If you’re reading this then you probably own a smartphone.
I know this partially because the site's analytics tells me that people read it on smartphones, but the simple fact is that a strong majority of the adult populations in developed countries have smartphones (58% in the U.S. as of January 2014) (1) and even in developing countries that number is rising rapidly, especially among the youth (by spring 2013 69% of 18-29 year-olds in China owned one.) (2)
You’ve probably noticed your smartphone providing suggestions to you based on where you’ve been: how long it will take to get to work or home in current traffic, deals at retailors near you, events at your university, etc. Our nonchalant acceptance that most of us are constantly carrying devices that track our every movement says a great deal about the age we’re living in.
A White House’s report describes it as “a world of near-ubiquitous data collection”, (3) but my personal favorite description of it comes from Federal Trade Commission commissioner Julie Brill, who goes so far as to say that we are at the dawn of what she calls the “Age of Omniscience.”
The appropriateness of the name becomes apparent when one starts to consider just how much of our daily actions are recorded in so many different ways.
Let's start with using phones to track people's locations.
Unless you're using special software to stay off the radar, this site's analytics tells me where the readers are located. I don't even pay for the service--that's how easy it is. A little investment can get one a lot more data.
Unless a cellphone is turned off, it is constantly broadcasting its location to cell towers so that they can determine how calls can be routed. This also conveniently allows for fine-level tracking as long as the phone is turned on. Of course this information goes to the service provider, and any law enforcement agencies with whom they share it.
Most would probably consider this to be typically benign, but the potential for abuse was highlighted in the January 2014 Ukrainian protests, when the embattled pro-Russian government used this data to flag everyone near the location of a demonstration as subjects of interest. In what was clearly a benevolent show of transparency, the government sent everyone there a text message informing them that they had been “registered as a participant in a mass disturbance”—using language that echoed a new law against participating in protests that the courts considered violent. Somehow, many of the protesters interpreted this as a threat. (4)
By the way, phone companies and governments aren’t the only ones who can track location data. Firstly, the signals that they send off to cell towers for triangulation can be picked up by other sensors. This is one of the methods that companies like Path Intelligence sell to malls and other retail outlets, so that they can track locations within stores. (5)
Smartphones provide at least three more methods of tracking, including WiFi and Bluetooth. Both of these involve the phone constantly seeking out network signals and can be picked up by sensors on the ground, which retailors are using to track in-store behavior. The signals being broadcast in all of these cases (including the general cell-tower signal,) are hard-wired with globally unique serial numbers tied to each device, so as long as the phone’s ownership can be linked back to a particular person, that person can effectively be tracked.
The fourth method to track smartphones (and some non-smart phones) is GPS, which receives signals from a network of satellites around the world to triangulate the device’s location internally. Typically, the device just receives signals instead of broadcasting them, so it can’t really be picked up from sensors on the ground. However, this information is often shared in phone apps, such as map services, social networking sites, ride sharing, etc. A study by Juniper Networks from 2011 to 2012 found that 24.14% of free apps on Google Play have permission to track user location (6). The app providers may then use these data for their own purposes or resell them. Intriguingly, the aforementioned report by Juniper Networks notes that the majority of free apps with permission to log user location don’t actually display ads from any of the top five mobile ad networks, which the authors conclude suggests that many of them are collecting the information for purposes other than advertising (6).
So, if you’re reading this book, your location is likely being constantly monitored by a number of organizations at any given time and you have no way of knowing who they are.
In addition to collecting location data, many phone apps collect a variety of information on your phone activity only tangentially related to the app’s operation (or at least have legal permission to do so), including Facebook’s Messenger app that requires users to hand over permission to read their call logs, SMS messages, contact lists, and a variety of personal information (7).
Phone companies naturally get their own cut of information on you.
Naturally, this includes your call records. After all, it’s often necessary to determine one’s billing, and if there’s anything that large companies are extremely thorough about, it’s calculating exactly how much money they’re owed. According to a 2010 investigation by the ACLU, the companies retain these records for a year at the very least (8). In the intervening years the cost of data storage has fallen dramatically and the companies have been finding ways to profit from this data directly, so it would be little surprise if they’re now holding onto this data longer, if not indefinitely.
Verizon, for one, has been selling the use of its customer data as a marketing targeting service through their Verizon Precision Marketing program.
For a more lethal sort of targeting, AT&T was earning more than $10 million per year voluntarily selling the use of call records to the CIA, according to the New York Times in late 2013 (9). It would seem that this program was in parallel to the NSA program, though unlike that program, AT&T’s participation can’t be said to have been legally forced.
Online we’re often tracked just as thoroughly, if not more so.
Firstly, there's HTTP cookies. Everybody likes cookies. For one, they taste great. More relevantly though, these short-lived software programs save useful data on your web browser like the fact that you've already logged into a site.
While cookies might smell like convenience and chocolate chips to you, they smell like money to data miners and advertisers, who savor how they track users who visit their sites. Not only does this allow them to hound you on every future page you visit about getting that one book on Amazon that you were really just looking at briefly, but they can build up profiles about customers so that they can better market things based on your browser histories. High traffic sites like news outlets will often sell the rights for 3rd parties to drop other cookies on their sites, letting them amass browser data for huge swathes of people to resell. It's quite a major industry, with companies earning over $2.25 billion in 2012 in the U.S. alone (10).
And if you like cookies, you'll love permacookies. “Permacookies” or “supercookies” is actually something of a broad category for online tracking methods that are practically impossible to evade. The ones getting the most flak recently are Verizon, who for years has been actually altering the online data streams going to their customers, inserting code that allows them to monitor every customer action even if all normal privacy modes are activated and cookies are cleared (11) (12). Other companies have found ways to piggyback on these permarcookies, using them to regenerate their non-permacookies even after the user deleted them, so by latching onto them everyone can make their own undead supercookies to silently feast on your browsing history (13). AT&T was either experimenting with or actively using a similar system on its users, but said that it was discontinuing the program after the public outcry (13).
Even without cookies, browsers can be identified by their unique “fingerprints,” all of the browser and device settings that distinguish one from another. You might think that there would be a lot of duplicates, but it would seem not. An extensive research study by the Electronic Frontiers Foundation in 2010 of 500,000 self-selecting privacy-conscious web browsers found that 83.6% of browsers could be immediately uniquely identified (14). Browser settings evolve over time, and the fingerprint with them, but the study produced a simple algorithm that could not only accurately connect the fingerprints, but predict how they would change (14). The number of sites using such software is relatively small compared to cookies (only 159 of the 10,000 most visited sites in 2014 (15),) but they may become more popular, as they get around users doing pesky things like clearing their cookie cache.
Substantial effort is also put into connecting online identities with individual people, so that this data can be arranged into more complete profiles. The most obvious ways are prompting users to sign into accounts with their e-mail addresses or social media accounts such as Facebook, Google Plus, and LinkedIn. For linking together online and offline accounts, those three companies respectively earned $488.8 million, $708 million, and $116.5 million in fees in 2012 (10). Sean O’Neal, the president of mobile advertising firm Adaptly went so far as to say “The universal ID today in the world is your Facebook log-in” (16).
These social media sites collect extensive data on their users on their own, of course. The company Rapleaf harvested information from the “surface” of a variety of data on the public side social media pages, though it gave into public demands to delete much of the data after a backlash (though that’s not to say that those to whom they had already sold the data deleted it) (17). Oddly enough, the social media companies who collect this data directly continue to do so unabated, even though they collect data that the user doesn’t make public. Facebook permanently records all chat messages that users have sent, Friend requests (both accepted and rejected), photos uploaded, notes, pokes, and every device used to access the site (18) Google Plus might not be a social media platform in the way that most of us think of it (considering that half of all account holders never actually go to the main site,) but it neatly ties together the data from users’ e-mails, search histories, YouTube activity, the data from Androids, Google Docs, Google Health, Google Wallet,…(the list goes on for some time,) so that a very clear picture of the user (19).
By the way, if you'd like to watch the watchers who are watching you online (and maybe stop them from watching you) there are a few apps that you can use. I use Ghostery myself and have been amazed at how much more quickly web pages load when I don't unknowingly spend all my bandwidth loading 30+ tracking programs on a single news story.
Google Wallet brings up another type of ubiquitous data collection: purchase transactions.
If you bought something legally, unless you used cash, Bitcoin, or select credit providers, both the retailer and at least one other party recorded that you made the purchase. The other parties could be a bank and/or credit company for a debit/credit card or perhaps one of the larger tech companies for any of the trendy new payment methods like Google Wallet or Apple Pay. As with all the other data sources, this purchase behavior can then bought and sold to third parties (who may then sell it to fourth parties, and so forth) (20).
Government records are also often either freely (or cheaply) available for the taking by anyone who asks. Court records, tax records, birth/marriage/death records, license registrations, home address, and financial filings can all be obtained by third parties in the U.S. (20). Governments can gain from this directly, as several state DMV’s have made tidy sums selling vehicle registration records (21).
Even if a group doesn't have all of the data on you that it wants, they can often extrapolate it from the data that they do have. For example, if you have a prescription to a drug that treats Alzheimer's, then it's probably a fairly safe bet that you've been diagnosed with said ailment, which is why Experian all too happy to sell lists of people with prescriptions for over 92 different drugs (as well as direct information on those experiencing clinical depression, erectile dysfunction, and 42 other conditions.)
Statistical analysis has been finding far more (often unexpected) correlations, allowing for far more information about individuals from far less data, but more on that in the next chapter.
So where is all of this information going?
Well, due to limited oversight of the “data broker” industry, it seems that no one is entirely sure.
That might sound concerning.
It certainly concerns privacy advocates, who have been requesting greater transparency among the data brokers for years. In reply, the data brokers have proven that they value their own privacy quite highly, and so they’ve steadfastly resisted efforts requiring them to disclose their practices and transactions. The industry is so murky that FTC Chairman Edith Ramirez has admitted that her agency doesn’t even know how many data brokers exist, let alone what they’re all doing. (22) It would seem that the brokers prefer it this way, as they have repeatedly (and successfully) opposed efforts to clarify the industry, but that’s a whole other rabbit-hole that we’ll dive into later, so let’s stick with what they’re actually doing.
Of the larger firms, Acxiom is perhaps the most transparent. Their Company’s 2013 Annual Report mentioned that they have in their databases “Over 3,000 propensities for nearly every U.S. consumer” and worldwide “Multi-sourced insight into approximately 700 million consumers” (23). In the previous year alone the company updated an estimated 25 trillion elements (data-points) within consumer records (23).
Volume isn’t everything, though, despite what some bands and a few Big Data fanatics seem to think. So, what sort of information is this? More or less, it’s everything.
You can get a (very long) list of some of the types of information through the FTC’s report Data Brokers: A Call for Transparency and Accountability, so I’ll just get into a few of the interesting highlights.
There are generally legal issues associated with selling medical histories directly, but data brokers bypass this through purchase and online search information. As early as 2007, Broker infoUSA sold lists of 4.7 million seniors with cancer and Alzheimer’s, (even after government investigators told the company that they were abetting telemarketing fraud (24)). In late 2013, Broker MEDbase 200 was selling lists of those who had suffered AIDS/HIV, dementia, genetic diseases, and even rape for just 7.9 cents per name (25). As previously mentioned, Experian similarly provided marketing lists that can be based around clinical depression, Alzheimer’s, erectile dysfunction, and 41 other ailments, as well prescriptions for over 92 different drugs (26).
The brokers also barely skirt industry regulations in how they handle financial records. According to U.S. Federal laws (specifically the FCRA), credit scores cannot be used for marketing purposes. Instead the brokers have analyzed similar data to create “Summarized Credit Statistics”, “Aggregated FICO Scores”, and “ChoiceScores” derived from other factors to determine the financial stability of consumers. A congressional committee investigating the industry expressed concern about potential legal violations, as well as the use of such data to predatorily target the financially at-risk (17).
Brokers aren’t just interested in information on people individually, but also their relationships to others. In January 2014, Mike and Shannon Seay found this out personally in one of the most heart-wrenching ways possible. They received a letter in the mail from OfficeMax addressed:
Their teenage daughter had died in a car crash just a year earlier (27). Reacting to the resultant media furor, OfficeMax blamed the incident on a 3rd party data broker (that they declined to identify) and spokesperson Karen Denning insisted that they had not requested personal information (28). So, either OfficeMax is lying (which would be impossible to prove as they don’t divulge their transactions,) or information like the death of someone’s daughter is passed around so commonly that the broker sent it without thinking about it.
If many data brokers keep lists of our recently dead relatives, then they’re understandably quite tight-lipped about it, but they certainly are interested in our general social relationships. Acxiom, for one, sells targeting that quantifies on a scale 1-20 of whether individuals are “social influencers” or are “socially influenced” (17). More generally, many brokers keep records of our spouses, family ties, social media relationships, and participation in social organizations (20).
Other fun data points for sale on the market include home address, religious affiliation, ethnicity, political party, and legal records.
All of this information flows through a completely unnacountable, impenetrable, pathologically secretive network of unknown actors who sell it, lease it, steal it, and share it with governments in an infinite web of transactions to sate the unceasing communal hunger to learn everything about you.
But more on that paranoia-inducing thought in Part 2.
1. Pew Research Center. Cell Phone and Smartphone Ownership Demographics. [Online] January 2014. http://www.pewinternet.org/data-trend/mobile/cell-phone-and-smartphone-ownership-demographics/.
2. —. Emerging Nations Embrace Internet, Mobile Technology. [Online] February 13, 2014. http://www.pewglobal.org/2014/02/13/emerging-nations-embrace-internet-mobile-technology/.
3. Executive Office of the President of the United States. Big Data: Seizing Opportunities, Preserving Values. May 2014.
4. Murphy, Heather. Ominous Text Message Sent to Protesters in Kiev Sends Chills Around the Internet. The Lede. [Online] January 22, 2014. http://thelede.blogs.nytimes.com/2014/01/22/ominous-text-message-sent-to-protesters-in-kiev-sends-chills-around-the-internet/?_r=0.
5. Mobile Device Tracking, Spring Privacy Series. Federal Trade Commission. February 18, 2014.
6. Juniper Networks Mobile Threat Center. Exposing Your Personal Information – There’s An App for That. Juniper Networks. [Online] October 30, 2012. http://forums.juniper.net/t5/Security-Now/Exposing-Your-Personal-Information-There-s-An-App-for-That/ba-p/166058.
7. Dewey, Caitlin. Yes, the Facebook Messenger app requests creepy, invasive permissions. But so does every other app. The Washington Post. [Online] August 4, 2014. http://www.washingtonpost.com/news/the-intersect/wp/2014/08/04/yes-the-facebook-messenger-app-requests-creepy-invasive-permissions-but-so-does-every-other-app/.
8. American Civil Liberties Union. Retention Periods of Major Cellular Service Providers. American Civil Liberties Union. [Online] August 2010. https://www.aclu.org/cell-phone-location-tracking-request-response-cell-phone-company-data-retention-chart.
9. Savage, Charles. C.I.A. Is Said to Pay AT&T for Call Data. The New York Times. [Online] November 7, 2013. http://www.nytimes.com/2013/11/07/us/cia-is-said-to-pay-att-for-call-data.html?pagewanted=all.
10. Deighton, John and Johnson, Peter. Supplementary Spreadsheet to The Value of Data: Consequences for Insight, Innovation, and Efficiency in the U.S. Economy. [Online]
11. McMillan, Robert. Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine. Wired. [Online] October 27, 2014. http://www.wired.com/2014/10/verizons-perma-cookie/.
12. Hoffman-Andrews, Jacob. Verizon Injecting Perma-Cookies to Track Mobile Customers, Bypassing Privacy Controls. Electronic Frontier Foundation. [Online] November 3, 2014. https://www.eff.org/deeplinks/2014/11/verizon-x-uidh.
13. Singer, Natasha and Chen, Brian X. Verizon’s Mobile ‘Supercookies’ Seen as Threat to Privacy. The New York Times. [Online] January 25, 2015. http://www.nytimes.com/2015/01/26/technology/verizons-mobile-supercookies-seen-as-threat-to-privacy.html?_r=1.
14. Eckersley, Peter. How Unique Is Your Web Browser? Electronic Frontier Foundation. [Online] https://panopticlick.eff.org/browser-uniqueness.pdf.
15. Nikiforakis, Nick and Acar, Gunes. Browser Fingerprinting and the Online Tracking Arms Race: Web Advertisers are stealthily monitoring our habits--even when we tell them not to. IEEE Spectrum. [Online] July 25, 2014. http://spectrum.ieee.org/computing/software/browser-fingerprinting-and-the-onlinetracking-arms-race.
16. Bergen, Mark. How Mobile-Tech Players Are Crumbling the Cookie: Microsoft, Google, Apple Look to Track Consumers on Phones, Devices. Advertising Age. [Online] Aoril 14, 2014. http://adage.com/article/digital/mobile-tech-players-crumbling-cookie/292605/.
17. U.S. Senate Committee on Commerce, Science, and Transportation Office of Oversight and Investigations. Review of the Data Broker Industry: Collection, Use and Sale of Consumer Data for Marketing Purposes. 2013.
18. Europe v. Facebook. Facebook's Data Pool. Europe V. Facebook. [Online] europe-v-facebook.org/EN/Data_Pool/data_pool.html.
19. Miller, Claire Cain. The Plus in Google Plus? It’s Mostly for Google. The New York Times. [Online] February 14, 2014. http://www.nytimes.com/2014/02/15/technology/the-plus-in-google-plus-its-mostly-for-google.html?module=ArrowsNav&contentCollection=Technology&action=keypress®ion=FixedLeft&pgtype=article.
20. Federal Trade Commission. Data Brokers: A Call for Transparency and Accountability. [Online] May 2014.
21. Guillen, Joe. Ohio collects millions selling driving records with your personal information. Cleveland.com. [Online] July 12, 2010. http://www.cleveland.com/open/index.ssf/2010/07/ohio_collects_millions_selling.html.
22. Timberg, Craig. Brokers use ‘billions’ of data points to profile Americans. The Washington Post. [Online] May 27, 2014. http://www.washingtonpost.com/business/technology/brokers-use-billions-of-data-points-to-profile-americans/2014/05/27/b4207b96-e5b2-11e3-a86b-362fd5443d19_story.html.