‘…but I like them! Who cares who their friends are?’: Partners Matter in the Data Collection Game of Pass the ParcelBy Tristan John-Jangles, Joshna Joseph, Jayden Personnat, Sara Kadam, Bilal Siddiqui, Tamara Turchetta
To use or not to use… an app….that is the decision…It’s one that many of us arrive at with tremendous conviction backed by an equally tremendous lack of meaningful information, often in the form of some cleverly wordsmithed Tweet or social media post that most of us could do little more than meaninglessly parrot if asked to explain. The notion of being able to navigate the indecipherable verbiage of privacy policies and control of your own personal information on the internet independently is inconceivable. In fact, our relationship with data collection and privacy policies can probably best be described as “akrasia” a relatively uncommon but in this instance relevant term for individuals who act against their better judgement because of a lack of will. We are resigned to scrolling as numbly and nimbly as possible to the only word we can be sure we will recognize and understand, “AGREE” where we quickly place an x and click to reach the holy grail — immediate access.
This is especially true in the realm of data collection where consent is implied or assumed and where the same people who have energy and tools to bargain with the customer service representative at Walmart stand befuddled and unarmed when looking to address perceived violations or concerns with the company that simultaneously has access to their bank information and universal log-in credentials…. And this is just around the violations and concerns they actually know about! What about those they don’t?
To address our general lack of understanding paired with our (initial) general lack of concern around rampant unchecked data collection and unintelligible privacy policies, we invited author, educator, speaker, and renowned cyber security genius Claudiu Popa to an open discussion. We wanted to learn whether it’s indeed possible for mere mortals (like us) to understand and control what is happening with our own personal data. Beyond that, we wanted to know, “where are we headed?”
Privacy policies are about assessing the trust you can have in a company through their website — this can be companies you don’t know and ones you already know. It likely goes beyond simply assessing the trust you may already have in that particular brand/company (i.e. Frito Lay)) because of your positive and longtime experience with their products or services. Whether you are on a site of a “trusted” company that you know or whether you are on an entirely new site, it is important to understand whether the company themselves (Frito Lay, in this case) uses your data exclusively, or whether they share it with anyone else.
Unfortunately this is not even the extent of the tracking and use of your information. To add to the infiltration of your information, companies can use digital advertisements as marketing tools to promote products and services and to collect personal information and data, specifically metadata—which includes your search history, time and location, how long you spend on a website, the links you click, what you download, and what you purchase. To the average consumer, metadata appears insignificant. However, to corporations, metadata illustrates a person’s routine, affiliations, interactions, living style, etc., and allows companies to create a personalized Internet experience for each customer. For instance, applications like Youtube and Netflix often provide users with a recommended list of videos, shows, and ads to click on.
Although these examples may seem like creative, relatively harmless, and even positive use of your data (and so, may not elicit large red flags), consider the data privacy implications of our ubiquitous consent to Google Maps to help us get where we’re going (…because the art of planning our route through learning it or using an actual map has been long lost). The information about the route you use to get places becomes a saleable commodity to companies, and when combined with a whole lotta other people’s routes, it provides insights on the best places to potentially build retail outlets and fast food chains. Yikes! TMI…literally!The upshot, at the end of the day, is your information is worth something and “partners matter” in evaluating the level of trust you can place on any site requesting your information.
How can you check what companies know about you? On Google Chrome, you can check Manage Ads Settings and turn on Ad Personalization. From there, you will be able to view the list of topics that Google believes you like and gauge how accurately those topics align with your interests and activities. On Facebook, you can download the app’s archive which includes comments, posts, photos, connections you made with other users, and even content that you previously deleted.
To limit the collection of your metadata, you can use ad-blockers. There are several different types of ad blockers including:
1. Virtual Peer Networks (VPNs): VPNs can protect you from multiple kinds of tracking. A VPN directs your device’s data traffic through a chosen private server rather than your internet service provider (ISP). This redirection of your data effectively hides your IP address—the numerical label your ISP gives your device—and prevents third-party trackers from pinpointing your location.
2. Browser Add-ons and Extensions: Extensions on chrome like AdBlock, uBlock, Privacy Badger, Ghostery prevent advertisements from appearing as you search the web. They can also show you the particular “invaders” on a particular website who have access to your visit and interest in both the information you share and ways you interact on that site.
3. Tor: This is a free software that enables anonymous communication like a VPN. Tor directs internet traffic through an onion network where messages are enveloped in layers of encryption akin to the layers of an onion. Ultimately, this software conceals your location and internet usage from trackers and anyone conducting network surveillance and traffic analysis.
Certainly the overwhelming evidence points to the fact that the onus for protecting our information and controlling access to it, is currently on us, the consumer, rather than on corporations or governments. Traditional laws involving privacy have consistently been built against the consumer with no penalty to companies that are negligent with user data. Canada and the United States specifically have had historically outdated and nonexistent data protection regulations: in fact, even today, the United States does not consider data privacy a universal right. The significance of this gaping oversight and its need to be addressed affects everyone’s internet usage as well as how the internet itself operates. It’s the reason that Ad Blockers, VPNs, and other protection software have become so popularized in the last few years. Until governments step in and recognize data and data privacy as a universal right, consumers will continue to rely on third parties to keep themselves secure online.
1. Direct, informed consent is a requirement for companies to acquire user data.
2. Data must only be collected if it is directly related to the company’s products and how it operates. This requires businesses to make significant changes to their user interfaces to give consumers more control over how their data is being collected and used.
3. Explicit parental consent is mandatory for those under the age of 16.
Negligence is punishable by steep penalties, which can amount to up to 4% of the yearly profit of the liable company. As Claudiu further explains, at this point in Canada, responsibility still falls only moderately on corporations to ensure there is no negligence regarding privacy, but transparency is an important first step. Disclosing the use of collected data is still a murky process built to protect companies first and foremost, but Canadians can now use the privacy commissioner to file complaints or even flat out call for a deletion of their data if they feel that the company was negligent with their information. The law requires that companies comply with this. Canadian companies no longer ‘own’ your data, so users can utilize the privacy commissioner as an aggregator to help with the enforceability of the law. When companies are forced by law to acknowledge the ethical aspect of privacy and see that it can affect their bottom line, they increase the care and sensitivity around how they collect and manage user data in order to avoid the financial and commercial consequences for breaches.
Iwrin, L. (July 30, 2020). The GDPR: Understanding the 6 data protection principles.
it Governance. https://www.itgovernance.eu/blog/en/the-gdpr-understanding-the-6-data-protection-principles
Porup, J.M. (October 15, 2019). What is the Tor Browser? And how it can help protect your identity. CSO. https://www.csoonline.com/article/3287653/what-is-the-tor-browser-how-it-works-and-how-it-can-help-you-protect-your-identity-online.html
Protect your privacy: How Ad Blockers can protect your privacy. (April 15, 2019). Tapmydata.
Retrieved April 2021. https://tapmydata.com/protect-your-privacy-how-ad-blockers-can-protect-your-privacy/
Wadell, K. (June 3, 2015). The NSA’s Bulk Collection Is Over, but Google and Facebook Are Still
in the Data Business. The Atlantic.
What is VPN? How It Works, Types of VPN. (n.d.) kaspersky. Retrieved April 2020.
Wolford, B. (2020). What are the GDPR Fines? GDPR. https://gdpr.eu/fines/