The Post

Government flagging on privacy

News that political research company Cambridge Analytica mined Facebook data to try to sway elections has sparked global outrage. But should we really be so surprised? Nikki Macdonald looks at what really happens to your digital data.

- GED CANN

As concern grows over Facebook’s handling of personal data, the Government’s proposed Privacy Bill already looks behind the times.

Privacy Foundation deputy chairman Gehan Gunasekara said new rules to protect European residents revealed gaps in the bill.

The General Data Protection Regulation (GDPR) will take effect across the European Union on May 25 and includes, among other things, a prohibition of profiling.

That is the banning of automated processes to target political messages, hate speech, or other messages that may have legal consequences – a provision not included in the Kiwi bill.

It was through automated profiling that Cambridge Analytica was able to construct 30 million ‘‘psychographic’’ profiles of voters, used for targeted messaging in Donald Trump’s presidential campaign, The Intercept reported.

‘‘It’s not clear how that would apply to advertising. For example, they might be able to get around it by saying they are targeting a category of people,’’ Gunasekara said.

The GDPR would also weaken the hold Facebook had on users.

A data portability requirement would allow users to demand their information in a transferable format, which would make it easier to leave Facebook for a competitor.

‘‘There’s no real competitor, and even if there was a competitor they would have to start up from scratch, and users have a whole lot of historical stuff they might want to keep. Friends, messages, pictures.’’

New requirements for ‘‘privacy by design and default’’ also put obligations on Facebook and other social media organisations to operate with privacy in mind.

Whether companies like Facebook are subject to Kiwi laws is a grey area. Privacy Commissioner John Edwards insists they are; NetSafe chief executive Martin Cocker says they are not.

Minister of Justice Andrew Little, who put forward the new bill, said because Facebook had staff operating in New Zealand, it was subject to Kiwi laws, and the new bill would make the situation more explicit.

Little was open to incorporating many of the new European rules.

‘‘Our current privacy legislation is becoming more and more obsolete.

‘‘I made the judgment call to get the bill in, in whatever state it’s in at the moment, so then we will have a debate.

‘‘There will be changes through the parliamentary process.’’

If Kiwis failed to get a handle on their data, Little said they would individually lose control over their identity, and their sense of personal autonomy.

The new bill will give the government new powers to hand out fines of up to $10,000 and, because the fines were per offence, the costs could quickly rack up.

Demanding data portability and providing users greater autonomy to leave Facebook for competitors was an attractive idea.

‘‘I’d be keen to see that issue discussed when it goes in front of a select committee,’’ Little said.

Debate on the Privacy Bill began this week, and Little expected it would take six months before it was finalised.

Whether Kiwis will be covered by European law by default remains vague.

Facebook previously said because Kiwi services were run from Ireland they were not bound by New Zealand law.

Such was the seriousness of the occasion, Facebook boss Mark Zuckerberg ditched his usual t-shirt and jeans for a shirt and tie. Fronting up to the United States Congress this week to defend his social network against growing disquiet about its privacy and ethics, Zuckerberg’s mea culpa was well-practised.

But the unexpected personal questions of Senator Dick Durbin met with awkward hesitation.

‘‘Would you be comfortable sharing with us the name of the hotel you stayed in last night?’’ Durbin asked.

‘‘Um,’’ Zuckerberg floundered. ‘‘No.’’

‘‘If you’ve messaged anybody this week, would you share with us the names of the people you’ve messaged?’’ Durbin continued.

‘‘Senator, no, I would probably not choose to do that publicly here,’’ Zuckerberg replied.

‘‘I think that might be what this is all about – your right to privacy, the limits of your right to privacy, and how much you’d give away in modern America,’’ Durbin said.

That is exactly what this is all about. What started with an innocuous-sounding Facebook personality quiz has provoked a full-force storm of outrage, as people have twigged to just how much of their digital life is being tracked, stored and analysed. How everywhere you go, everything you buy, every email or message conversation you have is another brush stroke adding definition to your digital portrait.

The so-called Cambridge Analytica scandal involved the political consultancy mining the Facebook data of 87 million people and assigning them personality types based on what they like and how they behave. The idea was to use those profiles to design personalised political messages to help swing the Trump campaign, although the extent of its use remains unknown. The data breach raised several red flags – how was the quiz app able to mine the data of the quiz responders’ Facebook friends, and what are the implications for democracy if social media profiles can be used to manipulate elections?

This is your digital life

The Cambridge Analytica quiz app was called This is Your Digital Life. Where better to start then, than a stocktake of your digital life?

We asked four volunteers of different ages, stages and social media activity to download the data Facebook and Google have on them (see sidebar).

The size and content of the data dumps varied wildly, according to how much each person used the services. I’m a relative social media hermit, so it’s not surprising my Facebook archive was a tiny 47MB – the equivalent of about 146 Microsoft Word documents. Wellington Girls’ student Elyse Smaill meanwhile had 1.4GB of data – the equivalent of about 4400 Word documents.

The 17-year-old doesn’t post that often, but uses Facebook Messenger to keep up with friends overseas, and Facebook groups to organise events. ‘‘I am on Facebook a lot,’’ she laughs, slightly guiltily, as she watches the slow download of her mountain of data.

The volume and detail was surprising. Every Facebook Messenger conversation you’ve ever had; every Facebook photo you’ve ever liked, posted or been tagged in; audio files sent as part of Messenger conversations. Every email you’ve ever sent via Gmail, every YouTube video you’ve ever watched, or searched for; every Google Drive document. And, in one case, a to-the-minute map record of exactly where you went on your English holiday.

There were laughs – Facebook had curiously decided 65-year-old Grant Sidaway should receive ads about women’s issues, while I was apparently into The Beach Boys and an English band I’ve never heard of. 17-year-old Katie Bonne was down to receive ads relating to 1965 Julie Christie movie Darling.

There was nothing as sinister as the log of a phone conversation with his mother-in-law which Wellington developer Dylan McKay discovered in his Facebook data, fuelling global fears. But there were unnerving details. Katie’s Facebook data included an audio clip recorded on her phone, but never shared with Facebook or Messenger.

Elyse discovered a clutch of gaming apps had uploaded her contact info, although she couldn’t recall ever using them. I found unfamiliar Facebook photos, and that Facebook somehow knew which of its advertisers had my contact information, although I never log in to apps or sites with my Facebook login.

And that’s just Facebook and Google. If you’ve ever signed up to a store’s email to get that 15 per cent off your next purchase, chances are that store is now tracking your behaviour. Amazon records everything you’ve ever bought, every product review you’ve written. And stop to think about the playlists served up by Spotify or the apps that recommend books especially for you, and you’ll realise the only way they can do that is by mining the data of millions of other users to find people who seem to have similar tastes.

Should we really be surprised?

‘‘Privacy?’’ says marketing lecturer James Richard. ‘‘There’s no such thing.’’

‘‘Everything you do or say, your networks, your contacts, everything about you is collected and exists somewhere. The laws we enact around privacy I consider similar to the locks you put on the doors of your house. It makes you feel safe, but if someone wants to break into your house, they’re going to do it.’’

Study Google’s privacy policy and you’ll see they read your emails, and even record phone data. But the Victoria University academic says people don’t read terms and conditions, which can stretch to 30+ pages. And they don’t realise tech behemoths such as Facebook, Google and Yahoo own multiple businesses, and move data between them. Google owns YouTube; Facebook owns Instagram and messaging app WhatsApp.

Richard says businesses have always tried to predict what people want, from the village butcher who has your Friday steaks ready before you walk in the door. Personalisation has always been the holy grail of marketing.

‘‘The more I know about someone, the better I can predict their behaviour. Your behaviour in the past is the best predictor of your behaviour in the future. What big data does is take it to the nth degree.’’

‘‘That doesn’t sound too bad, until you realise the ads you’re getting are for a new diabetes treatment, because they found your medical history. Then you start realising just how much information they actually have.’’

Facebook ads already marry your interests with your location, which they can work out from your IP address even if you’ve left your profile location blank. So if you’re into horseriding they’ll post ads for saddleries in your home city.

What seems to have upped the creep-out factor in the Cambridge Analytica case is the fact they purportedly used people’s Facebook profiles to predict personality type, and then presented political messages tailored to that way of seeing the world.

It’s not science fiction – a 2015 Cambridge University study found an app could predict personality better than family and friends, based purely on Facebook likes. A second study found using a single ‘‘like’’ associated with introversion or extraversion, and designing ads to suit that personality type, could increase sales by up to 50 per cent.

Richard says with the evolution of big data and artificial intelligence, predictive targeting will only get better.

‘‘You’ll have a personal agent embedded as part of a phone or watch. You’ll say ‘I want to buy a new car’, the agent will find a car that fits your budget and the type of person you are, and will negotiate a price with another AI. It will know enough about you and what you like.’’

Richard argues it’s not unethical to mine data to send people information that’s relevant to them – that’s good marketing.

‘‘What I vehemently oppose is unethical marketers who use this data to manipulate or take advantage of vulnerable people.’’

Ryan Ko runs Waikato University’s Cyber Security Lab. He presents an equally sobering picture of just how much information is being collected about every internet user.

You know that wonderful Google Maps feature that tells you trip times, taking into account current traffic? They do that by GPS tracking people on the roads.

You’ve heard of cookies, which record your identity and track your internet surfing patterns? What about zombie cookies – cookies that come back to life after you’ve deleted them, track down your earlier self and keep adding to your history.

And it’s not just what you like or write online that gives you away. Ko’s lab can tell from what, how – and how fast – people type, whether the typist is a middle-aged man and a left- or right-hander.

Privacy Foundation deputy chairman Gehan Gunasekara says while everyone now knows not to diss their boss on Facebook, data mining is a whole new frontier.

‘‘People are happy to click ‘agree’ but what they don’t really realise is that you’re essentially allowing a Trojan horse into your smartphone or computer, which can then snoop around and collect a whole bunch of stuff.’’

A threat to democracy?

It’s hard not to notice you’re being tracked on the internet when you check out a pair of shoes and 30 seconds later an ad for those shoes appears on an entirely different site. Yet people seem surprised and alarmed the same concept could be used for political marketing.

While no party in New Zealand is known to have used Cambridge Analytica, political parties have been trying to personalise marketing for decades.

In the past you’d work out your best target was women under 40 who were household shoppers, look for television programmes with similar demographics and then advertise during Roseanne and Shortland Street, says National party pollster David Farrar.

Then along came Facebook, which allows parties to advertise just to women aged 30 to 50 who live in Northcote.

Parties also try to target psychological profiles, Farrar says. You segment populations into types – such as President Bush’s ‘‘Nascar dads’’ and ‘‘Soccer mums’’, and then use focus groups to better understand how to appeal to them.

‘‘When you’ve come up in the past with Nascar dads and soccer mums, you can’t actually get a list of what dads like Nascar, and what mums go out and watch the kids play soccer. But now with Facebook, you can. They will post photos, or log into the soccer game. That’s been the game changer. The methods are well and truly tested, but people are so willing to give over that data now, that allows you to be more accurate with that segmentation.

‘‘If you get big enough datasets and you find 80 per cent of people who vote National also like Led Zeppelin, and 78 per cent like South Park. If you can find someone who likes five of those things, you’ve probably got a reasonable scientific basis to say ‘There’s someone we want to target’. That’s all Cambridge Analytica was doing.’’

The Obama campaign also mined the data of Facebook users and their friends to target advertising, but did not use a third party or the ruse of a quirky quiz.

Stuff asked National, Labour, the Greens and NZ First about their use of Facebook ads and data profiling.

National says it uses Facebook’s targeting tools to maximise value for money, tailoring messages or policy to people who ‘‘like’’ their Facebook page, to young voters, senior voters, or voters in a particular place. However, they still find getting out and talking to people more effective.

Labour created a range of election adverts across Facebook, YouTube, Google, and Grindr. General Secretary Andrew Kirton says they don’t use Cambridge Analytica-style personality typing. They do use electoral rolls, census and other public data, combined with door knocking and phone surveys, to try to understand who their target voters are. For example, possible students who might be interested in the party’s free tertiary study policy. But they also favour doorsteps and phones.

‘‘Yes engaging with voters online is important, but in my view the effectiveness of it is almost always overrated.’’

The Green Party says it does not use Cambridge Analytica or anything similar, but does target ads using Facebook’s interest tags.

NZ First’s Winston Peters confirmed NZ First did create different political messages for different groups, but did not use data or personality profiling. Parties also collect their own data – signing a political party’s petition is as stupid as doing a Facebook personality quiz, Farrar warns. And he expects parties to continue using data to make political messages ever more personalised.

‘‘I think they’ve been doing it, and will keep doing it.’’

Wellington tech commentator Ben Kepes (see sidebar) thinks Facebook’s algorithm – which prioritises posts in your timeline based on what it thinks you want to see – is a greater threat to democracy than personalised political messages.

‘‘The echo-chamber effect is much more of an issue than the advertising aspect, I think.’’

What can you do about it?

There’s an old saying, that if you’re not paying for the product, you are the product.

The problem with the internet is users expect everything to be free, so data-mining has become Facebook and Google’s business model.

At present, you can join #deletefacebook and opt out altogether, turn off Google Chrome tracking and location services, and switch to a private email provider that promises not to read your emails. But that’s about it. If you want to buy anything you still have to provide credit card details, a name and shipping address. If you want to connect with friends, you’ll have to design and fund your own social network, and drag all your mates with you. In short, the opt-out options are limited.

There was general agreement – both among commentators and our volunteers – that internet users deserve more clarity about how their data will be used. Grant Sidaway suggested five or six bullet points, in place of the current impenetrable screeds.

That’s one of two priority changes suggested by Privacy Commissioner John Edwards, who has deleted his Facebook account following the data breach. He rejects marketer James Richard’s view that privacy is an illusion.

‘‘Has the horse bolted? Do we care any more? Is privacy dead? I don’t believe any of those things are true.’’

The second is robust regulation to protect data privacy and security, including significant penalties – something New Zealand currently lacks.

Enforcement is likely to require international consensus.

However, Edwards does not accept industry protestations that tracking data breaches would be just too hard.

‘‘I’m calling out double standards. They say it’s too hard, but actually it’s not too hard when you’re trying to protect your new movie, or Rihanna’s new single or whatever.’’

Ko is leading a $12 million government-funded cyber security project called Stratus, to return control of data to the people it belongs to.

Ko argues real control would require three things: a way of tracking your own data, and receiving notifications if someone tries to access it; keeping data encrypted while it’s analysed (it can be done at present, but slows processes down); implementing a kill switch, so that when Jennifer Lawrence discovers her nude photos have been hacked, she can immediately retrieve them.

Gunasekara likes the new European law’s requirement for privacy by design, and privacy by default, putting the onus back on developers.

Richard argues for better education, so people understand what they are agreeing to, and can see through things like personalised political messages.

In the end, though, every internet user will have to decide how much of themselves they’re prepared to sell to pay for the convenience of freely connecting with family and friends, sharing and using their documents wherever they are, and getting journey times based on current traffic.

‘‘I would love to have a medical chip embedded in me with my personal history,’’ Richard says.

‘‘If I was ever knocked unconscious, hit by a car, someone could pick me up, scan it, and know everything. But there’s a downside to that – my insurance company is going to know all about my health.

‘‘There is a tradeoff. There always is.’’

Wellington Girls’ College students Elyse Smaill, 17, and Katie Bonne, 17, have both just downloaded their Facebook and Google personal data, and were surprised at the results they found. PHOTO: ROBERT KITCHIN/STUFF