You Are Being Tracked Online: Here Are 5 Ways to Protect Your Privacy
If you listen carefully when you turn on your smartphone or tablet computer or go online using your computer, you’ll hear a deep sucking sound. That's the sound of all your personal data being gobbled up by a growing array of digital service providers.
On Feb. 23, the White House issued a long-awaited report outlining a framework for personal cyber privacy, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Global Innovation in the Global Digital Economy.” Billing itself a "Consumer Privacy Bill of Rights," the report stresses the need for transparency, security, accuracy and a reasonable limits to what is collected.
Unfortunately, this “white paper” is in keeping with the Obama administration’s overall policy of compromise so that both policy and principle meet the vested interests of those with power. As with the banking and financial service regulation or oversight over healthcare providers, insurance companies and big pharma companies, the interests of the digital data collectors and the advertising industry will be furthered while the privacy rights of ordinary digital user will be sacrificed.
Overlooked by the media, the Federal Trade Commission issued a warning earlier in February over apparent violations of children’s privacy rights involving the operating systems of the Apple iPhone and iPad as well as Google’s Android and their respective apps developers. Its report, "Mobile Apps for Kids," examined 8,000 mobile apps designed for children and found that parents couldn’t safeguard the personal information the app maker collected.
To illustrate how pernicious this practice is, one iPhone app, Path, offered by a Singapore developer, downloaded an iPhone users' entire address book without alerting them. Prodded by a letter from Congressmen Henry Waxman (D-CA) and G.K. Butterfield (D-NC), Apple’s CEO Tim Cook said the company will ensure that app developers get permission before downloading a user's address book.
The battle over your personal data is principally about ad spending. The mass media is witnessing a shift from “broadcast” media like newspapers, radio and TV to “targeted” media like website ads, search capabilities and social networks. The consequences for newspapers and magazines are clear; TV is fighting to hold onto every ad dollar with a new “social TV” initiative. And your personal information is what enables targeted advertising.
* * *
The Consumer Privacy Bill of Rights proposes seven principles to direct congressional legislation and federal agency rulemaking. These principles are:
“Consumers have a right to exercise control over what personal data companies collect from them and how they use it.” This means that individuals should have control over their data.
“Consumers have a right to easily understandable and accessible information about privacy and security practices.” This means that that corporate data collection policies should be transparent and companies should disclose the scope of information collected, how it is used and whether it is shared with or sold to third parties.
“Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.” If one accepts the new reality in which companies are people, this means that companies should be moral in their relations with consumers, especially with regard to children.
“Consumers have a right to secure and responsible handling of personal data.” This means that companies should maintain safeguards to protect a user’s data and prevent unauthorized access and improper disclosure of the data.
“Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.” This means that companies should provide consumers with reasonable access to their personal data as well as the ability to correct mistakes, request deletions or limit its use.
“Consumers have a right to reasonable limits on the personal data that companies collect and retain.” This means that companies should collect only as much personal data as needed to further contextually appropriate purposes and once data is no longer needed, it should be deleted or de-identified. It also means that consumers should have the ability to make corrections.
“Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.” This means that companies should conduct full audits where appropriate and, if they disclose personal data to third parties, they do under enforceable obligations to adhere to the Consumer Privacy Bill of Rights.
In addition, the report urges greater interoperability between U.S. privacy principles and the country’s international partners, especially the European Union.
* * *
Two industries, advertising and data brokers, principally drive the colonization of digital personal information. Traditional online usage practices such as monitoring of sites visited, ad click-throughs and email keywords are the bread and butter of information capture.
At a Senate hearing in September 2007 reviewing Google’s acquisition of DoubleClick, Sen. Herb Kohl warned, "The antitrust laws were written more than a century ago out of a concern with the effects of undue concentrations of economic power for our society as a whole, and not just merely their effects on consumers’ pocketbooks. No one concerned with antitrust policy should stand idly by if industry consolidation jeopardizes the vital privacy interests of our ciitzens so essential to our democracy."
The merger of these two ad-serving businesses set the stage of greater integration of personal information gathering and the online ad industry.
According to Forrester Research, total online advertising will more than double over the next five years, jumping from the 2011 estimate of $34.5 billion to $76.6 billion by 2016. Giving some texture to these numbers, eMarketing estimates that the top five online services control more than 70 percent of all monies spent. These five (and their relative market share) are: Google (43.5%), Yahoo! (11.9%), Facebook (7.7%), Microsoft (5.4%) and AOL (2.8%)
Facebook collects two types of information: (i) personal details provided by a user and (ii) usage data collected automatically as the user spends time at the site clicking around. When joining Facebook, a user discloses such information as name, email address, telephone number, address, gender and schools attended. In addition, it records a user’s online usage patterns, including the browser they use, the user's IP address and how long they spend logged into the site.
Twitter has also come under increased scrutiny in the wake of revelation that a UK company, DataSift. The company launched a service called “Historics” that mined Twitter's data for a variety of marketing purposes, including brand management, financial trends and to gauge public opinion. And Google is notorious for cream skimming every Gmail for keywords to link to ads.
More pernicious, your personal Social Security number, phone numbers, credit card numbers, medical prescriptions, shopping habits, political affiliations and sexual orientation are now fodder for both corporate and government exploitation.
Both the ad agencies and data brokers have information capture down to a bad science. They track your every keystroke, your every order and bill payment, words and phrases in your emails and your every mobile movement.
And your personal information is pretty cheap as the following examples illustrate: address - $0.50; phone number - $0.25; unpublished phone number - $17.50; cell phone number - $10; Social Security number - $8; drivers license - $3; marriage/divorce - $7.95; education background - $12; employment history - $13; credit history - $9; bankruptcy information - $26.50; shareholder information - $1.50; lawsuit history – $2.95; felony record - $16; sex offender status - $13; and voter registration - $0.25. [Source: www.turbulence.org]
The leading data brokers are Acxiom, ChoicePoint, Intelius, Lexis Nexis and US Search Profile. They acquire, slice and dice your personal information as if they were running sausage factories – and your personal life is the unlucky pig. Nearly all offer some type of “opt-out” procedure, but these are usually restricted to public and elected officials, including law enforcement officers working undercover, on a high-profile assignment, under threat of death or serious bodily harm. The burden to opt-out falls to the user and usually is secured only in writing on official government letterhead.
The Privacy Act of 1974 ostensibly forbids the federal government from collecting personal information for one purpose and using it for another. It also prohibited the federal government from creating records about citizens unless the information is intended for a specific law enforcement investigation. But nothing stops the feds from using data collected from private brokers.
The Government Accounting Office reported in 2006 that the Departments of Justice, Homeland Security, State and the Social Security Administration used personal data gathered from brokers.
In 1996, 22 federal agencies spent $1.7 million on such contracts; by 2005, the same agencies spent $40.5 million.
* * *
The White House white paper on online privacy is a whitewash of good intentions to cover a flawed policy. The following five challenges identify some shortcomings of the proposed Consumer Privacy Bill of Rights:
1. Privacy needs to be made a right.
“Privacy” is an implied – as distinguished from an explicit – right guaranteed by the Constitution. For all the rights suggested in the White House’s white paper, no new real right to privacy is proposed.
The first privacy principles were proposed in a 1973 report, “Records, Computers and the Rights of Citizens,” and updated repeatedly since. In 2007, the FTC defined five “core principles of privacy protection”: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. None of these guarantee a right to data privacy.
In the not-so-distant past, without a special court order, what you wrote in a sealed letter or said during a personal telephone conversation was private. For online entrepreneurs like Facebook’s Mark Zuckerberg, those days are over. Once you connect to the digital ether, whether via a computer, smartphone or tablet, your ostensible private information becomes public and prime for commercialization.
2. Regulation should replace voluntary compliance.
The White House program is based on the various interested parties, particularly online advertising companies, adopting a voluntary compliance commitment to safeguard people’s online privacy. But will self-regulation work?
The White House, following the FTC’s lead, is promoting a program supposedly supported by some of the industry leaders, including Google and Yahoo. It’s known as “Do Not Track” and, as proposed by Google, will feature a do-not-track button to be embedded in most Web browsers; such a feature is not yet on the homepages of either Google or Yahoo. The Do Not Track function will work like FTC’s Do Not Call list.
There are real problems with the Do Not Track program that the online ad industry is adoption. The Electronic Frontier Foundation’s warning needs to be kept in mind: “… we’ve still got a long way to go. And, unfortunately, it looks like online advertisers are already working to water down the Do Not Track protections.”
However, there is a deeper problem with this approach: the burden to stop personal data collection is on the consumer. As an increasing number of online ads reveal, it's getting harder to delete these ads, one often hunting in vain for the off indicator. The White House had the opportunity to turn the data collection paradigm on its head and require ad agencies, online services and data brokers to first get the user’s permission to collect their personal information before exploiting it.
3. Data vendors should be held accountable.
The White House document calls for data brokers to permit consumer reasonable access to the data they collect. It encourages the collectors to provide a mechanism for review, revision and limits to its use.
The unasked question is simple: Whose data is it? The approach shared by the White House and online data industry is based on the unstated assumption that the collected data is the property of the collector and not that of the individual from whom it was gathered.
The federal government needs to require data aggregators to provide individuals an opportunity to periodically (e.g., annually) review and revise the information collected. People should also receive notification if/when the data collector disseminates or sells a person’s information and to whom. If, during the intervening period between reviews, new data is collect and disseminated and is found false, the individual so harmed should be able to sue for damages.
4. Bar federal agencies from buying private data.
The white paper fails to address the federal government’s growing reliance on information gathered by private data collectors, whether the information is accurate or not.
By billing the report as a Consumer Privacy Bill of Rights, the White House artfully sidestepped the other identity American’s share, their citizenship. Twenty-plus federal agencies, including the Departments of Justice, Homeland Security, State and the Social Security Administration, use privately collected personal data to spy on American citizens.
The white paper calls for increased protections against violations of the 4th Amendment but not the 1st Amendment – the government's intrusion into personal privacy.
Americans should be guaranteed the same right to review, revise and be notified if/when their data is disseminated to a government agency or a private vendor. American citizens should not be in an undeclared war with their government.
5. There’s a need for a global personal privacy standard.
The U.S. and Europe are moving in two opposing directions with regard to data privacy rules. The White House plan emphasizes mutual recognition of privacy approaches, an international role for codes of conduct and enforcement cooperation to safeguard personal privacy.
Yet, the U.S. model is in keeping with its long tradition of putting the interest of business before its citizens; the Europeans are developing an online privacy program that places the interests of citizens first.
In time, these competing approaches will bump heads and the U.S. will try to use its economic muscle to advance the interests of the domestic online businesses. It remains to be seen whether Europe will hold out.