Meet the digital you
News that a political research company Cambridge Analytica mined Facebook data to try to sway elections has sparked global outrage. But should we really be so surprised? looks at what really happens to your digital data.
Such was the seriousness of the occasion, Facebook boss Mark Zuckerberg ditched his usual T-shirt and jeans for a shirt and tie.
Fronting up to the United States Congress this week to defend his social network against growing disquiet about its privacy and ethics, Zuckerberg’s mea culpa was well practised. But the unexpected personal questions of Senator Dick Durbin met with awkward hesitation.
‘‘Would you be comfortable sharing with us the name of the hotel you stayed in last night?’’ Durbin asked.
‘‘Um,’’ Zuckerberg floundered. ‘‘No.’’
‘‘If you’ve messaged anybody this week, would you share with us the names of the people you’ve messaged?’’ Durbin continued.
‘‘Senator, no, I would probably not choose to do that publicly here,’’ Zuckerberg replied.
‘‘I think that might be what this is all about – your right to privacy, the limits of your right to privacy, and how much you’d give away in modern America,’’ Durbin said.
That is exactly what this is all about. What started with an innocuous-sounding Facebook personality quiz has provoked a full-force storm of outrage, as people have twigged to just how much of their digital life is being tracked, stored and analysed. How everywhere you go, everything you buy, every email or message conversation you have is another brush stroke adding definition to your digital portrait.
The so-called Cambridge Analytica scandal involved the political consultancy mining the Facebook data of 87 million people and assigning them personality types based on what they like and how they behave.
The idea was to use those profiles to design personalised political messages to help swing the Trump campaign, although the extent of its use remains unknown. The data breach raised several red flags - how was the quiz app able to mine the data of the quiz responders’ Facebook friends, and what are the implications for democracy if social media profiles can be used to manipulate elections?
This is your digital life
The Cambridge Analytica quiz app was called This is Your Digital Life. Where better to start then, than a stocktake of your digital life?
We asked four volunteers of different ages, stages and social media activity to download the data Facebook and Google has on them.
The size and content of the data dumps varied wildly, according to how much each person used the services. I’m a relative social media hermit, so it’s not surprising my Facebook archive was a tiny 47MB - the equivalent of about 146 Microsoft Word documents. Wellington Girls’ student Elyse Smaill meanwhile had 1.4GB of data - the equivalent of about 4400 Word documents.
The 17-year-old doesn’t post that often, but uses Facebook Messenger to keep up with friends overseas, and Facebook groups to organise events. ‘‘I am on Facebook a lot,’’ she laughs, slightly guiltily, as she watches the slow download of her mountain of data.
The volume and detail was surprising. Every Facebook Messenger conversation you’ve ever had; every Facebook photo you’ve ever liked, posted or been tagged in; audio files sent as part of Messenger conversations. Every email you’ve ever sent via Gmail, every YouTube video you’ve ever watched, or searched for; every Google Drive document. And, in one case, a to-the-minute map record of exactly where you went on your English holiday.
There were laughs - Facebook had curiously decided 65-year-old Grant Sidaway should receive ads about women’s issues, while I was apparently into The Beach Boys and an English band I’ve never heard of. Seventeen-year-old Katie Bonne was down to receive ads relating to 1965 Julie Christie movie Darling.
There was nothing as sinister as the log of a phone conversation with his mother-in-law, which Wellington developer Dylan McKay discovered in his Facebook data, fuelling global fears. But there were unnerving details. Katie’s Facebook data included an audio clip recorded on her phone, but never shared with Facebook or Messenger.
Elyse discovered a clutch of gaming apps had uploaded her contact info, although she couldn’t recall ever using them. I found unfamiliar Facebook photos, and that Facebook somehow knew which of its advertisers had my contact information, although I never log in to apps or sites with my Facebook login.
And that’s just Facebook and Google. If you’ve ever signed up to a store’s email to get that 15 per cent off your next purchase, chances are that store is now tracking your behaviour. Amazon records everything you’ve ever bought, every product review you’ve written. And stop to think about the playlists served up by Spotify or the apps that recommend books especially for you, and you’ll realise the only way they can do that is by mining the data of millions of other users to find people who seem to have similar tastes.
Should we really be surprised?
‘‘Privacy?’’ asks marketing lecturer James Richard. ‘‘There’s no such thing.’’
‘‘Everything you do or say, your networks, your contacts, everything about you is collected and exists somewhere. The laws we enact around privacy I consider similar to the locks you put on the doors of your house. It makes you feel safe, but if someone wants to break into your house, they’re going to do it.’’
Study Google’s privacy policy and you’ll see they read your emails, and even record phone data. But the Victoria University academic says people don’t read terms and conditions, which can stretch to 30+ pages. And they don’t realise tech behemoths such as Facebook, Google and Yahoo own multiple businesses, and move data between them. Google owns YouTube; Facebook owns Instagram and messaging app WhatsApp.
Richard says businesses have always tried to predict what people want, from the village butcher who has your Friday steaks ready before you walk in the door. Personalisation has always been the holy grail of marketing.
Facebook ads already marry your interests with your location, which they can work out from our IP address even if you’ve left your profile location blank. So if you’re into horseriding they’ll post ads for saddleries in your home city.
What seems to have upped the creep-out factor in the Cambridge Analytica case is the fact they purportedly used people’s Facebook profiles to predict personality type, and then presented political messages tailored to that way of seeing the world.
It’s not science fiction - a 2015 Cambridge University study found an app could predict personality better than family and friends, based purely on Facebook likes. A second study found using a single ‘like’ associated with introversion or extraversion, and designing ads to suit that personality type, could increase sales by up to 50 per cent.
Richard says with the evolution of big data and artificial intelligence, predictive targeting will only get better.
‘‘You’ll have a personal agent embedded as part of a phone or watch. You’ll say ‘I want to buy a new car’, the agent will find a car that fits your budget and the type of person you are, and will negotiate a price with another AI. It will know enough about you and what you like.’’
Richard argues it’s not unethical to mine data to send people information that’s relevant to them - that’s good marketing.
‘‘What I vehemently oppose is unethical marketers who use this data to manipulate or take advantage of vulnerable people.’’
Ryan Ko runs Waikato University’s Cyber Security Lab. He presents an equally sobering picture of just how much information is being collected about every internet user.
You know that wonderful Google Maps feature that tells you trip times, taking into account current traffic? They do that by GPS tracking people on the roads.
You’ve heard of cookies, which record your identity and track your internet surfing patterns? What about zombie cookies – cookies that come back to life after you’ve deleted them, track down your earlier self and keep adding to your history.
And it’s not just what you like or write online that gives you away. Ko’s lab can tell from what, how – and how fast – people type, whether the typist is a middle-aged man and a left- or right-hander.
While five years ago everyone was worried about governments spying on them, now people are realising that companies like Google and Facebook have the computing power and talent to undertake mass surveillance, Ko says.
Privacy Foundation deputy chairman Gehan Gunasekara says while everyone now knows not to diss their boss on Facebook, data mining is a whole new frontier.
‘‘People are happy to click ‘agree’ but what they don’t really realise is that you’re essentially allowing a Trojan horse into your smartphone or computer, which can then snoop around and collect a whole bunch of stuff.’’
A threat to democracy?
It’s hard not to notice you’re being tracked on the internet when you check out a pair of shoes and 30 seconds later an ad for those shoes appears on an entirely different site. Yet people seem surprised and alarmed the same concept could be used for political marketing.
While no party in New Zealand is known to have used Cambridge Analytica, political parties have been trying to personalise marketing for decades.
In the past you’d work out your best target was women under 40 who were household shoppers, look for television programmes with similar demographics and then advertise during Roseanne and Shortland Street, says National party pollster David Farrar.
Then along came Facebook, which allows parties to advertise just to women aged 30 to 50 who live in Northcote.
Parties also try to target psychological profiles, Farrar says. You segment populations into types - such as President Bush’s ‘‘Nascar dads’’ and ‘‘Soccer mums’’, and then use focus groups to better understand how to appeal to them.
‘‘If you get big enough datasets and you find 80 per cent of people who vote National also like Led Zeppelin, and 78 per cent like South Park. If you can find someone who likes five of those things, you’ve probably got a reasonable scientific basis to say ‘There’s someone we want to target’. That’s all Cambridge Analytica was doing.’’
The Obama campaign also mined the data of Facebook users and their friends to target advertising, but did not use a third party or the ruse of a quirky quiz.
Stuff asked National, Labour, the Greens and NZ First about their use of Facebook ads and data profiling.
National says it uses Facebook’s targeting tools to maximise value for money, tailoring messages or policy to people who ‘‘like’’ their Facebook page, to young voters, senior voters, or voters in a particular place. However, they still find getting out and talking to people more effective.
Labour created a range of election adverts across Facebook, YouTube, Google, and Grindr. General Secretary Andrew Kirton says they don’t use Cambridge Analytica-style personality typing. They do use electoral rolls, census and other public data, combined with door knocking and phone surveys, to try to understand who their target voters are. For example, possible students who might be interested in the party’s free tertiary study policy. But they also favour doorsteps and phone lines.
‘‘Yes engaging with voters online is important, but in my view the effectiveness of it is almost always overrated.’’ The Green party says it does not use Cambridge Analytica or anything similar, but does target ads using Facebook’s interest tags.
NZ First leader Winston Peters confirmed NZ First did create different political messages for different groups, but did not use data or personality profiling.
Parties also collect their own data – signing a political party’s petition is as stupid as doing a Facebook personality quiz, Farrar warns. And he expects parties to continue using data to make political messages ever more personalised.
Tech commentator Ben Kepes thinks Facebook’s algorithm – which prioritises posts in your timeline based on what it thinks you want to see – is a greater threat to democracy than personalised political messages.
‘‘The echo-chamber effect is much more of an issue than the advertising aspect, I think.’’
What can you do about it?
There’s an old saying, that if you’re not paying for the product, you are the product.
The problem with the internet is users expect everything to be free, so data-mining has become Facebook and Google’s business model.
At present, you can join #deletefacebook and opt out altogether, turn off Google chrome tracking and location services, and switch to a private email provider that promises not to read your emails. But that’s about it. If you want to buy anything you still have to provide credit card details, a name and shipping address. If you want to connect with friends, you’ll have to design and fund your own social network, and drag all your mates with you. In short, the opt-out options are limited.
There was general agreement – both among commentators and our volunteers – that internet users deserve more clarity about how their data will be used. Sidaway suggested five or six bullet points, in place of the current impenetrable screeds.
That’s one of two priority changes suggested by Privacy Commissioner John Edwards, who has deleted his Facebook account following the data breach. He rejects marketer Richard’s view that privacy is an illusion.
‘‘Has the horse bolted? Do we care anymore? Is privacy dead? I don’t believe any of those things are true.’’
His second recommended change is robust regulation to protect data privacy and security, including significant penalties – something New Zealand currently lacks.
‘‘The reason your kid’s toy box is not filled with lead-covered things is because there are really significant consequences for producers putting those things into the market place. If they are unsafe, if they don’t meet the standards, then they are prosecuted. We are now in an age in which data can be misused in ways which are just as unhealthy or unsafe.’’
Enforcement is likely to require international consensus. However, Edwards does not accept industry protestations that tracking data breaches would be just too hard.
‘‘There’s an intellectual dishonesty in saying that protecting large commercial interests’ intellectual property rights across an open internet is legitimate, necessary and doable but protecting individual privacy is not. I’m calling out double standards. They say it’s too hard, but actually it’s not too hard when you’re trying to protect your new movie, or Rihanna’s new single or whatever.’’
Ko is leading a $12 million government-funded cyber security project called Stratus, to return control of data to the people it belongs to.
Ko argues real control would require three things: a way of tracking your own data, and receiving notifications if someone tries to access it; keeping data encrypted while it’s analysed (it can be done at present, but slows processes down); implementing a kill switch, so that when Jennifer Lawrence discovers her nude photos have been hacked, she can immediately retrieve them.
Gunasekara likes the new European law’s requirement for privacy by design, and privacy by default, putting the onus back on developers.
Richard argues for better education, so people understand what they are agreeing to, and can see through things like personalised political messages.
In the end, though, every internet user will have to decide how much of themselves they’re prepared to sell to pay for the convenience of freely connecting with family and friends, sharing and using their documents wherever they are, and getting journey times based on current traffic.
‘‘I would love to have a medical chip embedded in me with my personal history,’’ Richard says.
‘‘If I was ever knocked unconscious, hit by a car, someone could pick me up, scan it, and know everything. But there’s a downside to that – my insurance company is going to know all about my health.
‘‘There is a tradeoff. There always is.’’