Data, while useful for tracking our personal goals, can also be a double-edged sword when third parties use it in ways we cannot control. You may have nothing to hide, but that doesn’t mean companies should be allowed to track your personal data.
The quantified-self movement, the movement that gave us Fitbit, RescueTime, Strava, Mint, Foursquare, 23andMe, and the like, promised that by tracking our lifestyle decisions, we would be able to make better decisions about our habits. If you wear a fitness tracker, for instance, you may already feel a Pavlovian pressure to take 10,000 steps every day.
And while data like this has proven valuable for people with clear goals, the data collected by these applications is almost always stored on company servers outside of your control, making it difficult to know who is accessing it and what it is being used for.
For instance, consider a long-distance runner who uses an app like Strava to track routes. What if, unbeknownst to the runner, the app is working in the background to sell data about their runs to shoe companies? What kind of targeting could a company do with that kind of data?
I wish I could say that this was uncommon, but due to the structure and incentives of the advertising industry, this kind of business practice is more common than you’d think. Internet companies that offer a “free service” often provide metadata on their users to third parties to generate a stream of income. The saying “If you aren’t paying for the product, you are the product” rings true here.
And while something like advertising for running shoes may seem somewhat innocuous, remember that the infrastructure in place for advertising can be exploited in much darker, more politically motivated ways. Russia’s 2016 meddling on social networks used exactly this advertising infrastructure and data collection to target individuals who could be easily manipulated into believing certain kinds of fake news.
This kind of manipulation is most dangerous in the hands of bad actors intent on tracking vulnerable populations, such as the Chinese government’s monitoring of the communications and movements of activists and dissidents. Ultimately, the data we collect to improve our own lives is not that different from the intelligence an adversary may want.
Putting an Alexa or Google Home in your house may give you a convenient way to find out on the fly whether your cat can eat pancakes, but it also places a physical listening device in your home that could be compromised to wiretap your conversations.
But what if I am an individual who wants to track areas of my life while still being in control of my data? Is it enough to trust companies at their word if they claim to keep your data private? Can we count on policies like GDPR to truly protect the privacy of users?
Unfortunately, with policies and businesses constantly changing, any privacy policy stated by a tech company should be treated more like a general guideline than a permanent guarantee. Deciding which applications you allow to collect your data thus requires a cost-benefit analysis weighing how important the data is to you, the value of the service provided, and your risk tolerance.
One argument I hear often is that people feel no need to take control of their privacy because they “have nothing to hide” and that only criminals should worry about invasions of privacy.
The truth is, while you as an individual may not see your own data as particularly valuable to anyone but yourself, there’s also no reason for anyone who doesn’t need access to that data to have it. Simply using products that sell your data to third parties means supporting business models that can be repurposed for darker, more problematic ends.
Data comes in many kinds of personal sensitivity, ranging from emotionally sensitive to legally sensitive to financially sensitive to biologically sensitive. All of these factors should be taken into consideration when deciding whether or not to use a service.
As a general rule of thumb, the more sensitive the data you entrust to a service, the more security and privacy you should expect from it. For example, I stopped using Mint after finding out that it did not support 2-factor authentication, leaving much of my private financial data vulnerable to phishing. For many services these days, I have come to expect 2-factor authentication at a minimum, because of how broken passwords are.
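To make the 2-factor point concrete, here is a minimal sketch of how time-based one-time passwords (TOTP), the most common second factor, work under the hood. This is only an illustration using the pyotp library, not any particular service’s implementation; the secret is randomly generated for the example.

```python
import pyotp

# During 2FA enrollment, the service generates a shared secret
# (this is what the QR code you scan actually encodes).
secret = pyotp.random_base32()
totp = pyotp.TOTP(secret)

# Your authenticator app derives a 6-digit code from the secret
# and the current time; the code changes every 30 seconds.
code = totp.now()
print("current code:", code)

# The service, holding the same secret, verifies the code you type in.
# A stolen password alone is no longer enough to log in.
print("valid?", totp.verify(code))
```

The value here is that the second factor is time-bound and never travels with your password, so a phished password on its own doesn’t unlock the account.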
Another thing to consider is what data is stored, where it is stored, and how it is stored. Among messaging apps, for example, Signal is end-to-end encrypted, doesn’t store message content on its servers, and keeps only minimal metadata: your phone number and when you created your account.
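As a rough illustration of what “end-to-end encrypted” means here, the sketch below uses the PyNaCl library to encrypt a message between two keypairs: only the recipient’s private key can decrypt it, so a server relaying the ciphertext learns nothing about the content. This is a simplified public-key encryption sketch, not Signal’s actual protocol (which uses the more sophisticated Double Ratchet), and the names are made up for the example.

```python
from nacl.public import PrivateKey, Box

# Each party generates a keypair on their own device;
# private keys never leave the device.
alice_private = PrivateKey.generate()
bob_private = PrivateKey.generate()

# Alice encrypts a message for Bob using her private key
# and Bob's public key.
sending_box = Box(alice_private, bob_private.public_key)
ciphertext = sending_box.encrypt(b"meet at the usual place at 6")

# A relay server only ever sees this ciphertext.
# Only Bob, holding his private key and Alice's public key, can decrypt it.
receiving_box = Box(bob_private, alice_private.public_key)
print(receiving_box.decrypt(ciphertext))  # b"meet at the usual place at 6"
```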
Privacy vs Security
Oftentimes, the line between privacy and security is not very well defined – a platform like Facebook may be secure, but not very private, and the website of some obscure bank may be private but not very secure.
Both are important considerations for data on the internet. In general, privacy has to do with how much data the company intentionally shares with third parties through APIs or other methods, whereas security has to do with how easy it is for a company to be breached by a third party.
The questions that I like to ask when thinking about my personal data online are:
- What is the business model of this company? Is it a business model that depends on advertising or selling my data to third parties? (Privacy)
- What is the likelihood that a third party would want to break into this service to obtain my data? (Security)
Let’s say that you’ve considered the risks and decide that you still want to use the service because of the benefits it provides. There are a few ways to improve your privacy.
Let’s take a service like 23andMe for example. It analyzes your DNA, one of the most private things about you, so a breach would be utterly disastrous. One strategy for mitigating the risk of personal loss in the event of a breach at a service like 23andMe is to avoid using your real name, birthday, address, payment information, or anything else that could be personally identifiable. That way, even if your DNA data is exposed, it is a little harder to map it back to you.
Another thing that helps maintain privacy is simply turning off the features you don’t use. If your profile doesn’t need to be public, make it private. Don’t share personally identifiable information you don’t have to. Don’t use Facebook or Twitter to log in, and use a separate email address whenever possible.
When it comes to security, mitigating risk means turning on as many security features as you can, whether that be 2-factor authentication, security questions, etc. These will only protect you against breaches of your own account, though; a breach of the entire service, of which we’ve seen a few examples, remains possible.
Ultimately, there are risks associated with every piece of data shared online, and while there is no way to be completely safe from breaches and invasions of privacy, a small bit of literacy goes a long way.