Data Privacy: What’s Really Going On & Why It Matters

Let’s start with the basics, Carl. What tends to happen when you hand over a bit of personal information online?
Well, I looked into this during an investigation I did for the BBC and I was surprised by what I found. Thanks to GDPR, which you might remember coming in a couple of years ago, and something called a ‘subject access request’, each of us has the right to see a copy of all the personal data that companies hold about us. I asked every company I could think of and about 20 came back to me. These companies weren’t the likes of Google or Facebook; they came from a shadow world of data brokers, data enrichers and data sellers. One of the misconceptions people have is that the primary data gatherers are companies they’ve heard of and have a relationship with – Google, Amazon, Uber and so on – but what I learnt was that most of the data about me was held and traded by companies I’d never heard of before.

What sort of data do these shadowy companies hold and what do they do with it?
From those companies, I got back around 7,000 pages worth of data about myself – and remember that’s only 20 companies. I requested data from around 80 in total. You might think this data is simply the data that’s been collected in the course of you using a service. Actually, a lot of it is a next level of data: it’s data that’s been generated on the basis of the data you’ve handed over as you use that service; what you hand over has been used to predict things about you that you haven’t revealed. Data companies are modelling you, trying to segment you, to establish probabilities and likelihoods about you. This is where this data can go off in some extremely weird directions. I’m looking at my data now and it’s telling me there’s a 23% chance I’m interested in gardening, yet my animal and nature awareness level is low. There’s a prediction about the age of my boiler in here. The data even told me I had no regular interest in book reading, which was a little hard to take as I was writing a book. On the basis of my online browsing habits, I was also included in a segmentation for a Netmums ‘Women Trying To Conceive’ event.

If the predictions are wildly inaccurate, is there anything to worry about?
What I found was a very distorted, Alice in Wonderland version of myself. It was often very funny and it says something about how these companies are often selling garbage rather than amazing insights about us. But some of the analysis was a bit sharper. I saw probabilities for me using the internet to gamble and spending money on alcohol. These are things you probably don’t want unscrupulous companies using to target potentially vulnerable people.

Where do they get the original data from?
Just have a look at the number of cookies that are tracking you on the average news website – there are a lot of different actors collecting your data. There are also a lot of companies whose business models aren’t what they seem. Free apps on your phone are often monetised by their owners passing on the data they gather. Navigation service apps, for example, often exist primarily to track large amounts of people travelling around, say, London and identifying travel hotspots. None of this is necessarily that sinister, but my biggest gripe about the whole industry is its secrecy. What’s actually happening is very hidden from most people and we have very little opportunity to understand it, to challenge it or to opt out of it. In Europe, GDPR now governs a lot of what’s going on and makes it a lot riskier for companies to do this in Europe, but the situation’s a lot worse for consumers in the US, China and Russia.

Also right now, the Internet of Things (from smart fridges to fitness trackers) is creating vastly more data sources. During the investigation, I spoke a lot to the Systems & Algorithms Lab at Imperial College London. They were studying a robot hoover, which was running around the lab, collecting information about the floor plan and sending it off to China. But you only knew it was sending data to China if you had dug into the software like they had in the lab. One of the more sinister things they showed me was a webcam that was hard-coded (i.e. couldn’t be altered) to send streams to a location in China.

So what about the big names we mentioned in our introduction? Google, WhatsApp, Facebook – they’re part of the data industry too, right?
Those tech giants are a super important part of the online ecosystem of personal data. They are first and foremost data companies. Thanks to network effects, they hold huge amounts of data that give them a vast advantage over pretty much any other actor in the modern economy. But they are the visible tip of the iceberg. Because they are so visible, because they are consumer-facing businesses, they attract a lot of scrutiny. They are secretive and they are protected by very strong legal and technical defences, but there are lots of journalists looking at every transgression by Facebook. Investigators are crawling all over these companies all of the time. They have public profiles (and share prices) and they need to appeal to consumers, so they have a pretty strong incentive to avoid the worst excesses of some of the data sellers and compilers I mentioned before, who can stay hidden and don’t particularly care about their reputation.

The big question, then: why does all of this matter to the man in the street?
Researchers often make appeals to lofty, grandiose ideas about liberty, autonomy and human rights, but I think there are some much more practical points to make. First, greed! Your data is really valuable and you’re not getting anything for it. You’re giving away a commodity far too cheaply. Second, fear! The really strange alternative ‘Carl’ that I saw in my personal data is likely to be impacting my real life in ways I will never see and never be able to understand. It might be as innocuous as me seeing lots of boiler ads online at a time when I don’t actually need a new boiler. But someone else might be a recovering alcoholic and they’re being served a stream of alcohol ads. The automated decision making that governs the ads we see is also moving more and more into higher stakes parts of our lives. Credit ratings are determined algorithmically now – you could potentially not get a mortgage because of a total falsehood in your personal data. Other companies are starting to use algorithms to filter out job candidates before they get to interview. In the US, the ‘bail/no bail’ algorithm is in widespread use across the judicial system. A data-driven algorithm is deciding whether people go to jail or are bailed out.

How worried should we be about all of this?
I don’t think ad tech companies throwing inaccurate personal data around is an existential threat, but it certainly raises important questions about concepts we have always cherished, like autonomy and privacy. Ad tech and the companies that have grown out of it also make possible so many of the free services we now enjoy every day and can no longer imagine life without. Data is only going to become more valuable as it spreads into more areas of our lives, so I would love to see us become more conscious of what’s going on. It would allow us to become more powerful consumers and give us more of a say in shaping the technology that surrounds us. If we can claw a little bit of power away from the massive, sophisticated actors who hold it now and return it to the little people, I never think that’s a bad thing. Interestingly, just before Covid hit, there was a lot of excitement around data unions and data brokers. These are new organisations that are going to bring people together into much more powerful collective bargaining positions.

What can individuals do to safeguard their data better?
I’d recommend anyone spends a quiet Sunday afternoon finding out what information about them is out there. Put yourself in the shoes of a potential attacker who is trying to find out information about you: mother’s maiden name; pet names; your eye colour – is it possible to find out any of your password reset questions? Can you find out where you live? Or who your family members are? Google ‘OSINT’ or ‘open source intelligence’. There are plenty of sites that can point you towards tools that can help you identify and clean up any information you don’t want out there.
 
For a privacy-first web browser, check out Brave. Googling ‘privacy tech’ will give you lots of ideas for browser plugins you could also use to protect your data. Privacy International is an NGO doing great work in this space. Just remember there will be trade-offs! The search results from alternative browsers might not be what you’re used to from Google and denying every single cookie will make websites less user-friendly. It’s about finding the right balance between privacy and convenience for you. I know hackers who use multiple VPNs and who change passwords every day. Those passwords are extremely long and non-repeating, they have to scribble them down on notepads, and the whole process is deeply inconvenient.

Finally, Carl, how optimistic are you that the situation will get better?
In 20 or 30 years’ time, I think our children and grandchildren are going to look at us as a bunch of idiots who gave away our data so freely and cheaply. 

 
Carl Miller is research director of the Centre for the Analysis of Social Media (CASM) at Demos, the cross-party think tank. He is also the author of the prize-winning The Death of the Gods: The New Global Power Grab. Read his BBC investigation into his own personal data here and find links to more of his writing at CarlMiller.co.