How Does Online Privacy Work?
What is the “Data About You”?
Data is facts. A fact is something that is said to be true because it has been observed or can be verified. The most basic set of facts about you are those you were born with: name, age, ethnicity, height, weight and eye color. Other basic facts include your parents, siblings, where you live, social security number, phone numbers and email addresses.
As your life unfolds there are facts about your education, military service and employment. There are facts about your finances, including your credit score. All your purchases, loans and payments are recorded. There are facts about your health and well-being, from the insurance you buy to the claims you file. The diseases you are diagnosed with, the procedures you go through and the prescription drugs you take are all data about you. There is also a set of facts about citizen you, including your marriage or divorce, voter registration, tax payments, government benefits, and interactions with law enforcement and the court system.
Each email you send has data about you. Instant messages and tweets, too. All your internet searches, both the search terms you start with and the links on the search results you click on, are data about you. How you are connected to the internet as well as the browser and the computer you use are data about you. All your social media behavior and contacts are data about you. Your photos, likes, dislikes, songs and videos are data about you. Where you are at any point in time, your physical location, is data about you. All the TV programs you watch through your cable or satellite are recorded data about you.
What makes the data “personal” is that it can be directly linked to you. Personal information is facts about you, your relationships and your behavior that have been observed or can be verified. The IP address of your connection to the internet and the unique “fingerprint” of the browser you use to access websites on the internet are two “personal identifiers.” They are pieces of data that are collected from you that can be used to identify you and connect your identity to your profile and activity using a website.
Where Does Data About You Come From?
Data about you is recorded in many places. Local, state and federal governments keep records about citizen you. Public and private educational institutions may have data about student you. The businesses that provide home services like gas, electricity, phone, cable and internet have data about you. If you borrow money or open a bank account, financial institutions have data about you. Any time you buy something and use a bank card or provide a customer number, email or phone number, the vendor has data about you. If you purchase car, home, life or health insurance, the insurance company has data about you. All the interactions of patient you with the healthcare system are documented by providers and often shared with insurance companies and government agencies.
Data brokers are in the business of collecting, compiling and selling all the data about you cited above. In 2014 the Federal Trade Commission (FTC) issued a report titled Data Brokers: A Call for Transparency and Accountability. Please refer to Appendix B: Illustrative List of Data Segments and Data Elements to see a partial list of what data brokers collect about you according to the FTC.
The “Global Data About You Network”
A global network collects, stores, transfers and processes your personal information. First, there is a connection from your home to the internet, the “connection.” Then there is the network itself, the “internet.” The internet is the global system of interconnected computer networks that speak a common language to transfer data. In this example the “website” is a place to get health information. The browser you open and type into that returns the “webpage” from the website is the “application” (or app). You use an app that has a connection to the internet to return a webpage from a website. You do not need to know anything else about how the network works or where the WebMD website is located to get a response back in seconds.
In these descriptions we use the example of searching for health information on a website like Health.com or WebMD. However, please note that the process is the same for all of your interactions when connected to the internet. Your presence is detected, your identity is confirmed where possible, and then a decision is made automatically on how to respond to your request or motivate you to take a particular action. Advertising revenue, as the primary means to make money over the internet, drives the process. So in many cases the decision made is what set of ads to show you on the next web page rendered. The challenge is that the ability to recognize your presence and identify you extends to every aspect of your life. And the decisions made automatically also extend to every aspect of your life and use personal information about you that you have no knowledge of or control over.
In the ongoing auction to display ads, your search terms and personal information about your internet connection are shared with hundreds of advertisers and advertising technology companies. It’s hard to get your head around, but all of this happens in milliseconds of computer processing and data transfer time. Your profile together with your search terms is literally put up in a real-time auction to the highest bidders. The winners send the ads they want to put in front of you to your web browser as the next page loads.
Computers automatically carry out this five-step processing dance every time you click on a link in your browser (or show up anywhere else as a “node” on the global data about you network): recognize, record, decide, respond and measure. In the health information example, because advertising revenue drives profit, decide is what ad to show, respond is the ad itself, and measure is whether you clicked (and the website gets paid!). Recognize is your search terms, IP address, browser “fingerprint”, login information and cookies when available. All of this data is recorded by every vendor participating in the network, which means literally hundreds of vendors all over the world are recording your personal information.
Scores that predict behavior play a leading role in the decision part of the process. The score to predict whether you will click on a specific ad in WebMD uses facts about you that have nothing to do with your website visit. You don’t know how the score works, which facts about you it uses, or who sells and who buys the opportunity to gain your attention. Your “interest” in that ad may follow you around the internet or into your home. That ad may be displayed on your phone when browsing a website that has nothing to do with health information. Or perhaps the ad shows up in the program guide on your TV.
The business focus on digital advertising, the ability to locate individuals in real time, and the merging of online and offline data records create a situation that resembles surveillance.
As more people spend more time using smartphones and connecting to the internet, advertisers, advertising technology vendors, data brokers and websites (particularly social media and publishers) have become the “global data about you network.” Literally everything about you, from online and offline sources, is loaded into massive databases that are used to decide not just what ad to show you, but whether to approve your loan application, lease you an apartment or offer you employment. What used to be separate streams of marketing, customer and credit data have all been combined into a largely unregulated data broker industry.
Collecting data about you happens all the time, and it is often invisible to you. Yahoo (part of Oath) lists more than 300 partners in its advertising network, each of which collects information about your behavior on thousands of websites.
Technology advances in collecting and using data have morphed into electronic surveillance. This global data about you network recognizes, records, decides and responds to people at nearly every moment of their everyday lives. Data collected for one purpose is used for purposes completely different from those for which it was collected. For example, all the data collected to determine your credit score is being used to target you online for advertising, just as all the data collected about your online behavior is being used to evaluate the risk that you will default on a credit card or loan. Context gets lost. The website says a company is collecting data to present an ad, but finance and insurance companies use the data for loan approval. Similarly, the financial data collected by credit bureaus is used by advertisers to qualify you as a potential customer and send you a particular ad or offer.
Business Obligations to Protect Privacy
Business fulfills its obligations to protect the privacy of your personal information by implementing “Fair Information Practices” (FIPs). According to Robert Gellman in Fair Information Practices: A Basic History: “FIPs are a set of internationally recognized practices for addressing the privacy of information about individuals.” First developed in the 1970s, these practices are reflected in the legislation cited above. Simple ideas first outlined almost 50 years ago still make sense.
- Personal record-keeping systems should never be secret.
- You should consent to collection and use of your personal information.
- You should be able to see the information about you, know how it is used and make corrections.
- Your personal information should only be used for the purpose to which you agree.
- The organization that collects and stores your personal information must make sure your personal information is secure.
Privacy scorecards measure how well businesses meet their obligations to protect your personal information in seven evaluation categories: disclosure, collection, consent, processing, access, security and oversight.