
User profiling businesses operate in plain sight, but don’t obey the law

Today, everyone is aware that Facebook, Google and Twitter, among many other free digital services, sell their users’ personal data to advertisers. Many savvy users protect their privacy with additional software plugins that prevent this automatic data collection. The real action, however, takes place behind the scenes, where data brokers, user profiling algorithms, data analytics companies, data scrapers and others collect internet users’ personal data, profile people and sell the profiles to advertisers.

The Norwegian Consumer Council, a government-funded organisation, has researched how widespread user data collection is on the internet. The conclusion in the Council’s report is that personal data collection is completely out of control. The Council also performed a legal analysis after the results of the tests were available. It concludes that a large amount of the data sharing and processing is likely to be illegal under the European Union GDPR (General Data Protection Regulation).

The purpose of the research was to take a look at user data sharing practices. The test team selected 10 mobile apps and examined them thoroughly. Each app was monitored for the connections it made and the data it leaked to various parties.

For example, the dating app OkCupid shared personal data about sexuality, drug use, political views, and private information with the analytics company Braze. Another tested app, Perfect365 for makeup, shared user data with more than 70 advertisers and data brokers. The shared data included the Android Advertising ID, the device’s IP address, and GPS location.

The key findings in the Council’s report are as follows:

  • The ten apps that were analyzed transmitted user data to at least 135 enterprises that don’t have anything to do with the functionality of the apps. These businesses specialize in advertising and user profiling.
  • The most important piece of data for profiling people is the Android Advertising ID. Every Android phone and tablet has the ID. It enables tracking of people across all online services they access. During the tests, an individual Android ID was sent to at least 70 enterprises.
  • The Advertising ID was often transmitted along with other personal data, such as the device’s GPS location and IP address.
  • All apps shared user data with multiple third parties. All apps, except one, shared additional data beyond the device’s Advertising ID. This included the IP address and GPS location of the device, gender and age, and various user activities.
  • Twitter’s advertising technology subsidiary MoPub was used as a mediator for many of these data sharing transactions. MoPub also passed personal data to a number of advertising businesses, including AppNexus and OpenX. These companies typically reserve the right to further share the data with other business partners.
  • DoubleClick, a Google advertising service, collected data from eight tested apps. Facebook received data from nine apps out of ten.
Image: Data brokers collect and categorise user data. Source: Norwegian Consumer Council.

So far, we have been well informed about the ways big internet companies, like Amazon, Microsoft, Facebook and Google, collect our private data and make a profit out of it. These companies are only the customer-facing front line, and the back office (data brokers, profilers, data scrapers) is where our personal data really gets a new life. In theory, the EU’s GDPR should protect European citizens from unwanted data collection and profiling, but if a business is located outside the EU, the regulation is not easy to enforce.

The Council’s report is recommended reading for everyone, and especially for people who think they have nothing to hide, and don’t mind sharing their personal data. The ugly truth is that information is power for businesses, governments and everyone else.

The Norwegian Consumer Council concludes:

  • 20 months after the GDPR came into effect, internet users are still being tracked and profiled. People have no way of knowing who is processing their data or how to stop them.
  • The entire industry that is involved in collecting, processing, profiling, selling and buying user data is operating without control.
  • The digital marketing and adtech industry has to change the way they operate to comply with European regulation. At the moment, they don’t respect fundamental human rights and freedoms.
  • Authorities should enforce the GDPR.
Image: User profiling from multiple data sources. Source: Norwegian Consumer Council.

What can an individual do to prevent data collection?

The only way to avoid transmitting personal data to the vast databases held by free cloud services, data brokers and analyzers is not to let them get the data in the first place. Since this means not using Facebook, Google or Microsoft products, it is practically impossible for many people (just a reminder that, for instance, Gmail, Android and Chrome are Google products, and Instagram and WhatsApp are Facebook products).

Installing software plugins, like Privacy Badger or an ad blocker, reduces the amount of data the ad industry receives from your daily life. Avoiding phone and tablet apps that request permissions for functionality they don’t really need may reduce the leaking of data.

Switching off GPS, Bluetooth, and Wi-Fi on a phone when you don’t need them reduces the amount of data companies get from you.

Replacing a Windows PC with a Linux PC, and an Android phone, for instance, with an eOS phone (or PinePhone or Librem)