Book Chapter. Profiling through cookies, IP addresses, apps, device fingerprinting and data brokers is getting more advanced, as are new technologies such as Artificial Intelligence, using microchips and sensors integrated into our homes, cars and cities. Everything we do online or via apps is monitored, collected and shared with others, unless we actively do something to stop it. Governments have enacted GDPR and a new breed of visionary companies have divulged into data ethics. But individual also have to do something themselves such as Digital Selfdefense.
“How does Facebook know that my mother has has Alzheimer’s?” a woman asked me one day. “I’ve never mentioned it on Facebook.”
“Have you been to the Alzheimer’s website or googled it?” I asked.
“Yes I have. Is that really why?”
She was surprised when I explained to her how third-party cookies are used to collect as much data about us as possible, share this with lots of other websites and profile us so we can get, so called, personalised advertisements, content and prices.
Patient associations, websites selling medicine, and the vast majority of websites generally have third-party cookies installed on their websites. This means that they share data about their customers with third-parties such as Facebook, Google and often hundreds of other advertising networks. Cookies are just one way to profile us, albeit the most widespread and oldest. Use of IP addresses, apps, device fingerprinting and data brokers are becoming increasingly advanced. This is before we’ve even come to the Internet of Things, where appliances, vehicles and other items are embedded with a microchip that collects and analyses data about us at home or in the car and will no longer primarily be collected via our phones and computers.
Cookies – The first step in profiling
Cookies are the most basic form of data sharing, something that the majority of websites still participate in. Originally, cookie data was anonymous, but sites such as Facebook can identify individuals because they have a login. The same goes for an increasing number of customer loyalty programmes and all sorts of other websites and social media. Therefore, you can no longer say that cookie data is unidentifiable.
In September 2017, Apple, one of the few privacy-friendly Silicon Valley companies, introduced an ‘Intelligent Tracking Prevention’ in their Safari browser. It blocks cookies from the outset, whereas most other browsers are the opposite, monitoring users as a starting point and requiring them to opt out. Three months after its introduction, Apple’s actions caused one of the worlds largest advertising companies, Criteo, to downgrade their projected earnings by 22%. Apple has a 15% market share of all browsers in the world.
How to block cookies
Users who want to prevent corporations and others from following them from website to website and gathering information about their interests or for any other reason, can either choose to use Apple’s latest version of the Safari browser or the Cliqz browser. Or better still, install third-party tools – plug-ins or extensions – in their other browsers. They typically do not block first-party cookies that remember passwords and content in the shopping cart, and they do not share your data with others. Instead, they block third-party cookies or marketing cookies, that share our data with everyone and everything. Here are some great tools:
Disconnect.me/disconnect is a great tool for one’s computer. You can still see the advertisements (and thus support, for example pages that rely on it as a form of revenue), but it blocks the prying marketing cookies.
Ghostery.com is a browser for mobile devices and a plug-in for a computer browser. It has been purchased by the German browser cliqz.com and is very good. Remember to click at the blue ghost and find all the tracker and ‘block all’.
AdblockFast is the best app for mobile devices. It blocks both advertising and marketing cookies. Switch on and off with a single press on the screen.
A short history of profiling
The profiling trend began with airlines’ loyalty programs in the mid 1980’s. The retail sector followed in the 1990’s, with the financial services industry in the late 1990’s. Today, there are numerous corporations with such programs, often collaborating together, selling aggregated editions of their data to analysts and data brokers. It’s not only in the United States. For example, UK’s Tesco, Swedens Spotify and German media agency, Sociomantic, are all part of the great ‘ad-tech’ industry, with the biggest players being Google, Disney, Comcast, 21st Century Fox, Facebook and Bertelsmann. The report, “How Companies Collect, Combine, Analyze, Trade, and Use Personal Data on Billions” concludes that, in the United States, the government has contributed to this development by not having a comprehensive personal data act in so far as it sees privacy only as part of consumer protection. EU Data Protection Regulation, GDPR (General Data Protection Regulation) is taking the opposite view and trying to give individuals control over their own data.
One day in 2017, I had to book a hotel room in Tokyo. I found a lovely double room through Hotels.com for, what I thought was a fair price, DKK 11,000 (€15,000) for 9 nights. I had already blocked cookies, so the system did not know that it was me checking again and again and surreptitiously increased the price, but I thought I would just check if the price I was given was based on my location and which country I was in. I used another browser, with my VPN switched on to a German location and found the exact same hotel room in Tokyo, 9 nights for under DKK 9,000 (€12,000). I booked and paid immediately and received a confirmation in German. I have known for a long time about “price discrimination” as they call it in the EU, or “differential pricing” as it is referred to in the United States, but this was the first time I experienced it first hand. Thus, Digital Selfdefence. Tools to achieve privacy with and not simply a matter of checking data to ensure privacy, but also a matter of “negotiating” better prices.
Our IP addresses, determining one’s physical location down to the specific address, are not only used to personalise offers and content for us, but also to set prices. According to the EU Commission, that has documented price discrimination, 3 it is illegal or at least falls into a grey zone, but it still happens, which my example clearly shows. At the same time, airlines, such as Brussels Airlines, have begun to block users who have a VPN on, so they cannot buy cheaper flights in countries other than where they are located (they assure us, via Twitter, that they do it for our safety – rather than being honest and say it is to stop users being able to exploit price differences).
VPN does two things. It secures (encrypts) traffic between one’s device and the Wi-Fi / server being used, so it cannot be hacked. Additionally, it gives the opportunity to select a location and thus “negotiate” prices. This is free via the Norwegian browser Opera and can be downloaded from opera.com. Go into Preferences and then under Privacy and Security, tick the box to Enable VPN. Up in the bar, you can click the blue VPN badge and set it to a region (not ‘Germany’ or a country anymore, unfortunately) as your location and see if it’s possible to get cheaper prices. If you buy a VPN, then make sure that you have Germany as a possibility, as Germany has much lower consumer tax than e.g. in Denmark, and when you buy a digital product, there are no impediments from buying at a website that believes you are in Germany. It really is a good idea to buy a VPN service and install it on all your devices. There are many good services, but I would recommend you select one with its headquarters in Europe and check which servers they have. For example, if you travel a lot and would like to see TV channels from your home, then you need a VPN service with a server in that country. If you live in Denmark and want to have access to location-based Israeli sites, then a VPN service with servers in Israel is essential.
Here are four recommendations:
IBVPN.com (Romanian) with many servers as well as
Earthvpn.com (Cypriot) with many servers.
In the United States (also in Europe and globally, but it’s only documented in the US) there is a vast industry of data brokers. They can be defined as “a business or corporation that earns their main revenue by selling data on human behaviour, primarily collected from sources other than the people themselves.”
Data brokers collect and sell lists about people. For instance, someone who has cancer, is suffering from depression or is the father of a child killed in a car crash. For example, in 2017 Amnesty International was offered a list 5 with over 1.8 million American Muslims. Some data buyers even offer software for their clients to help them maintain customer databases where each person has a unique code. Even in Germany, the data broker Arvato AZ Direct has over 600 metrics of 70 million customers in Germany, each of them with a unique code, writes Cracked Labs.
Here’s a little number just to get an idea of how big it is: Data Broker Acxiom (USA) maintains databases for over 7,000 customers, including 47 of the Fortune 100 companies. Experian (USA) handles 7,500 customer databases for larger companies. Merkle (GER) states that they maintain over 3.7 billion customer profiles for their clients, including Dell, Nespresso, Microsoft, Marriott, Chase, American Express and Universal. One of the largest data brokers is Acxiom, a database marketing company with a great deal of data providers: Ibotta (mobile purchase data), Freckle IoT (real-time location data), Samba TV (second-by-second TV viewing), Crossix (health data of 250 million US citizens), Twitter and so on.
The consequences of this massive exploitation of personal data can be that some individuals are rejected or discriminated against without their knowledge on a false premise, often without explanation, in connection with a job search, loan or insurance.
The report from Cracked Labs concludes: “Besides additional regulatory instruments such as anti-discrimination, consumer protection, and competition law, it will generally require a major collective effort to make a positive vision of a future information society reality. Otherwise, we might soon end up in a society of pervasive digital social control, where privacy becomes – if it remains at all – a luxury commodity for the rich.”
Apps and Data Harvesting
At one stage, Facebook stopped its users communicating directly with each other via their Facebook app. They had to use the Facebook Messenger app. Ever wonder why? Because, via apps, companies can collect incredible amounts of data. For example, if you have Facebook Messenger, Skype or similar apps on your mobile device, it’s highly likely you have given them free access to your contacts, messages, location, photos (otherwise you cannot upload them), camera, microphone and so on. What few of us understand, is that these apps have full access to all these things on one’s device – even when you’re not using that app. More and more people experience that when they talk to someone about something in the analogue world, they get an advertisement for it without ever having searched online or been on a website about the subject. It happened to this woman:
“I was sitting with my family discussing an upcoming holiday to Dubai. The same evening, several of us noticed gratuitous advertisements for various excursions and hotels in Dubai. It was a pretty chilling experience, and we talked about whether Facebook could be listening. We concluded that the answer had to be yes. The following day we saw articles about “whether Facebook is listening.”
There are lots of similar examples from Google and other apps. Companies typically deny that they listen via the microphone because it clearly oversteps the boundaries of what most people consider acceptable. But the number of anecdotes of corporations listening in to our conversations in the physical world, is becoming so prodigious that it can no longer be dismissed as simply a coincidence.
In March 2016, a BBC report revealed the interception. The journalist described how her phone was on a worktop whilst she was ironing, when her mother came into the room and told her about a family friend who had been killed in a road accident in Thailand. Later, she opened her computer and searched online for something quite different, the story of the motorbike accident in Thailand came up. She had only ever discussed the subject in the room, through a face-to-face conversation with her mother. The journalist then discovered lots of similar stories that the smartphones listen into, depending on which apps are given access to the microphone. In 2016, Facebook denied it, but as Computerworld reports, one should be conscious of Facebook’s (mis)use of words.
It is a good idea to perform a service check on one’s apps and, in general, be-careful when downloading apps to a smartphone, whether they are games, quizzes, career apps or programs. First check what data the app requests, then decide if the service is worth the data. It is hard to assess the value of one’s data, but some apps ask for access to calendars, contacts, inbox, microphone, and clearly there is no need. Maybe there is an alternative option that doesn’t ask for so much? An alarm clock app surely doesn’t need to know your location, whereas a running app does, so maybe it’s ok, as long as you trust the company behind the app.
Conducting a review of settings on a smartphone (on iPhone: ‘Privacy’) is a good idea: Which apps have access to what data? Maybe it is an idea to turn off access to microphone, location, photos, camera etc. for some apps when they are not in use? As a starting point, you could turn off location services on the camera, in that way, the ‘metadata’ (the time and place) that is hidden in all pictures disappears. On an iPhone, you can also turn off ‘significant locations’ under ‘system services’ in the privacy settings called ‘location services’.
A great alternative to both Facebook Messenger and Skype (owned by Microsoft) is Wire.com, which can be used both on computer and mobile devices for both chat and internet telephony. Wire’s business model means it doesn’t rely on data harvesting or selling access to the detailed data of its customer. Wire is financed by investment capital and by selling services to companies. These companies can use Wire as an internal means of communication, like Slack, which is an American service which is not open about what it does and not does with data. Wire operates with on-device processing (one has control over the data on its device) and no profiling. Headquartered in Switzerland and operating from Berlin, it is funded by Skype founder Janus Friis.
Collecting information via cookies and IP addresses are only two methods to harvest data. Device fingerprinting is a newer method and in rapid development which means that companies can collect data about us via the browser and URL we use (even if you have blocked cookies), which computer we use (Mac owners typically have more money than PC owners), the language you speak, date and time, unique identifiers known as MAC addresses and serial numbers.
In late 2017, Marc Al-Hames, CEO of the German safe browser, Cliqz, demonstrated at a conference on data ethics in Denmark, how to use URLs to identify individuals. He showed three URLs, that collected details of internet behaviour data which was legally available to buy on the open market. The first URL seemingly contained a username for a medical site. The other was linked to one administrator interface from a medical clinic. The last – from a bank in Munich – contained an ID number. Combined with the knowledge that the URLs had been visited by the same internet user, it was easy to then identify the individual in question. “Typically, it takes three to nine URLs to identify an individual. As soon as you have the link between the URLs, then have you your identity.” he said.
Until 2017, device fingerprinting was limited to the individual browser. If you changed your browser, you could start over, but now there are so-called cross browser fingerprinting methods being developed.
Individuals Ability to Control
States and corporations are very busy harvesting and processing our data to profile us for both good and bad purposes. The many good examples are when profiling is beneficial to society or the individual, for example, disease prevention, environmental and traffic optimisation or to provide us recommendations on relevant content.
There is an exciting trend in which the individual is at the centre and in control of their own data via the MyData movement and its principles but, in 2018, the situation unfortunately looks like only a negligible number of individuals have control over their own digital identities. Few people understand, that if they take part in a political debate about refugees or update their Facebook status with news that their son is free of cancer, this data will not only be collected by Facebook for time immemorial, but used to profile them for thousands of Facebook’s customers. Facebook also collects government data from others, such as data brokers and therefore citizens often appear on lists of, for example, “mothers of children with cancer” or “neighbour to cancer sufferer”. The MyData movement goes hand in hand with the EU’s Data Protection Regulation (GDPR). Whilst China builds a “big data dictatorship” with a new social credit system for all citizens, the United States has evolved into a “big data monopoly society”.18 With GDPR, the EU is endeavouring to put the individual in focus and in control of their own data.
In addition to trying to control your data by use of cookie blockers, VPN and secure browsers, it’s a good idea to spread your digital footprint as wide possible and create confusion among those you do not trust. For those you do trust, you can fine-tune your data because it can give many advantages. Alternatively, you can work with several identities and just use your real name in your professional life and thus maintain a good “Google CV”, that appears in the first few results pages when searching for your name.
If you want to use Facebook, Instagram, Snapchat, Musically etc. for all sorts of uses that have nothing to do with your work or professional life, consider using a different name, so you can keep your real name “clean” for work. Only use Facebook in your own name, if it is for work purposes. Even when using a pseudonym however, you should refrain from using Facebook for things that you perceive as private, because you need more than one pseudonym to effectively conceal your identity. But with a different name, it is harder for employers, educational institutions, ex-husbands, identity thieves and others to find you. An alias is also effective for downloading reports, apps, games etc. where they ask for name, address, e-mail, etc., unless one has full confidence in the service or has to pay by credit card and therefore need to use one’s own name (there are actually prepaid Master Cards available, without a name on). Only use your own name professionally and with credible services that do not misuse data. Pseudonyms can be generated at fakenamegenerator.com. It’s important not to steal other names or pretend to be someone else (it’s the criminals who do that). Those you chat with in another name should know who you are, it’s not about cheating other people, but about confusing and cheating the algorithms / machines. When using an alias, it is a good idea to have an alias email as well. There are several “free” email services, such as Gmail and Hotmail that are okay to use.
Data harvesting for the future
It’s still in its infancy, but in the future, we will experience many new ways of harvesting our data to profile us. They will be harvested from our cars and everything in them, from tyres to the GPS, fitness trackers and pacemakers, lampposts, entrances to carparks, motorways and bridges, shops and supermarkets, Wi-Fi spots and not least, our homes. Many devices in our homes have microchips, so they can be remotely controlled over the net and most importantly, retrieve data, and in most cases the data will be used for further profiling and for artificial intelligence, also called AI. That way we can get automated services from a robot.
The big challenge for consumers is to figure out who to trust when buying online. There are a number of things you should ask yourself before submitting data to a company:
How does the company make money? By using others’ data? Or do they sell something for money like a product or service that’s not based on private data? In other words, if the company does not take money for it’s product, it’s not free, as they say, because here, individuals are the product – you pay with yours or your friends data (such as location, contacts, messages, etc.).
Where is the company headquartered? If in Europe, it should comply with stricter legislation than in the US and China. Germany, France, Holland, Belgium and Norway are especially good at enforcing privacy laws, so most often, products from there can be trusted.
Can you clearly see who is behind the site and how to get in touch with them?
Can the users of the site interact with those behind the site and with each other and what do they say about the product?
Do they re-sell or share the company data with third parties, if so, who? Remember, “Free” means payment with data – often to the company’s third parties.
Is the company honest about the data it collects and retrieves? Compare what they say they collect, with the data that you can figure out that they need, to provide the service you require.
How does the company behave on different services that ranks them on privacy, such as Ranking Digital Rights, TOSDR, Electronic Frontier Foundation and Trustpilot. What does it look like if you search for their name and personal data / privacy?
Customers May Request Data Ethics
With the many new technologies, an individual may have difficulty getting control over their data. We can though, demand data ethics from those harvesting and using our data. When selecting fitness trackers or a GPS for the car, you could consider the Dutch company, TomTom for example, instead of the American Fitbit or Google Maps, as there is a huge difference in their relationship with personal data. TomTom takes data ethics responsibly and deletes, for example, customers location data on a continuous basis. Fertility tracker app, Clue, from Germany, contrary to its American competitor, Glow, is ethically responsible in its data handling. When buying a car, one should enquire about how the car manufacturer treats data. For example, the CEO of German manufacturer, Audi, assures us that all of the data generated by their car is one’s own. The German data authorities require that individuals have control over their own data in their own cars and that there’s always an option to stop data collection when, for example, somebody borrows the car and doesn’t want it on. Or what about the bank and the insurance company? Do they give their customers data control? Are they really transparent about what they do? When it comes to Smart Cities, a company in Holland has developed a charging station 19 for electric cars based on data ethical principles; using an algorithm the display shows how the electricity is allocated between the cars being charged.
Profiling is Acceptable When the User is in Control
Corporations and governments that, in the future, want to profile their customers/citizens and personalise services, will come out on top by living up to GDPR and be data ethical if they want to avoid large fines and maintain customer confidence. In short, companies should ensure that customers are fully satisfied and understand what happens to their data and even allow them to control it. A bank, an insurance company or a power company can develop one expanded “my page” or a “personal data store” whereby their customers can view and edit all the data the company has about them, including the credit score the company has assigned to the customer.
With true transparency and data control, the company can achieve and maintain digital trust and thus do much more with the data than those who behave unethically with data. Everything suggests that data individuals willingly give to a corporation or government is the best data a company can get, compared to web scraping, buying from data brokers or via cookies. Data directly from the customer is more frequently updated, relevant, rich and credible, as demonstrated by one of the first studies on the topic from France.
Privacy Tech and Data Ethics in the Future
We are today with data ethics, where we were with the environment at the beginning of the 1960’s, when we contaminated the environment and at the same time began an environmental movement. Today we can buy heat pumps and electric cars, get help buying environmental friendly and organic products with certification schemes and most companies have an environmental policy because it pays to do so. We will also see this development with data ethics. There will be certification schemes to help consumers choose products that work responsibly and ethically with personal data. Businesses will use data ethics as a competitive factor and the market for ‘privacy tech’ tools that helps us take control of our own data, will grow.
Initially, privacy will be for the elite. The rich, famous and powerful immediately need more privacy and will be able to afford to pay for that type of service instead of paying with their personal data. Many companies that benefit from harvesting data are facing big challenges with GDPR. According to Cory Doctorow, “There is actually no chance the existing ‘ad tech’ industry can live up to GDPR’s requirement to inform users. The industry sells real-time advertising and shares data with hundreds of others, via cookies and it will be impossible to get consent for that every time” he writes.
With a combination of GDPR and effective enforcement, increasing consumer awareness and empowerment as well as companies who feel social responsibility, the current form of unethical profiling will be a tough one to maintain.
This is a translated chapter from the Danish book Eksponeret
Translation: Jerry Graham, Focus PR