In October 2015 the European Court of Justice ruled that the Safe Harbor agreement was invalid. This agreement enabled American companies that comply with European data protection law to transfer and store data of European citizens. Under the American Patriot Act this allowed US authorities to gain routine access to the online data of Europeans stored with American companies, which according to the European Court infringed on the privacy of EU citizens.1 These jurisdictional issues around data stem from the fact that individuals no longer own or store their data, that third parties have become the data holders. The question we try to answer in this article is how do we lose control of our own data, where is it saved if it is no longer in our immediate surroundings, and what can be done to reclaim some control over our data?
Our devices – computers, mobile phones, and tablets – are constantly telling others where we are and what we are doing. Mobile phones in particular are very effective tracking devices: Where we go, it goes, and it records our location all the time – even when we're not connected to the Internet. It also collects information about our contacts, which websites we visit, and the apps we use.
This might sound abstract, so lets take a closer look at location data. Location collected over time can tell a surprisingly full story about who we are and what our life looks like. Location data can predict where we live and work by analyzing where our phone sleeps at night and rests during the day.2 Subsequently, if location data is layered with other data like Google maps, a company that has access to location data can tell where we have been: whether we visited the doctor, which restaurants we have visited frequently, and even whether we are part of a political organization. When location data is layered with time and data, the location can be linked to public events, which can tell something about participation in protests, the attendance of a concert or festival or even a visit to specific support group. Now imagine a company has access not only to our own location data, but also to that of all our friends and family. Putting these locations together can give insight into who was in a room together at what time, and from this social graphs3 are built to identify what type of social relationships exist between people.
Another common form of data collection happens in the browser, which provides companies with insights into our interests, likes and behavior. Most, if not all, websites have third party trackers included in them. The visible trackers are the Facebook like button, Twitter bird and even the advertising on the page. These third party trackers are companies that are separate from the website, companies that offer the website specific services like advertising, analysis and social media share options. The purpose of data collection in the browser is for companies to collect data and build up a profile4 of who we are: age, gender, where we live, what we read, and what we're interested in. This information can then be packaged and sold to others: advertisers, other companies, or governments.
Is the omnipresence of devices in our everyday life and the convenience of specific tools and services the sole reason that control is lost over personal data? No, data creation is more complicated then that. Data is created by us as a prerequisite for using a service – think of the data needed to register for Facebook or Gmail. Location and browser data is created when we interact with our devices. Other people tag us in social media. There are also more subtle ways5 to create data about us. When we register for specific government, financial and social services, name, tax number, income, address and other data are required. When we move within and between cities, CCTV cameras and public transport systems are logging movements. Buying a plane ticket requires entering personal data and payment information into a website, which is shared at least with the airline and border police.
What is even more invisible is data about us that is inferred from other data. Data brokering companies create group profiles6 on the basis of shared characteristics, based on social media networks, location data and/or browsing behavior. Our individual profiles can get tied to one or more group profiles, binding the group characteristics (data traces) to us. These group characteristics then become part of our individual profile, which can determine our credit rating, type of advertising and offers we receive. The problem is that we have no control over which group profiles we belong to, nor what inferred data traces are created and added to our individual profile.
Complicated? Let's take a fictional person, Renata, to understand inferred data. Renata lives in Rio de Janeiro, and spends most weekdays studying at the Universidad Federal. Her phone reports her location from there. On Friday and Saturday night, however, her phone reports back from the area Santa Teresa until around 4am, before returning to the location where it normally 'sleeps' (Renata's home on Rue Bento Lisboa). A data brokering company knows that many people who study at the Universidad Federal and go out in Santa Teresa also browse for vegetarian recipes and search for the latest rock concert. Based on Renata's movements, the company decides that she fits the profile of this group and labels her as a vegetarian rock-music fan.
'Data is the new oil.' It does not matter whether this analogy is accurate. The truth is that there is a multi-billion-dollar data industry making money from our data. In the data industry companies range from data collectors, data cleaners, data sellers, all the way to attention sellers. Most of these companies have names we have probably never heard of, such as Acxiom, AdSquirt, Rubicon, CommScore and DoubleClick, whereas others are companies we might use on a daily basis, such as Google, Facebook, Linkedin and OkCupid. However, all these companies make money on data that is collected about us.
As a response to an in-depth investigation by the Federal Trade Commission (FTC) into the data broker industry7, the oldest and one of the biggest data brokers in the US, Acxiom, gave people access to their personal data. Acxiom opened a website8 that gave US citizens, after some bureaucratic processes, the ability to see, change and remove their data. In many instances US citizen who gained access to their Acxiom profile did not delete their data but changed it so that it would represent them better. This action moved them from being Acxiom's product to becoming free labor for the company9 by making Acxiom's data sets more accurate and thus more valuable.
If our data is not saved by us but by the data industry, where is it? This is not very exciting: it is safe to assume that our data is stored in data centers all around the world. Our data is stored by multiple companies, and large commercial corporations like Google or Facebook do not store it in one location. These companies copy and store it in multiple locations. Individuals can only delete this data if the company gives them permission to do so.
The friction in increasing privacy and digital security as an individual is that companies and governments are becoming more and more sophisticated about collecting, analyzing and storing data, while we, the users, are made responsible for protecting our data with strategies and tools that only cover part of our digital traces. This does not mean that we should not do anything, but it does mean that we can only make it a little less bad and that all measures will have an expiration data.
The first steps to increase our privacy and take control of our data are actually surprisingly easy. Be aware of what is collected, where and who has access to it (other people, companies or governments), make choices about what data we want to keep private and which data we are comfortable sharing with others. Try the following steps:
Give as little data as possible. When we open a new email, social media or online shopping account or register for an event or a website or book a flight, several data pieces are requested. Limit the amount of data shared with companies by taking a critical look at the necessity of providing data for the use of a tool or service. Is this really necessary and or are there other ways? For instance, Twitter does not have a real name policy and enables people to create an account using a fake name with a random picture. However, the service still asks for an email address and mobile phone number. There is another way, though, because registering in the browser only requires an email account and not a phone number. Creating an anonymous email account is much easier than having an anonymous phone number.
Block tracking in the browser. There are some very effective bits of software that block trackers, encrypt website connections, or stop spying ads from running – all of which can make a big difference to our privacy. Apple recently allowed ad blocker in the App Store, enabling us to block third party trackers in the browser on our phones. Don't forget to clear the browser history and clear all cookies on a regular 'daily' basis.
Play around with default settings. Commercial Internet services have privacy settings which are often set to 'share as much as possible', but luckily this can usually be changed in our browser and on platforms like Facebook and Google. Remember that by changing the default setting, we are limiting the digital traces that will become public, but this does not mean the company that owns the platform will not collect it.
Have multiple identities. Play with separating your data profiles by creating different identities for communicating with work, family, network and friends. Try creating different identities for online shopping or use different browsers when accessing Amazon, Facebook, Twitter or Google.
Use alternative services. When we use commercial services for our email, chat apps, maps and file sharing, we share a lot of data with these companies. Using an alternative to these commercial services, will give us more control over who has access to this data. Find out which 'alternative' email services exist.10
Don't forget the privacy and digital security basics. There's no such thing as 'perfect privacy' or 'perfect security', but there area few simple things we can do to keep our content, communications and web browsing more private and more secure. Keep our devices clean and healthy, use unique and strong passwords, install HTTPS everywhere, anonymize our Internet connection using the Tor Browser.
For more practical tips on managing your data, please visit us at myshadow.org and securityinabox.org
Fieke Jansen (NL) is a researcher and writer who aims for more transparency in the global data industry. Currently she works as the Project Lead for the Politics of Data program at the Tactical Technology Collective, which is an international organization dedicated to the use of information in activism.
Ivar Veermäe: Center of Doubt