Privacy in a modern context may seem like something of a nebulous context to many.
To be a truly private individual in the world today would mean the eschewment of the vast majority of the world’s largest social networks, entities which have become utterly entwined with a person’s identity for huge swathes of the global population.
Why should those networks and portals be avoided given they all have intricate privacy settings?
There is a very simple answer - Facebook and Google, to cite the two most oft-referred-to corporates in terms of the consideration of privacy, exist in their purest form as collaterals and sellers of advertising data.
Those companies - worth a combined eyewatering total of roughly €1.3 trillion between them in 2020 - have amassed that enormous value in one manner alone - by marketing their users’ data.
The ubiquity of the tech giants - well-represented by their presence in (and importance to foreign and domestic policy of) Ireland - can be summed up by a small comparison. Thirty years ago the list of the biggest companies in the world was dominated by motoring and petroleum conglomerates like Exxon Mobil and General Motors. In 2020, the top five most valuable companies on the planet - Microsoft, Apple, Amazon, Alphabet (parent of Google), and Facebook - are all tech-based.
Not all of these companies provide the same service. As evidenced by certain privacy concerns posited regarding virus tracking apps in the age of Covid-19 for example Apple (which exists primarily as a purveyor of innovative hardware as opposed to a data harvester) and Google’s business approaches are fundamentally different.
The majority of privacy concerns surrounding those applications are focused on Google Android devices because those units are attuned to gathering user data as a pre-requisite for their operation, whereas Apple iPhones are not.
A rejoinder to accusations of privacy-opacity regarding the State-sponsored apps that have been rolled out to battle the coronavirus (which include Ireland’s own Covid Tracker) are that all applications operating under Android submit data back to Google (one possible response to that being that perhaps they shouldn’t - there is no evident need for a civic-minded virus tracker to do so for example).
This is a not-too-distant relative of the justification that most people have for allowing big tech the access to their private lives that they do: that the convenience and service received negate any potential downside.
Many people are comfortable enough with the trade-off between paying nothing for an app and having it access large tracts of their phone’s internal real estate while bombarding the user with unsolicited advertising.
This is an easier argument to make in the case of Google given the indisputable utilities that the company provides, from GPS maps to translation services, music-identifying to its all-conquering search engine.
Facebook, which is fundamentally a photo-sharing site, monetises people’s time online and copyright’s their photos while at the same time facing routine accusations of providing no tangible service.
So is ignorance bliss? Just how much do Google and Facebook know about their users?
The answer to that question is, of course, dependent on what we allow them to know. But assuming that at some point the companies have been allowed to access some manner of information on someone, the data itself is easily accessed. It’s the sheer volume of it that can be disconcerting.
For starters, Google records everything. Everything.
Think back to when you first set up a Google account. Everything has been recorded. Every search you’ve performed on Google (or its subsidiary Youtube) has been recorded. It’s comprehensive to the point of irrelevance.
But data is rarely irrelevant. And more than anything, before we even scratch the surface of the questionable actions made possible via a person’s harvested data, in purely capitalist terms your data is valuable.
While there are options to delete your search history, a more in-depth approach needs to be taken in order to erase it comprehensively forever. And even then, who knows.
Some of this may feel intuitive. If you’re a serial relier on Google Maps to tell you how long your journey is going to take, or to describe to you the best route for reaching an unknown destination, a certain quid pro quo is implied - live traffic data is provided by receiving GPS input from all Google devices updated constantly.
But why does it need to be stored? It needs to be stored to satisfy the company’s successful business model.
There is an option within Google to have the search engine update you on your whereabouts on a regular basis. In preparation for this article your writer asked for said update to be delivered.
As it happens, I am an example of someone who uses GPS (and Bluetooth) sparingly and only when needed, more as a battery saver than due to any high-minded concerns regarding Big Brother.
But we live in extraordinary times, and the need to run Ireland’s Covid Tracker in the publicly-spirited desire to do my civic duty and help battle the coronavirus has led to both Bluetooth and GPS being switched on on my phone 24/7 since the app launched at the beginning of July.
Google itself has a near monopoly over the online search engine market - roughly 90% of all searches performed online are via its portal.
To give an idea of the sheer volume of data Google holds on you, you merely have to inspect the takeout option it offers to all users (www.google.com/takeout). Be warned, files can be downloaded by individual category, but they are likely to be large, at least several GB in size. The scale is dizzying.
As mentioned above, if you’ve GPS tracking enabled, the company files your location history away.
A random scan of 2011 in your writer’s case brought back to mind almost-forgotten trips to Scotland and Barcelona, both of which are significant in that the use of GPS was necessary in order to navigate unfamiliar territory. All of this was recorded.
While this applies only for when GPS is enabled, the vast majority of apps on Android devices routinely submit phone numbers, IP addresses and other information, which could be used to approximate location, back to Google also.
The company likewise stores every mail you have ever sent or received via Gmail, although long deleted mails appear to be exempt from what is available for download.
Every document created via Drive, Google’s virtual desktop, is preserved, including all deleted files.
Along with your entire web search history, all your Youtube searches are preserved.
Should you use Google Calendar all events you’ve attended are detailed. Should you use Google as a photo backup, every photo you’ve taken will be recorded.
In summary, if you use Google for anything, from workouts to browser history to your history of Android app usage, you can be sure that your relevant activity is being recorded.
The scale is breathtaking. And all of this has arisen in the past 15 years, a period which has seen the idea of what constitutes privacy and data protection change beyond recognition.
Facebook app interactions meanwhile, which naturally feel harmless on the surface, were the basis for the initial Cambridge Analytica data grab - the infamous data hack which led to the targeted advertising perpetrated by Donald Trump’s successful 2016 run for the American presidency.
In that case, the app in question was a simple personality test which allowed political consultants Cambridge Analytica access to not only to the personal data of those who took the test, but their Facebook friends also. Eventually the profiles of 87 million people were harvested.
Data is both valuable and has consequences.
Naturally, the option exists to delete all of this information, although there are several caveats, not least the fact that deleting data from one device may not encompass that held on older units.
In Facebook’s case, the only way in which to permanently delete your data is to completely close your account.
Plus, with so much going on beneath the hood as it were in terms of interaction with smartphone apps and their ilk, it’s at best implausible to suppose that nothing untoward could be achieved with access to that data.
Concerns over surveillance culture have obviously not been lost on Google. The company stated in June of this year that henceforth new accounts will have some of their data deleted automatically after a period of 18 months, and 36 months in the case of Youtube, with prompts to follow for existing users in order to allow them to alter their settings. Auto-deletion was first introduced by the company in 2019 - however, the option was opt-in rather than opt-out.
In only applying automatic deletion to recently created accounts however the impact may well be negligible, while the principle does not apply to photos, mail, nor Drive files - none of which the company says are used for advertising purposes.
“We know that information makes our products helpful,” Google product manager David Monsees said in June.
“Data minimisation is one of our important privacy principles. Google will no longer keep activity indefinitely unless you ask us to.”
Meanwhile, speculation regarding smartphone applications and smart devices listening to people’s conversations via in-built microphones has been rife for years.
Both companies subsequently shelved such activities. However, such stories all feed into the notion that useful though such smart devices may be, the public at large is willingly giving away unparalleled access to private companies in a manner that could scarcely be conceivable were the State to perpetrate same.
In terms of app permissions meanwhile, who among us can say they haven’t skipped over a needed app’s request for data access in order to get the information we need at that time?
Ireland will shortly play host to the first European data centre for TikTok, the embattled Chinese video sharing app.
The data gathering practiced by the app, which recently fell foul of President Trump primarily off the back of its nation of origin, is the stuff of nightmares.
Last week, Google invested $450 million in a Florida-based security corporation ADT with a view to partnering in pioneering smart home security systems, a marriage of convenience for both given the prevalence of smart speakers in homes and the latter’s established security network.
With Google apparently seeing home security as the wave of the future, as well it might, the data revolution will only get more pervasive, and possibly intrusive, as time goes by.
In fact, to give a quick example of how the world is changing before our eyes, a recent IBM study estimated that 90% of the data accessible online has been produced within the past four years, a staggering figure.
All of which begs the question - should we care more about what is happening to our data? And is it ok for the citizens of an entire planet to be monetised in the manner that they are?
Well, for starters, the common notion that people are completely happily oblivious to the marketing of their own idiosyncrasies may be a misnomer. The issue is not necessarily with the fact that data is shared between institutions, which many accept as a necessary evil in order for a digital society to progress smoothly, but rather how transparent the action is.
A 2018 study by communications and messaging platform Viber found that four in five people pay scant attention to privacy settings on common social media apps with a view to controlling how their personal data is used.
However, the same study found that more than half of the people involved would stop using an application if they felt their data was being viewed by third parties without their consent. The contradiction is inescapable.
Meanwhile, closer to home in a European context Eurostat - the EU’s statistical office - found earlier this year that significant swathes of Europeans are sufficiently concerned over data security to limit the information they are willing to give to social networks.
Some 25% of the adult population surveyed said they would avoid or limit their use of such networks - in Ireland the figure was 20%. Nearly half of the respondents said they had limited their recent internet use in a similar manner in 2019.
“We are becoming more concerned as time goes on,” said Simon McGarr, a privacy solicitor and director with Data Compliance Europe.
“As things stand the gap is one of power - people are concerned but they feel powerless to do anything about it. That is not the same thing as being happy with everything that Facebook or Google knows about us.
“I wouldn’t agree that people have no concerns about their data, things have improved greatly over the past 15 years. People have begun to sit up and think,” says Deputy Commissioner for regulatory activity at the Data Protecton Commission Tony Delaney.
“It’s frightening to think of the carelessness with which manual records were being handled before then.
“More and more people are rightly tuned in and concerned and happy to draw attention to where it needs to be, to ask the question: ‘why are you doing that?’” he says.
Interestingly, one situation that perhaps best highlights the power that Joe Public can bring to bear on big tech and how it handles our data is the aforementioned Covid Tracker app - the civic-minded project designed to empower citizens to make a difference in the fight against coronavirus via one simple download.
The app went through a three-month agony of gestation, with a decidedly less than privacy-centric initial foray abandoned in favour of an anonymised exposure notification system based upon a template drawn up via a joint effort by Apple and Google, the first time the two companies had joined forces to such an end.
“The fact they came together, two companies which are such natural competitors, shows they understood how important it was to get, this app above all, to get it right from a privacy point of view,” says one industry source.
Ireland’s app went from one extreme to another, the final product being a model of how such a project should be designed in terms of privacy-considerations, with the application’s source code and data protection impact assessment (DPIA - a core pre-requisite for all data projects under the EU’s General Data Protection Regulation) published before its launch - an unheard of compromise in terms of an Irish State data project.
“The point of the Covid app was that people wanted their data to be used properly, it dominated the discussion long before the application had been launched and led to an about face from the health authorities,” said Mr McGarr.
“I take my hat off to the HSE who tried to do things that no one had done previously despite a relative lack of expertise in the area.”
A niggle remained - the Google / Android version of the app required location access to function, despite the exposure notification system being entirely based off bluetooth functionality in order to allay fears of location tracking.
Google argued that this was a consequence of the Android tech standard, which uses the GPS function to kickstart bluetooth beacons.
Similarly, it emerged that the tracker, in common with practically all other commercial Android apps, was sending data regarding phone numbers, IP addresses, and handset serial numbers to Google via its Google Play Services application as a matter of routine.
Google again argued that such data sharing is industry best practice, but the fact remained that the app as it exists on Google’s platform behaves in the same manner as commercial applications, despite its altruistic raison d’etre.
A fix was released inside 48 hours to plug the hole, which reportedly stemmed from the HSE app denying a data access request to Google that is routinely answered by commercial apps.
“The Android platform is inherently linked to an advertising agency,” says McGarr. “And that weekend showed just how critical the reliance on Google Play Services really is.”
“On Android very significant things have been subcontracted out to Google. Google went looking for data that had been turned off, which left the request caught in a loop and caused the drain. Which shows that if the Covid app had the problem and others didn’t it’s because the others are willingly pumping that data back to Google.”
While the Covid app may represent a high water mark for Ireland in terms of State-sponsored projects with the capability to affect private citizens’ privacy, standards fluctuate wildly across the public service.
With controversial projects like the Public Services Card still very much in train, not to mention repeated breaches by the likes of child and family agency Tusla and individual hospitals, there is much room for improvement in the public sector also.
Deputy Commissioner Tony Delaney, asked which entity tends to be more egregious in its approach to data protection and privacy, the public or private sector, answers that it’s a “hard question” to answer.
“It depends on where you’re talking about. The private sector has a lot of resources to direct towards such actions,” he says.
“A lot of what bothers me most about the public sector is that citizens don’t have the choice they have when dealing with private entities. When you’re dealing with a public body broadly speaking you have no alternative in order to get the things done that you need done.
“In the private sector you have a choice. If I don’t like one bank I can go to another. But public sector organisations are in a very privileged position. If you’re dealing with them then you’d have an expectation that they’d behave in an exemplary manner towards data.”
Are some entities worse than others in the private sphere?
“Trends would suggest that some entities are a great deal less compliant than others that’s for sure,” he says.
Read More
One of the most consistent privacy staples in the era post-May 2018, following the institution of the EU’s powerful General Data Protection Regulation (GDPR), is cookie consent forms on websites - the standard preamble to a visit to a new cyber-platform, with the site requesting permission to take note of and track your activity there in order to drive targeted advertising and “improve your browsing experience”.
The practice of using a customer’s activity for the goal of providing valuable consumer data to third parties is not a new one - in the offline world supermarket chains like Tesco have been doing it aggressively for years via different variants of clubcard schemes for example.
Nevertheless, in light of heightened privacy standards put in place at EU level, the use of cookies across the web is now firmly in the spotlight.
Many people will be well-versed in the practice of clicking an ‘allow’ button as a form of cookie-monitoring consent as a matter of course when viewing a new site.
But under GDPR, the standard for given consent when negotiating such a request is greatly heightened. And this is not a standard necessarily being well met by Irish sites, per a review or ‘sweep’ of the practice by the DPC from August 2019.
Of the 38 sites considered by the review, “it is our view that almost all of the sites continue to have compliance issues, ranging from minor to serious”, the DPC said.
Issues found include implied consent to cookies, that is the presumption of acquiescence just by visiting a site, which falls far short of the consent standards set by GDPR, along with pre-checked boxes and sliders.
More egregious, however, were media organisations and banking and financial institutions boasting a “significant” number of third-party advertising trackers, including social media trackers for adtech purposes.
One media organisation noted its use of a third-party GPS cookie installed on mobile devices to enable tracking based on location without consent, while a bank admitted to combining information entered by site visitors into lending product calculators with targeting cookies for advertising purposes.
“While this sweep was conducted on just a small number of ocntrollers, it has highlighted a significant landscape of tracking of users of Irish-based websites,” the DPC said, adding that bringing all sites into compliance with EU privacy regulations would represent “a significant challenge”.
All of this does show a heightened sense of willingness on the authority’s part to action privacy concerns in the near term.
Coupled with this is the advancement of legislation on both sides of the Atlantic Ocean with the goal of elevating privacy standards, the GDPR having set the template for same.
But perhaps the most striking blow for privacy rights across the globe was handed down by the Court of Justice of the European Union (CJEU) in July of this year, when it struck down with one blow the controversial Privacy Shield understanding between the EU and the United States enabling the transfer of data between the two.
This stems from the seeming incompatibility of data protection standards in place in the two territories given the surveillance perpetrated as a matter of course by US intelligence agencies.
The case, which originated in an action taken by the Irish DPC against Facebook on foot of a complaint to the Irish regulator from Austrian privacy activist Max Schrems, will have enormous consequences for how business is conducted in the tech spheres in the immediate future.
Further there doesn’t appear to be any avenue for the judgement to be struck down.
The effect this will have, once enacted into Irish and European law, is hard to either quantify or downplay. It will require a fundamental reimagining of how big tech does business, not least because initial American attitudes to the decision were less than enthusiastic.
That is not to say that it’s application will necessarily be smooth. The sheer complexity of the 63-page decision is such that all parties, even those apparently set to be discommoded by it like Facebook, “welcomed” the decision in its immediate aftermath.
But it points to a future where the data landscape, which appears so scattered at present due to the sheer scale of the explosion internet usage, will be brought to heel by regulators. For those concerned about their privacy and the safety of their personal data that can only be good news.