All Your Data Are Belong to Us
You’ve heard the expression, “When something is free, you’re the product.” And, while you may think it’s no big deal to give away your personal data in exchange for free online services, how can you know that what you get for what you give is a fair trade?
Go here for the World Privacy Forum’s list of the Top 10 Most Important Opt-outs.
Mozilla also has a few suggestions on how to manage the data privacy challenge discussed in this episode.
For more on this episode, including editorial commentary, visit Mozilla’s Internet Citizen blog.
Dave: Free cookies. Free cookies, you’re welcome.
Woman 1: Thank you so much.
Dave: I say we follow them.
Kevin: Let’s do it.
Dave: Let’s do it.
Veronica: Give free cookies to a stranger, and apparently you can follow them anywhere. This is Dave and Kevin.
Dave: They’re two 20 something, 30 something looking girls. So they’re going to buy alcohol.
Veronica: I paid these guys to follow these women, by the way.
Dave: One of them is short, one of them’s tall. We just got a bad look from a guy who looks like he works at the mall. Definitely questioning what we were doing. So should I just tell them what we were doing?
Veronica: Yeah, do it. I’d love to hear their reactions.
Dave: Did you notice that we were kind of following you a little bit?
Woman 1: Oh really? No, not at all.
Dave: Soon as we gave you the cookies, we’ve been following you around.
Woman 1: Oh.
Woman 2: Oh, wow, that’s really creepy.
Veronica: Okay, so my friends just handed cookies out to strangers so we could follow them. It’s basically the real life version of something that happens to you when you’re on the internet.
Dave: So what we were doing an experiment on … Internet privacy and the idea that companies just follow you around on the internet and track your behavior.
Woman 2: Oh, I totally know that.
Woman 1: Yeah, I’m totally aware of that.
Dave: Are you okay with that?
Woman 1: No, definitely not.
Veronica: Corporations do it with online cookies. Those cookies are like little tracking devices that they stick inside your computer or phone, except they don’t confess and they never stop following.
Woman 2: It’s kind of like they’re violating you in some way. You have no control over your privacy anymore, you know?
Veronica: No control over our privacy? No control over our data, basically. You know that’s a thing right? You know that’s the deal when we go online. You’ve heard the expression: When something is free, you’re the product. You might think it’s no big deal that giving away your data in exchange for free services is a fair trade, but if you don’t know how deep the data mine goes, how can you know that what you get for what you give is a fair trade? Welcome to IRL, an original podcast from Mozilla. Sometimes we do stuff online we’d never do in person, like posting comments we’d be too scared to say to someone’s face, or being reckless with our secrets, or signing away our rights without a glance at the fine print. But the fact is, there’s no real distinction between our online and offline lives. We only have one life. So, on IRL I’ll help you sort the good and the great from the bad and the suck of our online lives, and see what we can do together to make everything awesome, because online life is real life. I’m Veronica Belmont and if you know anything about me, not saying that you should, you know I loves me some internets. It’s been my passion and it’s been my career forever, which means however that there’s a ton of data about a certain Veronica Belmont just ready for the harvesting. I know there are companies out there making tons of coin by taking my data, packaging it, and selling it to the highest bidder, or any bidder I guess. Well, let’s see what this data industry is up to. Let’s sort out the things we should worry about from the things worthy of only a well-placed meh. When I first started thinking about this episode, I thought it might be fun to see what a total stranger could dig up about me with a little googling. I share a lot of data online, so I figure this could be pretty fun. So we found a stranger, but not just any stranger, someone who’s killer good at this.
Steven: You are the poster girl of oversharing. We’ll talk about that in a second.
Veronica: He is a legit private eye. He’s a real PI in New York City. And his name is Steven Rambam.
Steven: R-A-M-B-A-M. First name is Steven with a V. I’m a detective, I have been for 32 years and 90% of what I used to do, by going out into the field and knocking on doors and looking through musty archives I can do sitting at home in my underpants drinking a beer.
Veronica: That’s amazing.
Steven: I know everything there is to know about you, and I really mean everything.
Veronica: So you have said in the past that privacy is dead and that we should all get over it. What does that even mean? How do we get over it?
Steven: The problem with all of this oversharing is that once you’ve done it, it’s like virginity, you can never get it back. Anything that you later want to conceal, you can’t. It’s death of a thousand cuts. By the time even six months of you posting photos and showing what news sources you’re interested in, and what articles you linger over and who your friends are, it is out there, it will never go away. I can assure you, you can not get that data back.
Veronica: I have to know because I feel as though I’m pretty much an open book, as you said I’m the poster child for oversharing. But I feel like I do it very intentionally.
Steven: Well, I don’t know what you were looking to share but I can tell you that there’s nothing that is not available about you. You drink. Your tastes in booze are the same as mine, red wine and bourbon.
Veronica: That’s exactly right. That is exactly right.
Steven: Of course it’s right. I’m a detective. It took me about four seconds to get your social security number, which starts … you can bleep that.
Veronica: My heart is actually pumping really hard. It’s like beating out of my chest for some reason.
Steven: I have your brother’s identity. I have your husband’s identity. I have everywhere you’ve ever lived. I have where you’re living right now … Avenue … Since you’re gonna bleep it.
Veronica: That’s bleepable, yep.
Steven: Before that … street … street are you gonna be bleeping all this?
Veronica: Yes, I am.
Steven: You’re related, I don’t have it in front of me, are you related to Daniel Boone?
Veronica: Not that I know of.
Steven: Something like that. Well, somebody said that they are your relative, before that, they said that they were related to Daniel Boone, so you’re related to Daniel Boone. Surprise!
Veronica: This is kind of a weird question maybe, is it okay for someone to be okay with the way things are? To just say, “I’m not committing any crimes, or I’m not doing whatever.” Is it okay for me to just be out in the open?
Veronica: Or is that never a good idea?
Steven: No. Because you may … First of all, because you may change your mind. Second of all, because the world may change. You never know what is going to be tomorrow considered inappropriate. You don’t know what tomorrow may bring. You also don’t know what you want to do with your life. If you think you’re hired today without people looking at your social networking presence, you’re wrong. I can tell you that there are things in people’s social networking profiles and social networking posts that have prevented me from subcontracting cases out to them.
Veronica: Like red wine and bourbon.
Steven: No, I would hire you much quicker and we would debrief every night in a bar.
Veronica: I like that idea actually. Okay, well if I can’t find another job in the future, I know who to call.
Steven: I mean, I could have mentioned that you’re a Dodgers fan. I could have mentioned-
Veronica: No, No! You are so wrong. You are the opposite of correct with the Dodgers.
Steven: Excuse me, excuse me.
Veronica: The opposite of correct.
Steven: Giants, Giants. Sorry. I knew it was … Sorry, wrong. Giants. I didn’t look at the page.
Veronica: I love it, I love it.
Steven: It’s true, I am a die-hard Giants fan. Rambam was definitely not going to get away with that one.
Veronica: So yeah, I knew he would find some of that information out there, but being confronted with it all at once, it’s a bit overwhelming. It only took Rambam a few mouse clicks to gather that little bit of data about my life and history. Imagine if he had access to a giant vacuum cleaner and just was able to hoover up the entire internet instead. That’s basically what these data companies are doing. The data market is massive, how big? Well the going estimate puts it at over 130 billion dollars now and maybe as much as 200 billion in the next three years. Those in the business of buying and selling data, we call them data brokers. My producer pal, David Swanson, interviewed one to find out more about how this all works. Hey, David.
Dave: Hey, Veronica.
Veronica: So David, how are we going to figure this out?
Dave: A little thought experiment. I want you to pretend that we’re starting a business, and we want to market our business to potential customers.
Veronica: All right, well we started the episode with the free cookie stunt, so maybe we should continue with that theme. How about we pretend we’re starting a cookie business?
Dave: And I love cookies, so that just makes sense.
Veronica: Okay, is this just a fancy way to get you talking about data brokers?
Dave: Yep, definitely. You caught me there. And Zora Senat, she’s going to help us out too.
Zora: A data broker is similar to a mortgage broker, or any sort of broker. We are the bridge between our clients and users who are businesses using data for marketing purposes and the data aggregator.
Veronica: So, who does Zora actually work for?
Dave: Zora is the president of Exact Data in Chicago.
Zora: Exact Data, sorry I call it Data, you call it Data. Potato, potato.
Veronica: So, what kind of potatoes could we get for our cookie business?
Dave: That depends on what we want to ask for exactly, because exact data, data, has a lot of potatoes.
Zora: We have a consumer database of 240 million individuals. In that consumer database, we have over 700 elements that are associated with each individual.
Dave: I hope you got that. Exact Data knows 700 things about every single person in their database. That’s just one company.
Zora: So, name, address, city, state, zip, age, ethnicity, level of education, income, we can tell you whether you own or rent your home, and how long you’ve lived there. We also have a variety of interests data, include people who like woodworking, or motorcycling, or-
Dave: If you have grandchildren, if you’re interested in public affairs and politics, or dieting and weight loss, but yeah you get the point.
Veronica: That’s an extreme amount of data.
Dave: So, so far, this probably feels pretty straightforward, but it does get a little more interesting when we start talking about something called propensities.
Dave: Yeah, it’s just a fancy word to explain how data brokers package and repackage us into different categories and lists For example, a dog owner living in Brooklyn, who buys a certain brand of toothpaste and gets her vegetables from a local grocer, she’s more likely to vote Democrat.
Veronica: I’m pretty sure she was my college roommate.
Dave: Yeah, maybe. I actually just came up with that example.
Veronica: Some people might also find this a little bit creepy.
Dave: People basically have to trust that these companies are being careful with how they package and how they sell our personal data, and to whom they’re selling it to.
Veronica: So what if I want out? What does Zora say about that?
Zora: In most cases, you can opt out, if you contact these data aggregators and tell them you want your name and your information off of their list. All of the data providers we work with and our company maintains a global suppression file and honors those requests.
Dave: The trick is here, you have to approach each company individually.
Veronica: Okay, so I’m not really getting a good sense of how many companies there are.
Dave: Yeah, I don’t have a good sense of that either, and it doesn’t really seem like anyone does. But in the research that I did, the estimates that I saw were from between two and four thousand companies.
Veronica: Oh my God. I have to say I’m feeling a little bit guilty about buying these marketing lists for our imaginary cookie business.
Dave: We shouldn’t feel guilty because it’s just a cookie business, but that doesn’t mean that some people aren’t still uncomfortable with the idea, and that some people are just outright against it all together. It doesn’t mean that sometimes something could go wrong, right? Zora says that their company is really careful, but she knows that the industry still has some problems.
Zora: You’re right, if you have enough information about someone, it could lead to … That could have negative effects, which might need to be controlled by a system that doesn’t benefit directly from having this information. I definitely think there are opportunities for exploitation that we’d need to be aware of.
Veronica: So basically, my take away here is that these data brokers have a ton of information on us, they can slice it up into these really specific propensities, and at the end of the day, opting out is basically … It’s possible, but it’s really, really hard to do.
Dave: Yep, you got it.
Veronica: Okay, well thank you for all this data David, I guess.
Dave: You’re gonna call me tomorrow about that cookie business though, right?
Veronica: This is IRL an original podcast from Mozilla, because online life is real life. Okay, so a bunch of data brokers out there are selling our data. Your data, my data, your parents data, if dogs could type, their data would be packaged and sold too, but just how much are they selling our data for exactly? Well, that’s a really hard number to come up with. Here’s an example though. To get the names, addresses, and emails of 5,000 people in Chicago, who live in a five mile radius of your cookie store, and who all have kids under 15, who might like to buy chocolate chip cookies, a list like that costs $600 bucks. In this example, your data is worth $.12. Not much, right? But then again, that’s just for cookies. I’d like to think I didn’t sign up for this, but maybe I did. It’s not like I ever read the terms and conditions of the services I use, like everyone else I just click accept so I can get the free app, you too right? That’s exactly what Kyle Zak did, and what happened next, led him to sue the Bose corporation for allegedly data mining it’s customers. He hired the law firm Edelson, and they filed a class action suit. So here’s the deal, Kyle bought some wireless Bose headphones for $350. To make those headphones work even better, he installed the Bose connect app on his phone. You can use it for things like adjusting the headphones noise canceling levels and it can even monitor your heart rate. Kyle soon decided that the app should actually be called “Spy Tunes”
Kyle: I had been looking for noise canceling headphones, because I realized that living in Chicago and going to school, it’s going to be loud and I’m going to be around people all the time. I went on Amazon and found the Bose Quiet Comfort 35 headphones, which promised to provide me a quiet, secluded listening experience.You had to download to use with the headphones, which I thought was excessive, but if it meant it was the only way to use my headphones, I said, okay why not? Light bulb in the head thought, “Okay, I want to find out where my data is going. I know now that I’m generating it, where is it going?” So, Edelson was a firm that had a data lab where they would work on things, because they’re very dedicated to protecting consumer privacy. After a bit of research and tinkering with their experts, we found out that it us song titles, it is album titles, it is artist names, it is podcast titles, podcast series names, podcast authors, duration, what time of the day you’re listening to them, with what frequency, was all begin recorded, was all being cataloged, and was being sent to a data mining company. It was as if I was in a dark room and suddenly a curtain was drawn and I found out that I have thousands of people staring at me, creating marketing data from me without my consent, without my say so, and without my knowledge. The headphones are now off. They’re in the case, in the back of my closet. A former friend of mine asked, “Why haven’t you just resigned yourself to the fact that you’re always plugged in and everyone is watching everyone all the time? And everyone knows everything about everyone.” And I was horrified. I have never resigned to that fact. You can be an exhibitionist, or you can be as private as you want, but the issue is, everyone, regardless of how much or how little they value privacy, should have the right to choose how private or not private to be.
Veronica: You know, I own a pair of Bose headphones, just not the ones featured in Kyle’s lawsuit, and I want to believe that this company, which I’ve been a fan of for decades isn’t taking all of us for a ride. I did ask Bose what they have to say about this. Here’s what a spokesperson emailed back.
Bose Rep: We will fight the inflammatory misleading allegations. We don’t wiretap your communications, we don’t sell your information, and we don’t use anything we collect to identify you, or anyone else by name. If there’s anything else we think you should know, you’ll hear it straight from us.
Veronica: Hopefully they’ll whisper updates to us through the headphones. Whether or not Kyle’s lawsuit is successful, what’s clear is that he doesn’t trust the company anymore, he feels violated and helpless. So he’s fighting back, and he’s not alone. Companies keep getting their hands caught in the data cookie jar. Here are a couple of my favorite examples. Unroll.me is a free service that unsubscribes you from emails. I really liked unroll.me too, but they got caught selling their customers Lyft receipts to Lyft’s competition at Uber. And then there’s the company that sells smart vibrators. Yes, you heard me right, smart vibrators. WeVibe faced a class action lawsuit for selling their customer data. What data, you may ask. WeVibe tracked the exact times people used their vibrators and what setting they used, whether it was pulse, peak, and swear to God, a setting called ‘ChaChaCha’. Wow. Companies really can get your data from anywhere. Now, it looks like the companies you pay to access the internet pipes are about to join the data for sale game. You’ve heard of ISPs like Comcast, AT&T, and Verizon. This spring the congress voted to kill federal privacy rules that were about to be imposed on ISPs, so if they want to, they too can sell your data. Massachusetts congressman, Michael Capuano was astounded by the congressional vote, and he speaks for all of us when he said this on the floor of congress.
Con. Michael: What the heck are you thinking? What is in your mind? Why would you want to give out any of your personal information to a faceless corporation for the sole purpose of them selling it?
Veronica: Congressman Michael Capuano, sharing his inner thoughts about private data in a public forum. In case you’re wondering like I am, all of this data collecting is totally legal, basically. Back in the day, before the internet changed everything, you could pass laws for specific things like health data and credit data. Every now and again the federal trade commission might fine a data broker or two for breaking those specific laws. Otherwise the industry largely policies itself.
Pam: The problem is, is that we don’t have any overarching law, just for privacy, that cuts across all topics. As a result, privacy laws just hit data brokers tangentially.
Veronica: This is Pam Dickson, she’s the executive director of a non-profit called The World Privacy Forum.
Veronica: She’s a wonder woman who testifies in front of the US congress and tries to get governments to pass laws to protect us common folk from data abuse.
Pam: When people think about privacy, they tend to think in linear terms, but if you think about how we live our lives, our lives are really nonlinear. We are in a sea of information. It’s like a ball of yarn, and we’re all in the center of it. It’s all connected. As a result, any solution that has to do with privacy, is just going to have to be as interconnected, and work in all those areas.
Veronica: It kind of sounds like the data is just so rich these days that they can make these assumptions about us, without actually needing the exact information.
Pam: Yeah, I think that it’s very … Let me put it this way. We get a lot of calls from people who have been harmed by privacy problems. People calling who have really terrible cases of identity theft, or medical identity theft, problems I worry about are the problems that people don’t know about and can’t directly prove. We found a study where it showed that there was a national health plan, but the plan was not named. They had scoured through all these different pieces of information to find out was the most predictive about a person in terms of their health and how much they were going to cost the health plan. Of course, smoking was a huge predictor, right? We can all understand that. Another really, really big predictor that they kept on the top 25 list was how many online retail purchases you made of clothing items. I’m like, “Wait, what?”
Pam: Right. So, who would ever imagine that what we’re purchasing online is going to impact that. That what we pay for healthcare, or our assumed risk in healthcare. It’s that kind of thing that I’m talking about. We can’t keep track of it anymore. Because we can’t keep track of it anymore, it’s really important that business has rules to play by, and the government has more ability to look under the hood. A person needs to be able to make the choice. If you don’t have the means of knowing that you’re being tracked, if you aren’t able to make a meaningful choice, that’s a whole different thing, that’s not right, that’s not human autonomy.
Veronica: Healthcare costs and online shopping habits. Who knew they went together like peanut butter and chocolate. So that’s the way the cookie crumbles, the data industry knows more about me than by own mother does. My ISP, my Google, my Facebook know more about my hopes, and dreams, and schemes than my closest friends, maybe even my husband. Data is the new oil. People are getting rich by stealing your oil. Every time we click join and like and subscribe and add to cart and buy now and free two day shipping and rate your experience, data companies are sucking up all this intel.
Steven: Privacy is dead.
Veronica: That’s Rambam again. I think he says that because he remembers when our privacy was so full of life. He knows private used to mean something special. Privacy used to be priceless. IN the past the FTC and some members of the US congress have tried to introduce regulations or laws to tackle this data business. Those efforts have led nowhere. We haven’t made it clear that this matters. Some activists are fighting back. When that ISP bill was passed, a non-profit, pro-privacy group called Fight for the Future, posted billboards that showed the names, faces, and phone numbers of politicians who sold us out. The billboards also pointed out exactly how much money the telecoms gave them in quote, unquote donations. Actions like that just might get things moving in the right direction, Pam Dickson has high hopes.
Pam: It would be great if we marched on the streets for our data rights. We need collective action, and we need a collective voice to say, “Look, we care about privacy. It’s not dead. It’s alive, and we want to protect it.”
Veronica: Okay, short of pitchforks and torches though, she has another suggestion. The World Privacy Forum has a list of the top ten most important opt outs. It will help you lock down at least some of your data, so it’s a start. Mozilla’s also put together a few suggestions on how to manage this data privacy challenge. Check out this episode’s show notes at IRLpodcast.org to find out more. So remember, when you’re online, you’re never really alone. For data companies it’s “All your data are belong to us”, but our privacy and our data is much too precious to leave to them. In real life, you draw your curtains at night so people don’t peek into what you’re up to. Online, maybe you want to draw the shades there too. IRL is an original podcast from Mozilla. Listen and subscribe through your favorite app, or on our website IRLpodcast.org. leave a rating and a review on Apple Podcasts so we know what you think. Hear this music? IRL’s theme is composed by Roberto Angel Dweyer and Daniel Burn. It’s available under creative commons license, learn more on our website and feel free to take the theme and remix at will, let me know if you do. Next time on IRL, an internet topic that seems to be on everyone’s minds these days. The battle to save net neutrality. I’m Veronica Belmont, see you online until we catch up again IRL. Is it potato, potato … Am I saying data and he’s saying data and are we both right? Am I wrong?