is certainly worrying and warrants a major discussion. Few realise quite how much of their private information is in fact public. It is also not acceptable that current spying practices by the private and public sectors should be permissible without at least some form of legitimacy via open public debate. Yet data collection experts in both security firms and the digital advertising market seem incredibly blasé about the recent media storm. In fact, it almost appears that they hope the much-warranted attention of their activities will soon blow-over. When a leading industry magazine interviewed a number of experts in digital advertising, the quotes typically attempted to brush off the criticism of digital spying as “unrelated to” or “much different than that of the NSA.” In the words of one particular contributor, “there’s really no alternative.” This seems to sum up the industry’s views on the topic: There is no problem, so what’s everybody complaining about?
There is small chance of a real discussion being held given the industry’s stance. On the level of a concerned individual however, there are ways to hide your identity online. Tools, such as TOR (The Onion Router), exist to shield physical location, and at the end of a browsing session deleting the browser’s cache and cookies will prevent most data collection activities. Another victory for privacy comes from Mozilla (creators of web-browser Firefox), who have teamed up with a California-based privacy company to attempt to shield users’ online privacy by barring the placing of 3rd party cookies on a user’s computer. Whilst lauded by the privacy lobby, this decision was decried by both the advertising and publishing sectors.
A debate is required on who should collect personal data and why, as is education on methods for protecting personal information. Although the private sector can only uniquely identify people to their online profiles if a person decides to purchase a product and have it shipped to them, it is concerning that a surveillance society is being created by the private sector, whose sole aim is profit. It is small comfort, but the motives behind surveillance undertaken agencies like the NSA are at least in our interests.
Michael Yeomans is a contributor to Geopoliticalmonitor.com