Apps are fun, but read their policies before downloading
The scandal involving Facebook and data mining company Cambridge Analytica dramatically confirms the old adage of “no free lunch.” The only way to protect one’s data is vigilance by all, though that may well be the equivalent of closing the barn door after the proverbial horse escaped.
News reports that Cambridge Analytica swept up details on millions of Facebook users jolted industry, regulators and users. Yet users consented to data exchanges, often impatiently, without reading pages of small print of terms-of-service agreements. Many companies profit handsomely from knowing the range and length of users’ phone calls, driving patterns, family history and genetics, purchase details through credit cards and store discount cards, insurance claims for health problems, and games that measure frustration levels or ability to follow rules.
Collecting data to assess target groups is not new. Decades ago, telemarketing firms relied on typists to go through phone books, cross-listing names and numbers with other public lists. Librarians understood the potential privacy pitfalls early on and endorsed policies to protect confidentiality – before computers became widespread, libraries stopped using cards listing individuals who had previously borrowed books. Likewise, the college application process has long been a data-mining exercise to determine which applicants are likely to enroll and graduate.
Patients, borrowers and students who fill out offline application forms are not exempt from becoming targets. Paper forms are quickly scanned into computer files. Large community events and fairs offer opportunities for data gathering. Hundreds of vendors attending large home shows hold contests to gather potential customer contacts, and job fairs collect resumes to study the evolving job market and reap new employer contacts.
Computers made data collection easy. Any type of data can be packaged and marketed. Cities already provide data on properties, taxes and public health as a public service, and the World Economic Forum suggests communities could do more to distribute data on assets from traffic to waste collection. Associations offer services and information on how to research and package data. To improve efficiency, utilities in India, Europe and the United States rely on smart meters to monitor and predict patterns of energy and water use. Committees and policies for monitoring data use and information governance so far are not keeping up with the growing numbers of organisations gathering and trading data.
Data products can be specific, offering details about individuals, or aggregated to relay broad trends. Laws in the United States and Europe protect individual health, education or financial information, but do not ban aggregation as described in privacy policies, terms of agreement and license agreements. For example, the Common Application — an online form required for applying to many US colleges — details its policy: Third parties and contracted researchers may have access to application and related information which can then be packaged as “non-personal identifying demographic, historical, generic, analytical, statistical or aggregate data obtained from other sources, and/or data.”
Health is an especially sensitive area, and privacy laws, even the strict new data protections to be imposed by the European Union in May, include exceptions. The EU law requires that patient data “be collected for a specific explicit and legitimate purpose” but allows that same data to “be re-used for research” for the public-interest purpose of driving innovative treatments.
Apps take advantage of the universal desires to play, understand ourselves, or compare how we perform with others. Experts analyse user choices, associating interests as detected by searches and clicks with individual behaviour, hunting for patterns and correlations. Some companies offer discounts to customers deemed credit-worthy; other firms hunt for gullible, impulsive spenders.
A lesson emerging from the Cambridge Analytica and Facebook debacle is that those who refuse to surrender data cannot evade the consequences, especially when so many other users do share. Millions of friends whose data was harvested may not have given specific consent, but in the end that did not matter.