We’re trading our privacy for trinkets.
Big businesses are using Americans’ personal information to make money — it’s collected and bundled and sold over and over — and we’re giving it away for email accounts and Facebook likes and fuel points and insurance discounts.
In March, twin Facebook scandals jolted many Americans to realize they don’t understand how their private information — siphoned from services they take for granted — can be sold, manipulated and used against them.
In the less scandalous of the two, Android users discovered the social media giant had been scraping their text message and phone call metadata, in some cases for years, without their knowledge.
Worse was the revelation that Cambridge Analytica, a research firm linked to the Trump campaign, had harvested and misused the data of 50 million Americans — via Facebook — to build psychological profiles of voters and target them with personalized political advertisements. Cambridge Analytica employees were recorded boasting about using fake news and manufactured sex scandals to swing elections all over the world.
The Federal Trade Commission announced Monday that it is investigating Facebook’s data privacy practices. But investigations will unfold slowly and in the meantime, information security experts say the onus is on Americans to understand how the deck is stacked against them when it comes to data privacy.
The starting point: There’s no such thing as a free lunch, a free app or free email.
“Any time that you get a service that you do not pay for, it costs money for the company to put that service out there,” said Christopher Gorog, lead faculty in cybersecurity at Colorado Technical University. “So these big companies like Facebook use the information you give them, put it all together, sell it in bulk, and that’s how they make money to pay for your free stuff. So yes, we are using our privacy as a currency.”
Yes, you have a right to privacy, says Rodney Gullatte Jr., founder of Springs-based Firma IT Solutions, “but when you jump on Facebook, that’s done. When you hop on to Google, or if you have a smartphone, that’s done. If you want to participate in the grid, then you are giving up your right to privacy. That’s the reality of it.
“Google makes as much money as it does because it sells your stuff. They have a lot of really nice enterprise technology, like Google Drive and the G Suite for business — and the cost is really low, if there’s any cost at all. How do you think they’re affording to do that? They’re selling all [your information].”
Exactly how much data is being mined? Gorog is blunt: “All of it.”
Most consumers are still grappling with what losing control of their data means, and how companies are getting hold of it.
“I don’t think people even grasp the value of their information or even know what those companies are doing. We often don’t think about it,” Gorog said. “Why do we get the thing we’re looking for marketed to us everywhere we go, and we might not even know it. It’s because of that data collection.”
An example: The most valuable demographic on the planet, Gorog said, is a couple during their first pregnancy. For data aggregators, knowing somebody is pregnant is as easy as mining their Google searches, their clicks on baby-related topics or the supermarket records that show they bought a pregnancy test.
“They sell that information on those high-dollar demographics because they know people will turn their lives upside down,” Gorog said, “and the faster they can get to them, the more money they make on impulse buying.
“They know which single-line search items are the most valuable,” he added. “If you search that, they are making $10,000 off of you.”
And the harvesting of personal information takes place in even more unexpected ways.
“Your photos — that’s a big one that people don’t expect,” Gorog said. “They have made very capable image recognition software that catches everybody’s face. Have you ever noticed if you put something up on Facebook they say, ‘Do you want to tag this person?’ Wow, how’d they realize that’s one of my friends? They can also tell [from photos] where you’re at, what you’re doing. And that is a gold mine.”
Other companies use novelty value to snare users via Facebook apps, Gullatte said.
“The most recent one I saw was ‘What would I look like on a movie poster’ — it made a whole movie poster, a little review at the bottom, and it had your picture and it looks all glamorous,” he said. “But dude, what did you just give up to be able to make that one post? Your entire Facebook account. The whole thing.
“That’s how Cambridge Analytica got people. They had the same type of setup — and they got at least 50 million people,” he added. “And that’s enough.”
Facebook Login, which allows users to log into an app or website using their Facebook account instead of creating a new username and password, was crucial to Cambridge Analytica’s huge data haul. People using Facebook Login grant app developers access to information from their Facebook profiles — including their name, email, location or friends list.
In 2015, about 270,000 people used Facebook Login to sign in to the “thisisyourdigitallife” app, and at that time Facebook allowed developers to collect data on users’ friends.
From 270,000 people, Cambridge Analytica ended up with the data of about 50 million Facebook users, according to a report from The New York Times.
Both Gorog and Gullatte said with the petabytes of data available from phones, GPS, tracking devices provided by auto insurers, smart home devices like Alexa, social media check-ins and photo geolocations, there’s more than enough information out there to build detailed psychological profiles of individuals.
What’s more, once companies gather your personal information, they own it. That’s partly because of the way data privacy laws work — or don’t — in the United States.
“We have taken the opposite approach [regarding information privacy and ownership] to the rest of the world,” Gorog said. “Even in … current legal precedent, we have enforced that corporations own data if you give it to them.”
Does it matter if you didn’t realize you were handing over so much information? Not a bit.
Is that contract for consent eight pages long, vaguely-worded, overly broad and slanted in favor of the app developer or service provider? Probably. And under current U.S. law, your only alternative is to decline to use the service at all.
“That customer rewards card — you want to sign up? I need your name, your address, your phone number…” Gullatte said. “I’m like, ‘No, I’m good. I’ll pay the extra dollar for a bar of soap. I’m not going to give you all my information so you can make millions and millions of dollars off it.’
“You’ve got to be careful where you give that information. It’s hard — if you want to participate in this digital world you’re going to have to give up some of that. But you don’t have to give up as much as you are giving up already.”
The upshot is that consumers need to protect themselves and be more vigilant about how and where they agree to share their information.
“It’s something that you can’t say somebody else is going to do for you,” Gorog said. “There is no advocate of individual privacy that has you as an individual’s interest [at heart]. You’re it. You against the world; what are you going to do? It’s kind of like you don’t walk around with your money tacked to your shirt.”
“The corporations aren’t going to stand up and protect your data, and they have no financial reason to do that,” he said. “They want to sell your stuff. So it’s up to the consumer to protect themselves.”
For too many consumers, he said, ignorance is bliss.
“People are like, ‘I don’t want to think about it. I just want Amazon in the house, I want to be able to ask Alexa what time it is and she tells me, I want to be able to order some bathroom tissue just by asking it’ — in cybersecurity I see it all the time,” he said. “A lot of the viruses that get on people’s computers, they don’t read the agreements — they just want to download.
“We still think our stuff is private — that’s a problem, and that’s going to be a cultural shift,” he added. “And Facebook is big enough for us to see this play out on a big screen.”
Citizens of the European Union are protected by vastly different information privacy laws, and the EU is tightening its data security rules even further as the strict General Data Protection Regulation goes into effect next month. Gorog said it remains to be seen whether the stringent new rules covering consumer consent, data processing and breach reporting will have any influence on how privacy is viewed in the United States.
“It’s hard to say, because when you’ve gone so far in one direction, how do you turn that train around?” he said. “Are you going to go against the monetary might of Google and Facebook? … The biggest money is in opposition to individual privacy. So can you change that? I don’t think you change it right away.
“It’s probably the defining battle in our age right now. … If there’s a social question that is answered through this new technological era, it’s what we’re talking about right now: privacy vs. corporate power.”
Gullatte is optimistic that greater awareness can help.
“If people start following these kinds of stories, it could create a shift on how users feel about their privacy,” he said. “And if the people push back on it, then the companies are going to have to adjust.”