Click to learn more about author Ram Sivasankaran.

Would you willingly pay to own a device that constantly transmits information on your activity to the manufacturer? Would you provide details as private as your name, birthday, phone number, gender etc., to a service that makes that information publicly available? Would you bank with a financial institution that uses your spending behavior to improve its marketing engines? 

My guess is one or all of these questions might have rung a bell with regard to a product or service you use in everyday life. Whether you answered any of these questions with an affirmative, or a resounding ‘no,’ your data footprint, as a consumer, is in the crosshairs of everyone you directly do business with (and some you do not).

In this article, we will address how companies gather your information, what they do with it, and how you can better protect your data and privacy by understanding the various categories of, and motives behind, data gathering. 

Data is the Gold of Today

In today’s world, the manufacturers and providers of popular products and services are finding increasingly innovative ways to also mine data from their customers – so much so that some of them possibly consider their more tangible products and services only to be a means toward getting a consumer “hooked” onto their platforms and becoming one of their data sources. Data thus obtained is directly or indirectly translatable to primary or secondary streams of revenue for the manufacturer or service provider.

Take the smartphone, for example. A device we carry everywhere, and one which rarely leaves our persons, is the primary bridge between ourselves and the outside world. It also tells much about our habits, activities, and everyday state of living, including our states of health, where our cars are parked, our home and work locations, travel routes, app usage, screen time, diets, who we connect with and how often, websites we visit … phew! And we have only touched the tip of the iceberg here.

Another tool/machine that we rely extensively on but that also collects and transmits a plethora of information is the automobile. From capturing data from road performance to onboard amenity usage, car manufacturers rely on this information to help improve fuel efficiency, engine design, and other features.

Whether a person is a typical technology user, i.e., one who uses devices such as smartphones and smart TVs, or a more advanced user, i.e., one who is conversant with the installation and use of smart home devices, it is important to understand the ramifications of choosing to bring such technologies into one’s life. It is not just the technology one signs up for, but also the company that has clear goals on what it plans to do with the information it collects from the millions of users of its products and services.

Always consider three factors while pondering over your relationship with modern-day networked tech.

• Terms of Anonymity & Privacy

If this section may be summarized in one line, I would say: Users need to be aware of what kind of data is being collected and who that data is being exposed to. Consumers have a right to keep their lawful activities private, whether they are browsing the web, reading articles, watching videos, or chatting with loved ones. We engage in many of these activities under the assumption that we are not being monitored, recorded, or logged by those who have no business having such information.

Yet, there are many indications that our activities over the web may not be entirely private. For example, if I have an item lying around in an abandoned cart on an ecommerce website, I might start seeing enticing ads and deals for that very item pop up all over the place – from the search results on my web browser to the ads lining my social media news feed. How could this have happened unless the three companies – the ecommerce company, the company that created the web browser, and the one that owns the social media platform, were tracking my commercial activity on the web? How could they know I was interested in an item – one I showed an interest to purchase – but have not purchased yet?

This boils down to what is called Personally Identifiable Information (PII). Examples of PII include name, phone number, address, email, etc. These are pieces of information that may be traced back to a specific person. It may go without saying that, in order to offer re-marketed ads of the nature I have just described, one needs to map a certain kind of generic activity with a very specific user, or, perhaps, a very specific machine/computer. However, there are often rigid and stringent software infrastructure and protocols in place for each of the players in the aforementioned scenario – the ecommerce company and the companies that built the web browser and the social network – to use a person’s data without infringing on that person’s privacy. These protocols allow retargeting algorithms to kick in and consume user data in a siloed and automated fashion, i.e., without exposure to or intervention from other humans.

In fact, many companies go to great lengths to scrub or mask the PII on their systems and have them substituted for by unique, alphanumeric user identifiers that may not be traced back to the personal details of any particular user. What results is a customized, online shopping experience for the user, better visibility for the merchants who paid for the ads, and revenue for each of the three companies mentioned. In fact, financial institutions also use a user’s financial activity (there are few things people consider more private than their finances) in order to predict a possible need for services. For example, if I made online payments to a real-estate service to help in my search for a new home, a financial institution might want to start placing mortgage banners on my online banking page to help pay for the home.

Of course, disclosing PII to third-parties without express permission from the owner of that information is amoral at best and unlawful at worst. Despite the best privacy protocols, user privacy has the potential to be breached, albeit unintentionally, at times, during the person’s use of smart devices, particularly those that are voice-activated. A rather interesting example of this was revealed in 2017 when a New Mexico man inadvertently triggered a phone call to the sheriff’s department during an escalating altercation with his girlfriend. According to a report from the New York Post, the man’s Alexa device called the police by piecing together and misinterpreting words the man was using while demanding to know whether his girlfriend had previously called the authorities in an attempt to report him.

While the story had a happy ending in that the police showed up and prevented a situation of domestic violence, it started an ethical debate similar to the one raised in Minority Report,the 2002 Sci-Fi thriller where “pre-crime” keywords recorded and transmitted from private homes resulted in pre-emptive arrests. The unintentional compromise of one’s privacy, if not freedom, regardless of the virtue of the end-result, presents a very real concern in the modern free world, and particularly in the use of smart home devices. 

A thorough read-through of any product or service’s data privacy policy should be everyone’s concern. However, clauses that document such practices are often buried in voluminous terms and conditions that most users don’t read. Many reputable companies now offer exemptions from such hard-to-find disclosures, which allow consumers to “opt-out” by calling a toll-free number, or through a settings page on the application. Companies that store sensitive information are required to have the requisite security infrastructure to protect user data from unauthorized access.

This leads directly into the next criterion that users must explore in order to assess their relationships with entities that gather data.

• Proficiency and Track Record in Data Security

Let us start this section with three examples aimed at highlighting the gravity of personal data breaches.

1. Most of us are fairly well aware of the infamous Equifax data breach of 2017, where the personal information of nearly half the American population was exposed to hackers. Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax also reportedly admitted that it was aware of the security flaw a full two months before the company says hackers first accessed its data – which many may consider an act of negligence.
2. The Equifax data breach was costly for the company. CEO Richard Smith was forced to resign and a settlement of upwards of $750 million was paid out to state and federal regulators. The greatest loss, however, was the irreversibly compromised customer identities.
3. Another unfortunate incident, which exposed the personal and financial information of nearly 340 million guests, occurred at Marriott Hotels. Reportedly, Marriott admitted that the hack had begun in 2014, but was only discovered in November 2018. Marriott faces fines, settlements, and class-action litigation for failing to adequately protect its customers’ data. Once again, the customer is the bigger loser.
4. A third massive breach which just occurred in September reportedly exposed the personal information of nearly the entire population of Ecuador to hackers. According to the report, security watchdog vpnMentor noted the breach originated on an Elasticsearch server based in Miami and owned by an Ecuadorean company, Novaestrat. The exposed data came from a variety of sources, including an automotive association, an Ecuadorean national bank, and several government registries. 

Information compromised as a result of breaches of this nature often includes deeply personal data such as names, birthdays, contact information, and tax identification numbers (to name a few). Much of their data is immutable and intrinsic to the very core of a user’s identity and once stolen is either extremely difficult or even impossible to salvage or replace. The worst part of these data breaches is the inability for the impacted customers to predict when, how, or if their private information will be exploited.

Given the reputable businesses that have fallen prey to hackers over the last several years, and the gravity of the data that was compromised, consumers must exercise caution in every aspect of their online presence. As security software evolves, so does a hacker’s capability to detect and exploit a hole, however small, in any given database before it’s plugged by the good guys. Most flaws in system security are addressed only after is has been discovered that a bad player has exploited them at least once.

It is nearly impossible to avoid disclosing some form of PII in today’s world. Almost every app, service, software product, and government agency requires registration of such information.  For consumers, it is simply smart to maintain a conservative online presence. If you are ordering items from an ecommerce platform or online store with poor brand recognition or using a service you do not expect to use often, it might be worthwhile to consider logging in and out as a guest. The idea here is to minimize your footprint across a host of products and services on the web. Allegorically speaking, the fewer footprints you leave, the lower the probability of a hacker “tracking” your information down.

Another smart move would be to do your bit in protecting your individual accounts, regardless of how robust the security of the platforms where they reside is. Follow all possible best practices to protect your individual online accounts by setting strong passwords, changing them periodically, and not sharing any sensitive PII or login credentials over the phone or through suspicious websites or emails.

Most importantly, stay abreast of events of data security lapses just in case you recognize yourself to be one of the victims so that you can take time-sensitive remedial measures.

• Intent of Data Use

Lastly, users must keep themselves educated and cognizant, to the extent possible, regarding how her or his data is being used by the companies that collect it. Many of us are only too familiar with the dialog box that pops up soon after a system crash or when a productivity software app unexpectedly shuts down. Companies often request users to submit anonymized error logs and reports so they may analyze what went wrong and possibly why. They use this input to mitigate future instances of similar errors. These reports, more often than not, feed back into customer experience in future iterations of the products concerned.

In fact, Tesla Motors often pushes realtime software updates to cars owned by its customers to address data gathered from collision reports and performance logs. As an example of one such occasion, Tesla released an update that allowed its cars to automatically increase ground clearance, while operating at freeway speeds, to mitigate incidents caused by collision with road debris.

Several apps also track user behavior and navigation through their workflows to identify bottlenecks in them and consequently, to improve user experiences. Ecommerce platforms such as Amazon and ad giants such as Google and Facebook often feedback learnings from user behavior to improve their targeting algorithms so users see the most contextual ads.

While it may seem like most companies have stringent practices and the best intentions when it comes to collecting user data, they also occasionally fall prey to bad actors. A case in point is the well-known incident between Facebook and Cambridge Analytica, a political data firm. Cambridge Analytica scraped and harvested data from Facebook users, including details on user identities, friend networks, and ‘likes.’ Only about 270,000 users of nearly 50 million raw profiles accessed had actually agreed to take a personality survey and have their data harvested for ‘academic use.’

This was in clear violation of Facebook’s privacy policies, which prohibit the sale or transfer of such data to “any ad network, data broker, or other advertising or monetization-related service.”

Given the above-mentioned incident, it is critical for users to limit the disclosure of personal data on social network profiles, regardless of the user-controlled privacy settings regarding the exposure of that information. There is absolutely no need for one to share details such as phone numbers, emails, full address, employer name, etc. on any social network (employer names are OK for professional networks). Such information is better suited for more private forms of communication such as direct messages.

On the other hand, social networks should also set adequate safeguards to prevent the harvesting of personal information from the profiles of users who have given them their trust. Facebook has, since the Cambridge Analytica debacle, upped the ante on the enforcement of its security and privacy policies. They have also embargoed data harvesting via quizzes and questionnaires and have begun educating users on the need to restrict or hide sensitive information from their public profiles. Several other social networks seem to be following suit.

Conclusion

In conclusion, the rapid acceleration of this aptly-called “Information Age” requires that we recognize privacy and data security as integral parts of enjoying many modern products and services. While the benefits of the transfer of information at the speed of thought are many, so are the risks of privacy and personal data being compromised and misused. Using all our smart devices, apps and services, with a full understanding of what their respective terms of privacy, security, risk, and fair use mean to us as users, is essential to the protection of our private data and our very identities. Let us, as informed users, reap the benefits of this world, knit together by all of these information networks, in a safe and secure manner.