US Privacy Heads into the Abyss

Privacy is having an existential crisis in the United States, in the shadow of the US Congress passing a bill that would block an important FCC policy. That policy, yet to go into effect, would have prevented ISPs from sharing individual browser histories with marketers, political campaign managers and other third parties without consent.

The question is, do citizens care?

Arguably, the evisceration of privacy is something that citizens have been tacitly involved in creating; simply put, our digital footprints are out of control. We put all kinds of things out on social media, we install apps without wondering about the permissions they ask for and we take all kinds of online quizzes and such that can collect our info. So, can we really blame companies for sensing an opportunity to make an incredible amount of money from “personalization” and targeting? Not with a straight face. However, opting not to have a European-style regulatory framework meant to protect us from ourselves can’t be a good thing for individuals, and it’s going to be a field day for businesses, politicians and marketers.

“The vote to repeal FCC broadband privacy controls is a sad day for consumers, businesses and the United States," Craig Spiezle, executive director and president of the Online Trust Alliance (OTA), and former director of product security and privacy at Microsoft, said in a statement. “While the rest of the world is increasingly recognizing privacy as a basic human right, Congress has failed the US and society as a whole. Not unlike global warming and pollution, the long-term impact of giving our data to internet service providers and wireless carriers will be significant.”

Not that being tracked is anything new. ISPs make an enormous amount of money off of targeted ads that are served based on browser histories and always have—the decision by Congress changes nothing in the short term. But the future is scary, because technology for tracking and targeting will only get better over time.

Earlier this week my editor flagged a concerning tweet from the “Prof. Carroll” handle: “Guessing that folks who went to #WomensMarch or #InaugurationDay did not realize that an adtech company was tracking their attendance.”

Carroll was retweeting something from an ad tech company called Sense360, which said: “Our data: Women's March on Wsh 3x bigger than Presidential Inauguration. Marchers came from NY, NJ, MA, Inauguration from FL & TX”.

Now, one has to wonder how they know that (and why Pres. Trump didn’t catch wind of it, which he hasn’t, considering he hasn’t sent any angry tweets calling the assertion a lie).

A quick perusal of the company’s website lays it out: It collects info from dozens of mobile application providers that they partner with, across 2 million devices that generate more than a terabyte of sensor data every single day.

These apps ask for access to location and other data upon install—and often, the answer has to be yes if it’s an app that relies on location info for basic functionality, like ride-sharing apps and so on. But once a user clicks yes, the apps can start sending data to Sense360. Of course, the user doesn’t know where that data is being sent, or for what purpose—and probably doesn’t even know that it’s happening. The apps are required to clearly state in their privacy policy that they will share the data—but in practice, who reads privacy policies? This is a clever CYA move that doesn’t make a true effort to ensure that citizens know what they’re opting into.

The company explains what kinds of information it collects:

“Sensor technology…uses the mobile sensors built into smartphones to understand a user’s location and activity. We have trained our algorithms with hundreds of thousands of labeled data points and incorporate data from GPS, accelerometer, gyroscope, barometer, Wi-Fi, ambient light and many other sensors. This provides us with an anonymous, but highly accurate understanding of where, how, and when people interact with physical locations and businesses.”

It adds that it captures “not just location, but also activity and context.”

Sense360 focuses only on anonymized data, and it stipulates that the apps not combine personally identifiable information (PII) with raw sensor data. So while it might feel a little creepy that your phone is silently, in the background, sharing your activities with marketers and others, likely unbeknownst to you, technically it’s not privacy freak-out time for the average citizen. It feels icky, but it’s not quite Big Brother level.

But Sense360 looks positively ACLU-like in comparison to Cambridge Analytica.

The election of Donald Trump baffled many—all the polls were wrong, the gut feelings were wrong. How? Why? His coalition for the win was disparate and contradictory: How did he win the Cuban vote in Miami, for instance? Not to mention the much-publicized win of the traditionally Democrat rust-belt vote? Plus the majority of white women, despite the public outing of his penchant for nether region-grabbing?

Well for everyone who has had a dark night of the soul over this, the answer lies in turning inward. We did it to ourselves.

To wit: Facebook "likes" are private by default. But as broken down in this rather wonderful, terrifying and detailed article on Vice’s Motherboard, many apps and online quizzes require access to private data like Facebook information in order for users to access them. Just like the location-based apps that feed information to Sense360. Then, that information is sold to interested parties.

Trump’s campaign used this kind of data—willingly exposed by citizens—to become an “opportunistic algorithm,” targeting different groups with perfectly tailored messages to speak directly to their single-issue fears and hope. It engaged a company called Cambridge Analytica, which claims to have used "surveys on social media" and Facebook data to “profile the personality of every adult in the United States of America—220 million people,” its founder told Vice. Who could be targeted down to individual city blocks and addresses.

Using hundreds of data points, spurred along by Big Data analytic engines, the company was able to create an incredibly detailed psychographic data gleaned from what we put out there ourselves, combined with voter registration info and PII like names and addresses. And from there, it’s not much of a leap to creating highly effective person-by-person targeting. Sometimes this means a slicing up of a broader issue, as in this example from the article: Gun aficionados that are concerned with the big bad world might get a message featuring scary home intruders; those more interested in “tradition, and habits and family” might be hit with nostalgic images of a family duck-hunting in a field at sunset.

These individualized efforts were quite crafty and often aimed at suppression: Certain Black Democrats for instance were shown “dark posts” on Facebook—videos that are only seen by certain profiles—featuring Hillary Clinton characterizing African-American men as “predators.”

The point is, this hyper-targeting opens the door for total manipulation by marketers—and campaign managers. And out-of-left-field wins for the highest office in the land by an incredibly unsuitable candidate.

The OTA points out that the info that ISPs will be allowed to continue to collect goes deeper than surfing histories too—most ISPs in the US are also pay-TV providers, so viewership data could allow the profiling to become even more granular over time, as platforms for data-crunching become more sophisticated.

“It is important to recognize that broadband providers have a unique line of sight into our personal lives.  When this data appended with our TV habits and physical address, the resulting ‘dossier of our lives’ is redefining the definition of Big Data,” said Spiezle. “In an era of the US government focusing on alleged wiretaps and cyber-spying, we are now effectively handing this same data over to broadband providers to sell and share as they like.”

Our digital footprint—across social media, across those fun quizzes testing our knowledge of 80s movies, across the apps we install on our phones—is a bonanza for the people in this business. No wonder Congress has cleared the way for even more information to flow into these psychographic efforts. But while we can take steps to reduce the information we share with apps, what’s the answer when it comes to using the internet? Being a member of modern society now carries a requirement to open one’s personal data to, well, anyone. It’s not a conflict that’s going to be resolved soon—but one has to wonder how deep the manipulation needs to go before citizens demand better safeguards. Or any safeguards at all.

What’s Hot on Infosecurity Magazine?