IS NOTHING PRIVATE ANY MORE ?
REVEALED Shocking extent of how big firms trade your data ++ Children’s voice recordings, passport details and even mothers’ due dates are harvested
THE disturbing scale of the personal data harvested and traded by multinationals can be revealed today.
Health details, children’s voice recordings and copies of passports can be at risk when customers tick an online consent box.
Analysis by the Mail found that Marriott International, Facebook, Asda, Paypal, BT and Tesco engaged in hidden data harvesting and sharing. Giant firms can use personal data to build a profile of customers for targeted adverts or to pass to other organisations. Examples include:
Pregnant women’s due dates being farmed out by Asda to mystery thirdparty companies for marketing;
Children’s voices recorded on the YouTube Kids app being used by Google to promote other apps;
Passport copies given to PayPal for account verification purposes being shared with Microsoft for facial recognition products;
Health details, ethnic origin and political views of Facebook users being used by the social network for targeted advertising;
Viewers of BT television being profiled for advertisers according to
profiles of their television watching and telephone call records.
Emails detailing how Facebook accepted cash in exchange for access to its users’ data were published by Parliament last night.
The firm’s staff discuss whitelisting companies including AirBnB, Tinder and Netflix – allowing them to retain access to Facebook user data if they placed enough advertising.
Mark Zuckerberg, Facebook’s chief executive, wrote in a private email that access to user data could be licensed to advertising buyers. But he adds: ‘If the revenue we get from those doesn’t add up to more than the fees you owe us, then you just pay us the fee directly.’
Last week Marriott International announced that hackers had breached its database of 500million guests, with the attackers having ‘some combination’ of passport numbers, names, addresses and bank card details.
The hotel group also routinely stores the names and ages of its guests’ children, room service orders, social media accounts and employer details and shares this across its operations in 150 countries including Venezuela, Gabon and Libya.
By ticking an online ‘accept’ box, Marriott guests consented to giving up this data and to acknowledge having read the 5,600-word privacy policy which said that ‘no storage system is 100% secure’.
The hotel chain faces investigations from the Information Commissioner’s Office in the UK, as well as the FBI and five separate American states.
Marriott International is one of a dozen companies investigated by the Mail to assess the full scope of the data taken from customers – details of which are buried within thousands of words of legal jargon.
Last night a spokesman from the ICO said its enforcement team was examining the material we provided.
It has the power to fine companies up to £17.7m or 4 per cent of a company’s global revenue for data breaches.
Tory MP Damian Collins, who chairs the Commons digital committee, which published the Facebook emails, said: ‘This investigation clearly demonstrates that there is a complete data free-for-all where big companies are building up huge banks of data on their customers who, on the whole, are largely unaware of what they are giving away and what happens to it.’
All companies analysed by the Mail state that they keep customer details secure, according to new European Union GDPR rules, and that the information is encrypted.
But the Marriott hackers were able to access encrypted data, suggesting a new layer of security was needed.
There are also concerns over the companies hoarding profiles on their customers to target them with advertising and sell them more products. The ‘tick to accept’ box is presented when purchasing or signing up for a service online, for example booking a flight, creating an email account or registering for a grocery delivery.
Richard Lloyd, director of consumer action group Resolver and former director of Which?, said: ‘No one understands the extent of what happens to their data.
‘A firm will say you have to opt in, tick this box, but what sits behind that is massively opaque or hidden. Individuals are being ripped off, scammed, hacked and having their data used and misused by firms that we all know are making mega profits. The terms and conditions are enormous and unintelligible – but you’re forced to tick. And forced to lie, effectively by saying you’ve read it all.’
Facebook’s privacy policy details how it uses highly sensitive information people share on its network to target them with adverts even when they are
500million guests hit by Marriott hotel data hack From Saturday’s Mail
logged out. It states: ‘We use the information that we have to deliver… ads and make suggestions for you… on and off our product’ – and that this includes data ‘with special protections’.
Facebook specifies elsewhere that special-protection data includes ‘life events about your religious views, political views or your health’ and ‘racial or ethnic origin, philosophical beliefs or trade union membership’. Facebook refused to comment on the record.
Children’s voice searches and watch history are stored by Google via the YouTube Kids platform, a version of YouTube with childappropriate content.
Tesco gives its customers’ data to Sky so the TV giant can target them with tailored advertising. It also links its Clubcard shopping data to insurance offers from its financial services arm.
Sky, meanwhile, cross-references the data of its own customers with Experian, Royal Mail and ‘public sources’ to create profiles of them and their households. These profiles form the basis of its ultra-targeted advertising Sky Adsmart product.
Sean Humber, who is head of data protection at law firm Leigh Day, reviewed the Mail’s findings and said some company practices were ‘unlawful’.
Arne Sorenson, the chief executive of Marriott International, said of the data hack: ‘We are doing everything we can to support our guests, and using lessons learnt to be better moving forward.’
Sky said no ‘personally identifiable’ information is shared between the companies it works with and that it does not target individual households. Microsoft declined to comment.