Recently there have been stories in the national news about digital privacy violations: messages being intercepted by social media platforms, phone data being collected by the government, and internet users having their online behaviors tracked without consent. Due to breaches in internet privacy, U.S. legislators are calling for restrictions on data use by advertisers. It seems that the issue of privacy is not about to blow over anytime soon. As such, it may be useful to examine how we think about privacy – not what our individual positions are on privacy, but rather the process of evaluating the uses and users that cause us to define our individual positions.
When evaluating privacy, there are two questions to consider:
- Is the information that another party can request or acquire about me potentially harmful, if used in an unacceptable manner?
- Can the party that requests the information use it in an unacceptable manner or transfer it to another party that might use it in an unacceptable manner?
For example: does the National Security Agency (NSA) have or collect any information that could be used to harm someone? The answer is: they have names, addresses, and current GPS coordinates. If they wanted, they have the capability to send someone to Guantanamo based on information gathered – inappropriate “humor” or a number of suspicious followers. Another question: does the NSA have the ability to transfer consumer information to someone else? Think FBI, LAPD, and Edward Snowden. Those names, phone numbers, and addresses are personally identifiable information (PII) and they can be used to find anyone in the physical world. All police departments, private detectives, and ex-significant-others can receive, understand, and use information connected to a person by these tags. Finally, would they ever do it? Would a government agency or someone within a government agency ever use the information against you (think George Washington Bridge traffic). Do you trust the NSA or your significant other? This is a personal and complex question that only you can answer. Let’s move on to another example: the Interactive Advertising Bureau (IAB).
The IAB is a representative organization made of up over 600 media and technology companies in the industry. Since the IAB doesn’t track or engage in behavioral targeting, let’s use third party advertisers as a more accurate label for the collective group under consideration. Do third party advertisers have or collect any information that could harm you? Typically the information they keep is reasonably harmless, but let’s take a closer look. These advertisers may see that a browser has been accessing adult content (potentially embarrassing), a dating site (embarrassing depending on relationship status), or a recipe for incendiaries (rare, but potentially compromising). In light of these examples, let’s say third party advertisers do collect potentially harmful data.
Do third party advertisers have the ability to use the information in an unacceptable manner or transfer it to someone who could use it in an unacceptable manner? Collecting third party data is very difficult and it requires the cooperation of many large business entities. Third party data providers enroll the cooperation of many publishers to observe web traffic through the use of third party cookies. However, they don’t employ behavioral advertising. That is done by advertising companies, which must first synchronize their cookies with the very separate and isolated third party cookies of data providers. This is a complicated process that must be done one cookie at a time. It takes many months to synchronize the cookies of an entire audience and must be continually refreshed. This process requires the use of redirects. Browsers limit the number of redirects that are allowed, which naturally restricts the number of entities that can cooperate in this way. Those that do so are well known and under constant scrutiny.
While it is conceivable that some nefarious entity could, with great difficulty, share the data, it is unlikely that it will happen and almost guaranteed to be detected. Even if it were (by some finite chance) to happen, the end result is a cookie. The good news is that a cookie is anonymous and cannot be linked to a physical address or name or phone number. In fact, your cookie data is meaningful for showing you relevant ads, but useless for connecting you as a person with your online behaviors. Therefore, your online behaviors, as odd or revealing as they may be, aren’t useful for much except online advertising to your device. The answer to the second critical question, therefore, is a pretty reasonable “no” in the case of online behavioral data.
There are plenty of ways that data can, intentionally or accidentally, harm you. Medical records, financial records, online logins, shopping transactions, and account information all contain personally identifiable information. Thus, all that data might be used in an unacceptable manner. We should be taking steps to improve online privacy, no doubt, but we need to also focus these efforts on the types of data and the data collectors that matter.