PRISM and other surveillance projects have raised public awareness of the extent to which the NSA in the US – and similar agencies worldwide – conduct surveillance or collect metadata associated with individuals’ communications.
While security agency or law enforcement activities capture international attention, we ought to be equally wary of data collectors other than these. If security agencies are the devils we know, commercial data collectors are truly the devils we don’t know.
We come into contact with them every day. They gather not only metadata but content as well, often with little or no disclosure of what data they collect, how they use or store the data, or with whom they share it. And we willingly – if unwittingly – consent to them doing so!
In most daily encounters where our metadata or content is collected or shared, we have little or no clue about who the data collectors are.
The majority of users don’t ask questions each time they agree to a Terms of Service, subscribe to a forum, or download an app. Seriously, do you know:
- Who develops the apps you downloaded? The games you play on Facebook? The forums you join using your Twitter or Facebook account?
- Have you ever investigated who funds them? What country they operate from?
- Do you know what uses the social media or web site host makes of profile information you obligingly offer when you sign up?
- Do you take note of what metadata or content they will collect as a condition of use?
Metadata or Content?
If you are confused over the difference between metadata and content, the brief answer is that metadata are data that describe your activities, such as the phone calls you make, the people or businesses you call, and the dates, times and duration of your calls. Content is your conversations. These same distinctions apply for email, surfing, or watching movies over the Internet. Privacy by Design published a very thoughtful and thorough report explaining metadata versus content; do read it.
Read the Fine Print
Each time you authorize an app or game using a social media account, take time to know what metadata or content you are committing to share.
Each time you use a social media account to log in to comment or engage in a forum, read the challenge.
Let’s consider what we see:
Social engineering or Notice and Consent? Notice and Consent is a good thing. How Notice and Consent is phrased may be important as well. Look carefully at the entire notice before you consent. Is the data collector’s claim that they won’t see your password or post messages for you a disclosure, or is it an attempt to persuade you that “it’s OK” or to distract you from the fact that they will be able to read tweets from your timeline but haven’t disclosed what they will do with them? For instance, will they grab your tweets and use them in endorsements based on your “consent”? Is the positioning of the “Play Game” button for convenience, or is it optimized to exploit impulsivity?
Your choices will affect your friends. If a data collector is asking for access to your friends or contacts lists, it’s a safe bet that they will be targeted for advertising or solicited to “join in” (and perhaps with “your” recommendation). This works both ways: think about how their choices will affect you. This is repetitively obvious on Facebook, where apps relentlessly hound you to sign up, often because your friend Likes them.
Criminal actor data collectors love “Public.” Sharing to “public” promiscuously (i.e., your profile, all your posts and activities) exposes you to spammers or scammers who are just as voracious for your metadata or content as commercial data collectors. The more criminal actors can collect about you, the better they can impersonate you and spear-phish your friends, family, or colleagues.
Don’t be a threat to your own privacy
In an earlier post, I explain that there are only three true threats to Internet Privacy: public sector actors (e.g., governments), private sector actors (data collectors, legit or criminal), and you. While recent events suggest you have less control over your metadata or content than you imagined, you can avoid self-inflicted wounds. Read the fine print. Know the devils.