I’ve regularly discussed data privacy in this column, as it is one of the most important technology considerations of our time. Over the next few articles, I’d like to consider data privacy from a risk tolerance perspective. And as I examine personal data, I’d like you to consider this through the lens of who you are, where you go, what you buy, who you meet, and how you behave in real-time as you conduct your daily activities. In other words, your right to privacy as you live your daily life.
Identifying data like your social security number, your bank account, your address, your name and so forth are important – but painful as those may be to change, they can be changed. I want to explore the personal data that can’t be changed – who you actually are and the things you do every day.
Today, most of society is highly risk tolerant of giving up privacy in return for goods, services and convenience. As computational power increases, and cybersecurity threats loom, should we rethink that value proposition? And even if we should, is it too late? Is our proverbial cat (daily activity) out of the bag (in the hands of bad actors)?
Some people blame the loss of privacy on the “surveillance state,” and I’ll dig deeper on this concept today. Next week I’ll dive deep into the risks associated with biometric data, and I’ll wrap up in early August with thoughts on how we might mitigate data privacy risks that are rampant today.
George Orwell coined the term “Big Brother” in his dystopian novel, 1984. In that work of fiction, the future holds a totalitarian nation of Oceania, where the government watches and controls all of its citizens. “Big Brother is watching you” reminds everyone that their every action is being recorded by the government.
The good news is that in our real world — 40 years beyond Orwell’s vision of 1984 — the majority of world governments are not behaving badly in the manner of the novel. There is a tremendous amount of data capture about all of us that happens both actively and passively. But in my experience working with local, state and the federal government, the US is extremely diligent in their efforts to manage data ethically and legally.
That is not to say there are no governments that are behaving unethically. There is no question that China is spying on its own citizens, as well as people around the world. It is estimated that China has installed 700 million cameras with facial recognition technology across the country (1 per 2 citizens), and the government actively uses biometric face recognition for people to gain access to doctors offices, public transportation, government services and schools. A data leak in 2019 revealed China capturing 6.8 million face scans per day of adults, children and even infants.
Years ago, I was visiting a state-run electronics manufacturing facility in China. My factory tour ended early ,and when I returned to the conference room, I caught company employees copying my laptop hard drive. Needless to say our team immediately left and never did business with them.
That company, Huawei, happens to be the same one that the US government has banned from providing 5G services in the US. There are extremely compelling patterns of behavior in China to substantiate the US ban on using Chinese technology in the core of our telecommunications system. Similarly, the clear abuses of China, spying on their own citizens substantiates current concerns about TikTok. The app is a social engineering tool to gather personal data for millions of individuals.
If you have traveled to China in the past 10 years, you have definitely been cataloged at a transit entry point and tracked as you visited the country. If you’ve installed Chinese-manufactured security cameras in your business, municipality or home, there is a nonzero chance that those devices are sharing video beyond your intended use. When malware is built as a few malicious circuits at a nanometer scale among the billions of transistors on a semiconductor chip, it is essentially impossible to detect. That’s the foreign government risk we face (and why it is so important to re-shore a lot of our semiconductor manufacturing).
Now, the US also uses facial recognition and camera technology in numerous use cases. And so do all of our allies. But a few big differences exist.
- Face scanning is rarely mandatory in the US. For example, you can opt out of being scanned by a camera at TSA when you travel.
- The US government disallows long-term storage of facial images, except in some limited AI training applications. Government scans and cameras are intended to only conduct transient data capture.
- There is considerable open discussion about regulation of data privacy with a bias towards protecting citizens/consumers. This is a conversation out in the open, with regular debate on privacy regulation.
There is sufficient scale of government capture of personal data to warrant accelerating policy discussions and working diligently to create regulations for data privacy. Simply put, US privacy regulations are not strong enough. But there is insufficient evidence of unethical behavior for true worry that we are headed towards a government surveillance state. Lack of regulation (US) is different from inappropriate and unethical behavior (China).
Surveillance state lies in our commercial sector
I would wager that most people in the US are unaware that since 2018, every new car manufactured has positioning technology that reports to the manufacturer everywhere your car goes. Ford, Toyota, Honda and others collect location information, driving habits, car performance metrics and other data all in the spirit of enabling the manufacturer to make better cars in the future. How much do we trust our auto manufacturers to store so much detail about what we are doing in our day-to-day lives? Why should GM know which grocery stores I frequent, what podcasts I listen to while I drive and how heavy-footed I am when the light turns green?
Google (Android) and Apple (iOS) have similar knowledge of your every-moment position through our smartphones. But they also have access to all the other sensors on your phone, tablet and laptop. Recently, I started to get notifications of “memories” from my camera photo album. I am one of the odd souls who never granted access to automatically put my photos on the cloud when I take a picture with my phone. The terms and conditions for cloud storage give the cloud provider ability to digitally “look at” my pictures, which is an overreach. So I was surprised when I began getting memories from photos that are only stored locally on my device.
It seems that Samsung must have snuck new AI (and updated terms of agreement) onto a recent software update and now they are suggesting photos that I may want to view again, on the anniversary of the photo, or a group of different pet photos, a beach trip and so on. Object identification algorithms are lightweight enough today to run on our phones directly, without need for cloud computation. In one sense, this seems harmless fun.
But through another lens, what right does any company have to inspect the content of private pictures anyone decides to take? Without regulation, consumers have no choice but to accept corporate invasion of their personal privacy. After all, I have no choice but to accept the phone’s software upgrade when prompted. My only other choice is to not use a phone – a complete non-starter in today’s society.
A few years ago, you may remember a craze where lots of camera filters were developed where you pointed your phone camera at your face and it would render a funny hat or a silly beard or some other visual effect onto your face. A number of them were reported to actually be socially engineered tools to get people to make close up scans of their faces to feed facial recognition databases. In many cases, we click-through and give permission to companies to capture our private data, as we install an app. But I think most people don’t consider possible future consequences.
Perfect365 is an augmented reality beauty platform with more than 100 million users. Downloading the app gives permission for the user’s facial characteristics to be scanned and stored. What happens if Perfect365 is purchased by another company? Or goes bankrupt? Or is acquired by a foreign adversary? Do we really believe a beauty app company has implemented iron-clad cybersecurity to prevent our facial data from being hacked? Security regulation for beauty apps, or camera filters greatly lacks that of healthcare or banking, but the data these apps are capturing is just as valuable.
And even those “trusted” sectors are behaving badly. I recently changed doctors and am now working with a physician in the UNC Health system. Like most medical systems, they utilize a consumer-facing “patient portal.” I took the time to read the terms and agreements and found three separate call-outs disclosing that downloading the app gives permission for the company behind it to sell my personal data to third-party providers.
Personal health data regulations give specific protections – preventing insurers from discriminating against people with pre-existing conditions, for example. But if we sign away those rights for the convenience of scheduling appointments at a doctor’s office, who wins? This feels like massive corporate overreach, and I can picture the defense attorney in a future lawsuit, “but folks, they told you THREE TIMES in the user agreement that you were signing away your privacy.”
This isn’t an isolated case. Many companies are behaving extremely unethically. Meta was caught in 2018 capturing biometric data without user consent (a class action lawsuit was settled for $650M). Clearview AI created a tool to scrape more than 2 billion photos of people off social media and websites. They built a massive database connecting what people look like to their names and other data, all without anyone’s consent. Clearview currently sells that data on the open market, primarily to law enforcement organizations.
And while a healthcare provider or insurer may be regulated in their own data capture, security and usage practices, there is very little to prevent companies from learning about you from other non-regulated sources. Grocers capture what you buy (and presumably eat) from your usage of loyalty cards to get discounts at the register. Health insurers are the primary purchasers of grocery store sales data, personalized to each customer.
A good “quick check” if a company is subversively collecting your data (absent actually reading their terms of service and license agreements) is to consider how the company is engaging with hardware that you use. Hardware is where sensors reside, and sensors are the devices that capture and digitize our data and the world around us. I’ll give an example.
Every fast food chain that I’m aware of has a mobile app. They hope you’ll download the app to place orders. In reality, you don’t need to use an app to place an order. You could simply go to the restaurant website and order from there. So why does the company prefer that you order via an app? It is because an app allows the restaurant chain to put unique tracking software directly onto your phone. And app software can be used to access the sensors (hardware) of your device. This allows the restaurant to track everywhere you go, as long as you have your app installed.
The company may claim that the app is useful, because then it can control your phone’s vibrator to buzz an alert when your food is ready. The website can’t do that. This answer is logical, non-threatening and it markets well. But the probable real motive for the app is to enable data capture about you. Apps are expensive to build, maintain, and to market to convince you to download them. If the restaurant only wanted to capture your food order, their website is far simpler.
Your day to day activity data is incredibly valuable information to the restaurant, allowing them to tailor their marketing message to you, to send you promotions, to capture your historical behaviors, diet history and to implement other business-serving use cases. And of course they also build a data set that they might sell to their suppliers or on the open market. There is no reason that a restaurant needs your personal data in order to serve you a hamburger. But that’s the world we’re living in – an arms race by corporations to capture our personal information. As many retail locations go cashless, the opportunity for a truly anonymous meal is quickly going extinct. You can avoid the restaurant app, but still have personal data linked to a credit card transaction at point of sale.
It is urban legend (and perhaps true) that the only product that Amazon ever banned to sell on their e-commerce site is the Google Home. Amazon and Google so desperately want to put their microphones into every household that Amazon found it strategic to make it more difficult to buy the competitor product to their Alexa device. Our personal data is the ultimate corporate prize.
The really unfortunate situation is that most people don’t educate themselves, and therefore give their data away for (as I described above) the value of a hamburger coupon. Talk about an incredibly unfair exchange.
Unfortunately, regulations on the private sector have been extremely slow to roll out, and do not have much strength. To be fair, President Biden has made more effort to regulate big tech than any past president, but our politics are so screwed up that there is no support from Congress – not because there is much debate about corporate overreach into personal data – but simply because we’re dysfunctional. The recent Chevron overrule by the Supreme Court puts industry in a very strong position to continue the trend. Our personal data is “great for business”, so future regulations, if enacted, will face strong legal challenges.
Next week, I’ll dive deeper into the potential consequences of the corporate surveillance state, and why biometric data sets are especially important. It is an equally grim outlook as what I’ve described above. But a week after that we’ll explore where we might look for positive change and what we as individuals can do to be part of a solution.
The post Tom Snyder: Everyday, everywhere your devices are recording data about you first appeared on WRAL TechWire.
