Savvy in a digital world
Most of us don’t have the time or energy to keep track of all the information we’re sharing online. We just trust regulators are doing their jobs and keeping us safe. Is that naive? Katie Kenny reports.
Istart my day, almost every day, with the same three words: ‘‘Hey, Google. Stop.’’ I then roll over and go back to sleep, until a second alarm jerks me awake.
It’s the first of more than 100 interactions I have with the search giant during an average
24-hour period. More than half of these interactions are via the search bar, around 30 per cent are websites visited, and the remaining portion is made up of YouTube videos watched and voice assistant commands.
Google has long allowed users to view and download data collected from and about them. Through Google Takeout, you can export your information, from search history to emails to chat logs to photos. But if you just want to see an overview of what you’ve done on Google’s products, head to My Activity.
I can’t tell you whether my Google activity is normal. Google can’t tell me, either. (‘‘We don’t provide this information,’’ a spokesman said.)
Anyone who’s ever cleared a browser history or had an embarrassing Spotify recommendation knows what it feels like when technology throws us back at ourselves. My Google data, combined with my bank card transactions, social media messages, health records, and more, could tell you more about me than I could.
That’s not necessarily a bad thing. Data allows companies, and governments, to make their services faster, smarter and more personalised. It’s the tradeoff we make – but do we gain more than we lose? It can be hard to say, when we don’t know how much we’re giving away.
Most of us don’t have the time or energy to keep track of all the data we’re shedding online, or read all the terms and conditions when downloading an app.
But policy makers are struggling to keep up with the pace of technological advances. The number of devices collecting and analysing information in real time, otherwise known as the internet of things, is expected to exceed 50 billion by 2020.
Recent, high-profile data breaches, such as Uber’s loss of
57 million users’ information, and Cambridge Analytica’s misuse of Facebook data relating to nearly 90m users, show we’re not always safe from harm.
Legislation has the tricky job of balancing business needs and individuals’ expectations, says Mike Flahive, founder of consultancy Simply Privacy. The speed at which it’s become possible, and cheap, to collect and store huge amounts of data has meant organisations have rushed ahead without pausing to consider the consequences.
Europe’s General Data Protection Regulation (GDPR), possibly the world’s toughest data protection rules, came into effect in May. Beyond Europe, companies around the world have updated their policies to meet the new requirements, which allow individuals to request their data and restrict how businesses collect and use the information.
New Zealand’s own privacy bill is making its way through Parliament, set to repeal and replace the 25-year-old Privacy Act. However, some public submissions say the bill doesn’t go far enough in strengthening individual privacy.
‘‘I think it’s fair to say Europe’s ahead of us,’’ Flahive says. ‘‘We’re not far behind . . . But I think as a culture – that’s about people’s understandings and expectations in that space – we haven’t quite caught up yet.’’
More data means more responsibility for those collecting it, he says. As individuals, we also don’t exercise enough scrutiny of who’s collecting our data and what they’re doing with it.
‘‘It’s incumbent on us to understand what we’re getting into . . . And if it looks too good to be true, then it probably is. Nothing’s free.’’
But even if we read the fine print, it’s often too vague to be helpful. And given many apps and mobile network operators repackage and sell data, there’s no knowing where it ends up.
Online privacy matters because so much of what we like, what we dislike, and what we care about, is held online, says Andrew Cushen, of Internet NZ. ‘‘That information is valuable to us. It’s also valuable in terms of companies wanting to target and advertise things to us. And, unfortunately, it’s valuable to people who wish to use it for nefarious purposes.’’
Sean Lyons at NetSafe, New Zealand’s independent online safety organisation, agrees. While he acknowledges there’s ‘‘a degree of complacency’’ among the public, ‘‘naive’’ is a ‘‘troublesome word’’.
‘‘It suggests that people are not thinking things through, and I don’t think that’s what drives people to make the mistakes they make.
‘‘But should we be investing extra time and effort into this? Absolutely. I see the downstream effects when people don’t.’’
Even with the ‘‘Location
History’’ on my smartphone turned off, Uber rides, bank card transactions, public library loans, gym checkins, and New World Clubcard purchases do a pretty good job of tracking my movements.
I examined my Clubcard results with a forensic interest. On May 22, 2016, I paid $3.89 for a 250g block of Pams Colby cheese
at New World. I buy a lot of chocolate and chardonnay. What’s that doing for my demographic profile?
It took 30 days, and multiple emails and phone calls, to get a copy of that spreadsheet. For some requests, such as applying for my credit score, I had to provide more personal information (passport details, phone numbers) to access data already held about me. That seems unfair, doesn’t it?
While it’s an inconvenience to prove my identity to access historical data, it’s only because systems are set up to save me having to do that regularly, says Privacy Commissioner John Edwards. If I had to authenticate my identity every time I scanned my Clubcard, I wouldn’t bother using it. But to see data about me, I have to prove I really am Katie Kenny.
The same sort of aversion to hassle is why people don’t enable two-factor verification, Edwards says. Also known as two-factor authentication, the added security layer requires a code, sent by text or from a special authenticator app, to be typed in after you fill in your password.
In 2014, a phishing scam targeted Jennifer Lawrence and other Hollywood stars, illegally accessing private information, including nude photos and videos. A two-factor authentication on their Apple iCloud accounts would have prevented the scam, Edwards says.
Opting out completely is also an option. When Kendall Flutey was in her final years of school in Christchurch, her friends were uploading ‘‘everything’’ on to Facebook, which was just becoming popular in New Zealand. ‘‘From what I recall, there was no consideration of privacy . . . I didn’t really like the idea of that.’’
Facebook has 3.2m monthly active users in New Zealand. But Flutey, now 27 and co-founder and CEO of financial education platform Banqer, is a ‘‘Facebooknever’’.
At school, her peers were surprised she didn’t create a Facebook account, given she was known as ‘‘one of the students most into tech’’. She admits not having one was, at times, socially isolating. ‘‘But it also made it a lot more obvious when someone really wanted me to come to an event, or catch up, or get to know me.’’
She’s quick to say her decision to stay off Facebook wasn’t ‘‘a revolution of some kind’’. She uses Gmail, Twitter, Snapchat, LinkedIn, and Instagram (which is owned by Facebook, so it kind of does have her data).
‘‘It’s hard to explain, but I think the rationale here is that I like the microservices approach. Think about Facebook – it’s this monolithic social media platform that will take any kind of data on you it can, and that is very time-consuming to keep updated. It wants you to upload photos, text, videos, locations, relationships, friend networks, all in one place.
‘‘I’d rather break those services down and have a more intentional audience and voice on each platform.’’
British philosopher Onora O’Neill, in a 2001 paper on informed consent, anticipated some of the issues relating to personal data that society is navigating today. When individuals are swamped with information so complex in content and in organisation, few are in a position to provide ‘‘genuinely informed consent, or informed dissent’’, she wrote.
‘‘If I am right in this surmise, we are likely to face a deep tension between the limits of available human capacities and the sorts of choices about policies and cases that will actually arise and require justification or rejection.’’
So who’s responsible for finding a solution – technology companies, governments, or us?
It’s easy to become fatalistic about our privacy online. Updating social media settings can feel like bailing buckets of water from a sinking ship. ‘‘It’s inevitable that we, or others with the right skills, can find out information on you, no matter how hard you try to lock it down,’’ says Mike Gillam, of private investigative firm The Investigators.
‘‘The instant cash loan you tried to get five years ago, that left a footprint. When you moved house and redirected your mail, that left a footprint. Everybody’s got a footprint.’’
But most people aren’t private investigators, or even capable of finding much other than ‘‘surface-level information’’, he says. ‘‘I would always say it’s absolutely worth watching social media settings and hiding friends lists, that sort of thing.’’
Towards the end of my day, my Google activity tends to drop off, save for the odd flurry of keyword searches. Take a random evening: ‘‘spiralizer’’; ‘‘julienne peeler’’; ‘‘julienned, define’’; ‘‘julienned’’; ‘‘wide peeler’’; ‘‘how to julienne carrots’’. No prizes for guessing what I was preparing for dinner. Later on, more interactions are via voice command.
Google and Amazon, the leading sellers of smart speakers, say the assistants store audio only after they hear specific keywords, such as, ‘‘OK, Google’’, or, ‘‘Alexa’’. By default, they’re always listening. I’m aware I waive a certain amount of privacy for the convenience they provide.
‘‘You can believe or not that they don’t store this information,’’ an artificial intelligence engineer tells me. ‘‘But people put these tools in their bedrooms, because they’re convenient, completely ignoring the fact they’ll never have a private argument with their partner ever again.’’
Later that day, I unplug my Google Home. But my routine – from waking up, to listening to podcasts, to winding down with a bedtime playlist – is thrown off. It’s not that I can’t live without the device, but simply that it makes my life easier.
Privacy matters because so much of what we like, what we dislike ... is held online.
This article is part of Data for Sale, a Stuff series about personal data and privacy. It was made with funding from Te Pu¯ naha Matatini, through the Aotearoa New Zealand Science Journalism Fund.