In the last post we discussed GDPR: What it is, and why it matters. We ended on the question of why—why is GDPR necessary? Why do we need these protections??
To answer the question generally, we need to be protected from corporations’ mishandling of data. Misuse of data encompasses a variety of undesirable actions, including:
- Collecting data without a user’s knowledge
- Storing data in a way that is vulnerable hackers, and
- Sharing data with third-parties without user consent.
These oversights may seem benign at first, but they become concerning quickly when you consider just how much sensitive data internet companies can collect.
Perhaps you can recall a time when you visited a store in person and later saw an ad for that same store on Google. Or, maybe you heard the bizarre story where Target predicted a woman’s pregnancy and mailed her coupons for baby products before she even shared the pregnancy with her family.
More alarmingly, perhaps you’ve seen the viral video where a man receives an ad for a product after merely speaking about it in the presence of his phone.
Fortunately, under scrutiny, these stories aren’t as sensational as they first appear. However, in our connected world, location data, purchase history, and microphone data are all vulnerable to collection.
Which got me curious...
Time for an Experiment
With GDPR compliance beginning to offer us users access to our data, I was curious to see exactly what companies know about me. So I set out to download my data footprint
I’ve been using Facebook for eight years. When I downloaded my data archive, it was 508mb compressed. Unsurprisingly, it contained all my photos, posts and messages. More surprisingly, it had a full list of names and numbers from the contact list in my phone (likely gleaned from Messenger), a list of locations where I’ve logged in, and a section eerily titled, “facial recognition.”
Most concerning, however, Facebook had a list of 191 advertisers who “Uploaded a Contact List With Your Information.” These third-party advertisers on Facebook didn’t just target me using demographics, but rather uploaded a name, phone number, or some other identifying information to reach me specifically.
Now, this wouldn’t be cause for concern if the list only included services I’ve signed up for and use regularly. And, in fairness, some of the advertisers I do recognize. What worries me are the dozens and dozens of bizarre advertisers I’ve had no affiliation with: advertisers like, 2 Chainz, Allstate Latino, and PediaSure. I am neither Latino nor do I have a newborn. And with all due respect to Mr. Chainz, I’m not his biggest fan.
Although the distribution of my data is not necessarily Facebook’s fault, this list of advertisers provides a revealing insight into the hidden world of data brokering. Somewhere along the line, a website collected my data and connected it to a demographic-- let’s say 2 Chainz fans, for example. Later, when Mr. Chainz wanted sell an album, his representatives likely went to that data collector and bought a large (and probably poorly verified) list of 2 Chainz aficionados. That data was then uploaded to Facebook, where reps could pay to show me an ad.
Now to be fair, 2 Chainz promotion is harmless. But I do find it unsettling that I had no idea any of this was going on.
Now that we’re warmed up: Google
I’ve had my Gmail account since 2008—even longer than I’ve been on Facebook. Considering the age of the account, combined with Google’s “big brother” reputation, I expected to find even more than I did on Facebook.
But I was surprised. Although Google might know more, it shares less. Google’s new Ad Settings manager provides is a list of demographics it has assigned to me, many of which are vague or inaccurate. It thinks I’m 40 years old (I guess understandably, as that’s the age I listed when I created the account).
Also among my top demographic labels are “Agriculture and Forestry,” “American Football,” and “Bars, Clubs, and Nightlife.” None of these labels are necessarily inaccurate, but I can’t imagine they would be particularly helpful for successful ad targeting.
But wait! If you’re disappointed not to find anything creepier, hang on.
Google has many sources of data that aren’t represented directly in its Ad Settings manager. Google Maps, for instance, provides a feature called Location Timeline that displays all your location data with alarming accuracy. I own an iPhone, but in 2016 I sported a Moto X. When I go back in my timeline to that period, Google shows me everywhere I started, everywhere went, and the paths I took in between. It provides this information along with Google business matches for my destinations and minute-accurate timestamps.
Another source of data in my Google account, “Voice and Audio” also shows activity from this period in 2016.
There are close to 100 short audio clips recorded from my phone. In a summary of the data, Google claims to only record when a user presses the microphone icon on its assistant or says, “ok Google.” Strangely though, many of the recordings contain only white noise and snippets of ambient conversation. In one recording, I actually hear my father say “Alexa, play NPR.” Perhaps I accidentally engaged the assistant, but the fact that I could do so repeatedly without noticing is, in itself, troubling.
In the Android vs. iPhone debate, this collection of sensitive information deserves serious consideration.
Besides Facebook and Google, I couldn’t find any other major service set up yet to divulge what it knows about me. Experian and public government records are other obvious sources of online data, but I don’t have much to see in terms of credit history or legal record.
Increasingly, the line between internet company data and traditional data providers is becoming blurred. Often now, getting a loan, buying insurance, or applying for a job is as much a factor of your online record as it is of your criminal record or money management history.
So to answer our original question of why GDPR is necessary: GDPR it’s necessary because it helps defend our attention.
In and of itself, it doesn’t bother me that Google knows where I go, or that online services track my interests. What bothers me is that the intent of this tracking, at the end of the day, is to manipulate my behavior. Whether the goal of data collection is to nudge me to a purchase a product, convince me to vote for a candidate, or fine tune a content platform so that the cycle of targeted advertising can continue, the single-minded purpose of this system is to reduce my autonomy.
How do we make it better?
Our first tool to take back the attention economy is to actually use the new tools GDPR provides. Take a moment and see what companies like Facebook and Google know about you. Disable the data collection you object to.
Finally, understand that we can’t really blame companies for what’s happened. We as users want everything to be free, and companies need to make money—it’s what they do. If we want privacy, the reality is that we’re going to have to pay for it. And you can do this by supporting subscription-based business models.
All this advice could is summarized by two age old pieces of wisdom: “If you’re not the consumer, you’re the product,” and “if it’s free, you probably can’t afford it.”
Our Latest Podcast Episode
Check out one of our latest podcast episodes where I sit down with the rest of the Pixel & Hammer team and dive deep into GDPR & internet privacy!