
'Something to ponder when enjoying innovative free services'
Or just don't use innovative free services.
Cyber Privacy: Who Has Your Data and Why You Should Care is the title of a new book from April Falcon Doss, a former associate general counsel for intelligence law at America's NSA. Doss spoke to The Register about her concerns with pervasive data collection and its potential for harm. These days the author is chair of …
Don't think you're any safer using paid services. Any company will eagerly store and monetize your private data -- regardless of whether you're paying for their product or service.
Microsoft is an obvious and egregious example. You pay for a Windows license when you buy a PC, you pay for Office 361, yet they still aggressively track you and exploit the collected data.
You pay for cellular service, yet carriers monetize your web and location activity*.
You pay for your cell phone, yet phone makers are regularly caught embedding spyware, adware, and trackers in their OS "enhancements." That has also happened with PC hardware (looking at you, Lenovo).
You pay for merchandise in stores, yet they also monetize your transactions with them.
You (indirectly) pay swipe fees to use credit cards, yet credit card banks and processors whore out your data relentlessly.
Free or not doesn't matter. You're always the product now.
* At least in the US, but probably elsewhere too to varying degrees.
The one thing that's good about that Borg (sorry, Amazon) Ecosystem is that it exists to sell you stuff. It does harvest your data so it can sell you more stuff but there's no reason why they'd sell or rent your data to a potential competitor. Everyone else harvests your data as a valuable product, pretty much their only product, and they do Heaven only knows what with it. This probably accounts for why Amazon is so successful -- their website is easy to navigate, finds what you want quickly and gets you to buy it using one-click. In and out in seconds. Everyone else gums up their websites with excessive scripting and third party spyware.
Is this an entirely satisfactory situation? Of course not, but since the data horse left the privacy barn a good couple of decades ago we're not going to be turning back any clocks (apart from Daylight Savings Time, of course). Even the "security services" are in on the act -- assuming you were paying attention post-9/11 you would have picked up the idea that the vast bulk of data collection by the guvmint was most cost effectively done by purchasing it from the brokers. It's a win/win for everyone and it dovetails nicely with the ideological urge to privatize any government function that's worth a buck or two.
"It does harvest your data so it can sell you more stuff"
Given the stuff that it suggests, presumably on the basis of that data, there seems to be a gap between intent and achievement.
BTW, folks, give Neil the upvotes he deserves. I'm embarrassed to have got more than him..
" there's no reason why they'd sell or rent your data to a potential competitor."
That's naive. Amazon is a corporation with the sole goal to maximize profits. Selling stuff did not require them to create AWS.
If there is a viable business case, they will use or sell that data. Amazon is competing with every. single. one. of its product vendors for a slice of the revenue - they're just doing it in a co-operative manner.
China turned back the clock. No one is saying you can't go out and run down that horse - just that western democracies are poorly set up to do it.
"Everyone else [other than Amazon] gums up their websites with excessive scripting and third party spyware."
Amazon itself also makes requests to all sorts of mysteriously named hosts on its own domains too. There are a few obvious media CDNs (fair enough), but also strange hosts such as "unagi" and "fls".
As a general rule, I don't permit scripts to run (using NoScript) unless they seem to be necessary for the functioning of the site. Not permitting scripts from any of these hosts doesn't seem to affect the functioning of the site for me, but part of me is curious as to what all these other hosts are actually trying to do...?!
These privacy policies are obscure by design and so long that most give up reading them - the companies that have them do not want people to understand them.
There needs to be an agreement written to be easy to read and given aka kite mark which shows that it is reasonable, fair, etc. There should be several varients to cover different sorts of relationship and be capable of having a schedule attachment to cover things like "how many days to deliver", "postage", etc.
From a presentation I have seen from somebody writing such policies, they are not particularly designed to be obscure, but rather to not actually restrict anything. These are words that can be used against them, so they never write "we will not do this", because there's too much risk that they may change their mind on what they want to do, or even that it can be interpreted differently from what they want (e.g. some interpret "showing personalized ads" as a subset of "selling private data", and you can bet that Facebook doesn't see it that way, but they still won't dare to write "we will not sell your private data" because some judge might disagree). They don't want to paint themselves in a corner.
So you end up with open-ended descriptions of what is done with the data instead. "We will use your data to give you a better user experience, such as... and... and..." but the list is never implied to be exhaustive, so that they can always claim that whatever it is they are doing was implied as possible by the list.
"a presentation [...] from somebody writing such policies" would almost certainly disavow any intent to be obscure, but were that true how would one justify these two examples from our current research project? A well known software house privacy policy of around 32,600 words and a recruitment business (that also seems to also do targeted advertising) with a 40,600-odd word privacy policy that specifically attempts to deny data subjects their statutory rights of complaint.
That's naive.
In places where privacy laws require disclosure, obscuring that disclosure is a clear solution for a corp to break the law. You can google Cadillac Fairview Anonymous Video Analytics for a recent example, but here are some of the headline statements:
" a user on Reddit ... posted a picture of a malfunctioning wayfinding screen ... . The screen displayed lines of code that appeared to reference facial recognition programs. "
“An individual would not, while using a mall directory, reasonably expect their image to be captured and used to create a biometric representation of their face, which is sensitive personal information ... ”
" the relevant information was buried in the middle of the 5,000-page document, was described in overly broad language, and when investigators did ask for a copy at the Eaton Centre’s guest services kiosk, they were met with confusion."
"Cadillac Fairview “expressly disagreed” with the findings of the privacy commissioners’ offices, and refused to commit to obtaining express, opt-in consent if it decides to use similar technology in the future"
I will again offer up this most excellent Freefall cartoon.
There's a shocking amount of truth in it as there is in truth little legislation to curtail such an approach.
I recall there was once a project that gave policies and terms a TL;DR readability score, but I cannot find it now. A shame, because it was a laudable idea, but maybe it floundered because our definition of what is "normal" and "acceptable" has experienced a wrenching, IMHO near tectonic shift..
While we might have it at the moment, how long before Boris/Cummings paymasters demand that we remove it from our laws?
I think Jan 2nd 2021 might be the start of the attempts to water down and ultimately remove any GDPR protections we might currently enjoy.
BREXIT, the unwanted child that keeps stealing the limelight.
The demented looking Dom already is planning big things.
“One of the many advantages of Brexit is we will soon be able to bin such idiotic laws,” Cummings wrote. “We will be able to navigate between America’s poor protection of privacy and the EU’s hostility to technology and entrepreneurs.”
https://www.theneweuropean.co.uk/brexit-news/europe-news/uk-trade-threatened-by-cummings-data-protection-plans-96114
Bloody freak.
If users can't meaningfully consent to data collection / re-use then it should be more tightly restricted; e.g. no transfer to third parties without separate consent. This will challenge the business models of the "user-as-the-product" advertising companies and bring their true costs and values to light.
People used to pay to communicate via telephony, telegraphs, telegrams, postage. The only reason why we can't put some cost back into the equation is that people haven't woken up to what it's actually costing them and they think it's free.
Essentially GDPR is designed to do that. Part of the trouble is that they can only be caught in breach when someone goes after them. I suggested in the Experian thread that we need to start at the other end: large scale* data brokers and aggregators should require a licence to operate. Conditions of the licence including a requirement to provide regular statements of data held to each data subject and regular audits. The statement would have to include by what right each item was held and there would be an obligation to correct errors and delete - and not re-collect - items for which there was no consent or for which the subject wished to withdraw consent. The statement should also include a statement of categories of data added and deleted since the last statement, and perhaps an ability to demand an interim statement of the exact holdings at some point in time of the subject's choosing**. Failure of an audit, including demonstrable failure to abide by statement rules could result in immediate suspension of the licence with it being a criminal offence to oversee continued processing after a suspension. Suspension remains in effect during any appeal.
If this makes the business model unprofitable, tough. You have a right to run a business but not to mess with others' individual rights. The ICO pointed this out quite clearly in the Experian case.
* Best defined as a function of number of data subjects, volume of data and sensitivity of data.
** If they want to permanently delete data before the first statement, fine, but unchecked they'd simply delete data before a statement and re-collect it afterwards.
An unknowable fraction of the population is aware but there is no alternative except for disconnection. Complete disconnection is not practical for most people - e.g., where have all the payphones gone? I'm sure it is already the case in China that the street camera data is combined with cell phone data to find those individuals who are not carrying an active cell phone - very suspicious behaviour. That will come here eventually if it isn't here already.
Honey, the NSA has done a brilliant job of replicating the principle of government surveillance on its own, no export needed.
I'm glad that someone knowledgeable has penned a tome that is dearly needed, but stop pretending that government surveillance is a threat from abroad.
That bird is roosting on your chimney right now.
Hang on ... ex-NSA employee has concerns with pervasive data collection and its potential for harm, isn't it a bit late to be worrying about this considering that's what your employer was all about and you were happy to do it while picking up your pay cheque ???? Hypocritical comes to mind, but I'm sure there is a more accurate and stronger term out there !
Me? Why would I be? Just look at my profile, I've been saying this exact thing on El Reg for years. The issue is actually physiological: thanks to Orwell, we've been trained to worry about governmental Big Brothering but not to doubt the power of Big Business. To the contrary, in any modern 'first-world' capitalist system (UK, US, EU, Japan, South Korea, Taiwan) we've been taught just the opposite, that Big Business will save your freedoms from want, solve your problems of sustenance, provide you with a good life of that 'first world' living standard, all with little to fear. Anything they do, they do with the 'market' overlooking their shoulders and therefore they only have the best intentions at heart, lest the market punish them for going astray.
It's all a pipe dream delusion - Big Government is bad, but Big Business is good because they'll always act in your, the customer's, best interests. Laissez-faire is the best outcome, because everyone will only act for beneficial reasons! Yes! Who needs those ugly laws, they only get in the way of the purity of a true capitalist's grand and noble intentions!!
And the 1800's are calling. They want their millions of injured and dead workers back - they can work instead in our Grand Future, they'll be familiar and comfortable there.
I think people underestimate the ways in which their data is used to manipulate and shape their opinion, their thinking, their intentions...
Approaching it from another direction on a different level of understanding, what people need to realise is that it is impossible to overestimate the ways in which their data is used to manipulate and shape their opinion, their thinking, their intentions... although of course so many will be severely limited in that department by virtue of their lack of intelligence and imagination. Not all though are so confined or contained/captured and quarantined.
No, that's only the US approach adopted in the past few decades, it's not at all "traditional" elsewhere. For example here ISPs are now barred from forcing their modem/routers on users even if they give them away for free. Because it hampered choice of models, damaging independent sellers able to offer other models, and not allowing users to use more powerful models albeit pricier. The incumbent telco was fined for using price dumping in an attempt to put out of market a dangerous competitor. In both cases if price is the only metric, you look at your finger and not at the gorilla behind it....
Especially when you avoid teaching and explaining it. For example I see schools in many different nations to be very bad at explaining to people the basics of law and business/economy to understand how to protect their rights and avoid being easily exploited. It's quite useless just to learn about the high principles in a "Constitution" when you need to know a lot more about actual laws governing every day life. I meet people who barely know what a contract is and thereby how to avoid being conned. It's that those who are at the top exactly because they could climb over other people without the right knowledge don't want them to learn and understand. What companies are doing with data is not hard to explain. Sure how they do it in detail is far more complex, but a deep knowledge of it is not important, just like you don't need to know how a computer works internally to type this.
Why do people always talk about China and Russia when referring to surveillance but not the United Kingdom where on the current trajectory cameras will outnumber people, the police retain ANPR data for 2 years, the spooks are about to be permitted to legally break the law if bozo gets it through parliament. The UK is a totalitarian nightmare that is more than comparable with anything Russia and China can throw at individuals.
Big companies love Big Data aggregators where they can buy a cheap subscription and snoop on their employees and potential hires. They can also snoop on key people working at their competitors. Marketers love to be able to buy up to date lists of relevant people to market at. The best time to bombard somebody with ads for baby stuff is the last couple of months of pregnancy so being able to buy a list of pregnant women in a region lets them direct the advertising most efficiently. A renter doesn't care about putting a new roof on, but the owners might be in the market, so you only want contact info of people that own homes if you are in the roofing business. All of those customers for detailed data are driving how well these information companies are doing.
Pay cash. Don't sign up for anything. Stay away from "apps". Turn your BT and WiFi on your phone off when out shopping or not using them. Don't let your car insurance company talk you into installing their tracking module in your car's OBD port. If you are handed a form on a clipboard to fill out, question each item to see if it makes sense for them to have that information.
Shurely, Shirly, we all know that the privacy statement means "we will collect as much data on you as we like and do whatever we like with it".
Tedious to avoid, but:-
No smartphone.
No Facebook, twitter et al, unless with a false identity and location.
A VPN.
uBlock Origin - I haven't seen adverts for years.
Cookie Autodelete - just keeps the few (four companies) and automatically deletes the rest.
And of course, Linux Mint, no Microsoft, Apple or Google (and coming Chinese ones) operating systems.
And DuckDuckGo.
I said it was tedious.
John.
xx