We are being watched. Now, what do we do about it?
At this year’s South By Southwest Interactive conference in Austin, Texas, a whole bunch of people got together and talked about online privacy. After a while, I started playing a little game called “Who Knows I’m Here?”
It works like this: I drew up a list of every single way someone could look at all the electronic data I’m constantly shedding and use it to determine that I’m at SXSW—or, at the very least, in Austin.
It didn’t take long before the list stretched to an unsettling length, giving me a whole new perspective on privacy—one that fundamentally changes what privacy really means in the Internet age.
First off, there are the organizers of the festival. Not only do they keep a record of every attendee’s name, hometown, and company affiliation, but everyone has to get their badge scanned to enter each panel. So, every few hours during the conference, SXSW knew exactly where I was. So did my wireless cellphone provider, Verizon, and the creator of my phone’s Android operating system, Google.
If I checked in on Foursquare anywhere in Austin, Foursquare would know that I’m here, as would Facebook if I used it to check into a location. Since the Facebook mobile app has access to my geolocation data, I wouldn’t even need to check in somewhere for Facebook to know where I am because that type of locating ping happens on a regular basis. The same goes for Twitter or any other app on my phone that I’ve let access my location.
Next, look through all the apps on your phone and try to remember which ones have access to your location data.
Info about my location doesn’t stop at my smartphone case. When I opened up my laptop and logged into the wireless network at the Austin Convention Center, my IP address became visible to any website I access. Tracking an IP address can’t always convert into a precise location, but it can usually get somewhere in the vicinity.
I also looked at Yelp for a delicious Texas barbecue joint and used Google Maps to figure out the best way to get there—actions that implicitly give away my whereabouts.
Then there’s my credit card company, which saw that I paid for that brisket in Austin, and the bank that operates my checking account can see that I took cash out of an ATM nearby. If I flew in, there would also be the airline and ticket booking site, such as Expedia or Kayak, that let me compare ticket prices across multiple carriers.
I could keep going, but you get the idea.
The number of entities that know my location right now is huge, and that’s just for one piece of information. What about other things about me, such as how old I am, what kind of car I drive, what type of food I like to eat, the names of all my aunts and uncles? For nearly every aspect of my life, there’s probably some company out there somewhere that can make an inference about it based on the data I’ve provided to them with hardly a second thought.
This sort of widespread data collection has been going on for much of the Internet’s history, simply as a result of how the early online world was structured. At the outset, it wasn’t particularly practical for websites to handle relatively small payments, and many Web users were uncomfortable sharing their credit card numbers online. In part for this reason, the default cost of most online services was—is—zero. For companies looking to make money online, the most attractive thing they could monetize was the personal data and attention of their users.
The presence of all this data online was rendered in stark relief by NSA leaker Edward Snowden. All of the data being intercepted by the National Security Agency wasn’t just created out of thin air; it was information willingly provided by users to their Internet service providers, wireless providers, and countless online services. The only reason the NSA could grab it in the first place was because we shared it and companies collected it.
Last year’s SXSW was the first to convene after Snowden went public. Much of the conversation that took place in 2014 circled around people digesting those revelations. Snowden himself spoke, via live streaming video from an undisclosed location in Russia, urging tech developers to create easy-to-use methods of secure communication that are impossible for the NSA to crack—or, at least, difficult for government spooks to gobble up on a grand scale without considerable effort.
This year, the conversation had evolved considerably. Attendees have internalized that nearly everything they do online is being recorded in some way. That realization seems to be doing something very interesting to the very definition of privacy.
During a panel on surveillance, cryptography pioneer and privacy advocate Bruce Schneier argued that the pre-Internet conception of privacy has become hopelessly outdated. Privacy used to mean being left alone or keeping the details of your life away from the prying eyes of others. On the Internet, Schneier argued, privacy means having the ability to actively and intentionally curate our own online identities; we must choose which aspects of our lives we share and with whom we share them.
“Privacy is about how we present ourselves to the world,” he insisted. “It’s about our ability to choose.”
In another panel, Pew Research Center Internet and American Life Project Director Lee Rainie noted that millennials have a tendency to share more details of their lives through social media than older people but are simultaneously more concerned about privacy than their parents.
“Young people are more focused on networked privacy in the network age. They’re sharing more, but they’re more attuned to privacy issues than older people,” Rainie noted, adding that the sentiment is growing among all age groups. “It’s clear that privacy is not a binary condition for Americans. It’s not an on/off switch. … Throughout this data is that Americans seem to be clamoring for more control over what’s happening to them. They want more agency.”
It’s also likely the most straightforward retort to people who shrug their shoulders at the Snowden revelations—the people who argue that they have nothing to hide because they aren’t terrorists or criminals. The people who make up a significant chunk of the two-thirds of Americans who, according to a Pew Internet study released during SXSW, are aware of NSA’s domestic electronic surveillance system but haven’t altered their behavior in any way because of it.
Framing data collection as a personal choice makes the entire business model of a company exchanging a service for personal data far more explicit. In many cases (if not most of them), the information each of us gives up by posting something online or using a mobile app is relatively minor compared to the service or entertainment we get in return. This is because these companies combine your data with everyone else’s data to create extremely valuable data sets. If you understand that tradeoff, and if you’re cognizant of it, the exchange is on much fairer terms because you can consciously decide what to share, what to keep private, and when to avoid a service entirely.
Take, for example, the rewards card you get at the grocery store. Swipe your card at checkout and you’ll get a discount on a whole range of products. Stores don’t give these discounts out of the goodness of their hearts; they’re an incentive for people to give information about their shopping habits. Rewards cards allow stores to build profiles of your shopping habits and then use that information to more precisely market to your tastes. Maybe a lot of guys have a tendency to come in on Sunday nights and buy disposable diapers and a six-pack of beer. A store that recognizes this pattern could stick an end rack stocked with Coors next to the diapers section and tick their beer sales upward.
The grocery store is collecting information through your rewards card and using it for itself, but there’s also virtually nothing stopping the company from taking that same information and selling or leasing it. Let’s say you go to the grocery store once a week and buy a gallon of cream and a carton of cigarettes. Sure, that’s information the grocery store may find useful, but it’s also unquestionably something your insurance company might like to know when setting your health insurance rates.
Is that type of situation a good thing or a bad thing? Well, if you’re a Chunky Monkey-loving chain-smoker, that type of data use isn’t in your interest. But if you work for an insurance company, or are in the same risk pool as someone your insurance company has more detailed information about, it’s probably good news because your costs may drop.
It should be noted here that not every piece of data a company collects is going to be sold to a third party. In fact, a lot of companies have privacy policies stating that the personal information they collect will remain in-house. However, there are startlingly few legal restrictions on what a company can do with the user data it has collected. If Facebook suddenly decided it wanted to start selling data profiles of the likes and habits of individual, specifically identified users, there would be nothing stopping it other than likely bad PR.
At another SXSW panel, this one hosted by the Christian Science Monitor’s new cybersecurity news site Passcode, the topic turned to the potential of the profiles built through the collection of large amounts of personal data to lead to discriminatory outcomes.
Nicole Wong, the former Deputy Chief Technology Officer for the White House, recalled working on an in-depth report for the Obama administration about the intersection of big data and privacy. “If you pick away at questions about privacy, you see people are worried about fairness and non-discrimination,” she explained. “People are afraid they’ll miss out on opportunities.”
Here’s an example. Let’s say you listen to a lot of hip-hop on Spotify. That information, combined with a number of other data points, builds a profile that says you’re African-American. Maybe it’s accurate, maybe it’s not. Either way, there’s a lot that could be done with that information. When you do a Google search for apartment listings, will it just show you ones in predominantly African-American neighborhoods—a sort of soft digital redlining? Amazon could show you different prices for certain products versus someone whose profile lists them as white. It may change your odds of getting a home loan or change the rate on your mortgage. If all of the data collection and analysis is happening algorithmically, the actual term “race” likely never explicitly enters the equation because the profiles could be built on sets of correlations that are proxies for race.
Charging people different prices for the same good or service is generally legal but prohibited in the United States when done on the basis of race. If all of this is happening algorithmically, without any direct human intervention, is it still discrimination?
Rainie said that confusion about personal data and its uses is something experienced by a large number of Americans.
“The majority of people we asked [in our survey] don’t think … [the current laws about online data collection] are adequate,” Rainie said during his panel. “They don’t think it’s possible for their own personal actions to protect their own privacy, to keep their information safe. They’re more anxious to have a legal regime that sets the rules of the road. They think that people beyond their own capacity should be helping them through this.”
The problem is that the technology is rushing ahead so fast that it’s difficult for regulators and politicians, some of whom infamously don’t even use email, to grasp mechanisms of data collection so vast that even many of the organizations collecting the data have trouble entirely understanding it.
What’s certain is that viewing privacy as the line between opting in and opting out won’t help anyone involved in the digital dance of data reach a place of comfortable compromise because it doesn’t allow for a middle ground. The use of services that collect personal data is inevitable, but empowering individuals to, at the very least, be aware of what they are giving up when they download something from the app store is certainly a step in the right direction.
“The 20th century definition of privacy is the right to be left alone,” Rainie insisted. “The new definition is the right to control who I am.”
Photo by Josh Hallett/Flickr (CC BY 2.0)