“Data Shadows” and online privacy

By Sunfell

I learned a new word yesterday: “Data Shadow”. It’s the footprint your activity data makes on the infosphere- your credit, cell phone and banking records, and your tracks on the Internet. I’ve been online for over 15 years, so my Internet ‘data shadow’ is quite long, I’m afraid. There isn’t much I can do to make it go away, as a lot of that information is stuff I can’t get my mitts on, as it’s squirreled away in databases of credit companies and banks. It should stay there. It should not escape, or be ‘mined’ by people who want to ‘profile’ me. We exist in a delusion that we have privacy. We do not. The Quechup debacle that is making its rounds on the web is a prime example of spamming and privacy violation going nuclear. Quechup asks you to provide your email address and password (!) to find your friends online.

Woops. You should never ever give some marketing firm the keys to your contact book. They’ll raid it every time. That information is gold to them. (It’s too bad we can’t make them pay dearly for it. Instead, they steal it from us.)

A few months ago on my personal blog, I recommended the company “Rapleaf” as a means to build your reputation if you’re selling stuff online. The lure was to provide your basic information for them to post, and then your friends could find you there, and build your online reputation. Hey, that was cool- while I do not sell stuff online, it couldn’t hurt to have good feedback from friends.

If it had just been that, I would have been fine with it. But imagine my horror when I discovered that it had linked to my Amazon wish list and my Flickr account- two things that I did not provide to it, and had no way (at the time I signed up) to block from its prying eyes. So, for a while, my private address was visible for the world to see. I went to Amazon and made all my wish lists private, and I also wrote to Rapleaf and told them to take me out of their database. Happily, they did so quickly. (I had to write to them, as they did not have any online means to remove your data from their files.) And they now have means of hiding those social networks you belong to from public view, but again, they’d ‘improved’ their site to include them without warning me that they would do this.

I’m a fairly private person. It isn’t because I have anything to hide- it’s just that I am not willing to put my whole life online- just the parts of that I choose to. And therein lies the rub: I am not permitted this choice by these busy-body data-miners who want to ‘profile’ me and Sell Me More Stuff. I don’t want to be ‘profiled’. I don’t want people peddling Yet More Stuff to me. But that is their ultimate goal:

Privacy advocates, of course, have complained about aggregation of personal content like this for years. Put this information in the wrong hands–of say, a stalker–and you could have a problem. In the hands of a government, it’s a means to spy; in the hands of a hacker, it’s an opportunity for identify theft; and in the hands of a marketer, it’s a potentially lucrative business.

That’s particularly true because this coalesced data could be personally identifiable–tied to names, e-mail, physical and IP addresses and other details on the person’s habits. At a time when the heat is on search engines like Google and Microsoft to regularly purge personally identifiable and search history data on users, sites like Rapleaf are amassing detailed profiles from publicly available data.

“There’s no question we’ve entered an era where people are simultaneously living their lives online. But there’s a naive quality here that these sites have set up. The sites appear to be cool, but what lurks underneath is a powerful force designed to stealthily observe and collect data about you, and develop a marketing campaign to get you to behave the way they want,” [emphasis mine] said Jeff Chester, director of the Center for Digital Democracy, a Washington-based consumer advocacy group.

I went to a private meeting a couple of weeks ago that had a lot of high-level information about identity theft, and what compromises ‘personally identifiable data” (PID) and discovered that our laws are a mess where this is concerned. It shouldn’t be this bad: Europe and other countries have much tighter privacy laws, and the mining and use of PID is much more closely monitored and regulated.

Not in the US. Sites like Amazon keep information about us hanging out in the clear by default, for people like Rapleaf and its kin to sweep up and consolidate in a single place for anyone to use. We really need to start putting pressure on both the government and private industry to put the brakes on this sort of thing. It should be an escalating action: investigations by the FTC, demands for data to be held private and no PID of any sort permitted, and even class-action lawsuits. These are tools that citizens can use to take back our privacy. Identity theft is rampant, and sites like these are ripe for the picking.

Is there a solution- besides nagging and suing and being a thorn in their sides? Maybe. Here’s one: These companies should pay for this information. And I don’t mean pay other companies- I mean pay us for permission to use our information. If we hit them in the pocketbook, they might think twice about data-scraping (more like data-raping) us. It could be a ‘reverse subscription’: they could pay us monthly for the privilege of following us around and learning our habits so they can Sell us More Stuff. That would permit people who like being followed to get their share of the ‘gold’ and let folks like me be left alone.

So consumer, beware. You’re being watched and monitored- both online and off. Don’t think that even anonymous surfing will protect you: it won’t. In fact, it’ll make people suspicious. Just watch where you go, and carefully investigate anything you decide to join. Some things are not what they seem.

25 replies »

  1. Amazon’s policy is the reason I will never do business with them.

    A few years ago, it was in the news that any information they collected in the course of business was their’s to do with as they pleased. Such as sell it, collect it, aggregate it, whatever they decided. There was an public outcry on this but Amazon won in the end.

    Selling personal information is a source of revenue for companies. That’s why corporations have always made it difficult for consumers with regards to personal information. And that’s why it’s opt-out rather than opt-in.

    Another for instance, credit checks are required in in some states to get auto insurance. Pretty ridiculous.

    That’s how the Corporatocracy has taken over and become widespread.

  2. Amazon’s policy is no different from Visa’s policy, Barnes and Nobel’s policy, Toys R’ Us’ policy, or the policy of any major retailer – any time you buy using credit, you’re putting your name on an indeterminate number of mailing lists and you’re giving away your privacy. Amazon is no better or worse than any of the others.

    Convenience has its price – if you want to buy online, expect that your purchases will be tracked. Working exclusively in cash is the only way to prevent your purchasing activities from being tracked and databased.

  3. I’m really considering ‘going green’ in the majority of my transactions. Carrying cash is a pain in the patoot, but it would be nice to ‘monkeywrench’ the system in some small way.

  4. Cash & money orders & Privacash prepaid credit card where I can and Powells for books.

    I’ve been practising how to be invisible to the system everywhere I can with a set of strategies to minimize my personal info provided.

  5. Maybe it’s just me, but why bother? Seriously. Going to cash, etc. cuts you out of the very benefits that these new technologies provide. And it’s simply not possible in the developed world to not develop a credit and purchase trail. It strikes me as more reasonable to work actively to limit the kinds of information that can be collected, how it can be shared, that sort of thing.

    Admittedly, I’m a bit of technophile, but I’m unwilling to be so paranoid that I destroy my own enjoyment of life in the process. To me, living in fear of corporations is as bad as living in fear of terrorists, and I refuse to do either. But at the same time, concern about both is absolutely warranted.

  6. Here’s the thing: I understand that by the act of living, I become part of the aggregate data these folks collect. I don’t mind that. Statistics are their life. But I -do- mind when they use personally identifiable information when gathering that data. That is like stalking in my eyes, and having been stalked (thank goodness before the Internet age), it makes me very uncomfortable.

    It isn’t paranoia- it’s simple personal safety. You don’t know who looks at those sites- or why. I love the convenience of the technology, but dislike the price paid in my safety and privacy. Plus, the hazards of data breaches and the lack of responsibility by those corporations in keeping the data safe (and informing the customers) makes living one’s life in the digital mode a lot more risky.

    The need is to limit -or eliminate- personally identifiable information, and the onus should be upon the corporations to make sure that is done. If not, they should be heavily fined, because nothing makes them pay attention better than a grab at their pocketbook.

  7. Brian, you might be surprised at what information about you is available.

    If corporations had ethics, they’d understand that personal information is personal information, and not some commodity to be sold to profit them.

    Did you know you can get Colin Powell’s or Tom Delay’s or Jeb Bush’s social security number off the net if you know where to look? It’s put out by by state documents. Yours too I bet. Some states are more careless than others about what they post on the local & state govt sites.

    The US’ privacy approach is driven by what’s best for the corporations, not individuals.

    You don’t have to be paranoid about things like this, but it doesn’t hurt to use precaution.

    I can say with 100% certainty that old phone numbers I’ve used 5-6 years ago are still being called by companies selling stuff.

    The question I often ask myself is if companies understood what a waste of time & resources they spend on out-of-date information, they’d start to question whether all the hype about data mining & data marketing was worth it for them. They don’t and I still protect myself.

  8. Here’s a something else to think about. Last year the federal government was proposing to let tax preparers like HR Block and the like, sell people’s tax return information. Kinda unbelievable, yet true.

    There’s just a boundary here that keeps being crossed over in the name of profits. Data mining has always been oversold by corps like IBM, Microsoft, Oracle, and the like who sell databases & data mining tools, because overall, there’s a lot of junk in databases. They’re like lists. Once a list is made, it immediately out-of-date. Trouble is, it’s rarely updated after that.

    The whole approach that businesses use has been wrong, but they’re too stupid to realize that.

  9. Brian,

    I seem to recall you having a paranoid fit about Google’s privacy policy for photo-sharing, which is no more or less egregious than others of its type. 🙂 This actually plays to my point–you should investigate any company you plan to do business with online before taking the plunge. If their policies scare you, do business elsewhere and warn others of the potential risks. If you are comfortable with the trade of security for convenience, lay on.

    Honestly, I don’t agree with the idea that security and convenience even have to be a tradeoff. You CAN have both without losing profit or scaring your customers away.

  10. There’s very little about my life I hide, either in “real life” or online, so no, I don’t think I’d be surprised about what might be available online.

    I’ve always taken the WarGames maxim “I don’t believe any system is completely secure” and applied it to everything I do. Every online transaction is tracked and databased. Every government document is tracked and databased. Every speeding infraction, every accident, every medical visit, every food purchase, everything is tracked and databased. I’ve accepted that the level of privacy both of you are calling for is an illusion, and has been an illusion since before I was even born. The only difference is that the tools to pierce that illusion are now cheaper, more powerful, and easier for everyone to acquire and use.

    IMO, more people potentially having access to some of your personal information doesn’t make you less safe. It’s only ever taken one sufficiently motivated individual to ruin another person’s life.

    I certainly won’t complain if laws were passed to strip out my personal information based on your activities. I just don’t think a) it’ll happen or b) it’ll matter even if it does. The most valuable information in those databases is your name, address, phone number, etc. And companies will find ways around everything you do to stop them. You’d probably be better off figuring out ways to restore a sense of ethics into the various database/data mining companies than in fighting them directly.

  11. Martin, if the issue was myself only, my “paranoid fit” would have been phrased quite a bit differently. But it potentially impacts my ability to protect my kids from pedophiles. And if I was starting a new business based on trademarked, copyrighted, or patented materials, Google’s policies affect my livelihood.

    Weird as you may find this, I take copyright, trademark, and patent law FAR more seriously than I do my own personal information. And I take my duties to properly raise my kids and protect them as my highest concerns, bar none.

    Security and convenience have a fundamental, unavoidable tradeoff. If you make something so secure that it cannot be breached by anyone, you’ve also made it so secure that it cannot be breached even by the people who need to use it. This is true of physical security and internet security. That’s not to say that we shouldn’t be concerned that we’ve trended too far toward convenience and away from security, but rather that we need to develop a “happy medium.”

    Of course, if you talk to the companies, they’d probably say that, given the relative dearth of complaints about these things, they’ve already found that “happy medium.” Personally, I think it’s a lack of education of the populace instead.

  12. Brian,

    You’re right. I do find it weird, not to mention more than a bit paranoid and intellectually disordered.

    Consider this–what if a sex offender uses personally available information gleaned about you from one of these mailing lists or search engines and uses that to move next door? Or what if an identity thief uses personal data of yours to open up new accounts and wreck your credit rating, or just steal money from your account? Your kids and your livelihood are just as messed up as they might be if your Google doomsday scenarios came to pass. More so, actually, since there’s more evidence to back up my scenarios than yours.

    I certainly applaud your desire to protect your kids, but I think you’re pointing at the wrong targets. You’re much more vulnerable to identity theft and fraud from information reselling–and your children are much more in danger from the availability of your personal data–than from someone stealing your Google photos.

  13. I thought this was a great quote from Naomi Klein’s new book, “The Shock Doctrine: The Rise of Diaster Capitalism”.

    “Part of the problem is that the disaster economy sneaked up on us. In the 80s and 90s, new economies announced themselves with great pride and fanfare. The tech bubble in particular set a precedent for a new ownership class inspiring deafening levels of hype – endless media lifestyle profiles of dashing young CEOs beside their private jets, their remote-controlled yachts, their idyllic Seattle mountain homes. That kind of wealth is being generated by the disaster complex today, though we rarely hear about it. While the CEOs of the top 34 defence contractors saw their incomes go up an average of 108% between 2001 and 2005, chief executives at other large American companies averaged only 6% over the same period.

    Peter Swire, who served as the US government

  14. What was to prevent your sex offender scenario from happening before? Nothing. What was to prevent an identity thief from stealing my personal information before? Again, nothing. The difference isn’t one of threat to my livelihood or my children, it’s a difference of degree. The ultimate threat to my family is no different in either case.

    Perhaps what we need here is the electronic equivalent of a personal shredder. I put all my credit card offers and receipts with my signature on them through a shredder as a reasonable precaution. But really, if someone is sufficiently motivated to mess with me, even a cross-shredder won’t keep them working out the puzzle and from opening accounts under my name or forging my signature. Again, it’s a question of degree, not of threat.

    And I found when I became a parent that I worry a lot about things that don’t necessarily qualify as “intellectually organized” in the sense you’re using. You might not think that having an unpublished photo of my kids out there being used to make money for Google or being used by a sicko to masturbate to isn’t a real threat, but I consider that possibility far, far, far more frightening than I do someone screwing with my credit rating. My credit rating can be fixed. My kids potential for loss of innocence can not be recovered.

  15. Even though we’re disagreeing on a great deal here, I hope you’ll understand that I do greatly appreciate that people like you do focus on personal information issues as much as you do. I’ve learned over the years that I have only a very limited amount of time and energy to spend on advocacy of one kind or another, and because I don’t consider it a high priority personally, I’ve focused my own energy on very different areas (global heating and energy supplies, reframing politics with progressive language, education, etc.). I appreciate that people like you three (Sunfell, DomPierre, and Martin) focus on issues like these because it means that I don’t have to.


  16. Pingback:
  17. Brian,

    I appreciate the kind words, but I still think your priorities are messed up. The problem with you not focusing on these issues is that there are far, far too many people out there like you, and as a result, it makes it harder for people like Sunfell and I to actually raise awareness on these issues. So in a very real way, you’re making my job more difficult.

    I guess we’ll have to just agree to disagree on this, but make no mistake–I think you would better serve yourself AND your kids by protecting them from the very real possibility that data shadowing could ruin your life, as opposed to paranoia about pervs masturbating to your kids’ photos or someone stealing your property for a company you’re probably never going to build.

  18. Something else to consider, Brian: your kids’ activities on the web might come back to haunt them when they are adults. Already, potential employers look at online social networking sites like “My Space” and “Facebook” and google the names of potential employees. If your kid was in a compromising pose at a frat party, and that got published online, it could greatly damage their chances of getting (or keeping) a good job.

    And- as minors- their online activities have a great potential to get you- or any other adult guardian- into deep trouble, too.

  19. Actually, the Facebook/MySpace thing is something I do worry about quite a bit, and every time I hear about kids getting into trouble for their online activities, I blame their parents for poor parenting. Young minors should be taught that there are good and bad ways to behave, and going online doesn’t turn something bad into something that’s OK (P2P music downloading without the artist’s permission, for example). And my concerns about the ubiquitousness of online access is something that my kids will learn about as they start going online. It’s my job as a parent to make damn sure that my kids know the risks of their online behavior BEFORE they’re allowed online without me sitting right next to them. (see this post on my personal site for more)

  20. I knew I should have read those links before I commented….

    In both cases you illustrated, I think the problem is actually a screwed up Puritan culture that expects perfection out of the next generation all the while conveniently ignoring the oats that the current generation sowed. In both cases, I think that the issue is rank hypocrisy.

    That doesn’t make your point any less accurate, however – adults can get in trouble for the activities of their children, and I could easily have been denied my own job because of the length of my own data shadow had my current employer chosen to do so (and, given that Colorado is a right to work state, I could still be fired because of it). But I think that the solution to idiocy like this is standing up to the hypocrisy (I hope the teacher wins her federal lawsuit – she should) and publicly shaming the people who engage in it.

  21. Ohhhh, I was sooo hoping to use this today, but I guess I’ll wait for another time. 😉

    But you can