WHO WANTS YOUR PRIVATE DATA?
Nathan Taylor reveals the critical whos and whys around internet data harvesting.
Have you ever bothered to go into the Google, Microsoft or Facebook account settings to download your profile, which should (in theory) contain everything the company has on you? Most people will be quite shocked if they do — the amount of data the companies collect on their users is staggering. With Google, for example, every search you’ve ever performed, every result you’ve clicked on, every time you’ve logged in (and from where), every YouTube video you’ve watched, every relationship and contact you have, the complete movements of your mobile devices and more are collected and stored forever in Google’s database, unless you explicitly ask it to delete the information.
And that’s just what internet services are tracking. Lots of other organisations are looking to track your online activity and communications as well: governments, ad networks, criminals, businesses and more. So let’s break it down and look at some of the organisations that are tracking you online and why they do it.
GOVERNMENTS
Governments obviously have a keen interest in monitoring the communications of citizens, both foreign and domestic. Many of the world’s most devastating recent malware outbreaks came from government-sponsored skunkworks, particularly from Russia, China and North Korea, which have highly active cyberwarfare units.
The motivations of governments vary. In more authoritarian regimes it may be political, but even in democratic countries there are considerable demands from law enforcement and intelligence agencies for more power and capability to monitor communications.
As software to prevent spying has gotten better, governments around the world have started pushing back harder and harder. For many years it was mostly broad monitoring of internet communications that served the governments, with massive data centres that monitored web traffic as it traversed the internet’s backbones. As end-to-end encryption has become more prevalent, governments have turned to new methods — malware development, and legislatively enforced cooperation from communications providers and software developers.
The Australian government is no exception. In 2015 it passed data retention laws that came into effect last year, requiring that all communications network providers (such as your internet service provider, or ISP) keep metadata logs for at least two years. That is, your ISP logs every site you visit and when, and it must hand over that information on request. Recently it also introduced the draft Assistance and Access Bill, which requires all tech companies to (secretly) assist the government and crack into their customers’ communications on request.
CRIMINALS
Criminals have obvious reasons for wanting to grab your personal data — they want to make money from you. Personal data can be used for fraud and identity theft, allowing them to make purchases from your credit card, for example, or sign up for new credit cards in your name. It can allow them to break into your other services and monitor your email and send spam, or to harvest the information of friends and family as well.
Personal information can also be used in spear phishing attacks, where scams and attacks get targeted specifically at you, making them seem plausible. If they learn that you use a particular bank, for example, that can make a bank phishing attack more successful.
AD NETWORKS
Most of the world’s internet advertising is actually dominated by a small handful of companies. This gives them tremendous power to monitor and track a person’s internet usage. From those usage patterns they develop a user profile to deliver advertising, since targeted ads command a premium. If you visit a lot of surfing-related sites, for example, you’ll start seeing a lot of ads for surfboards appear, even when you’re not on a surfing-related website.
Here’s how it works:
1 A web page owner would like to make some money off that page, so they go to an ad network. Ad networks pay site owners for a “slot” on their page, with rates often determined by clicks or visits.
2 The ad network will provide the website owner with a bit of code that they can embed on the page. When someone visits the webpage, that code grabs an ad from the ad network, which gets loaded into the page.
3 Often a cookie gets uploaded to the visitor’s browser to indicate they visited the site. So if you’re browsing a surfing site, an ad you see will upload a cookie (called a tracking cookie) to your browser.
4 Then you visit another site, and it also has an ad in it from the same ad network as the first site. The ad code from this new site can grab the cookie that was uploaded earlier, and the cookie is updated to record this second site. Now the ad network knows that you’re the same person that visited the surf site.
5 As you visit more sites, the cookie gets updated again, letting the ad network know every site you visit. From that, it can create a complete picture of your interests and likes to deliver targeted ads.
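The five steps above as a small simulation, added here as an illustration and not taken from the original article. The names AdNetwork, Browser and browse and the .example sites are constructed, and the model assumes the cookie carries only a visitor ID while the ad network keeps the list of sites on its own side. It also shows what the ad network is left with when the browser refuses third-party cookies.

```javascript
// Constructed simulation: no real network, ad network or website is contacted.
class AdNetwork {
  constructor() {
    this.profiles = new Map(); // visitor id -> sites where this visitor loaded an ad
    this.nextId = 1;           // real networks use random ids; a counter keeps this deterministic
  }
  // Runs every time the embedded ad code on a page requests an ad (step 2).
  serveAd(cookieId, embeddingSite) {
    const id = cookieId || `visitor-${this.nextId++}`; // step 3: no cookie yet, issue one
    const sites = this.profiles.get(id) || [];
    if (!sites.includes(embeddingSite)) sites.push(embeddingSite); // steps 4-5: extend profile
    this.profiles.set(id, sites);
    return { setCookie: id, profile: sites.slice() };
  }
}

class Browser {
  constructor(network, { blockThirdPartyCookies = false } = {}) {
    this.network = network;
    this.block = blockThirdPartyCookies;
    this.adCookie = null; // cookie stored for the ad network's domain
  }
  // Visiting a page loads the ad slot, which is a third-party request to the ad network.
  visit(site) {
    const sent = this.block ? null : this.adCookie; // blocked: cookie is never sent
    const res = this.network.serveAd(sent, site);
    if (!this.block) this.adCookie = res.setCookie; // blocked: cookie is never stored
    return res.profile; // what the ad network knows about "this" visitor right now
  }
}

// Browse a list of sites and report what the ad network ended up with.
function browse(sites, options) {
  const network = new AdNetwork();
  const browser = new Browser(network, options);
  let lastProfile = [];
  for (const site of sites) lastProfile = browser.visit(site);
  return { lastProfile, distinctVisitors: network.profiles.size };
}

const SITES = ['surf-reports.example', 'news.example', 'recipes.example'];
console.log('default browser:     ', browse(SITES));
console.log('third-party blocked: ', browse(SITES, { blockThirdPartyCookies: true }));
```

With cookies allowed the ad network sees one visitor with all three sites in the profile; with third-party cookies blocked it sees three apparently unrelated visitors with one site each.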
OTHER INTERNET BUSINESSES
Internet businesses as a whole love to gather information on their users. Any information they can get, they want — demographics, personal information, relationships, software, site activity, websites visited. Just visiting a regular website — not filling out forms or giving up personal information — gives a site your IP address, which in turn provides your general location and ISP. They know your browser and operating system. A site can upload cookies, which keeps a historical log of your visits to that site.
When you start filling out forms, things can get really intrusive. Sites often ask for unnecessary information just so they can get a better bead on your personality and wants.
There are varying degrees of intrusiveness. For example, Google by default will hoover up vast amounts of information, but gives you fairly accessible tools for opting out of its data gathering. Google’s revenue primarily comes from ads attached to search results — as such it doesn’t need to gather personal information to make money off you. If you use Google Search, they’re already making money off you.
Then you have companies like Facebook whose entire business model is built on analysing your personal information to deliver targeted advertising. The opt-out features for these services tend to be more arcane and less accessible, designed to make it as hard as possible. Like ad networks, many of these services can also track you across multiple sites, thanks to widgets embedded in web pages (such as Facebook Like buttons) that can monitor what sites you visit and relay that information back to the company.
Of late, the European General Data Protection Regulation (GDPR) has curbed some of the worst excesses of companies, but most still gather as much as they can get away with and make it hard to be forgotten.
As with all tracking, the key is to know what kind of information you’re giving away, to understand how you can avoid giving it away, and to take measures to insulate yourself against overly nosy internet denizens.