April 23

‘…but I like them! Who cares who their friends are?’: Partners Matter in the Data Collection Game of Pass the Parcel

By Tristan John-Jangles, Joshna Joseph, Jayden Personnat, Sara Kadam, Bilal Siddiqui, Tamara Turchetta

To use or not to use… an app….that is the decision…It’s one that many of us arrive at with tremendous conviction backed by an equally tremendous lack of meaningful information, often in the form of some cleverly wordsmithed Tweet or social media post that most of us could do little more than meaninglessly parrot if asked to explain. The notion of being able to navigate the indecipherable verbiage of privacy policies and control of your own personal information on the internet independently is inconceivable. In fact, our relationship with data collection and privacy policies can probably best be described as “akrasia” a relatively uncommon but in this instance relevant term for individuals who act against their better judgement because of a lack of will. We are resigned to scrolling as numbly and nimbly as possible to the only word we can be sure we will recognize and understand, “AGREE” where we quickly place an x and click to reach the holy grail — immediate access.

This is especially true in the realm of data collection where consent is implied or assumed and where the same people who have energy and tools to bargain with the customer service representative at Walmart stand befuddled and unarmed when looking to address perceived violations or concerns with the company that simultaneously has access to their bank information and universal log-in credentials…. And this is just around the violations and concerns they actually know about! What about  those they don’t?  

To address our general lack of understanding paired with our (initial) general lack of concern around rampant unchecked data collection and unintelligible privacy policies, we invited author, educator, speaker, and renowned cyber security genius Claudiu Popa to an open discussion. We wanted to learn whether it’s indeed possible for mere mortals (like us) to understand and control what is happening with our own personal data. Beyond that, we wanted to know, “where are we headed?”

Well, to begin, we were given some good reason to possibly rethink our cavalier “who cares if we have nothing to hide” stance on data collection, and that we must — not just should — care about who has our information and how it is being used, because we, the consumers, have the most to lose. Despite the clear evidence that we would all prefer to cross our fingers, close our eyes, and take our chances than read a privacy policy, our conversation revealed just how important they are, and just how crucial it is that we read them. A company’s privacy policy on their website explains which of your data that company has access to, and how it can use it. It would then seem to follow that if you trust a company (let’s say FritO Lay because who doesn’t love chips), then you would think it’s okay to give them (FritO lay) access to your data, since after all, you already “know” them and love their potato chips! But maybe, not so fast!

Privacy policies are about assessing the trust you can have in a company through their website — this can be companies you don’t know and ones you already know. It likely goes beyond simply assessing the trust you may already have in that particular brand/company (i.e. Frito Lay)) because of your positive and longtime experience with their products or services. Whether you are on a site of a “trusted” company that you know or whether you are on an entirely new site, it is important to understand whether the company themselves (Frito Lay, in this case) uses your data exclusively, or whether they share it with anyone else. 

You can learn this through scanning their privacy policy for important keywords — ones that validate continued  trust or ones that should bring up red flags.  “EXCEPT” is one of those words…in the general context of  ‘we don’t share any of the data we collect here with anyone EXCEPT’ and often followed by the word “PARTNERS”…. What that means is that what you may not have considered is that FritO Lay (your innocent snacking pal) is owned by Pepsico…oh, and Pepsico also owns Starbucks, Papa John’s, Aunt Jemima Mixes, Quaker Oats,…err basically a bevy (pun entirely intended) of soft drink companies (Gatorade, Mountain Dew, Crush), and…well, you get the point. Claudiu shared that often each of these smaller companies share one privacy policy with their parent company. Soooo now, all of a sudden, sharing your personal information with the Frito Lay website has helped BeyondMeat (through the PepsiCo-BeyondMeat partnership) decide whether or not your community’s burger joint should sell plant meat. So then, it’s not just your friendly snack partner Frito Lay that will have access to your data…hmmmm It’s all of their snacking friends, too! 

Unfortunately this is not even the extent of the tracking and use of your information. To add to the infiltration of your information, companies can use digital advertisements as marketing tools to promote products and services and to collect personal information and data, specifically metadata—which includes your search history, time and location, how long you spend on a website, the links you click, what you download, and what you purchase. To the average consumer, metadata appears insignificant. However, to corporations, metadata illustrates a person’s routine, affiliations, interactions, living style, etc., and allows companies to create a personalized Internet experience for each customer. For instance, applications like Youtube and Netflix often provide users with a recommended list of videos, shows, and ads to click on. 

Although these examples may seem  like creative, relatively harmless, and even positive use of your data (and so, may not elicit large red flags), consider the data privacy implications of our ubiquitous consent to Google Maps to help us get where we’re going (…because the art of planning our route through learning it or using an actual map has been long lost).  The information about the route you use to get places becomes a saleable commodity to companies, and when combined with a whole lotta other people’s routes, it provides insights on the best places to potentially build retail outlets and fast food chains. Yikes! TMI…literally!The upshot, at the end of the day, is your information is worth something and  “partners matter” in evaluating the level of trust you can place on any site requesting your information.

How can you check what companies know about you? On Google Chrome, you can check Manage Ads Settings and turn on Ad Personalization. From there, you will be able to view the list of topics that Google believes you like and gauge how accurately those topics align with your interests and activities. On Facebook, you can download the app’s archive which includes comments, posts, photos, connections you made with other users, and even content that you previously deleted. 

To limit the collection of your metadata, you can use ad-blockers. There are several different types of ad blockers including:

1. Virtual Peer Networks (VPNs): VPNs can protect you from multiple kinds of tracking. A VPN directs your device’s data       traffic through a chosen private server rather than your internet service provider (ISP). This redirection of your data effectively       hides your IP address—the numerical label your ISP gives your device—and prevents third-party trackers from pinpointing             your location.
2. Browser Add-ons and Extensions: Extensions on chrome like AdBlock, uBlock, Privacy Badger, Ghostery prevent advertisements from appearing as you search the web. They can also show you the particular “invaders” on a particular website who have access to your visit and interest in both the information you share and ways you interact on that site.
3. Tor: This is a free software that enables anonymous communication like a VPN. Tor directs internet traffic through an onion network where messages are enveloped in layers of encryption akin to the layers of an onion. Ultimately, this software conceals your location and internet usage from trackers and anyone conducting network surveillance and traffic analysis. 

Certainly the overwhelming evidence points to the fact that the onus for protecting our information and controlling access to it, is currently on us, the consumer, rather than on  corporations or  governments. Traditional laws involving privacy have consistently been built against the consumer with no penalty to companies that are negligent with user data. Canada and the United States specifically have had historically outdated and nonexistent data protection regulations: in fact, even today, the United States does not consider data privacy a universal right. The significance of this gaping oversight and its need to be addressed affects everyone’s internet usage as well as how the internet itself operates. It’s the reason that Ad Blockers, VPNs, and other protection software have become so popularized in the last few years. Until governments step in and recognize data and data privacy as a universal right, consumers will continue to rely on third parties to keep themselves secure online. 

There is hope for change however, as more countries are adopting legislation that will force companies to invest more in technology built for data protection and transparency. The DPA (Data Protection Act) now forces Canadian companies to disclose to all clients any potential and ongoing data breaches. Before the DPA was established in Canada, Canadian corporations essentially had no reason to prioritize protecting user privacy. This need to prioritize user privacy has led to an increase in establishing effective cyber security, a trend that is consistent with the pace of many countries adopting similar legislation, if not quite “cutting edge”. One of the strongest current sets of data collection and privacy regulations is the one created by the European Union (EU); the General Data Protection Regulation (GDPR) spells out the specifics of personal information that can be collected on residents of any of the EU’s 28 member states. According to this new privacy policy, personal data is regarded to be information that either is associated with an ‘identified’ or ‘identifiable living individual.’  Because the definition itself is fairly vague, corporations have to be extra cautious in order to avoid inadvertently violating its mandates. Although the GDPR is aimed at protecting EU citizens’ privacy protection rights, the globalized nature of the internet and corporations means that almost any company with any sort of international profile will eventually be compelled to take notice and upgrade the understandability of the privacy policy it puts forth to users, and transparency around the data it collects from them. The GDPR is characterized by the three following principles:

1. Direct, informed consent is a requirement for companies to acquire user data.
2. Data must only be collected if it is directly related to the company’s products and how it operates. This requires businesses to make significant changes to their user interfaces to give consumers more control over how their data is being collected and used.
Explicit parental consent is mandatory for those under the age of 16.

Negligence is punishable by steep penalties, which can amount to up to 4% of the yearly profit of the liable company. As Claudiu further explains, at this point in Canada, responsibility still falls only moderately on corporations to ensure there is no negligence regarding privacy, but transparency is an important first step. Disclosing the use of collected data is still a murky process built to protect companies first and foremost, but Canadians can now use the privacy commissioner to file complaints or even flat out call for a deletion of their data if they feel that the company was negligent with their information. The law requires that companies comply with this. Canadian companies no longer ‘own’ your data, so users can utilize the privacy commissioner as an aggregator to help with the enforceability of the law. When companies are forced by law to acknowledge the ethical aspect of privacy and see that it can affect their bottom line, they increase the care and sensitivity around how they collect and manage user data in order to avoid the financial and commercial consequences for breaches.

At the end of the day, how does this all really affect you? The prospect of  reading Apple or Microsoft’s seventeen page long privacy policy every time you update a software or download an application will probably still seem like a cumbersome and pointless task, since, let’s face it, you’re going to check the box — so ultimately you will still get access and they will still get information. The idea is not to ‘NOT interact’ or somehow be afraid of interacting, but more just to s-l-l-l-o-w the whole process down.  There are good reasons, and easy ways, to know the names of  companies’ “partnering friends” or websites’ “uninvited guests” involved in this internet game of Pass the Parcel. To paraphrase our overwhelmingly favourite takeaway from the discussion with Claudiu, “the opposite of security is convenience”. In a world where access to information gets faster and easier, and information gets more time consuming to look at and harder to decipher, it becomes routine to prioritize convenience over security — and ignore or justify this choice as simply the cost of having access to everything always. The reality is we can all be confident and clear about if and how we choose to interact on sites and why. It just takes a little more time.



Iwrin, L. (July 30, 2020). The GDPR: Understanding the 6 data protection principles. 

it Governance. https://www.itgovernance.eu/blog/en/the-gdpr-understanding-the-6-data-protection-principles

Nicole, O. (January 5, 2021). Minors and Your Privacy Policy. Privacy Policies.

Porup, J.M. (October 15, 2019). What is the Tor Browser? And how it can help protect your identity. CSO. https://www.csoonline.com/article/3287653/what-is-the-tor-browser-how-it-works-and-how-it-can-help-you-protect-your-identity-online.html

Protect your privacy: How Ad Blockers can protect your privacy. (April 15, 2019). Tapmydata. 

Retrieved April 2021. https://tapmydata.com/protect-your-privacy-how-ad-blockers-can-protect-your-privacy/

Wadell, K. (June 3, 2015). The NSA’s Bulk Collection Is Over, but Google and Facebook Are Still 

in the Data Business. The Atlantic.

What is VPN? How It Works, Types of VPN. (n.d.) kaspersky. Retrieved April 2020.

Wolford, B. (2020). What are the GDPR Fines? GDPR. https://gdpr.eu/fines/