Privacy or Lack Thereof

29-Mar-2017

Lots in the news today about Congress passing a CRA (Congressional Review Act; along a party line vote) that repeals the rules put in place by the FCC last year that limits how ISPs (Internet Service Providers) are able collect and sell their customer's browsing history, app usage, and other data.

​So this is a good time to go over how various parties (ISPs, sites you visit, etc.) collect your data, what kind of data they collect, what they do with it, and finally, what you can do to minimize that -- if utmost privacy is important to you.

Intent

When discussing ways that your private data or browsing habits are collected and used, it's also important to discuss intent. Not all collection and usage is bad. e.g. Virtually all email systems scan your emails in order to ferret out spam and malware. That's a good thing, right?

Social networks like Facebook and many websites also track what you click on. If you click on nothing but videos of cats playing in paper bags, then you'll start to see more of those on your social networks. Things you click on also indicate what types of ads to display -- targeted ads that are relevant to you. So you might see ads for pet toys, food, vets, and rescue organizations, for example.

The next level of privacy concern is when "big data" collects and sells your information. Depending on the privacy policy of the site in question and the data buyer's needs, that information may be anonymized or it may be individually identifiable. The latter is what makes most people nervous.

What can your ISP see about you?

Your ISP can log every web page you visit. Even if the web page is encrypted (https at the beginning of the address line), your ISP can still see and log the domain name of the site. If the web page is not encrypted (no https), then the ISP can see and log everything that you do on that site. That doesn't mean they are logging it -- just that they can. This is one reason Google searches are all encrypted now.

Types of data that your ISP can see:

  • Names of sites you visit even if the site is encrypted (https). That can reveal a lot right there.

  • Your username and password if the web site you are visiting uses an insecure (non https) login page. That's rare, but some do.

  • Your IP address which identifies your region and, in the case of an ISP, you specifically.

  • All data displayed or input by you that isn't on an encrypted (https) web page


Here are some ways to reduce what your ISP can see and log about your browsing behavior:

HTTPS Everywhere: This is a browser extension that forces a secure (https) connection on many web sites. This hides the data on the URL that follows the domain name (the .com), but the domain name itself is still visible. It also hides from the ISP the content of those web pages.

TOR Anonymizing Browser: Using TOR (The Onion Router -- think peeling away layers of an onion), your ISP won't see squat except that you are, in fact, using TOR. But they won't see anything in regard to what sites you actually visit. TOR can be very slow and has other pesky problems, such as some web sites not allowing visitors who use TOR. That's because TOR is often used nefariously even though TOR itself is a legitimate product. Also, a TOR browser works only for web pages. Other apps like Skype can't use TOR.

VPN: Your ISP will know you're using a VPN, but like TOR, they can't see anything else. This technology hides all types of traffic (not just web sites) and, as an added bonus, can make you appear to be in a region or country of your choice. e.g. If you are in Europe and want to access content that's only available in the US, a VPN can make that happen. But as always with any cat and mouse game, some content providers, like Netflix, are wising up to VPN use. Your surfing habits are still hidden from the ISP, so from a privacy perspective, that's a good thing.

TOR and VPNs each have their own purposes, pros, and cons, but they accomplish pretty much the same thing from a privacy perspective. There are some other important differences, but that's beyond the scope of this article. TOR is free to use. Most VPNs are not.

Free to use web sites

Lots of the really great free things on the internet are free because we consent to allow these services to observe and log some of our activity. Facebook, Twitter, Google, and thousands of others. A lot of what's logged is anonymized and aggregated -- not necessarily individually identifiable. And some of it is.

Gmail (in my opinion the best email system around), like many others, has technology that scans your email. To be clear, no human is reading your email and they don't copy and save what they see for later use. The automated scanning does a couple of things: It helps email providers serve you relevant ads (which you may not like), but that exact same technology also identifies spam and malware (which is a good thing) and deals with it. That's one reason Gmail is so bloody good at finding spam. Google is using their powerful search kung fu to suss out spam. I mean, Google is all about search, right?

Types of data that your email provider can see:

  • ​Who you send email to and receive email from (metadata)

  • Your IP address which identifies your region or city

  • Email (that's not encrypted) is scanned in order to display ads (sometimes) and eliminate spam and malware


Facebook and other social networking sites

Make no mistake, on sites like Facebook, you are not the "customer", you are the product being sold. Your clickstream and eyeballs are sold to advertisers. You "pay" for Facebook by seeing ads and having your browsing habits monitored and sold. You don't even have to click on the ads for Facebook to make money, but if you do, Facebook makes even more money. This is the deal we made when we signed-up. Facebook lets us do stuff and we pay for it by being shown ads and having no privacy.

While nobody particularly likes ads, it's what makes the internet run, pure and simple. Without advertising the internet would be a dramatically different place. e.g. You'd have to make a micropayment for pretty much all web sites you visited except for shopping sites. Who wants to do that?

The Like button? That is nuclear-powered marketing gold for Facebook! You may think you are just affirming a post made by a friend, but the Like button serves many purposes that you probably aren't aware of. It's one of the most important Facebook-benefiting features they ever implemented.

Types of data that your social network sites can see and suss out:

  • Who your friends are and how popular you are

  • Your IP address which identifies your region or city

  • What you like to do

  • How wealthy or poor you are

  • Your level of education based on your writing style and the people and pages you like and that like you.

  • Your political views

  • What you look like (accomplished through photo tagging)

  • Determine medical conditions, family issues, and other highly sensitive topics, simply by scanning your posts and what others are posting about you

  • Places you visit and travel to. Every time you access Facebook, it knows where you are. Tagging a location also contributes valuable info to your whereabouts and movements.

  • Everything that you included in your profile, to the extent it's truthful.

  • And countless other insights gained


Facebook is the 800 lb gorilla when it comes to data collection and is a huge aggregator in its own right. They sell all this information to other data aggregators, advertisers, research firms, and whoever else wants it. A lot of is anonymized but a lot of it isn't. It depends on the needs of the buyer.

 

Privacy Red Herring

When Facebook discusses privacy, how important it is, and how much and with whom you are sharing, and the dozens of options that you can turn on and off controlling how much you share, it's mainly regarding how your data is shared with other users of Facebook -- your Facebook friends, their friends, the public at large, etc. There's some (fairly minor) value in being able to control access to other users, but that's just a distraction. It's not the main event. The big prize for Facebook is all behind the scenes. You really have no control over what Facebook does with your data or how and when they sell your data to other parties.

Facebook even tracks people that are not and have never been Facebook users!

There's very little you can do to protect yourself from what Facebook and other social networks do with your data. You can quit Facebook and that might slightly slow the flow of newer information, but that's it.

Photo Tagging

Facebook photo-tagging is unbelievably powerful. It's so much more than just what happens on your newsfeed. Ever see the movie Minority Report when Tom Cruise's character was electronically recognized on the train, the department store, and other places he went? Users of Facebook and other social networks that tag photos with names may be unknowingly contributing to photo identification databases. Stores could mount cameras outside their doors and scattered inside that can track you and by tying into these databases, they can learn your identity. They may use this to target advertising, to spot known shoplifters, or simply to sell the data -- because, hey, they can. It's not yet commonplace, but some stores are experimenting with this now.

That same technology can be used for law enforcement as well. Just as LPRs (License Plate Readers), located mostly on police vehicles, can scan hundreds of license plates per second in search of stolen cars, open warrants, etc., so too could similar camera systems be used to identity people for law enforcement purposes. Airports are already experimenting with this technology to identify travellers with suspected connections to terrorist groups. Few would argue that spotting potential terrorists is a bad thing (and that's an abuse right there for discussion at another time), but these are the sorts of anonymizing-busting technologies that exist today. And virtually all of it is profit-driven.

Users of social networks contribute hugely to such databases. Facebook is a data-collecting goliath. It doesn't give two shits about you or your privacy.

Opting out of Big Data

 

Big Data is going to do what Big Data does, but there are some opt-out mechanisms available to you. I can't common on how effective they are or to what extent an opt-out offer is legally mandated or not, but it's probably better than nothing at all.

Direct link to page with instructions on how to opt-out of dozens of big data brokers.

https://www.stopdatamining.me/opt-out-list/

Their home page with other intersting stuff

https://www.stopdatamining.me/