The All-Knowing Internet: Your Personal Data Reveals Everything About You
In his book kaddish.com, Nathan Englander makes a pretty profound observation while contemplating the likelihood of an All-Knowing God. It’s hard to imagine an All-Knowing God but we now live in a world where it’s pretty easy to accept the existence of an All-Knowing Internet. More specifically, there is an enormous amount of data that is known about you. In fact, almost everything about you is now known or knowable. Doubt me? Come along for the ride. It’s going to be scary and maybe exciting, but this is a red pill, blue pill moment. Once you know it’s going to be hard to look at the world the same. If you don’t want to know what The Matrix is then read no further.
We’ll be covering who it is that knows everything about you, what they do with your information, how you should feel about, what if anything you can do about it, what is the proper role of government to regulate this and what laws are in place or on the horizon. To provide some bounds on this enormous topic, the focus will be on North America/US. That said, this is all as relevant for people who live in Beijing, London, Copenhagen, Sydney, Sao Paulo and Seoul. It’s just significantly scarier for people who live in Russia, China and repressive countries like Iran and Turkey whose complexities are beyond the scope of this article.
For readers of my articles, I’m going to be changing things up a bit with this one. First of all, I’m going to speak in first person a fair amount (see that, I just did it). Secondly, I usually have exhaustive research and links to back up the facts and perspectives I’m providing. In this case, I’m actually an expert, having run a Digital Agency for 18 years. Most of the companies referenced in this article, really do not like to talk about any of this. But I’m going to.
Choose Your Dystopia
In discussing this a few years ago with Sean Shelby, the Chief Technology Officer of Digital Agency, Isobar, he made an astute observation. In the 20th Century, there were two big dystopian novels: 1984 and Brave New World and this question of your data comes in two flavors which corresponds with each.
Big Brother
In 1984, Big Brother knew everything about you and controlled your life. When Edward Snowden leaked information about all the data that the US Government gathers and keeps on individuals, people were mortified and outraged. And perhaps appropriately so. There is a trade-off between keeping us safe and invading our privacy and the general consensus was shock and horror that the government was gathering data without a warrant and storing it against our will.
By and large, we trust our government is not going to act in an evil way with our data so maybe the trade-off is worth it. If you lived in Russia or China, I think you would and should be very much more concerned with the government security apparatus deciding that you may be a threat to its regime and as a result, locking you up or worse. But how much should we trust our government? What if we had a leader who felt it was in the interest of national security to monitor and eliminate subversive elements that are acting contrary to the greater good of the nation? It is probably wise to view our government with a degree of suspicion even if we believe we currently live in a benevolent democracy.
Brave New World
In Aldous Huxley’s classic, Brave New World, there is a magical drug, Soma, that people take that allows them to expand their world and experiences and feel better, keeping them addled and controllable. In this analogy, that “drug” is the one that you have voluntarily put into your pocket and won’t go anywhere without. The amazing super computer that your life has become entirely dependent upon, your smartphone (iPhone or Android). As we will soon get into, this super computer that you carry with you is an incredible tracking device not just of your physical location, but of your digital activities and all your relationships. And you, voluntarily share all of that information, and probably hardly give it a second thought.
The thing that’s interesting about this one, is that you volunteer this information and even once you learn how you do it, who gathers your data and what they do with it, you probably won’t change your behavior. In fact, you probably can’t imagine how you could.
Partly because it’s not as interesting to focus on government surveillance of you and partly because there is an incredible amount of ignorance on the topic, we’ll be focusing on the Brave New World dystopia.
What would an All-Knowing God know about you if it existed?
It would know all the outward things about you that are known by any acquaintance. But it would also know things that only those closest to you know. It would know things that you wouldn’t even want your spouse/significant other to know. It would also know your desires, whether you shared them or were even aware of them yourself. It would know things that you can’t really know like when you are likely to die or experience life transforming events. In many ways, it would know you better than you know yourself. And its memory would be much better than yours; in fact, it would be infinite.
Let’s see how the All-Knowing Internet stacks up.
Physical Location
Perhaps the best way to understand this, is to look at the handy feature that Google provides in a dashboard. And it doesn’t matter if you have an Android phone or an iPhone. If you have a Google app of any kind on your phone, Google knows where you are and everyplace you’ve ever been ever since you got that smart phone (or the one you used to have, or the one before that, etc.). Not picking on Google here, they’re just kind enough to allow you to see the data they have about you. Apple, Facebook, Verizon, AT&T, T-Mobile, and plenty more have this same information.
With Google’s dashboard you can literally hit a play button and look back at the day to watch yourself move around on the map. And not just for today, you can look at yesterday, last week, last month, last year, etc. Let me share a personal example of a day I had a while back. I was in Detroit visiting my client, General Motors. On the day in questions, I decided to stay at my mother’s house in a Detroit suburb. So the dashboard tracks me leaving my mother’s house, driving to my Detroit office, then heading over to meet with my GM client in the Renaissance Center, then heading back to my office before driving to the Detroit airport, flying to Chicago, driving home to my house but stopping at the CVS on the way home to pick something up for my wife before eventually settling in at my home. And by the way, this is from five and a half years ago, so this isn’t even a new thing but I bet it’s news to you.
You too can join Google to see everywhere you’ve been via the Google Maps Timeline.
What things could you do with this kind of location information?
Fighting Crime - It would seem that it should be pretty easy to solve a drive by shooting. Figure out who’s phones drove by the scene of the crime during the incident, eliminate the grandma and focus in on the guys with a criminal record. Bring them in for questioning, find physical evidence, get eye witness confirmation and you have proof they were at the scene of the crime. It doesn’t appear that police actually do this at this time. They seem to talk about triangulating cell towers. Hint to the police, just ask Google.
Track your employees – A lot of businesses provide phones to employees particularly businesses with salesmen. And when your company provides you with a phone or a computer, it’s technically their property. Although not common, they probably can legally track employee movement. So when the sales guy says he was out meeting with clients all day, you can figure out that he really spent his day goofing off somewhere. This is a pretty sticky area that most companies are pretty reluctant to wade into. But if you’re a truck driver, they’ve probably been tracking you for years. Ostensibly to support their Just In Time deliveries but also to verify you aren’t speeding, driving more miles per day than legally allowed or spending the afternoon at a truck stop instead of driving.
Track your spouse/significant other – If your spouse/significant other, knows your Google login or has access to a computer you’re logged in on, it’s pretty easy to figure out where you really are and where you’ve been. Say you’re at work but you’re really on the golf course, busted. Worse yet, say you’re working late but you’re in someone’s apartment or a hotel, busted.
Big Brother – Again not the focus but, in addition to police, any government agency could use this information to put you in the same room with another suspect, at the scene of the crime or to identify suspicious or “unpatriotic” behavior.
So why do they all have this information and what do they use if for?
With Google, it’s actually pretty easy to understand one of the things they use if for, directions. You rely on Google Maps, Waze (Google owns that too) or Apple Maps to guide you while driving, walking or taking public transit. So, at some level, of course they need to know where you are in order to tell you when to turn. And for that matter, since they know where millions of other people are, they’re pretty good at estimating how bad traffic is and how long it’s going to take you to get to your destination. This also helps them to find the best route. Google in particular, takes that a step further. Even when you go to Google Maps on your computer (not just your smart phone), they’ll give you an estimate of how long it will take you to get home, even if you never told them where home is.
That all seems pretty helpful. What else do they do with it? They also use it to target ads. There is a lot more to come on this topic but all that data about where you spend your time is really valuable to these companies and the advertisers that pay the bills. After all, you didn’t pay anything for the Map apps. Did you really think those amazing applications were actually free? You pay with your data.
I know you’re thinking, ok so if I’m walking down the street and going to head by a Starbucks, maybe I’ll get hit with a Starbucks ad or maybe an offer. Yes, you will. But even when you’re sitting in your home, on your computer, wallowing in the “privacy of your own home”, they know where you spend your time.
So if you spend a lot of time in a neighborhood even if it’s not where you live or where you work (they know where that is too), they know you’ve been there. Businesses in that neighborhood will want to target you with ads since you are not just the demographic they’re looking for, you actually spend time near their business. You’re the potential customer they’re looking for.
There are a lot of ways that they know your demographic information, and we’ll get to that in a bit. But even if they didn’t. Remember, they know where you live so they know the average income in your neighborhood and the average home price, whether you’re likely to be a home owner or a renter and whether you’re likely to be married or have kids.
The Value Exchange
This is a point I’m going to be coming back to time and time again. You are getting something with a lot of value like a Map application, Facebook, Gmail, Twitter, Instagram (owned by Facebook), YouTube (owned by Google), Snap Chat, etc. You were not required to pay for these amazing things and trust me there are billions of dollars of cost behind them. But they make many more billions of dollars on advertising thanks to you and your data.
And is it really that bad if you get targeted with ads for a new mini-van when you’ve got a baby and you’re actually in the market for a minivan. There aren’t too many young single people that would be enthusiastic to see an ad for a minivan so recognizing that and giving them an ad for a fuel-efficient sedan is probably something they’re more likely to appreciate. And the advertiser doesn’t want to annoy you more than they have to or waste money showing you an ad for an automobile you’re just not interested in.
In fact, if they really understood everything about you and were good at anticipating your needs, you’d get ads and offers for products you’re actually in the market for. Which would save you time and effort on your research and would make ads less annoying and actually kind of valuable.
That’s the positive story.
The negative story is, that all these companies have all this data about you. And why are you not as bothered by Apple, Google, Facebook, Amazon and Netflix having all this data as you were when you found out that the US Government had all that data about you? Maybe you should be? Why do we trust them with our data? What rules are they following to make sure they don’t do horrible and egregious things with your data?
The short answer is almost none. And to the extent that there are rules, they’re largely making them up as they go along. For the most part, they recognize that if they act inappropriately, they are going to get laws placed on them that they don’t want or their customers are going to freak out and rebel against them. It’s in their own interest to generally behave appropriately. But there is very little US legislation in place governing this. And if you’ve paid any attention to the congressional hearings with technology executives like Facebook CEO, Mark Zuckerberg, it’s probably a good thing there isn’t much legislation. Our Congressmen really have very little understanding of how any of this actually works.
And as many have sadly discovered via social media, once on the Internet, information can never truly be erased.
Smart phone data
Lest you believe that if you simply didn’t use Map apps, you’d be free from this, you should understand that almost all apps want your location information. Generally, they do this to provide you more appropriate content like the weather where you actually are, recommendations to great restaurants near you or people nearby that you know or might want to get to know. And as been recently revealed, your smartphone, itself, keeps track of everywhere you go.
To be clear, it’s not just location data that your smart device captures. Your iPhone knows every song you’ve ever played, every text message you’ve every sent, every game you’ve ever played, movies/shows you watch, what you search on, what sites you visit, who you’re contacts are in addition to where you live, work and spend your time and with a small bit of extra effort, who you spend your time with.
This begs a few questions. How does Apple use this information? Where do they store it? Is it secure? Can I do anything to stop it? Should I want to?
Let’s take the first question. Apple uses at least some of this information to better understand usage, behavior and application conflicts. Indeed, there is some level of opt-in with both a Mac computer and an iPhone/iPad with regard to collecting application performance and usage information and sharing that with developers to improve products. We all benefit from a majority of people opting in for this type of analysis with regards to improved app usability, performance, battery drain and stability.
But Apple needs to make some trade-offs in how it decides to use this information. For example, Apple voluntarily decides it’s reasonable to use any information about music you purchase or stream through their platform but not use information from CD’s you digitized (although they have all that information too). What would they use that for you might ask? Well, there’s the obvious, recommending music that other people with similar listening attributes also like. But there is also the less obvious.
For example, being able to tell an advertiser not just the type of music their target audiences like to listen to but the most popular new songs with that audience or better yet with the trend setters in that audience, who are already listening to what will soon become your new favorite song. As a result when that product shows up in a commercial, the background music will be not only be something that you enjoy but will also help you understand at an intuitive level that, this product is targeted at you and the product you’d have if you were maximizing the person you want to be. Again, this isn’t necessarily bad, it can be hard to figure out what products are targeted at you and your needs. If the right music can help you figure that out, then that’s just kind of helpful.
But this does start to get into an area, where we might reasonably ask whether there shouldn’t be some rules about how this information is used and who has access to it. As previously noted, our leaders don’t seem to have a good handle on this topic and their ignorance could really stifle innovation and have negative unintended consequences. Yet, we are almost entirely reliant on the good judgement of hopefully well-intentioned companies. It should be clearly stated that these companies do have a strong motivation to act in their self-interest by protecting your data and privacy. Further, there is a close line to walk between having our digital devices be intuitive and helpful and having them become downright creepy. And these companies are explicitly mindful of this balance.
At present, there are conventions and best practices which are generally supported by third party platforms with regards to the use of data where it is generally stored in a way that makes it non-personally identifiable. And in reality, none of these companies actually care about you, as a specific person. They want to deliver the best most helpful suggestions, recommendations, and ads to the user, whoever that person is.
It should be noted that Apple and the iPhone was the focus of the above. Google owns and controls Android, the operating system that the vast majority of non-iPhone smartphones run on. So, for example, a Samsung Galaxy phone runs on Android. This complicates who exactly knows what, as there are adjustments that Samsung makes for their phones which are different from what Motorola or other Android smartphone manufacturers do. But there isn’t a very meaningful difference between Google and Apple with regards to the data they have access to.
It’s Not Just Your Smart Phone - Cookie Data and Data Aggregators
Cookies
If you’re freaked out or otherwise scared by any of the information so far, it’s probably about to get worse for you so buckle up. When you go to a website, it drops what is known as a Cookie. A Cookie is a self-contained collection of data that is useful to you and to a website you visit. For example, a Cookie is helpful in allowing sites you frequently visit to recognize you, “Welcome Back Geoff”. It is super helpful with things like not requiring you to enter your username and password every time you show up; let’s face it you have so many of those damn things, it’s handy not having to deal with it every time. Cookies can also recognize you such that even if you don’t have a login for a site, it knows you’ve been there before and what offers its previously made or things you’ve previously looked at.
Ever wonder how some news sites recognize that you’ve read three free articles this month and are now going to block you from viewing more unless you subscribe? That’s thanks to the cookie. It used to be easier to delete individual Cookies than it is now. Cookies are much more hidden than they once were perhaps for the express purpose of making it hard for you to subvert their intentions. Cookies don’t just recognize you, they can contain bits of information about your status that helps the site behave properly like understanding that you’re not just known but a member or a priority member. They also help sites better track customer behavior on sites so they can better identify usability problems, bounce rate (when people leave a site immediately) and shopping cart abandonment among other things.
But Cookies are also used by third parties. Specifically, ad serving platforms. These Cookies, are literally used to track what sites you visit and what you’ve clicked on and looked at on those sites. They can further be used to create a profile on you by tracking you across websites. So even if you think you’re not logged in so you’re anonymous, these Cookies allow you to be tracked and profiled.
Ever wonder how it is that once you visit Nordstrom’s site and look at a pair of shoes that you then see an ad for those exact shoes when you go to CNN to read some news? That is an ad Cookie doing its thing. This is at some level remarkable and at another level rudimentary and simplistic. It’s remarkable because your actions on Nordstrom’s site is impacting what you’re seeing on the CNN site. Rest assured, there is absolutely no direct relationship between the CNN site and Nordstrom site.
Nordstrom merely needs to have agreed to drop an ad serving platform Cookie and determined that it wants to serve up so called, “retargeting ads” to site visitors using an ad serving platform such as DoubleClick (acquired by Google several years ago). In the Google/DoubleClick platform advertisers, like Nordstrom, select sites they want to advertise on and agree to terms they’re going to pay for ads on a premier site like CNN. Otherwise, they work with a Programmatic ad platform where they agree how much they’re willing to spend and will then deliver the retargeted ad to people when they show up after the ad platform conducts Real-Time Bidding with other potential advertisers. In that sense, it’s remarkable how fast those ads show up given everything that has to happen before hand, including the real-time auction.
So why is that simplistic. The example above is simplistic because it’s a relatively unintelligent ad. It recognizes something you’ve looked at then shows it to you again when you show up somewhere else on the web. There are remarkably more sophisticated techniques used to determine which ad to server up and to whom. Those rely on much more data to determine who to target. Companies will build these databases based on the things they know about you. For example, that you’re an existing customer, what you’ve bought in the past, where you live, what your email address is, what your phone number is, etc. But that information is fairly limited. So more sophisticated companies will buy data from third party data aggregators such as Acxiom, Epsilon, and Merkle.
Data Aggregators
Data aggregators are not all the same but let’s talk about the kind of information the best ones have. In short, they know everything about you that is knowable and there is much more knowable than you think. They know your marital status, where you live, they use various bits of information to approximate your income, they know how many credit cards you have, whether you pay your bills on time, what kind of car you drive, how many kids you have, whether you buy things from catalogues, what your highest level of education is, where you work, where you go out for dinner, how much you spend at dinner, in short, they know just about everything about you. They gather this data from a wide range of sources such as credit card companies, public census data, credit bureaus, proprietary cookies, content providers (magazines, sites, etc.), surveys, etc.
Companies will marry up the data they know about John Smith, their customer, with the information they obtain from third party data aggregators. Again, by convention, not by law, this married up information is stored in a non-personally identifiable manner so that nobody at the company can look at John Smith and see information that John Smith did not voluntarily provide to them. That’s fine because when they advertise to John Smith, they don’t particularly care that it’s John Smith, they’re just trying to advertise to someone with a high likelihood of being receptive to their advertising. Of course, these databases include not only existing customers but can include pretty much every potential consumer in the United States.
Here too, there are varying levels of sophistication with what can then be done with this information. This starts with advertising to people who share a lot of attributes with their good customer, John Smith or by targeting people whose demographics (age, sex, location, education level, income level, marital status, race, etc.) align with the target buyer for their product or service offering. With more sophisticated providers and platforms, advertisers can have a database that includes everyone in the United States with all of their attributes. Then they use algorithms and analysis to target people with the highest likelihood of responding, maybe targeting ads to regions, cities or neighborhoods.
They might for example want to advertise for their chain of restaurants to only people fitting the right income level, age, and behaviors including people who are known to visit the neighborhoods where their restaurants exist. By associating all of that information to a Cookie that identifies the individual, advertisers can even ensure that they only serve up that ad to people actually on their list. Again, using an auction method, they can serve up those ads to people on hundreds of participating sites depending on where they can get the ad served for the right price.
This is not to argue that this is a nefarious activity perpetuated by advertisers of products or services, the content sites that are supported by those ads or even the Googles of the world that make Billions of dollars serving those ads. Again, you get great functionality and content for “free” as part of the previously mentioned value exchange. And if you’re going to be served ads, it’s to your advantage that they be ads that are relevant and of interest to you. But that doesn’t mean that you shouldn’t be concerned about the massive information that has been collected about you and your on-going behavior which perpetually augments that data. It is truly the stuff of dystopian novels and the dream of tyrants since the world began to have such in depth information on all manner of activity and behavior of their subjects.
Believe it or Not, We May Be Taking it Up a Notch
Voice - Alexa/Echo, Siri, OK Google and Cortana (Yes Microsoft is trying to participate in this)
Voice enabled devices are starting to become ubiquitous. If you count all the smartphones, they already are. But they are now commonly in our kitchens, family rooms and bedrooms. And all of these devices (including your smartphone) are always listening. This last statement requires some explanation. These devices are always listening if only for the activation command: Alexa, Hey Siri, OK Google after which they then listen to what you say next, process and respond. But the fact remains, these devices are, therefore, always listening. So you can add that to the list for that dystopian or tyrannical scenario. Remember all the spy movies where people snuck into guarded buildings and hid a bug in the lamp. No need for that when your targets insist on taking a listening device everywhere, they go.
A story broke recently that revealed that Amazon does record and listen to things said to Alexa devices such as the Echo. In fairness, Amazon said that a very small percentage of messages are listened to by Amazon employees and contractors in numerous places around the world. According to Amazon, the voices are not identifiable back to who they belong to and this is done to improve natural language processing and other capabilities. But Gizmodo just wrote an article stating that Amazon has geo coordinates for all devices and can easily use those coordinates in order to map to homes. Again, it is unlikely that any of these companies really cares about you as an individual, so it is very unlikely that anyone really wants to listen to the mundane aspects of your life that are captured.
I should say that, while I have extensive knowledge about how all the previous data mentioned is used, voice data is relatively new and still very much evolving. I will say that, in Q1 2014, I was one of the first beta users for the original Amazon Echo. After a couple days with the device, I wrote a piece on my assessment and prognostication on how this device would evolve and the gap it would fill. I felt like it had a very good chance of becoming the J.A.R.V.I.S. (of Ironman fame) for the home being able to turn on and off lights, music, the TV, etc. as well as answer questions about what was going on in the world, capture your shopping list, and actually fulfill the list from Amazon, in addition to becoming an advertising platform in and of itself. This opinion was not initially shared by many and we couldn’t find a publication willing to run a story on what they were sure was going to be another failed consumer device from Amazon (boy were they wrong). As it turned out, it’s almost seemed like Amazon has been operating from the strategic plan I articulated.
Why tell this anecdote, other than to get in an I told you so? It’s because, it became immediately clear to me that this device, that was in a room, not on my smartphone, could provide a valuable role as a handsfree device to control my home and provide me with information. Also, as a beta user, when I asked questions like the score of a game or league standings, which it had no idea how to answer, I knew that Amazon was going to figure out that those were things people wanted to know and add those features (which, in fact, they did). Similarly, Amazon continues to pay attention to unsatisfied Alexa questions and analyze what went wrong. Did the system misunderstand the words, the meaning or is it just not programed to address a type of question that is being asked by a lot of people? They are surely continuing to try to enhance the offering and make it better. But again, that doesn’t mean you shouldn’t be concerned.
Again, I focused on the Amazon offering but the same can be said about the offering from Google and Apple, both of which now also have stand-alone devices which are basically copy-cat versions for the Amazon Echo. Further these voice controls from Amazon, Google and Apple are being built into an expanding array of consumer devices.
Genetics
An All-Knowing Internet, would certainly want to understand your genetic make-up. This would include whether you are a genetic carrier of one or more diseases. What your likely life expectancy might be (although the actuaries at insurance companies are pretty good at estimating this based on all the other data). Who your ancestors are; you may be surprised. Children and siblings you didn’t know existed.
People are now adding their genetic information to the set of data out there. But the main companies, 23andMe and Ancestry, store and handle your data in a non-personally identifying way. Like a random number+letter ID that just has demographic information with it. Your account has access to the random key associated with your genetic data. They generally store your personal information and your genetic information on different servers. Assuming they actually follow these practices, that should provide pretty solid security for your information.
23andMe has a consumer offering but that’s not how they make money. They sell the genetic data as aggregated data for medical research. If you opt in, then your individual data may be used in research in a non-personally identifiable way.
I actually believe in their mission where they are trying to better understand disease conditions through their research. In general, the medical profession only finds people once they are afflicted by a disease. But through this type of research they can find currently healthy people who carry genes for a disease. This allows better understanding of contributing factors that might cause one person with the gene to get the disease and another to not get the disease. It would be otherwise impossible to find such people, certainly not at enough scale to be scientifically significant.
There is some risk that the government might force companies to turn over genetic information in mass but at that point the government would probably force genetic records for everyone anyway. Why do one without the other. For example, the government could require all hospital blood tests to be submitted for DNA analysis and what hospital won’t comply? You’d need an underground medical system to avoid being included in the genetic database. So, I don’t think there’s a lot to be gained by trying to avoid that particular dystopian scenario.
I’d opt in on research with 23andMe but not for Ancestry. Ancestry has a partnership with Google for research which creeps me out a bit more since, as we’ve already discussed, Google already has so much information about me (and you). Also, Ancestry’s policy makes all of your public family tree information available to researchers which by definition means it can’t be non-personally identifiable. Not really sure what their thinking on that is. Clearly researches might find your heritage interesting for medical or ancestry purposes but at that point, I’m out.
What I said above about Ancestry using your family tree information if you consent to genetic research really sounds like it couldn’t be true. This is a link to the Ancestry informed consent page which includes the following under “4. What data is used?” when you give consent to participate in research, “Family Tree Data: Information that you voluntarily share with us about yourself and family members when creating family trees, such as genealogical data, pictures and birth dates.”
But if you decide to do DNA testing, you’re betting that these companies are going to be able to protect your data. And if they don’t that it’s not going to cost you very much. It’s currently illegal to use genetic information to deny health insurance or raise premiums. But it can be used by disability and life insurance companies. So I’d be cautious about doing genetic testing with your Dr. I don’t think they are likely to demand your 23andMe data and pretty sure they don’t currently but legally I suppose they could or at least require you to answer if that testing identifies you for increased risk. That’s currently the biggest open area of risk. There is also the risk that your genetic information gets used for identifying criminals which is really only an issue if you or your family members are criminals.
Are there any laws and regulations protecting our personal data?
The answer is yes, kind of. There is a European law called GDPR that went into effect in May of 2018 and a California based law, CCPA, going into effect in January of 2020. I’ve included more information on both of these and governmental regulation more broadly in a post script at the end of the article.
The most noticeable impact to consumers has been all those annoying notices that you need to acknowledge the first time you visit a site that tells you that they use cookies. See one example of the cookie notification from the Conde Nast Traveler site below:
If you look closer at the Conde Nast Traveler Cookie consent you see that in addition to just accepting cookies, they provide an option to manage your preferences; see below. You can’t see them all below but I counted 42 entities dropping 73 Cookies on this one site in just this Advertising Targeting category alone.
Just in case you thought I made it up earlier, note the language above about tracking you across the web and creating a profile on you. The next time one of those annoying pop-ups shows up, you might want to look a little closer before accepting or hitting the X in the corner, to see if you have options to opt out of some or all of their cookies.
Security, hackable
Let’s say you can get comfortable with all this information about you being in the hands of so many companies. This still leaves open the question of whether they can protect your information from being stolen. And the sad truth is that nobody can provide 100% assurance that they won’t get hacked. In the past few years, so many organizations that have gotten hacked that it’s hard to have any confidence in any company’s ability to protect your data.
The US Government Office of Personnel Management, which processes security clearances, got hacked and had all the very detailed information of all the people that have security clearances or have applied for security clearances was stolen. Equifax, one of the three large credit bureaus got hacked, exposing 145.5 million consumers data. Sony got hacked by North Korea. Chase Bank got hacked, exposing the data of 76 million households and 7 million businesses. In 2018 alone the following retailers were hacked, Macy’s and Bloomingdales, Adidas, Sears, Kmart, Delta Airlines, Best Buy, Saks Fifth Avenue, Panera, etc. Yahoo got hacked, exposing data for a whopping three billion accounts. Some of these hackers are going after data for espionage or intellectual property reasons, some are trying to steal your information in order to sell it to others who want to get credit cards and mortgages in your name, still others may have different nefarious objectives.
Although Facebook hasn’t been successfully hacked (as far as we know), there has been a tremendous amount of concern about user data that was utilized by political operatives from Cambridge Analytica. It’s not entirely clear that this was particularly different from the typical data based marketing that I’ve been describing though. Even more concerning, this April it was reported that more than 540 million Facebook user records were exposed, including 146 gigabytes of user data, by a third party developer. Another third party developer similarly exposed 22,000 user’s data which even included user names and unprotected passwords. So even if Facebook can’t be hacked, the same can’t be said for third party developers with access to their platform who, in the above cases, just incompetently stored the data in an unprotected fashion on a public cloud (no hacking required). And how is it that a Mexico based third party developer had access to 540 million Facebook user’s data in the first place?
This is the world we live in where our information including some of our most intimate information is everywhere in the hands of companies we know and love and companies we’ve never heard of and will never directly interact with. The vast majority of these organizations have no motivation to do anything untoward with your information. But that doesn’t mean they won’t. And even if your information can be “safely” held in their hands, they really are quite imperfect when it comes to keeping that information safe from criminals or governments who may wish to steal your information and use it anyway they’d like, in order to serve their needs without any regard for you or your interests.
It should be noted that the companies that have the most of your information like Google, Apple and Amazon, also have the most secure systems on the planet and to date, have yet to disclose a major data breach (sadly Facebook can’t really be included on this list anymore).
The All-Knowing Internet
This all brings us back to the All-Knowing Internet, which, if you’ve stayed with me this long, you’ll have to concede that it is pretty all-knowing at this point. It’s already amazing in ways that could not have been believed a generation ago. But what will we do with this immense amount of power or perhaps what will it do to us? The Internet certainly has gotten good at selling us stuff and will only continue to do so. But can it do more? Can it be used to elevate humanity?
The All-Knowing being is really limited unless it has intelligence. And as turns out Artificial Intelligence is coming of age and its capabilities are accelerating at a rate that is not well understood by the vast majority of people and politicians. This will be the focus of an upcoming article. And indeed, is an even more amazing phenomenon with incredible potential for good as well as the potential to bring about the type of dystopian nightmare found in movies like Terminator and The Matrix. Perhaps we don’t quite have a Beta god yet, merely an Alpha. But we now can stare into that future and clearly envision not only what it might look like but how we will get there.
Regulatory Post Script:
GDPR
There is a European Union driven set of laws and regulation that are putting limits on what companies can and can’t do with information and requires them to let you know what information they have on you. This is called GDPR (General Data Protection Regulation) and went into effect starting May 25, 2018. Strictly speaking this law only applies to sites operating in Europe. But many large companies have stated that they will be following these regulations globally partly because it would be hard to build out capabilities to comply in Europe and have different capabilities for the rest of the world and partly to address the rising public concern on personal data handling. It is possible that these EU regulations will become de facto standards for multi-national companies operating in the US. According to a mid-2018 analysis, about 20% of US, UK and EU companies said they were fully compliant, 53% said they were in the implementation stage and 27% hadn’t started.
These policies are quite onerous, and the penalties are very steep (up to 4% of global annual revenue or 20 million euros, whichever is larger). These regulations started to go into effect in 2018 and have had some effect on how companies in the US are operating. Behavior of data providers and data aggregation platforms has not changed in a meaningful way though. As mentioned earlier, the most noticeable impact to consumers has been all those annoying notices that you need to acknowledge the first time you visit a site that tell you that they use cookies. As a result, major US brands don’t drop cookies now unless you accept cookies or navigate on the site. For clarity, below is the earlier example of the cookie notification from the Conde Nast Traveler site:
This is in essence a lot like the pages of disclaimers that most people don’t read but are required to acknowledge if they want to use a site/app. If you want to use the site, you have to accept that they use cookies. So now you’ve effectively agreed they can use cookies to track you. You probably liked it better when you still had the ability to say, “I never agreed to that.” Enforcement and complying with GDPR is still evolving. It’s not perfect but, in fairness, it’s a start.
It should be noted that there is an older 2011 EU law, commonly referred to as “The Cookie Law”. This law required companies in Europe to alert users of cookie utilization and allow them to opt out of some or all. Actually, a nice Cookie and Cookie Consent explanation here.
For clarity, I’ve included the Conde Nast Traveler Cookie settings form again below. But this time, I’m showing the Strictly Necessary Cookies tab. This gives you a sense of some of the reasons whey cookies are necessary and sites can’t really work properly without them.
Although it may not always be the case, this sort of ability to adjust cookie settings is the new standard.
So, you’re thinking, “Hey, the European Union is way more on top of protecting user privacy than the US government.” Well, you are correct. But there is always a trade-off. Let’s think of all the technology companies that you interact with on a daily basis: Apple, Google, Amazon, Facebook, Snapchat, Instagram, Twitter, LinkedIn, YouTube, Netflix, Microsoft. Did you notice what they all have in common? They’re all founded and based in the US. To their credit, US politicians and regulators have been reticent to stifle our Internet-based technology sector and for good reason. But it is not incorrect to be giving it a renewed amount of attention. The risk is that politics is given more weight than prudent legislation. The further risk is that poorly informed politicians and regulators concoct laws and regulations that have very negative unintended consequences.
CCPA
In June of 2018, California passed a law called the California Consumer Privacy Act (CCPA). This law goes into effect on January 1, 2020. It went from a draft to law in less than a week so that extra time will be required to iron out the specifics. The intentions of the Act are to provide California residents with the right to:
Know what personal data is being collected about them.
Know whether their personal data is sold or disclosed and to whom.
Say no to the sale of personal data.
Access their personal data.
Equal service and price, even if they exercise their privacy rights.
Like GDPR, since this affects doing business on-line in California, it will effectively impact any company or organization that operates digitally in California. But as a result, any national company/organization or multi-national company/organization will need to comply with this legislation at least for activity in California. This may be the law that puts some control of your information back into your hands. It’s currently being thought of in terms of web sites but is theoretically much broader. Given all the information about you that is out there and used, it’s hard to imagine the effort that will be required to put the genie back in the bottle. Unlike GDPR, the fines for violations are relatively tiny, $7,500 for an intentional violation and $2,500 for unintentional violations. So, it’s not clear how much effort companies will put into compliance versus accepting a few thousand dollars in penalties. We’ll have to see how this unfolds.
