1 of 69

The Politics of Technology

Spring 2019: Using Your Data for Fun and Profit

1

Terry Gray, PhD www.TerryGray.org

gray@uw.edu

CRI May 2019

Week 3

2 of 69

Outline

Week 1

Inconvenient Truths
History & Headlines

Week 3

The Data Economy
Tracking & Targeting

Week 2

Privacy
Personalization

2

Week 4

Impact on Democracy
Trends & Takeaways

3 of 69

Topic 5: The Data Economy

3

You are the product

4 of 69

4

Business

Model

Tensions

5 of 69

Business Models Evolve...

5

Business trends: Goods → Services → Finance → Data

6 of 69

Mixed Models

Selling Goods / Services

Apple, Microsoft, Amazon

Google, Facebook�

Selling Ads… “Free” Svcs

Google, Facebook

Apple, Microsoft, Amazon

Selling Data

Acxiom, Experian��

Selling Upgrades

“Freemium” --most apps

6

7 of 69

“Free” = Fuel for Internet Growth

“Free” (ad-based) services bring:

Wide availability of useful services
Rapid growth
Targeted ads
Click-bait
Viral spread of toxic content
Massive data collection
Incentives for “attention addiction”
Attention & data → Corporate assets

Gratis vs. Libre

Free as in Beer
Free as in Speech
Free as in Puppy

7

8 of 69

“Free” Services

8

User

Service

Advertiser

Data Broker

Data

Dollars

Who is the Customer?

And what is the product?

You → Attention → Data

9 of 69

Ad-Tech: The Beginning...

9

October 27, 1994: the website HotWired (now Wired.com) displayed the first online banner ad, paid for by AT&T.

10 of 69

Google Changed the Game

AdWords: Google sells ads based on search keywords� → then displays on search results page (2000)

AdSense: Google buys space on web pages � → then fills with ads based on page content (2003)

10

Impact: Google started collecting and analyzing a lot of data to improve its ad business.

Pg 117, “In the Plex” by Steven Levy

“Though the internet was different from other media, most internet companies were still selling ads the Way Madison Avenue had always done it. Google saw the entire exchange differently. Advertising in Google was less comparable to television or print that it was to computer dating. Google was a yenta -- the Yiddish term for the pesky, persistent matchmakers who linked brides and grooms in the shtetl. It matched advertisers with users. “

https://www.wordstream.com/articles/interactive-history-of-adwords

AdWords (selling SERP ad space to business, based on search keywords) introduced Oct 2000

AdSense (selling your ad space to Google) launched June 2003

October 2009 – “Mesothelioma” becomes the most expensive keyword in paid search, with a cost-per-click of $99.44. The keyword would later reach CPCs of more than $900.

11 of 69

Data Economy: the Dark Side

Data breaches -- e.g. Equifax, Yahoo
Data inaccuracy
Fake ads --created to attack users via embedded malware
Fake users --created to attack advertisers via “click fraud”
Third-party data abuse -- e.g. Cambridge Analytica

Personal data “leakage” via misuse of ad bids or covert apps
Brokers selling personal data to unscrupulous “clients”
“disinformation operators are typically indistinguishable from any other advertiser” --from “Facebook enables 'fake news' by reliance on digital advertising”

Information = asset: commodification → asymmetry, inequality

11

12 of 69

Data Economy Dystopia

12

13 of 69

Evolution of Capitalism (Zuboff)

Industrial capitalism: commoditize land / resources / labor
Financial capitalism: commoditize investments
Information capitalism: commoditize personal data

Surveillance capitalism: extract info assets w/o consent / compensation
When your business is to sell data, you always need more data
Big worry: information asymmetry, inequality, and influence

13

Maximizing attention / engagement == Subliminal advertising redux?

14 of 69

Data Collection Motivations

Service improvement (especially for “assistants”)
Commerce (Ad revenue; “Feed the Machine”)
Surveillance
Control / Influence

14

Is personal data collection inherently bad??

Depends on how it is used!!

15 of 69

Who Do You Trust? Faith-based Privacy

15

Trust Graph� Enforced by contract

Data Broker

App Developer

Platform

User

Advertiser

16 of 69

16

Duh!

People say they care about privacy but they continue to buy devices that can spy on them

“Some 63 percent of people find connected devices to be “creepy,” and 75 percent don’t trust the way their data is shared”

“Nearly 70 percent of survey takers said they own one or more connected device, which include smart home appliances, fitness monitors, and gaming consoles.“ By Rani Molla @ranimolla May 13, 2019

17 of 69

Who do you trust? Privacy Policies

17

We don't sell any of your information to anyone, and we never will. We also impose strict restrictions on how our partners can use and disclose the data we provide.

Google does not sell your personal information, which includes your Gmail and Google Account information. We also do not share your personal information with advertisers, unless you have asked us to.

Google will not target ads based on sensitive information, such as race, religion, sexual orientation, health, or sensitive financial categories.

Information about our customers is an important part of our business, and we are not in the business of selling it to others. We share customer information only as described below ...

https://www.amazon.com/gp/help/customer/display.html?nodeId=468496#GUID-1B2BDAD4-7ACF-4D7A-8608-CBA6EA897FD3__SECTION_3DF674DAB5B7439FB2A9B4465BC3E0AC

Does Amazon.com Share the Information It Receives?

Information about our customers is an important part of our business, and we are not in the business of selling it to others. We share customer information only as described below and with subsidiaries Amazon.com, Inc. controls that either are subject to this Privacy Notice or follow practices at least as protective as those described in this Privacy Notice.

Affiliated Businesses We Do Not Control: We work closely with affiliated businesses. In some cases, such as Marketplace sellers, these businesses operate stores at Amazon.com or sell offerings to you at Amazon.com. In other cases, we operate stores, provide services, or sell product lines jointly with these businesses. Click here for some examples of co-branded and joint offerings. You can tell when a third party is involved in your transactions, and we share customer information related to those transactions with that third party.
Third-Party Service Providers: We employ other companies and individuals to perform functions on our behalf. Examples include fulfilling orders, delivering packages, sending postal mail and e-mail, removing repetitive information from customer lists, analyzing data, providing marketing assistance, providing search results and links (including paid listings and links), processing credit card payments, and providing customer service. They have access to personal information needed to perform their functions, but may not use it for other purposes.
Promotional Offers: Sometimes we send offers to selected groups of Amazon.com customers on behalf of other businesses. When we do this, we do not give that business your name and address. If you do not want to receive such offers, please adjust your Customer Communication Preferences .
Business Transfers: As we continue to develop our business, we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise). Also, in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.
Protection of Amazon.com and Others: We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements; or protect the rights, property, or safety of Amazon.com, our users, or others. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction. Obviously, however, this does not include selling, renting, sharing, or otherwise disclosing personally identifiable information from customers for commercial purposes in violation of the commitments set forth in this Privacy Notice.
With Your Consent: Other than as set out above, you will receive notice when information about you might go to third parties, and you will have an opportunity to choose not to share the information.

18 of 69

What about Data Brokers?

18

[Image by Cracked Labs]

19 of 69

About

Data Brokers

(2015)

www.webfx.com

19

https://www.webfx.com/blog/general/what-are-data-brokers-and-what-is-your-data-worth-infographic/

https://www.webfx.com/blog/wp-content/uploads/2015/04/data-broker-infographic1.png

What Are Data Brokers – And What Is Your Data Worth?

[Infographic]

Have you ever received an advertisement in the mail and been impressed by eerily relevant it was to your exact interests or situations? You may have chalked it up to coincidence, but that kind of accuracy probably didn’t happen by chance. What’s more likely is that the business purchased your information from a data broker.

If you’re familiar with data brokers, this won’t come as a shock. But if you’re not already aware, data brokering is a multi-billion dollar industry made up of companies who collect consumer data and sell it to other companies, usually for marketing purposes.

So what do they know about you? And how much do they make off of your personal information? Check out our infographic for all of the details.

The data on data brokers

Let’s start with some background information on data brokers. Essentially, they are companies who collect information from public records, online activity, and purchase history and re-sell it to other companies for marketing purposes. The more companies know about consumers, the more targeted (and successful) they can make their advertisements, so data brokers try to collect as much information as they can.

section 1

Today, there are over 4,000 data brokering companies worldwide. Acxiom, one of the largest, has 23,000 servers collecting & analyzing consumer data, Data for 500 million consumers worldwide, and up to 1,500 data points per person – and that’s just one company.

But where do they get this information? Over 1,400 “leading brands” sell information from store loyalty cards to data brokers, meaning that if you’ve ever signed up for a loyalty or store credit card at one of your favorite stores, there’s a good chance the data you provided was sold to a broker. Depending on the store you signed up at, you could be added to a variety of different databases. For example, if you signed up for a loyalty card at a pet store, your information might be sold to companies looking to market to pet owners.

Although it is a relatively new industry, data brokers already have information for a pretty sizable amount of the population. In fact, 80% of U.S. email addresses are on file on Towerdata, and 38% of employed Americans’ pay stub information is available on Equifax. In addition, databases like CampaignGrid and ProPublica have political information including party affiliation and campaign contributions for 80% of registered American voters.

It’s pretty safe to assume that at least some of your data is on file with brokers. Now let’s look at how much that information is worth to data brokers – and what it might be worth to you.

What is this information worth?

middle section

To data brokers:

As it turns out, consumer data is worth a lot of money. The average email address is worth $89 to a brand over time, so it makes sense that they are willing to pay for that kind of information. In 2012, the data brokering industry generated $150 billion in revenue – that’s twice the size of the entire intelligence budget of the United States government. Now, data brokering is a $200 billion industry, and it isn’t showing any signs of becoming any less profitable.

But how do they make their money? Different companies operate in different ways, but they generally sell information in the form of lists contact information for people that fall into specific categories. Most of the time, these lists are sorted by interests and characteristics like “fitness enthusiasts” or “new parents.” In some cases, however, the lists are a bit more questionable. One company actually sold lists with information from 1,000 people with health conditions like anorexia, substance abuse, and depression for $79.

To consumers:

Although consumers don’t stand to gain as much as data brokers from their personal information, they aren’t completely powerless. 43% of data brokers allow consumers to opt out for free, which can be time-consuming, but worth the effort if you don’t like the idea of your data being sold. If you’re really serious about your privacy, for $99/year, reputation.com will keep your data out of databases entirely.

On the other hand, if you’re fine with it and just want to get in on the profits – there are ways to do that, too. Datacoup paid consumers $8/month for access to their social media accounts and credit card transaction data in a trial, and although that program is no longer running, there’s a chance that other companies will follow their lead in the future. For now, though, Luth Research pays consumers up to $100/month to participate in surveys and digital tracking.

If you fall into the category of consumers uncomfortable with having their data collected, you’ll find this next section helpful.

Want to opt out from having your data collected?

section 3

While not all companies allow you to see what they know, some offer consumer reports. One of the most notable is Acxiom’s site, About the Data, which allows you to see all of the data points they have for you and correct any information that is incorrect. And although most of the others do not provide the same service, here are some of the biggest data brokers you can contact to opt out of having your data collected:

411.info – allows full opt-out

Acxiom – allows partial opt-out

CoreLogic – allows full opt-out

DataLogix – allows full opt-out

eBureau – allows full opt-out

Epsilon – allows full opt-out

FICO – allows partial opt-out

Harte Hanks – allows full opt-out

infoUSA – allows full opt-out

Instant Checkmate – allows full opt-out

Intelius – allows full opt-out

LexisNexis – allows full opt-out

What is your personal information worth?: the full infographic

data-broker-infographic

Share This Graphic On Your Site

Created by <a title=”WebFX” href=”https://www.webfx.com”>WebFX</a>

Were you surprised by any of this information? Will you take any action to keep your data out of databases? Let us know in the comments below!

20 of 69

Your

Profile

20

In 2017, data giant Acxiom provided up to 3,000 attributes on 700 million people. In 2018, the number was 10,000, on 2.5 billion consumers [Image by Cracked Labs]

Here are the data brokers quietly buying and selling your personal information

03.02.19

Here are the data brokers quietly buying and selling your personal information

You’ve probably never heard of many of the data firms registered under a new law, but they’ve heard a lot about you. A list, and tips for opting out.

[Source image: ksenia_bravo/iStock]

BY STEVEN MELENDEZ AND ALEX PASTERNACKLONG READ

It’s no secret that your personal data is routinely bought and sold by dozens, possibly hundreds, of companies. What’s less known is who those companies are, and what exactly they do.

Thanks to a new Vermont law requiring companies that buy and sell third-party personal data to register with the Secretary of State, we’ve been able to assemble a list of 121 data brokers operating in the U.S. It’s a rare, rough glimpse into a bustling economy that operates largely in the shadows, and often with few rules.

Even Vermont’s first-of-its-kind law, which went into effect last month, doesn’t require data brokers to disclose who’s in their databases, what data they collect, or who buys it. Nor does it require brokers to give consumers access to their own data or opt out of data collection. Brokers are, however required to provide some information about their opt-out systems under the law–assuming they provide one.

If you do want to keep your data out of the hands of these companies, you’ll often have to contact them one by one through whatever opt-out systems they provide; more on that below.

Related: A landmark Vermont law nudges over 120 data brokers out of the shadows

Types of consumer data and data companies. Some companies included in the chart may not be covered by the Vermont law. See a larger version. [Image by Cracked Labs]

The registry is an expansive, alphabet soup of companies, from lesser-known organizations that help landlords research potential tenants or deliver marketing leads to insurance companies, to the quiet giants of data. Those include big names in people search, like Spokeo, ZoomInfo, White Pages, PeopleSmart, Intelius, PeopleFinders, and the numerous other websites they operate; credit reporting, like Equifax, Experian, and TransUnion; and advertising and marketing, like Acxiom, Oracle, Innovis, and KBM. Some companies also specialize in “risk mitigation,” which can include credit reporting but also background checks and other identity verification services.

Still, these 121 entities represent just a fraction of the broader data economy: The Vermont law only covers third-party data firms–those trafficking in the data of people with whom they have no relationship–as opposed to “first-party” data holders like Amazon, Facebook, or Google, which collect their own enormous piles of detailed data directly from users.

WHAT THEY KNOW

By buying or licensing data or scraping public records, third-party data companies can assemble thousands of attributes each for billions of people. For decades, companies could buy up lists of magazines subscribers to build targeted advertising audiences. These days, if you use a smartphone or a credit card, it’s not difficult for a company to determine if you’ve just gone through a break-up, if you’re pregnant or trying to lose weight, whether you’re an extrovert, what medicine you take, where you’ve been, and even how you swipe and tap on your smartphone.

(Browser cookies and trackers are a major part of this infrastructure, and like many websites, Fast Company’s site relies on them in order to serve content and ads. To curtail that tracking, you can use a web browser with tracker-blocking software.)

In 2017, data giant Acxiom provided up to 3,000 attributes on 700 million people. In 2018, the number was 10,000, on 2.5 billion consumers [Image by Cracked Labs]

All that information can be used to create profiles of you—think of them as virtual, possibly erroneous versions of you—that can be used to target you with ads, classify the riskiness of your lifestyle, or help determine your eligibility for a job. Like the companies themselves, the risks can be hard to see. Apart from the dangers of merely collecting and storing all that data, detailed (and often erroneous) consumer profiles can lead to race or income-based discrimination, in a high-tech version of redlining.

Piles of personal data are flowing to political consultants attempting to influence your vote (like Cambridge Analytica) and to government agencies pursuing non-violent criminal suspects (like U.S. Immigration and Customs Enforcement). Meanwhile, people-search websites, accessible to virtually anyone with a credit card, can be a goldmine for doxxers, abusers, and stalkers.

People in the U.S. still struggle to understand the nature and scope of the data collected about them, according to a recent survey by the Pew Research Center, and only 9% believe they have “a lot of control” over the data that is collected about them. Still, the vast majority, 74%, say it is very important to them to be in control of who can get that information.

Related: The data firms ICE hires raise alarms about an unseen industry

“DELETING” YOUR DATA

For companies regulated under the Fair Credit Reporting Act (FCRA), including traditional credit bureaus, you have the right to request your personal data and request corrections of anything that’s wrong.

But for other companies that deal in data, like marketing and people finder companies, U.S. law mostly doesn’t make any such guarantees, though that may change in the future as state and federal legislatures consider further rules. Those could ultimately bring protections like the right-to-be-forgotten and other safeguards granted to European residents under the General Data Protection Regulation (GDPR), probably the strictest international consumer data policy.

To try to remove yourself from a company’s databases: Click on the name of the broker below, click “Filing History,” and then click “DATA BROKER REGISTRATION.” You’ll get a document in PDF form that contains details from the company on how to opt out–provided the company allows you to opt-out.

You can also consult various online guides listing opt-out procedures. Griffin Boyce, systems administrator at Harvard University’s Berkman Klein Center for Internet and Society, has compiled one such opt-out guide. Another guide is put together by Joel Winston, an attorney known for his work on data privacy and consumer protection. At Motherboard, Yael Grauer compiled another list of brokers with tips for opting out. If you’re a resident of the European Union, opt-out.eu has a guide to sending GDPR Erasure Requests.

You can also use the Data & Marketing Association’s DMAchoice program, which is primarily designed for opting out of direct mail and email messages, but is also used by some organizations to remove consumers from their lists entirely. It costs $2 to sign up for the program, and registration lasts two years.

If you’re part of a “protected class,” which includes victims of domestic violence, stalking, sexual assault, identity theft, or people who work in law enforcement, some states like California offer Safe at Home, a program that lets victims remove their contact info from databases with a single request. The National Network to End Domestic Violence has also assembled a guide to data brokers.

If you’re concerned about how a company is handling your personal data, you can file a complaint with the Federal Trade Commission, which has issued millions of dollars in penalties over unfair or unlawful behavior by credit agencies and data brokers.

You can limit data loss by deleting unnecessary apps, using browsers with ad blockers or tracker blockers, adjusting your privacy settings, using privacy tools like a VPN, and limiting what you post online.

In order to control your data, you may need to hand over some basic info to verify that it’s really you. But be careful about what you turn over. As Boyce writes, “other than credit reporting agencies such as Equifax, no one should ask for your Social Security number or tax ID while opting out. When sending a copy of your ID, mark out the ID number and draw a line across the photo.”

21 of 69

Personal Data: Kinds of Tracking

WHO you are (PII)
WHAT you do (e.g. web visits, video or article views, purchases)
WHEN you do it
WHERE you do it (or where your computer, phone, or car is)
FINGERPRINT of your computer (DII)
“Anonymous” categorization (e.g. “audience segments”)

21

Inferred desires and intents → Merchandising or Minority Report?

22 of 69

Acquisition and Access

REVIEW QUESTIONS FROM LAST WEEK:

What personal info is subject to search warrant, subpoena, or court order?

What can be collected / used by 3rd parties?

What can be collected in a public place?

What is a public space ? � (e.g. Facebook; AR, VR worlds?)

Who can know, correct, delete, control use?

First party data is the information collected directly from an audience or customers by a company or website publisher.

Second party data is someone else’s first party data, bought directly from the collector of it.

Third party data is data that <a publisher> buys from outside sources that are not the original collectors of that data.

Source: lotame.com

22

23 of 69

Data Sources

Databases

Real Estate, financial (loan), or court records
Voting and campaign contribution records
Loyalty, warranty, and credit cards
Subscriptions and customer lists

Online behavior

Web site interactions (e.g. accts, “Likes”, ad or article clicks, purchases)
Media viewing (e.g. Neilson or smart TVs)
Location and browsing data from ISPs

Surveillance systems, IoT sensors, Smart Speakers

Cameras, driving monitors, FitBits, Alexa, ...

23

24 of 69

24

25 of 69

Identity Resolution Companies

“We maintain the largest people-based identity graph that connects more than 500 platforms, data owners, and publishers to brands and agencies. Our graph matches PII-based data—like emails, postal addresses, and phone numbers—with anonymous identifiers—like cookies and devices ID—in a privacy-conscious way. “

“We offer services that create value for consumers, including lower prices, greater access, and better interactions with brands.”

25

26 of 69

Identity Resolution Examples

“Keeping vehicle recalls on the down low”
“Suppressing insurance ads with people-based search”
“Targeting a rival DIY supplier’s customers”
“Identifying your next product line”
“People-based marketing to people you don’t know”

26

https://liveramp.com/identity-resolution-use-cases/

1. Keeping vehicle recalls on the down low

When it comes to vehicle and part recalls, you need to let the owners of your vehicles and parts know they're being recalled. Thing is, you need to make sure only those people know about it.

Some of the biggest automotive companies are onboarding their offline data so they can resolve their customer identities and specifically target the people who own vehicles that need to be recalled.

The result – they've lowered their media spend. And they aren't going around the Internet, inadvertently worrying other buyers. Neat.

2. Targeting sports and music fans — everywhere

Brands have been looking for smart ways to target people based on their preferences for some time now.

The trouble is, you either have to target folks in the same walled gardens where they share their preferences, or you need to use cookie data without much context beyond their browsing history. Option one limits the channels you can use. And option two relies on data that isn't really persistent.

Identity resolution has given brands the ability to reliably target people interested in specific events (like the Superbowl and Coachella) – across channels. Two neat examples.

A travel company targeted people interested in the Fifa World Cup with offers on trips to Brazil (where the tournament took place).

In another case, a health brand is using it to market to the users of weight and calorie tracking apps, even beyond the apps themselves. It's become a reliable, omnichannel way to find people with preferences that match your product.

3. Suppressing insurance ads with people-based search

You know that thing where you get targeted for products you already own? That sucks. But it's a whole lot worse if you stumble across an offer on something you own when you're searching for something similar.

In the insurance business, you might have new offers on certain policies like home insurance, and you really don't want to be flogging them to people who already have them.

One insurance company is using people-based search to adjust their keyword targeting for existing policyholders through Google Adwords.

This way, they can suppress the ads for policies their customers already own and offer them upsells on complementary policies instead. And save a bunch in media spend, too.

4. Targeting a rival DIY supplier’s customers

Competition is fierce in the home improvement game. One of the biggest retail chains has partnered with Ibotta (a cash rewards app) to target the customers of its biggest rival.

By resolving the identities of the app's users, it can target its rival's customers with competitive discounts, while sharing loyalty-based discounts with its own most regular customers.

Best of all, they can see whether or not their rival's customers converted and whether or not they've increased their own most loyal customers' share of wallet.

5. Identifying your next product line

Picture this: you're a market researcher working for one of the world's biggest lingerie brands. And you're looking to expand your product set beyond the one line.

What do you do? The people-based marketers at one global brand in this situation decided to get a broader view of their customers' preferences. Specifically, they wanted to know what other product categories their customers were fans of – even if they didn't sell those products.

Using third-party data and identity resolution, they found the answer – athletic sports wear. Not only was that an interesting new insight into their customers – the company acted on their recommendation.

These are the kinds of insights that become possible when you take a people-based approach to analyzing your data and understanding your customers.

It's a brave new day for marketers.

6. Pushing the right content to motor heads

When people start searching for their next car, they're usually looking for something with specific features. Like adaptive cruise control. Or those seats that warm themselves up.

One car company decided to target their prospects based on the specific features they cared most about.

So if you've been searching for cars with cruise control, they're using identity resolution and third-party data to spot that preference.

This way, they can promote their best content about adaptive cruise control to you, across their digital channels.

7. People-based addressable TV

Media buying used to be about demographic insight. If you were buying a spot on TV, you needed to know which shows 18-24 year olds watched.

One cable TV network is taking this insight to a whole new level.

They're using identity resolution to tie their customers' (the media buyers) first-party data to third-party consumer data on stuff like car lease expiration dates.

That means they can tell media buyers precisely which shows the people on their lists are watching – and where to spend their money. These are segments that can be addressed on TV and are likelier to convert.

This is people-based targeting. For TV.

8. Personalizing in-app ads

People-based marketing works well in tight spaces – saturated markets where competition is brutal.

That's good news for telcos, where one company is using a neat, people-based tactic to target its customers on mobile.

Using identity resolution, they're personalizing their in-app ads to give customers specific recommendations for phone and plan upgrades.

This way, they can use the relationships they've already developed with their customers to keep the competition away – and personalize wherever their customers go.

9. Treating hardcore foodies and casual diners differently

There are two kinds of people who book tables at restaurants – hardcore foodies who do it all the time and casual diners who go once in a while.

An online restaurant reservation service is using identity resolution to send these two groups different incentives.

The company wants their power users to use the service when they travel, so they're sending them discounts for booking restaurants outside their home regions.

And they want to nudge casual users to use the service more so they're sending them discounts for restaurants that are closer to home.

Oh, and they make more money when people book through the app (as opposed to through the restaurants' websites). So they've made sure their display ads, emails and push notifications take both segments straight to the app.

10. Identity-based targeting — in email

What do you do when your highest value prospects aren't opening your emails? It's a tricky situation. But one big arts and crafts retailer found a smart way around it.

Here's what they did. First, they started working with LiveIntent – a company that manages newsletters for around 900 different interest-specific publications with a total audience of over 130 million people.

Then, the retailer used identity resolution to match their list of high-value prospects (the ones who weren't opening their emails) to LiveIntent's audience.

Now they could see the topics prospects really cared about. They wouldn't open emails from the retailer – but they were opening emails about things like tech gadgets.

They used identity resolution to track conversions from these emails, and even in-store sales.

Most important, they now have the insight they need to spend more strategically. That interior design fan? They know they can target them more effectively with a full-page ad in a tech magazine.

What started as a tricky situation turned into a huge advantage.

11. People-based marketing to people you don’t know

Being one of the world's biggest producers and distributors of soft drinks is great. But it doesn't mean your customers hang out on your website.

In fact, it's incredibly hard to even figure out who your customers are when most of them buy your products from supermarkets, vending machines and restaurants.

So how do you do people-based marketing when you don't know your own customers? You partner up.

In this case, the drinks company used the loyalty card data of a giant, multinational supermarket. Because of their loyalty program, the supermarket has information related to the buyer's drink preferences and purchases. And because the drinks company uses identity resolution, they can target that list in a privacy-compliant way across the digital ecosystem.

The retailer gets a new revenue stream by monetizing its loyalty card data. And the drinks company gets to run targeted campaigns they can attribute back to in-store sales.

There's nothing sweeter than a win-win.

12. Taking people-based marketing offline

People-based marketing is definitely an online phenomenon. But a few innovators are bringing its benefits to offline channels too.

Two great examples:

One retailer targets its highest lifetime value shoppers with digital billboards based on location data. Since the billboards are smart enough to be dynamic, they can use identity resolution to deliver super-targeted offers.

In another case, an insurance company uses personalized direct mail to retarget high-value website visitors. If one of these visitors goes to their site and requests a quote, the insurer sends them a personalized direct mailer as well as personalized messages across its digital channels.

People-based marketing is literally happening everywhere.

13. People-based beacons

You know that old marketing vision about people walking past a store and getting tailored recommendations delivered to them?

A chain of department stores is making it real.

They're using in-store beacons and identity resolution to figure out when one of their customers is browsing in their store.

Then, they're delivering ads that are personally relevant to that customer through third-party apps.

The best part – they can then use identity resolution to see the effect this is having on their in-store and online sales.

Location-based, people-based gold.

27 of 69

Data Broker Accuracy

“How a data mining giant got me wrong” --Tom Bergin

“LONDON (Reuters) - I’m 57, with a 30-year-old wife, a fairly new hot water boiler, an old-style television, a petrol car and no kids.

Actually, none of that is true. But that is what you might believe if you purchased access to my data from the world’s largest information broker by market value.”

27

Annoying to you, REALLY annoying to advertisers!

28 of 69

Summary 5: The Data Economy

Takeaways

Business models: varied & evolving
Ad-based economy has pros & cons
Your data is everywhere
Not all of it is accurate
Ad-Tech has little reason to be trusted

Little transparency
Few regulations
Poor track record

Questions

How “real” are the worst-case privacy scenarios, e.g. personal health info sold to highest bidder (likely insurance provider)?
How can we determine whether collected data is innocuous or dangerous?
Is the data economy an existential threat to society?

28

29 of 69

29

How data brokers sold my identity | Madhumita Murgia

30 of 69

Topic 6: Tracking & Targeting

30

How They Do It

31 of 69

How Personalization is Done

31

Personalize by…

What appears
How it appears
Where it appears
When it appears

“Does the change increase conversion rates?”

32 of 69

IP Addresses
HTTP Referrer + web bugs

e.g. “Like” or “Share” buttons

Cookies & Tracking Scripts
Super Cookies
User Agent
Browser Fingerprinting

Other tracking techniques

Logins / subscriptions
“Feed” games, surveys, etc.
Installed applications
In-store bluetooth radio beacons
Email web bugs
Location-based ads (cf. “ADINT”)

32

https://www.howtogeek.com/115483/htg-explains-learn-how-websites-are-tracking-you-online/

The Many Ways Websites Track You Online

CHRIS HOFFMAN @chrisbhoffman

SEPTEMBER 28, 2016, 11:00AM EDT

cctv cameras header

Some forms of tracking are obvious – for example, websites know who you are if you’re logged in. But how do tracking networks build up profiles of your browsing activity across multiple websites over time?

Tracking is generally used by advertising networks to build up detailed profiles for pinpoint ad-targeting. If you’ve ever visited a business’ website and seen ads for that business on other websites later, you’ve seen it in action.

IP Addresses

The most basic way of identifying you is by your IP address. Your IP address identifies you on the Internet. These days, it’s likely that your computer shares an IP address with the other networked devices in your house or office. From your IP address, a website can determine your rough geographical location – not down to street level, but generally your city or area. If you’ve ever seen a spammy ad that tries to look legitimate by mentioning your location, this is how the ad does it.

image

IP addresses can change and are often used by multiple users, so they aren’t a good way of tracking a single user over time. Still, an IP address can be combined with other techniques here to track your geographical location.

HTTP Referrer

When you click a link, your browser loads the web page you clicked and tells the website where you came from. For example, if you clicked a link to an outside website on How-To Geek, the outside website would see the address of the How-To Geek article you came from. This information is contained in the HTTP referrer header.

The HTTP referrer is also sent when loading content on a web page. For example, if a web page includes an ad or tracking script, your browsers tells the advertiser or tracking network what page you’re viewing.

“Web bugs,” which are tiny, one-by-one pixel, invisible images, take advantage of the HTTP referrer to track you without appearing on a web page. They’re also used to track emails you open, assuming your email client loads images.

Cookies & Tracking Scripts

Cookies are small pieces of information websites can store in your browser. They have plenty of legitimate uses – for example, when you sign into your online-banking website, a cookie remembers your login information. When you change a setting on a website, a cookie stores that setting so it can persist across page loads and sessions.

image

Cookies can also identify you and track your browsing activity across a website. This isn’t necessarily a big problem – a website might want to know what pages users visit so it can tweak the user experience. What’s really pernicious are third-party cookies.

image

While third-party cookies also have legitimate uses, they’re often used by advertising networks to track you across multiple websites. Many websites – if not most websites – include third-party advertising or tracking scripts. If two different websites use the same advertising or tracking network, your browsing history across both sites could be tracked and linked.

Scripts from social networks can also function as tracking scripts. For example, if you’re signed into Facebook and you visit a website that contains a Facebook “Like” button, Facebook knows you visited that website. Facebook stores a cookie to save your login state, so the Like button (which is actually part of a script) knows who you are.

Super Cookies

You can clear your browser’s cookies — in fact, we’ve got a guide to clearing your browser’s cookies. However, clearing your cookies isn’t necessarily a solution – “super cookies” are increasingly common. One such super cookie is evercookie. Super cookie solutions like evercookie store cookie data in multiple places – for example, in Flash cookies, Silverlight storage, your browsing history, and HTML5 local storage. One particularly clever tracking method is assigning a unique color value to a few pixels every time a new user visits a website. The different colors are stored in each user’s browser cache and can be loaded back – the color value of the pixels is a unique identifier that identifies the user.

When a website notices that you’ve deleted part of the super cookie, the information is repopulated from the other location. For example, you might clear your browser cookies and not your Flash cookies, so the website will copy the value of the Flash cookie to your browser cookies. Super cookies are very resilient.

image

User Agent

Your browser also sends a user agent every time you connect to a website. This tells websites your browser and operating system, providing another piece of data that can be stored and used to target ads. For more information about user agents, check out our explanation of what a browser user agent is.

image

Browser Fingerprinting

Browsers are actually pretty unique. Websites can determine your operating system, browser version, installed plug-ins and their versions, your operating system’s screen resolution, your installed fonts, your time zone, and other information. If you’ve disabled cookies entirely, that’s another piece of data that makes your browser unique.

The Electronic Frontier Foundation’s Panopticlick website is an example of how this information can be used. Only one in 1.1 million people have the same browser configuration I do.

image

There are surely other ways that websites can track you. There’s big money in it, and people are brainstorming new ways to track every day – just see evercookie above for evidence of that.

To surf as anonymously as possible, use the Tor Browser Bundle.

For information on tweaking your browser’s privacy settings and determining what exactly each setting does, see our guides to optimizing Google Chrome, Mozilla Firefox, Internet Explorer, Safari, or Opera for maximum privacy.

Image Credit: Andy Roberts on Flickr

Chris Hoffman CHRIS HOFFMAN

Chris Hoffman is Editor in Chief of How-To Geek. He's written about technology for nearly a decade and was a PCWorld columnist for two years. Since 2011, Chris has written over 2,000 articles that have been read more than 500 million times---and that's just here at How-To Geek. READ FULL BIO »

33 of 69

Two Views of Cookies

I have heard that cookies are bad for privacy - is that true?

This is a myth - cookies are a friendly internet tool primarily used by the advertising and e-commerce industry to make surfing easier and quicker. They have several roles, none of which can compromise your privacy:

Protection - to ensure you are a genuine visitor and not someone else using your password.
Authenticate and speed up your identification and e-commerce transactions.
Recognise preferences e.g. remember user names and passwords for websites.
Cap the frequency of ad serving and to make sure that advertisements are rotated and not duplicated during any one visit to a site

Tracking Cookies are a specific type of cookie that is distributed, shared, and read across two or more unrelated Web sites for the purpose of gathering information or potentially to present customized data to you. Not all cookies are tracking cookies.

Tracking cookies are not harmful like malware, worms, or viruses, but they can be a privacy concern. As an example, if you go to a Web site that hosts online advertising from a third-party vendor, the third-party vendor can place a cookie on your computer. If another Web site also has advertisements from the third-party vendor, then that vendor knows you have visited both Web sites. Nothing malicious has occurred, but the advertising company can determine indirectly all the sites you have been to if they have cookies present on those sites.

33

34 of 69

DII: Browser Fingerprinting

the User agent header
the Accept header
the Connection header
the Encoding header
the Language header
the list of plugins
the platform
a picture rendered with WebGL
the presence of AdBlock
the list of fonts

cookie preferences (allowed or not)
the Do Not Track preferences (yes, no, or not communicated)
the time zone
the screen resolution and its color depth
the use of local storage
the use of session storage
a picture rendered with the HTML Canvas element

34

https://restoreprivacy.com/browser-fingerprinting/

35 of 69

Web Beacons

web bug, tracking bug, tag, web tag, page tag, tracking pixel, pixel tag, 1×1 gif, or clear gif

“Invisible” image, button, etc, placed on web page for tracking
Your computer sends request to display image
Request includes identifying info, e.g. IP address
Your info is recorded by ad server hosting the beacon image
Also used in email to confirm you opened the message

35

Different: in-store bluetooth beacons send radio signals to apps on your smartphone

36 of 69

The Facebook “Pixel”

“The Facebook pixel is code that you place on your website. It collects data that helps you track conversions from Facebook ads, optimize ads, build targeted audiences for future ads, and remarket to people who have already taken some kind of action on your website.

It works by placing and triggering cookies to track users as they interact with your website and your Facebook ads.”

36

37 of 69

Facebook Connect Convenience vs. Privacy

“Facebook gave GateGuru the following information about me: My name, gender, birthday, all my friends’ names, my employers, my schools, all my status updates, every Facebook group I belong to or page I like, my events, photos I’ve uploaded or been tagged in, my religious and political views, my hometown, my current city, my videos, my website URL, the content and member list of the Facebook groups I manage, and my relationship status …”

37

https://medium.com/s/trustissues/find-out-what-google-and-facebook-know-about-you-31d0fa6d7b61

Find Out What Google and Facebook Know About You

How to do a data detox, in a zillion easy steps

Go to the profile of Baratunde Thurston

Baratunde Thurston

Jun 4, 2018

Hackers obtained the Social Security numbers of more than 145 million Americans. Paid political chaos monkeys allegedly harvested data from at least 87 million Facebook profiles in an effort to influence the 2016 U.S. election, the Brexit vote, and possibly more. In a practice that could easily become discriminatory, police departments are mining social media profiles in the name of public safety.

These stories are all connected by a common denominator: data. Nearly everything we do online leaves a trail of data that is then combined and analyzed on servers across the globe in a kind of decentralized dossier of human behavior.

To many of us, that may sound abstract, or benign, or both. But is it?

To bring the issue out of the heady headlines, I tried to get a handle on how much of my own data was out there. This prompted just what you might expect: confusion, panic, and rage, followed by a strong urge to purge — to perform a data detox of my own.

Broadly speaking, my detox game is already on point. I’ve done the Master Cleanse juice detox (mercifully for my roommates, it was while they were out of town). I’ve been to sweat lodges. And every year or so, I do a clean install on my laptop and smartphone, wiping all the stored data and manually reinstalling apps and software, rather than recovering them from a backup. I know how to detox IRL and digitally. I’ve even written about it before.

Not a problem, I thought. I got this.

I focused on the platforms I use most — Google and Facebook — as well as my my favorite note-taking app, Evernote. Like many people who have taken a sudden interest in their digital privacy, I was startled by what I learned. It turns out I didn’t have this. None of us do.

I’m someone who’s been online since the mid-1990s. I’ve worked in the digital media and advertising businesses. I understand that our data is being collected to make products more useful to us and to make us more useful to advertisers. But seeing the surveillance economy all in one place made that truth more stark — and more unsettling.

During the course of my data detox, there were practices that surprised me and practices that did not. I was not surprised, for instance, to discover that Alphabet knows more about me than any other company in the world. But to get a more granular understanding of how that breaks down, I started by listing all the Alphabet-owned services I use: Google Docs, YouTube, Gmail, Calendar, Drive, Photos, Contacts, Translate, Chrome, Maps, Wallet, and, of course, the O.G. Google — the search engine.

Illustration: Tiago Galo

Next, I made a list of the kinds of information these services might capture. That list was long and included things like my creative dreams (Google Docs with future book ideas), my embarrassing questions (YouTube demos on how to tie a Windsor knot), and my fears (Google searches for “How do you know if you have cancer?” Also: “How long did it take for Rome to collapse?”). There was also all my personal and professional correspondence (Gmail),a log of how I spend my time (Google Calendar), and my photos (Google Photos). Most alarming to me was a log of my up-to-the-minute location (Google Maps).

Depending on your settings, visiting myactivity.google.com can bring the company’s background tracking into the foreground. There, I saw every search query I’d ever run, most of the websites I’d visited, and almost every literal step I’d taken.

Saturday, September 2, 2017: Google stalked me around London, even noting if I was traveling by ferry, bicycle, bus, or foot, presumably by my speed.

Horrified, I then completed the Google Privacy Checkup. There, I was able to see my default settings for logging and sharing. For example: “Let people with your phone number find and connect with you on Google services, such as video chats.” I don’t think having my phone number means you get to interrupt me with your face whenever you choose, so I turned that off.

YouTube was set to automatically show videos I liked and channels I subscribed to. Disabled.

Google+ was set to share my photos and likes and restaurant reviews. I had completely forgotten about Google+. (I have now mentioned Google+ more times than any single person in the past two years, and for that, Google should pay me. They can just put the money in my Google Wallet, which they have access to.) I disabled all that, too.

How accurate do I want my data portrait to be if it is being used primarily to encourage me to part with my time, attention, and money?

Next, I reviewed all the locations from which my account had been accessed. When I didn’t recognize one of them, I decided to reset my password and turned on two-factor authentication.

In the section for advertising settings, I was able to edit the list of topics Google thinks I’m interested in and against which they sell my attention to advertisers. But even though I could update that list — Google thinks I like dance music; I hate dance music — there’s no way for me to know why Google thinks what it thinks. I decided to disable any and all information-sharing with the “2+ million websites and apps that partner with Google to show ads.”

In Google’s ad settings, I can see the topics it thinks I am interested in, and I can turn them off if I wish. Mostly, Google is correct.

To its credit, Google offers a centralized and relatively user-friendly place from which to view and control your account, but I found the breadth of the data collection more unnerving than the relief I got from being able to exert a little control over it.

I finished my Google-data detox with a mixture of satisfaction and wariness. But it turns out Google was entry-level detox. When I moved on to Facebook, I pretty much lost it.

It was relatively easy to figure out some of what Facebook thinks it knows about me, thanks to a Chrome browser extension called What Facebook Thinks You Like. Whereas Google listed 28 things I appear to like, Facebook listed 713: “New York metropolitan area,” “Step Up (film),” “observational comedy,” “law school,” “motorsport,” “Michelle Obama,” “global warming,” and, oddly, “missing person.”

Facebook’s accuracy was spotty. I do love New York, the Step Up films (teen dance movies are my jam), and Michelle Obama (because I’m a patriot). I do not like “motorsports” or “law school.” No one likes law school. I also don’t like “global warming.” Nor “missing person.”

I was briefly amused by the discrepancies between the real me and the picture painted by Facebook, but it also prompted a question: How accurate do I want my data portrait to be if it is being used primarily to encourage me to part with my time, attention, and money? I toyed with the idea of whether or not, in the interest of my own privacy, I ought to obscure the real me with misleading signals.

What if I started liking Facebook pages about guns and engaging with content about white nationalism (or, worse, electronic dance music)? Of course, if I did that, I would also hinder the platform’s ability to provide value by knowing as much as it does about me.

Did I want to spend my time and energy making Facebook less efficient and more chaotic for myself? Is that what it would take to be truly free—to inconvenience myself by pretending to be someone else?

Like Google, Facebook has a settings page from which I can view and adjust my security and privacy settings. I also decided to look at the “Apps and Websites” and “Ads” settings, which are not listed in a way that suggests they are related to security and privacy, even though they obviously are. (Since Mark Zuckerberg was hauled before Congress in April 2018, this section of the settings page has changed, so your experience may vary slightly from mine.)

Given recent headlines, I was compelled to scrutinize the section about apps. When I got to that page, the first thing I saw was a monster of a disclaimer:

On Facebook, your name, profile picture, cover photo, gender, networks, username, and user id are always publicly available to both people and apps. … Apps also have access to your friends list and any information you choose to make public.

It has become central to an international news story that Facebook shares user data with linked apps, but I think it’s safe to bet that very few of Facebook’s two billion users had any idea until recently that this was part of the terms of service.

As another point of clarification: in Facebook-speak, “apps” refers to multiple things. They are the apps you launch from within Facebook (remember those?), the services you log in to with your Facebook ID, and the services you’ve “connected” to your Facebook account, including some websites. When I popped over to the Apps tag, I saw more than 400 listed. I literally screamed out loud. (I mean literally literally.)

To get our heads around why this matters, let’s look at one particular app on the list. Years ago, I discovered a mobile app called GateGuru. It’s operated by TripAdvisor and lets me browse airport maps and directories from my phone. This is obviously more convenient than hunting down information kiosks—which are, it seems to me, always inconveniently located.

I logged in to the app with my Facebook account because it was faster that way and I was hungry. That decision marked the beginning of a trilateral trade relationship between me, GateGuru, and Facebook: I used my Facebook identity to quickly access GateGuru. In exchange, GateGuru helped me find the Shake Shack closest to my departure gate.

In that deal, Facebook gave GateGuru the following information about me: My name, gender, birthday, all my friends’ names, my employers, my schools, all my status updates, every Facebook group I belong to or page I like, my events, photos I’ve uploaded or been tagged in, my religious and political views, my hometown, my current city, my videos, my website URL, the content and member list of the Facebook groups I manage, and my relationship status, which I would describe in this instance as “Super Fucked.”

Even if GateGuru doesn’t abuse my data, there is no way for me to know how robust its security is — or that of the 400-plus apps that have been collecting my data for years.

Horrified by the what-ifs, I spent more than an hour going through all the apps I had authorized, and I removed hundreds of them. No surprise, there was no bulk removal option when I did this—this feature has since been added—so I had to go through each and every one of them in a rhythm of click, scroll, remove, wait, curse, click, scroll, remove, wait, curse.

Deleting an app, however, doesn’t change what data it already has collected about you. I realized this after removing the ESPN app. Feeling empowered by the user choice I just exercised, I was presented with a pop-up screen stating: “ESPN may still have access to info you previously shared, but can’t make additional requests for private info…Contact ESPN for details on how to delete your info.” And when I clicked on “Contact ESPN,” I was redirected to the general privacy policy for the Walt Disney Company. Facebook hurled me at a generic legal page for a $148 billion corporation. Is that how the company plans to “bring the world closer together”?

I then downloaded all my data from an easy-to-miss link on the settings page (it’s here). I deleted three years’ worth of search history, location history, and video-watching history that I didn’t know the company was holding. I turned the sharing defaults from “public” to “friends” or “just me” on just about everything. I made myself harder to find. I deleted the contact information for more than 3,000 people I had unwittingly uploaded to Facebook. (I discovered this on a random page nowhere near the privacy settings.)

We’re the raw material for the next phase in computer science: The computers study us and then take that data and run with it.

Facebook has long enabled and encouraged this system of data collection, sometimes under the guise of user empowerment: “We give you the power to share as part of our mission to make the world more open and connected” is how the company has put it in the past.

But a company that has spent billions in acquisitions and invested heavily in everything from virtual reality to drones can get different things done when it wants to. Facebook has 25,000 employees and generated more than $40 billion in revenue in 2017. This same company knew about the Cambridge Analytica data abuse in 2015 and didn’t act on it until it was reported by the press.

In response to massive and unrelenting global pressure, the company is finally starting to deploy some of its resources to secure users’ privacy on the platform. It has announced initiatives like Clear History and launched an investigation and audit of apps that had access to our data.

But Facebook investigating app makers for data abuse is like Breaking Bad’s Walter White investigating Jesse for all that meth he made in Walter’s lab using Walter’s scientific knowledge. Those apps would not have our data without Facebook in the first place. Nowhere in these newfound data-protection solutions has Facebook acknowledged its role in creating the problem.

Knowing all this, it’s hard to take seriously the man who in March testified before Congress and then posted this on, yes, Facebook: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.”

Once I’d looked closely at Google and Facebook, my thoughts moved to the apps I had installed on my iPhone. Curious what data they have the ability to collect, I picked one — Evernote, since I use it daily — and decided to take a look at the most dreaded and inscrutable copy on any product: the terms of service (TOS). Cue thunder, lightning, organ music.

Illustration: Tiago Galo

I had put off this portion of the data detox because I prioritize time with my girlfriend, watching Atlanta, and living my life. Still, I was curious to learn how another tech company might be storing and using my data. I chose Evernote because I use it for everything from political strategizing to recipe tracking. I think of Evernote as a user-friendly operation with a business model that doesn’t depend on selling me to marketers. Evernote even has a human-readable “Three Laws of Data Protection:” your data is yours; your data is protected; your data is portable.

Evernote appears to try harder than most companies to help users understand how their data is stored and used.

Feeling optimistic, I started with the company’s Data Usage article. It looked short, but it linked deep, pointing to Cookie Information, Transparency Report, and Third Party Applications pages, plus the Privacy Policy, which hyperlinked to the Terms of Service. I found it to be filled with all-caps, screaming words like “INDEMNITY” and “DISCLAIMER” and “INJUNCTIVE RELIEF.” The game of Hyperlink Hot Potato continued as I moved over to the company’s Commercial Terms, Business Agreement, IP Compliance, User Guidelines, and the page describing what this note-taking software shares with law enforcement. (Good thing I keep a notebook titled “Blue Lives Matter!” just in case).

All told, the terms run nearly 29,000 words, which is about half the length of your average paperback. I dumped the text into an unlisted Medium post to see the estimated reading time: 109 minutes. (You can read some of my real-time reaction notes in this public read-only Google Doc.)

What I learned is that Evernote uses encryption to transmit my data, which I appreciate. I also noticed that Evernote considers me its customer and largely collects data to make using the service easier. That means gaining access to my camera and photo library when I want to add images to my notes, or ingesting my contacts database to make auto-completing easier when I want to share notes with other people. It’s convenient, but it made me uncomfortable, and I’m not so lazy that I can’t type in a full email address, so I turned it off.

I was curious under what conditions Evernote employees might be able to access my notes. Like, if I leave the app, what happens to the files? Similarly, what if I leave planet Earth? If I stop using the product voluntarily, all the notes must be manually deleted before closing my account if I don’t want the company to store them. As to the more morbid question: It turns out I need to designate some poor sucker as custodian of my brainstorms and musings if I want them removed after I die. (The full explanation is worth a read.)

All told, it took me about three solid hours to get through the TOS for my favorite app. Now I understand why Facebook thought I was interested in law school. I have 313 apps on my phone. If they’re anything like Evernote, I could spend roughly 940 hours reading various terms of service—or I could use that time to accrue enough credit hours for 10 Juris Doctor degrees.

This “data detox” I’ve done reveals just a few steps of a much larger journey. I’m saving for later my experience with creepy trackers that monitor our website behavior, and I just didn’t have the mental energy to dive into the world of credit reports or smart-home appliances. (Alexa, stop snitching!)

All this matters, because our data is being used to impact things far beyond the ads and content we see. It is already being used to determine job opportunities, loan rates, dating matches, and criminal sentencing guidelines. Follow Dr. Safiya Noble and her concept of “algorithms of oppression.” Read Cathy O’Neill’s book, Weapons of Math Destruction for a deeper understanding.

All this also matters because the Next Big Things — artificial intelligence, machine learning, speech and facial recognition — will be powered by more of our data. We’re the raw material for the next phase in computer science.

To be clear, not all data collection is bad. Much of it is essential for a service to operate well—to be worth your time and money. Data collection and tracking enables Evernote to know that I’m the same user on my iPhone, iPad, and web browser and enables GateGuru to remember who I am and that I like Shake Shack. Processing all this data allows Google to recommend shortcuts on my commute and Twitter to suggest interesting tweets I may have missed and Facebook to remind me of my friends’ birthdays.

But this same construct goes too far by offering up my religious beliefs, contacts database, location history, and hundreds of other bits of intel under the bad-faith claim that I granted permission and fully understood some rat’s nest of legal documents.

So what do we do? As individuals, we have options. First, as I’ve demonstrated, we must understand what we’re giving up. “Data” isn’t some vague thing we can’t understand, and “technology” isn’t a magical gift bestowed only upon the wise and elevated engineers in Silicon Valley. We have seen the consequences of data falling into the wrong hands, so let’s do something about it.

As much as this data-detox business sounds laborious, it’s important. Consider it a form of hygiene akin to your annual household spring cleanings and your daily showers. At a minimum, I recommend everyone take the following steps:

Tune your settings on all major tech platforms, starting with those that sell targeted advertising (Google, Facebook, Instagram) and moving on to those that treat you as the primary customer (Amazon, Apple, Microsoft). Each of these company’s products has a settings page. Start there, click, read, edit, curse — and download your data if you’re so inclined.

Secure your network connections with a virtual private network, and encrypt your browsing sessions with HTTPS Everywhere so your ISP can’t snoop on your website activity. The Electronic Frontier Foundation offers a good starting point.

Read a few Terms of Service agreements. Know that this may take you hours, and that you will encounter information — AND WORDS IN SCREAMING ALL-CAPS — that you don’t understand, but do it anyway. This Lost In Small Print tool can help you get started.

Use less data-grabby services like those recommended by Alternative App Centre. The site highlights less data invasive options for all sorts of software.

Conduct your own data detox. Here is the one I found, made by Tactical Technology Collective in partnership with Mozilla.

We’re still in the early stages of the networked age, and we can fight for a different future. In the meantime, for ideas on how we might wage that bigger fight, see my companion piece, humbly titled “A New Tech Manifesto: Six Demands, from a Citizen to Big Tech.”

Baratunde Thurston is a futurist comedian, writer, and activist. He would like to acknowledge the Data & Society Research Institute, Surya Mattu, Belinda Thurston, and Elizabeth Stewart for their contributions to the thinking in this article. If you’re feeling inspired, moved to complain, or simply want to stay connected, Baratunde welcomes a chance to respectfully collect your data. Text him at +1-202-902-7949 with the message: #datadetox (really—it’s a public number) or visit Baratunde.com.

Go to the profile of Baratunde Thurston

WRITTEN BY

Baratunde Thurston

AUTHOR: How To Be Black. FORMERLY: Fast Company, The Onion, Daily Show. BOARDS: BUILD, Brooklyn Public Library. HALL OF FAME: SXSW. text me @ +1 (202) 902–7949.

38 of 69

38

The Complete Guide to Facebook Ad Targeting

5 Facebook Ad Targeting Tips

39 of 69

Ad Placement

HOW EXACTLY FACEBOOK decides who sees what is one of the great pieces of forbidden knowledge in the information age, hidden away behind nondisclosure agreements, trade secrecy law, and a general culture of opacity.

They appear to deliver certain ads, including for housing and employment, in a way that aligns with race and gender stereotypes — even when advertisers ask for the ads to be exposed a broad, inclusive audience.

39

40 of 69

Ad-Tech’s Eternal Triangle

40

USER is OK with ad content and web content

ADVERTISER is OK with adjacent web content

Web PUBLISHER is OK with ad content

41 of 69

Ad-Tech Under Fire

41

https://www.adweek.com/programmatic/privacy-advocates-say-ad-auctions-leak-sensitive-data-about-users/

In a sign of potential woes to come in the U.S. media sector, privacy advocates in the European Union are going after the very fundamentals of online media monetization, claiming the ad auction process used by companies like Google broadcasts highly sensitive user information in a way that violates the member states’ General Data Protection Regulations.

In a new legal complaint filed in Poland Monday, privacy advocates charge that the Internet Advertising Bureau’s ad auctioning system RTB 3.0 and Google’s RTB “Publisher Verticals” may let advertisers profile and target users based on sensitive information, including religious affiliation, sexual orientation and medical conditions.

The complaint argues that much of the backbone of ad tech could be found to violate GDPR, underscoring ongoing confusion over how the GPDR hammer will come down on the industry. As more federal and statewide data privacy regulation come down the pike in the U.S., legal experts expect similar dynamics could soon be at play in North America.

When it comes to privacy, are the fundamentals of ad tech flawed?

The complaint, which the Warsaw-based Panoptykon Foundation filed with Poland’s data protection authority, charges that IAB and Google’s ad auctioning systems fail to ensure that users’ personal data—such as what kind of content they are consuming and their IP address—is protected from “unauthorized access” because of the way that personal information about users is broadcast through a bid request in an online ad auction. The complainants say the exposure of personal information without the prior consent of a website user is a violation of GDPR.

The Panoptykon Foundation also contends that some of the labels included in the two systems, when combined with the other personal data in the bid request, should be considered “special category personal data,” described in Article 9 of the GDPR.

For instance, one category defined by the IAB Tech Lab categorizes content based on “incest/abuse support,” which the complainants said could be used to both target and profile an internet user as a victim of incest or abuse.

Google’s “Publisher Verticals” is a similar list to the IAB’s RTB 3.0 that classifies web content based on keywords and allows advertisers to make decisions about their ad buys based on the content near which their advertisements will display. That list, which publishers can opt out of, includes categories like “eating disorders” and “substance abuse.” The complaint alleges that that information could be combined with users’ personal information in the bid request and that companies could target and profile internet users based on it.

The complaint joins earlier complaints filed by other privacy advocates, including from the Open Rights Group and the privacy-centric web browser Brave, in Ireland and the U.K.

Dr. Johnny Ryan, the chief policy and industry relations officer of Brave, said the only way for the industry to address the privacy issues the complaint raises is to institute a major overhaul of the ad-tech ecosystem that takes personal data out of the equation.

“The way forward is for ad auction companies to remove personal data from their bid requests,” Ryan told Adweek. “Marketers need to protect themselves from the risk they are exposed to by the ad auction system and press the IAB and Google to strip personal data from ad auctions. The use of personal data—such as your pseudonymous IDs, latitude & longitude, IP addresses [and] specific device details—needs to stop.”

Regulators are starting to issue heavy fines

The ad-tech sector has increasingly come under scrutiny and strain since the passage of GDPR, and complaints that ad-tech companies have failed to complybegan rolling in since the opening day of its enforcement last year. Last week, France’s data protection authority CNIL handed Google a $57 million fine.

42 of 69

Real-time Bidding (RTB)

“Real-time Bidding (RTB) is a way of transacting media that allows an individual ad impression to be put up for bid in real-time. This is done through a programmatic on-the-spot auction, which is similar to how financial markets operate. RTB allows for Addressable Advertising; the ability to serve ads to consumers directly based on their demographic, psychographic, or behavioral attributes.”

https://www.iab.com/guidelines/real-time-bidding-rtb-project/

42

43 of 69

How Real-Time Bidding Works

43

44 of 69

Controversial Content Categories

113 /People & Society/Ethnic & Identity Groups/Lesbian, Gay, Bisexual & Transgender 144 /Beauty & Fitness/Face & Body Care/Unwanted Body & Facial Hair Removal 171 /People & Society/Ethnic & Identity Groups/Indigenous Peoples/Native Americans 195 /Health/Reproductive Health 198 /Health/Reproductive Health/Birth Control 202 /Health/Reproductive Health/Male Impotence 235 /Beauty & Fitness/Hair Care/Hair Loss 236 /Beauty & Fitness/Weight Loss 237 /Health/Nutrition/Vitamins & Supplements 238 /Health/Medical Facilities & Services/Medical Procedures/Surgery/Cosmetic Surgery 241 /Beauty & Fitness/Fitness/Bodybuilding 245 /Health/Oral & Dental Care 246 /Health/Vision Care 257 /Health/Substance Abuse 401 /People & Society/Family & Relationships/Family/Parenting/Pregnancy & Maternity 409 /News/Politics/Right-Wing Politics 410 /News/Politics/Left-Wing Politics 420 /Health/Health Conditions/Skin Conditions 421 /Health/Reproductive Health/Sexually Transmitted Diseases 429 /Health/Health Conditions/Cancer 437 /Health/Mental Health 499 /Health/Alternative & Natural Medicine

44

https://brave.com/Google-publisher-verticals-marked-up.pdf

https://developers.google.com/authorized-buyers/rtb/downloads/publisher-verticals

113 /People & Society/Ethnic & Identity Groups/Lesbian, Gay, Bisexual & Transgender 144 /Beauty & Fitness/Face & Body Care/Unwanted Body & Facial Hair Removal 171 /People & Society/Ethnic & Identity Groups/Indigenous Peoples/Native Americans 195 /Health/Reproductive Health 198 /Health/Reproductive Health/Birth Control 202 /Health/Reproductive Health/Male Impotence 235 /Beauty & Fitness/Hair Care/Hair Loss 236 /Beauty & Fitness/Weight Loss 237 /Health/Nutrition/Vitamins & Supplements 238 /Health/Medical Facilities & Services/Medical Procedures/Surgery/Cosmetic Surgery 241 /Beauty & Fitness/Fitness/Bodybuilding 245 /Health/Oral & Dental Care 246 /Health/Vision Care 257 /Health/Substance Abuse 401 /People & Society/Family & Relationships/Family/Parenting/Pregnancy & Maternity 409 /News/Politics/Right-Wing Politics 410 /News/Politics/Left-Wing Politics 420 /Health/Health Conditions/Skin Conditions 421 /Health/Reproductive Health/Sexually Transmitted Diseases 429 /Health/Health Conditions/Cancer 437 /Health/Mental Health 499 /Health/Alternative & Natural Medicine

45 of 69

Ad Industry: “Nothing to see here”

NAI response:

the existence of this taxonomy and the fact that it includes sensitive categories does not imply that companies are using sensitive personal data to target advertising to various individuals. Rather, the content categories IAB has standardized for use in digital advertising are primarily used by websites, mobile apps, and other online platforms to communicate to advertisers what kind of content they host on their properties. This allows them, for example, to sell space for contextual advertisements that are not tailored to particular web browsers or devices. In practice, this would enable a website that publishes general information about the symptoms of and treatments for sensitive health conditions to tag its own content with categories in the IAB taxonomy. This in turn would allow advertisers (like, e.g. health clinics or pharmaceutical companies) to advertise on the site without targeting individual site visitors. Content tags also allow brand advertisers to make decisions about where their ads will appear for brand integrity purposes. For example, some advertisers may be particularly interested in advertising on, or particularly keen to avoid advertising on, a site that has tagged its content with certain religious or political categories.

45

NAI = Network Advertising Initiative

https://www.networkadvertising.org/blog-entry/how-nai-protects-consumers-sensitive-information-digital-advertising/

Tony Ficarrotta's blog ›

How the NAI Protects Consumers' Sensitive Information in Digital Advertising

Submitted by Tony Ficarrotta on Wed, 02/27/2019 - 7:56pm

Fortune recently published an article expressing concern about the potential misuse of sensitive personal data in digital advertising. User activity online and across mobile apps is often highly personal and potentially sensitive, and the NAI agrees that any potential misuse of sensitive information, in advertising or otherwise, raises serious privacy concerns.

The protection of sensitive data has long been a key pillar of the NAI Code of Conduct, which prohibits NAI member companies from using sensitive data for interest-based advertising without opt-in consent. Even if a user does provide opt-in consent to receive interest-based ads based on sensitive data, NAI members are prohibited outright from using or sharing any information collected for interest-based advertising for eligibility purposes. For example, an NAI member could not disclose to a life or health insurance company that a user is associated with a cancer interest category for insurance or coverage eligibility purposes, nor to an employer or prospective employer for employment eligibility purposes.

Of course, the concerns raised in the Fortune article do not exist in a vacuum. The article references a European complaint brought by privacy advocates relating to a “taxonomy” of digital content developed by the Interactive Advertising Bureau (IAB). The taxonomy provides publishers and other digital content creators with a standard system to classify what kinds of content they provide through their websites, mobile apps, and other online platforms. The categories in the IAB taxonomy range from benign, such as “amusement and theme parks,” to highly sensitive, such as “sexual health conditions.” The sensitive categories identified in the article broadly overlap with categories the NAI treats as sensitive under its Code of Conduct. These include, but are not limited to, health categories such as cancer, mental health, and sexually transmitted diseases.

However, the existence of this taxonomy and the fact that it includes sensitive categories does not imply that companies are using sensitive personal data to target advertising to various individuals. Rather, the content categories IAB has standardized for use in digital advertising are primarily used by websites, mobile apps, and other online platforms to communicate to advertisers what kind of content they host on their properties. This allows them, for example, to sell space for contextual advertisements that are not tailored to particular web browsers or devices. In practice, this would enable a website that publishes general information about the symptoms of and treatments for sensitive health conditions to tag its own content with categories in the IAB taxonomy. This in turn would allow advertisers (like, e.g. health clinics or pharmaceutical companies) to advertise on the site without targeting individual site visitors. Content tags also allow brand advertisers to make decisions about where their ads will appear for brand integrity purposes. For example, some advertisers may be particularly interested in advertising on, or particularly keen to avoid advertising on, a site that has tagged its content with certain religious or political categories.

The NAI and our membership go to great lengths to prevent the misuse of sensitive data in interest-based advertising. However, we also recognize that there are some bad actors who don’t adhere to our high bar. That is why NAI membership, adherence to the NAI Code of Conduct, and accountability through annual compliance reviews by the NAI staff are so important for building and maintaining trust in the digital advertising ecosystem. Further, the NAI ensures that consumers can choose whether to participate in interest-based advertising using our central, easy-to-use opt-out tool. Finally, the NAI strongly supports a federal privacy framework that would require all companies to adhere to the privacy-protective practices established by our Code. That framework should leverage existing industry self-regulation by creating a strong safe harbor program, which would assist the FTC with enforcement efforts and provide certainty to companies with a compliance mindset.

Tony Ficarrotta's blog

46 of 69

Ad Re-Targeting

You visit website #1, which connects to ad server via “pixel”
Ad server creates cookie on your computer, records your IP
Website #1 sends list of customers to ad server
You visit website #2
Ad server matches cookies from website #1 and #2
Advertiser places ad targeting you on website #2

46

The ad industry continues its quest toward fewer cookies and more consistent user IDs

The IAB Tech Lab's DigiTrust and the Advertising ID Consortium chart different, but � intersecting, paths toward the goal of an industry-wide identity resolution.

Barry Levine on January 17, 2019

https://www.quora.com/How-would-you-explain-cookie-matching-to-a-5-year-old

https://www.adopsinsider.com/ad-exchanges/cookie-syncing/

https://clearcode.cc/blog/cookie-syncing/

https://developers.google.com/authorized-buyers/rtb/cookie-guide

https://martechtoday.com/the-ad-industry-continues-its-quest-toward-fewer-cookies-and-more-consistent-user-ids-229754

In the real world, everyone can taste a cookie. But, in the world of web browsers, only the domain that drops a cookie — a small identifying text file — into a user’s browser can read that cookie.

That fact — and the dominance of “walled gardens” like Facebook, Amazon and Google — has led to two major initiatives to create a user ID around a single cookie: the Advertising ID Consortium and the Interactive Advertising Bureau (IAB) Tech Lab’s DigiTrust. Though separate, they share a central goal: avoiding the complicated process of cookie matching and improving the speed at which ads load.

How cookie syncing works

If Site A sends a cookie to a visitor’s browser, for instance, only Site A can read that cookie. Site B and Advertiser A both create and deposit their own cookies, but they cannot read Site A’s or each others’.

As a result, demand side platforms (DSPs), data management platforms (DMPs), supply side platforms (SSPs) and others need to sync their cookies to each other — so they know when they are dealing with the same user for ad targeting.

Let’s say a visitor goes to a website that serves ads. The website sends an ad request to a DSP, which drops into the visitor’s browser its third-party cookie that contains the DSP’s ID for that visitor.

The DSP also calls to a DMP for targeting info, and includes its DSP visitor ID in the call. The DMP creates its own cookie for the visitor’s browser, or sees if it already has one there. Its cookie contains its own DMP ID, which it now matches to the DSP’s cookie/ID.

Similarly, the DSP matches its cookie/ID to the DMP’s. The DSP and DMP then also exchange cookie-matching tables in large batch files at specific times, such as once daily.

This cookie syncing allows an advertiser to retarget a visitor with an ad for blue sneakers when they go to a new site, for instance, after earlier looking at a product page for blue sneakers on a previous site.

The problem with cookie syncing

That this system works at all, much less in a few fractions of a second, is remarkable. But it has several key flaws.

First of all, every part of the ad ecosystem has to cookie-match with every other part, which represents a tremendous amount of data updating overhead.

Second, the cookie match rate is not perfect. Match rates of about 60 percent are considered decent, but this means about 40 percent or more of all users are not matched in a given pass by a given ad tech vendor. This greatly diminishes the accuracy of targeted marketing.

Third, while the matching is done within fractions of a second, it can delay the prompt loading of a page with its ads, thus potentially affecting user experience.

“The key area in which publishers lack control,” says DigiTrust on its web site, “is in all the third-party requests from ID syncs.” A typical publisher’s web page can receive dozens — if not a hundred or more — third-party requests, including many for syncs.

“If we eliminate the need for ID syncs, then publishers can take back control of their pages and only let the vendors they trust appear on their websites,” says DigiTrust.

Fourth, cookies are used only in web browser environments, and there are serious limitations on third-party cookies — like those from DSPs and DMPs — in mobile web browsers.

And, finally, login-based massive platforms like Facebook don’t have this problem within their environments. Since they track logins, they can accurately track users within these “walled gardens” — but, outside, it’s a mess of cookies.

The Advertising ID Consortium

Because of these issues, a variety of ad tech players decided they were tired of letting the big walled gardens have all the fun, while they were left to endlessly sync up all those cookies.

In 2017, the Advertising ID Consortium was born, initially founded by LiveRamp, MediaMath and AppNexus. While the impetus was doing away with all this cookie syncing and finding a common ID, the mission now includes the idea of “people-based” identity across all devices, based on the IdentityLink solution from identity resolution provider LiveRamp.

IdentityLink connects a variety of datasets about millions of users, including offline data, to create an anonymized profile of a single user that is based on the idea that a real person is living in the real world and online.

The Consortium has now focused on using a few cookies, notably ones from DSP The Trade Desk, from ad tech platform AppNexus and from the non-profit initiative, DigiTrust. The identifiers in those cookies are made available to a publisher’s exchange partners through the Index Exchange’s header wrapper, so individual cookies do not need to be read. Participating organizations can also connect the identifiers to the IdentityLink ID, in order to track a user across channels.

The IAB Tech Lab’s DigiTrust

DigiTrust, a non-profit collaboration of ad tech platforms and publishers that became part of the Interactive Advertising Bureau (IAB) Tech Lab last year, is participating with the Consortium but also has its own ecosystem.

It issues a cookie whose identifier can be read by participating companies through the DigiTrust ID via API. Additionally, the same DigiTrust cookie can be issued by a given web site from JavaScript on the site’s pages, allowing that cookie to be considered first-party by browsers.

The DigiTrust cookie contains an encrypted token that provides an identifier for the user, which can include the user’s preferences for consent. Both DigiTrust and the Consortium say that they comply with the European Union’s General Data Protection Regulation (GDPR).

DigiTrust claims it has close to 100 percent accuracy in identifying a user, a much more accurate rate than what is available through cookie matching. And, of course, that is comparable to the 100 percent recognition in Facebook, Google and other walled gardens.

While the Consortium intends to provide cross-device, cross-channel identification, DigiTrust founder and IAB Tech Lab SVP of Membership and Operations Jordan Mitchell told me his organization’s immediate interest is the web browser. But he allowed that DigiTrust might, someday, extend its identifier to non-web devices.

Audience coverage

Currently, DigiTrust has about 50 platforms — such as DSPs, DMPs or SSPs –participating in its initiative, Mitchell said, plus “millions” of publisher websites. Overall, he said, DigiTrust’s cookies reach about 95 percent of the globe in terms of ad volume and about 65 percent of users.

“But it takes a long time for platforms to change their reliance” on their legacy systems, he said, so DigiTrust’s approach has not yet reached its potential.

The Consortium is backed by more than a dozen ad platforms. While it didn’t provide its coverage stats, Mitchell told me “it’s pretty clear” that DigiTrust has a “much greater” audience coverage than the Consortium.

47 of 69

Shadow Accounts

47

1. Social plugins, like the "Share" or "Like" buttons, which you can find on outside websites, like shopping pages and news articles.

2. Facebook Login, which lets you log into outside apps using your Facebook account so you don't have to create a new password or username.

3. Facebook Analytics, which gives website owners information on how and when people interact with their site.

4. Facebook ads and measurement tools, including Facebook Pixel. The tool measures how effective ads are, by giving Facebook information on when you visited certain sites and took specific actions, like buying something.

"When you visit a site or app that uses our services, we receive information even if you're logged out or don't have a Facebook account,"

https://www.cnet.com/news/heres-how-facebook-collects-your-data-when-youre-logged-out/

The social network's Share button is on 275 million web pages.

When Facebook CEO Mark Zuckerberg testified before Congress last week, he was asked about the information the social network collects on users -- even if they aren't signed into Facebook.

Zuckerberg began to explain a few of the basics, but eventually said his team would follow up with more information later.

On Monday, the company went into more depth about how it tracks you around the internet.

"When you visit a site or app that uses our services, we receive information even if you're logged out or don't have a Facebook account," David Baser, a product management director, wrote in a blog post. "This is because other apps and sites don't know who is using Facebook."

Facebook's data collection practices have come under scrutiny following a controversy involving Cambridge Analytica, a digital consultancy with ties to the Trump presidential campaign that improperly obtained data on up to 87 million Facebook users without their permission. The data originally came from a Cambridge University researcher named Aleksandr Kogan, who collected the information legitimately through a personality quiz app, but then broke Facebook's terms of service by passing it onto Cambridge Analytica.

Specifically, here are the developer tools that allow Facebook to track you:

Social plugins, like the "Share" or "Like" buttons, which you can find on outside websites, like shopping pages and news articles.

Facebook Login, which lets you log into outside apps using your Facebook account so you don't have to create a new password or username. This is the tool Kogan was using for his personality quiz app.

Facebook Analytics, which gives website owners information on how and when people interact with their site.

Facebook ads and measurement tools, including Facebook Pixel. The tool measures how effective ads are, by giving Facebook information on when you visited certain sites and took specific actions, like buying something.

48 of 69

ADINT: Advertising Intelligence

Research done at UW
Idea: Track someone by buying ads
You need their MAID (not too hard to get)
You buy geo-targeted ads; get notified when they are shown
You can choose which apps the ads are shown on…

Thus you may infer which (perhaps sensitive) apps your subject uses

48

“For $1000, anyone can purchase online ads to track your location and app use”

49 of 69

Threat Review: How Would You Rank Them?

TECHNOLOGY

Phone Apps
Ad Tech
IoT / Digital Assistants
Surveillance Devices
Social Media

PEOPLE

Hackers
Government / Law Enforcement
Facebook
Google
Data Brokers
App Developers
Insurance companies
Big Pharma

49

50 of 69

Summary 6: Tracking & Targeting

Takeaways

Your data is tracked in many ways!
Facebook “pixels” gather great detail
Real-time bidding is controversial
Shadow accounts never go away
Rogue apps are hard to identify

Questions

Are the complaints about RTB valid?
How often is PII used in RTB matches, vs. anonymized group data?
Is Ad-Tech fundamentally flawed, or is it a question of transparency?
Should shadow accounts be permitted?
Are rogue apps your biggest worry?

50

51 of 69

Week 4 Preview

Killing Democracy

Info Wars
Criminality
Economics & Policy Making
Corruption by policy

Saving Democracy

Fair district boundaries
Liquid Democracy

Trends & Takeaways

Business trends
Tech trends
Trend-spotting
Bottom Line
Discussion / Feedback

51

52 of 69

Bonus 3: More Background

52

53 of 69

Current Research

ADINT: Using Targeted Advertising for Personal Surveillance

“For $1000, anyone can purchase online ads to track your location and app use”

“Solid” (SOcial LInked Data) system

Decentralized Identity Platform

Distributed Ledger Systems and dApps

Some blockchain enabled digital identity solutions...

53

“I think it will very much be an uphill battle for Solid. When the web appeared, it entered a vacuum needing to be filled. Now Solid is entering a space dominated by massive corporations who make a living by harvesting and selling user data. They’re not going to let go of that flock of golden geese easily”.

54 of 69

54

Facebook Sues Analytics Firm Over Data Misuse

Facebook revealed last Friday that it has filed a lawsuit alleging South Korean analytics firm Rankwave abused its developer platform's data, and has refused to cooperate with a mandatory compliance audit and request to delete the data. TechCrunch reports:

Facebook's lawsuit centers around Rankwave offering to help businesses build a Facebook authorization step into their apps so they can pass all the user data to Rankwave, which then analyzes biographic and behavioral traits to supply user contact info and ad targeting assistance to the business. Rankwave also apparently misused data sucked in by its own consumer app for checking your social media "influencer score." That app could pull data about your Facebook activity such as location checkins, determine that you've checked into a baseball stadium, and then Rankwave could help its clients target you with ads for baseball tickets.

The use of a seemingly fun app to slurp up user data and repurpose it for other business goals is strikingly similar to how Cambridge Analytica's personality quiz app tempted millions of users to provide data about themselves and their friends. TechCrunch has attained a copy of the lawsuit that alleges that Rankwave misused Facebook data outside of the apps where it was collected, purposefully delayed responding to a cease-and-desist order, claimed it didn't violate Facebook policy, lied about not using its apps since 2018 when they were accessed in April 2019, and then refused to comply with a mandatory audit of its data practices. Facebook Platform data is not supposed to be repurposed for other business goals, only for the developer to improve their app's user experience.

55 of 69

55

Simple Opt Out is drawing attention to opt-out data sharing and marketing practices that many people aren't aware of (and most people don't want), then making it easier to opt out. For example:

Target "may share your personal information with other companies which are not part of Target."
Chase may share your "account balances and transaction history … For nonaffiliates to market to you."
Crate & Barrel may share "your customer information [name, postal address and email address, and transactions you conduct on our Website or offline] with other select companies."

This site makes it easier to opt out of data sharing by 50+ companies (or add a company, or see opt-out tips). Enjoy! http://simpleoptout.com/

56 of 69

Intro

To

RTB

56

57 of 69

Data Breaches

The New

Normal

57

58 of 69

Which data?

58

59 of 69

59

https://www.nytimes.com/2018/05/19/technology/phone-apps-stalking.html

KidGuard is a phone app that markets itself as a tool for keeping tabs on children. But it has also promoted its surveillance for other purposes and run blog posts with headlines like “How to Read Deleted Texts on Your Lover’s Phone.”

A similar app, mSpy, offered advice to a woman on secretly monitoring her husband. Still another, Spyzie, ran ads on Google alongside results for search terms like “catch cheating girlfriend iPhone.”

As digital tools that gather cellphone data for tracking children, friends or lost phones have multiplied in recent years, so have the options for people who abuse the technology to track others without consent.

More than 200 apps and services offer would-be stalkers a variety of capabilities, from basic location tracking to harvesting texts and even secretly recording video, according to a new academic study. More than two dozen services were promoted as surveillance tools for spying on romantic partners, according to the researchers and reporting by The New York Times. Most of the spying services required access to victims’ phones or knowledge of their passwords — both common in domestic relationships.

60 of 69

“Facebook already tracks people online, even when they're logged out or don't have an account, through tools like the Facebook Pixel and plugins like the Share button on pages.

The social network's Share button is on 275 million web pages. It collects data allowing advertisers to see what kind of content you're viewing.”

60

https://www.cnet.com/news/facebook-is-still-tracking-you-after-you-deactivate-your-account/

I thought deactivating my Facebook account would stop the social network from tracking me online. But Facebook kept tabs on me anyway.

Over the past year, I've tried to minimize my presence on Facebook. I deleted a 10-year-old account and replaced it with a dummy account that I use as little as possible. I deleted the app from my phone.

As of January, I started deactivating my dummy account every time I used it, rather than just log out. I couldn't break up completely with Facebook because I needed it to sign up twice a week for a workshop.

I thought the precautions would reduce how much data Facebook gathered about me. Turns out, I was wasting my time.

Even when your account is deactivated, the social network continues collecting data about your online activities. All that data gets sent back to Facebook and is tied to your account while it's in this state of limbo. It's as if you'd changed nothing.

Facebook says it only removes all of your data if you permanently delete your account. Deactivating isn't as extreme, the company says, and the social network continues collecting your data in case you change your mind and want to return to your profile. Facebook expects deactivated users to return and wants to continue serving them ads relevant to their new interests.

Read more: How to delete yourself from the Internet

Watch this: Deactivating your Facebook account doesn't stop data...

2:15

'A deceptive practice'

On the site, Facebook explains that deactivating is a half-step to complete deletion. But it says little about how data collection works during the period. In its data policy, Facebook suggests deactivation to manage your privacy but doesn't mention that it still collects data during that period.

The ongoing collection of data from deactivated accounts could be considered misleading, privacy experts warn.

"Most people would expect less or no data collection during a deactivated period," said Gabriel Weinberg, CEO and founder of private search engine DuckDuckGo. "Deactivated means cease to operate, and you wouldn't expect all the wheels to be turning."

For consumer transparency purposes, I would be concerned that this is a deceptive practice.

Kathleen McGee, former chief of New York State attorney general's Internet Bureau

The average person would assume that Facebook pauses data collection when your account is deactivated, said Kathleen McGee, the former chief of the New York State attorney general's Internet Bureau.

People could look at deactivating accounts and mistake it for an opt-out when it isn't, she explained.

"For consumer transparency purposes, I would be concerned that this is a deceptive practice," said McGee, now a technology counsel at the Lowenstein Sandler law firm.

The vague disclosure the social network provides is another point of concern about its privacy protections.

In March 2018, Facebook found itself in hot water after Cambridge Analytica, a British consultancy, was collecting information about people on the social network through several personality quizzes. The backlash prompted a campaign encouraging people to delete their Facebook accounts. The Pew Research Center found that 42 percent of Americans have taken a break from the social network at some point during the last year.

Active tracking

Facebook already tracks people online, even when they're logged out or don't have an account, through tools like the Facebook Pixel and plugins like the Share button on pages.

The social network's Share button is on 275 million web pages. It collects data allowing advertisers to see what kind of content you're viewing. That's why you're likely to see ads for sports in your Facebook feed if you've been visiting a lot of sports websites.

If you aren't a member, the social network can identify you through your browsers and deliver ads using its Facebook Audience Network, the company detailed in 2016. The service uses your browsing habits to target ads as you surf the internet, just as it would if you were on Facebook. Even if you don't have an account, Facebook is following you.

Facebook said deactivating your account was never intended to be a measure for data privacy but rather for privacy from other people on Facebook.

Watch this: Facebook, Instagram, Twitter: What's your relationship...

5:14

It makes sense to deactivate your account if you're trying to hide from people online because other users won't see your profile, posts and previous comments. You're essentially invisible to everyone on the social network. Except Facebook. It does nothing to prevent Facebook from collecting data on you.

Your best bet to stop the data collection is to delete your account. You'll get 30 days to change your mind. During that period, Facebook will continue gathering data about you, the company said.

Weinberg suggested that Facebook either change its data collection for deactivated accounts or explain that caveat better to people.

"Companies should always try to match user expectations to whatever feature they're providing," Weinberg said.

Surprising consumers is usually a cause for alarm for regulators, McGee said. With Facebook failing to explicitly explain that your data is still being collected, even when your account is deactivated, the former prosecutor argued, a reasonable consumer is being misled.

"Facebook should remedy this by not collecting information when someone has deactivated their account," McGee said.

61 of 69

61

The evidence comprises category lists from Google and IAB, which allow advertisers to target people according to characteristics such as being an incest victim, having cancer, having a substance-abuse problem, being into a certain kind of politics or adhering to a certain religion or sect.

http://fortune.com/2019/01/28/google-iab-sensitive-profiles/

Google and Ad Industry Accused of “Massive” Abuse of Intimate Personal Data

By DAVID MEYER

January 28, 2019

Last September, a coalition of privacy activists and browser-makers targeted Google and the advertising technology industry with complaints about “a massive and ongoing data breach that affects virtually every user on the web” — the broadcasting of people’s personal data to dozens of companies, without proper security.

Now, on International Privacy Day, they’ve released new evidence showing this data includes information about people’s ethnicity, disabilities, sexual orientation and more. The data is so sensitive that it even allows advertisers to specifically target incest and abuse victims, or those with eating disorders.

How does this information get shared? The online ad industry often uses a technique called behavioral advertising, which basically means they track you around the web and build a profile based on what you look at. When you then visit a webpage that runs behavioral ads, there’s often an automated auction with the winner getting to show you an ad that supposedly matches your profile.

The real-time bidding system means broadcasting the details of your profile to the advertisers in so-called “bid requests” — and these details get really, really personal.

Last year’s complaints were lodged by Jim Killock of the U.K.’s Open Rights Group, tech policy researcher Michael Veale of University College London, and Johnny Ryan of the pro-privacy browser firm Brave. They complained to privacy regulators in the U.K. and Ireland, claiming Google and other ad-tech firms were breaking the EU’s strict General Data Protection Regulation (GDPR) by unlawfully profiling people’s sensitive characteristics.

Now Poland’s Panoptykon Foundation, another rights group, has hopped on board, complaining to its local data protection authority. The targets include Google and the Interactive Advertising Bureau (IAB), which is the industry body that sets the rules for ad auctions.

The evidence comprises category lists from Google and IAB, which allow advertisers to target people according to characteristics such as being an incest victim, having cancer, having a substance-abuse problem, being into a certain kind of politics or adhering to a certain religion or sect.

“Actors in this ecosystem are keen for the public to think they are dealing in anonymous, or at the very least non-sensitive data, but this simply isn’t the case,” said Veale (who has also made a GDPR complaint against Twitter over opaque tracking.) “Hugely detailed and invasive profiles are routinely and casually built and traded as part of today’s real-time bidding system, and this practice is treated though it’s a simple fact of life online. It isn’t: and it both needs to and can stop.”

A Google spokesperson said the company has “strict policies that prohibit advertisers on our platforms from targeting individuals on the basis of sensitive categories such as race, sexual orientation, health conditions, pregnancy status, etc.”

“If we found ads on any of our platforms that were violating our policies and attempting to use sensitive interest categories to target ads to users, we would take immediate action,” the spokesperson said.

The IAB said in a statement that its categorization protocols came from its non-profit partner organization, the IAB Tech Lab. It also said it was up to companies to choose how to use the protocols, in line with “applicable laws, regulations, and consumer preferences,” and the protocols were “not themselves subject to GDPR.”

This article was updated to add Google and the IAB’s responses, and to clarify that it’s the real-time bidding mechanism being complained about, rather than behavioral advertising as a whole.

62 of 69

Content Scanning

62

The company’s data collection practices also include scanning your email to extract keyword data for use in other Google products and services and to improve its machine learning capabilities, Google spokesman Aaron Stein confirmed in an email to NBC News. “We may analyze [email] content to customize search results, better detect spam and malware,” he added

only Gmail apps "directly enhancing email functionality--such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)" will be authorized to access inbox data.

63 of 69

Ad Placement Exclusions

63

64 of 69

Some don’t like the trade...

64

https://restoreprivacy.com/secure-browser/

65 of 69

Voice: the next influence frontier

65

How to monetize voice assistants?
Pay to play?
How to disclose “promoted results” per FTC?
Recommendations? Promotion ⇔ Targeting ⇔ Privacy

66 of 69

66

“Access to internal tools is highly controlled, and is only granted to a limited number of employees who require these tools to train and improve the service by processing an extremely small sample of interactions,”

67 of 69

67

Geoffrey A. Fowler / Washington Post:

Alexa keeps recordings of conversations triggered by its wake word but doesn't allow a user to opt out of the collecting of recordings, unlike Google Assistant

When Alexa runs your home, Amazon tracks you in more ways than you might want. — Would you let a stranger eavesdrop in your home and keep the recordings?

68 of 69

68

69 of 69

69

Verizon, T-Mobile, Sprint, and AT&T hit with class action lawsuits for selling customer location data — The lawsuits come after a Motherboard investigation showed AT&T, Sprint, and T-Mobile sold phone location data that ended up with bounty hunters, and The New York Times covered an instance of Verizon selling data.

Joseph Cox / Motherboard: