An ocean of data…and of ears

How much data is produced every day? A quick Google search will tell you the current estimate stands at 2.5 quintillion bytes. For those of us that don’t know the difference between our zettabytes and yottabytes, that’s 2.5 followed by a staggering 18 zeros! Basically, the simple answer is a lot. A lot of data is produced and collected every day – and it is growing exponentially.

It might be hard to believe but the vast majority of the world’s data has been created in the last few years. Fueled by the internet of things and the perpetual growth of connected devices and sensors, data continues to grow at an ever-increasing rate as more of our world becomes digitized and ‘datafied’. In fact, IDC predicts the world’s data will grow to 175 zettabytes by 2025. It’s mind-boggling to think that humans are generating this, particularly when looked at in the context of one day. Or is it?

Data captured and stored daily includes anything and everything from photos uploaded to social media from your latest vacation, to every time you shout at your Google Home or Amazon Echo to turn on the radio or add to the shopping list, even information gathered by the Curiosity rover currently exploring Mars. Every digital interaction you have is captured. Every time you buy something with your contactless debit card? Every time you stream a song, movie or podcast? It’s all data. When you walk down the street or go for a drive, if you’ve a digital device, whether is your smartphone, smartwatch, or both – more data.

The majority of us are aware, possibly apathetic, that this data is collected by companies – but what might be more pernicious is the number of listeners out there and the level of granular engagement that is tracked. From device usage to Facebook likes, Twitches, online comments, even viewing-but-skipping-over a photograph in your feed, whether you swipe left or right on Tinder, filters you apply on selfies – this is all captured and stored. If you have a Kindle, Amazon knows not only how often you change a page but also whether you tap or swipe the screen to do so. When it comes to Netflix, yes, they know what you have watched but they also capture what you search for, how far you’ve gotten through a movie and more. In other words, big data captures the most mundane and intimate moments of people’s lives.

It’s not overly surprising that companies want to harvest as much about us as possible because – well, why wouldn’t they? The personal information users give away for free is transformed into a precious commodity. The more data produced, the more information they have to monetize, whether it’s to help them target advertisements at us, track high-traffic areas in stores, show us more dog videos to keep us on their site longer, or even sell to third parties. For the companies, there’s no downside to limitless data collection.

Data management: Data protection is weak

The nature of technology evolution is that we moved from ephemeral management of data to permanent management of data. The driver of that is functionality. On the one hand, the economics of the situation make it so that there is very little cost to storing massive amounts of data. However, what of the security of that data – the personal, the mundane, the intimate day-to-day details of our lives that we in some cases unwillingly impart?

Many express concerns about Google, Facebook and Amazon having too much influence. Others believe it matters not what information is collected but what inferences and predictions are made based upon it. How companies can use it to exert influence like whether someone should maintain their health care benefits, or be released on bail – or even whether governments could influence the electoral – Cambridge Analytica, I hear you shout. However, while these are valid concerns, what should be more troubling is the prospect of said personal data falling into the wrong hands.

Security breaches have become all too common. In 2019, cyber-attacks were considered among the top five risks to global stability. Yahoo holds the record for the largest data breach of all time with 3 billion compromised accounts. Other recent notable breaches include First American Financial Corp. who had 885 million records exposed online including bank transactions, social security numbers and more; and Facebook saw 540 million user records exposed on the Amazon cloud server. However, they are certainly not alone sitting atop a long list of breaches. Moreover, while it is certainly easier to point the finger in the direction of hackers, well-known brands including Microsoft, Estee Lauder and MGM Resorts have accidentally exposed data online – visible and unprotected for any and all to claim.

COVID-19 has only compounded the issue, providing perfect conditions for cyberattacks and data breaches. By the end of Q2, 2020 it was said to be the “worst year on record” in terms of total records exposed. By October, the number of records breached had grown to a mind-boggling 36 billion.

Brands and companies – mostly – do not have bad intentions. They are guilty of greed perhaps, but these breach examples highlight how ill-prepared the industry is in protecting harvested data. The volume collected along with often lack-luster security provides easy pickings for exploitation. In the wrong hands, our seemingly mundane data can be combined with other data streams to provide ammunition to conduct an effective social engineering campaign. For example, there is a lot of information that can be “triangulated” about you that may not be represented by explicit data. Even just by watching when and how you behave on the web, social engineers can determine who your friends and associates are. Think that doesn’t mean much? That information is a key ingredient to many kinds of fraud and impersonations.

One could postulate that the progress of social engineers should not be thought of merely as an impressive technological advancement in cybercrime. Rather these criminals have peripherally benefitted from every other industry’s investment in data harvesting.

Data management: Rethinking data exposure

We give up more data than we’ll ever know. While it would be nearly impossible, if not unrealistic, to shut down this type of collection completely, we need to rethink how much we unwittingly disclose to help reduce the risk of falling foul to cybercrime.

Are we thinking about Surveillance Capitalism the right way?

I recently purchased a greenhouse from a well-known catalogue retailer – now I’m swamped with Google and Facebook ads for greenhouse accessories and all manner of gardening paraphernalia. Ever wonder why this happens? The answer is that our data is systematically captured and then used to market to us, in a broad-scale set of processes known collectively as surveillance capitalism – a set of processes that are both pervasive and here to stay. While many of us dismiss the bombardment of ads as trivial, there are those who would argue that we need to be more au fait about this use of our data. While many people debate the intentions of those who conduct and profit from surveillance capitalism, the real concerns may be not simply the amassing of an incredible volume of personal data and its unprecedented synthesis; but moreover, the normalization of the surveillance techniques themselves that can fall into anyone’s hands.

What is surveillance capitalism?

The term surveillance capitalism was coined in 2014 by Shoshana Zuboff – a Harvard Business School Professor. In a book of the same name by Zuboff, she imparts that surveillance capitalism is an economic system centered around the commodification of personal data with the core purpose of profit-making. She states that surveillance capitalism claims our private digital experience as its source of free raw material and translates that raw material into behavioral data. In layman’s terms, surveillance capitalism outlines how commercial corporations – such as Google and Facebook – use data harvested from us to sell advertising, goods, and services. If anything, surveillance capitalism could be described as the business model of the internet.

Big Brother is watching, and we appear to be okay with it

Google pioneered surveillance capitalism – they were the first company to tap into this new form of profit-making. Now, it dominates the market. Tech companies, data brokers and other players continuously capture as much user data as possible not only to predict our behavior but also to influence and modify it so that it can be further used for commercial purposes. With so much to gain from digital data, surveillance capitalism is a trend that has spread far beyond big tech companies. Every bank, insurance company, supermarket, mobile phone operator, etc., now has its own surveillance capitalism strategy in place. Zuboff believes that this surveillance by private firms is a crisis as serious as climate change. She argues that it is a visible power grab that wields enormous economic and political influence. Should we really be more concerned about this state of affairs?

Many of us know and are aware that our data is being taken without our knowledge. We know big companies use data to manipulate us into becoming more predictable and more reliable consumers. As consumers we recognize that privacy concerns must be balanced against other societal goods. Some might say that what they are doing is really just marketing that has been adapted and updated for the digital era.

Many digital companies have been upfront about the trade-offs involved in using their products. Even Zuboff herself notes, “Privacy, they said, was the price one must pay for the abundant rewards of information, connection, and other digital goods when, where, and how you want them.”

It is interesting how the public view of privacy can quickly change based on our perception of who is collecting information and why. Generally, when it appears that we are getting back some perceived economic value, we have a mixed response to surveillance. But when it comes to government surveillance, the public broadly disapproves of invasions of privacy – even though the government utilizes the same core technology and collects the same sorts of data as the private sector. Events like the Cambridge Analytica scandal and Edward Snowden’s historic leak of US surveillance efforts highlighted the risk of political manipulation through data exploitation and reinforced public concerns around government surveillance and inference, weakening public trust.

The real security risk of surveillance capitalism

The morality and legality of commercial and governmental surveillance is often in the news. Less discussed, however, are the increased security risks the surveillance capitalism model creates for companies, governments, and individuals. Commercial and government data troves are, simply put, targets for social engineers. And the wealth of data underpinning surveillance capitalism is not just itself susceptible to attacks: it enables more effective social engineering crimes when accessed, in large part by adopting the same targeting techniques used by cutting-edge marketeers.

Data captured via surveillance capitalism can include details pertaining to finances, personal interests, consumption patterns, medical history, career path – in short, the raw material needed to carry out crimes like identity theft, business email compromise and even extortion and blackmail. It helps threat actors reach users across the web with ease and little oversight, since so much of the synthesis is automated. The bottom line is surveillance capitalism makes it relatively easy for bad guys to get their hands on rich data sets of highly personal information. It provides them with a substantial search facility to find and profile their next target and victim.

Data is not necessarily dangerous by itself. We all leave data trails as we live our digital life. Unconnected bits of data in an ocean of similar data don’t provide much of a foothold to cyber criminals. But surveillance capitalism has created an incentive to be much smarter about the synthesis of data. Now companies (and governments) are pulling all those data trails together to create a fuller picture of ‘you.’ Suddenly, everything is in one place. It is the concentration and rationalization of the data that now provides bad actors an easy way to steal identities and worse.

And the risk doesn’t end there. The science and techniques for surveillance, tracking and synthesis are being constantly improved. These same techniques can easily be weaponized if they fall into the wrong hands. So, whether or not a commercial enterprise has the intent to do harm or manipulate you may miss the larger point. Social engineers are like bees to honey for the data and methods of surveillance capitalism. The real concern is whether the many “well-intentioned” companies now storing gobs of sensitive information can keep your personal data secure.

Surveillance capitalism: The bigger picture

There is no denying that we’re fundamentally willing to exchange some measure of privacy for convenience. We also know that steps, albeit baby ones, have and continue to be taken around privacy and the right to be forgotten. But we also need to acknowledge the bigger issue of surveillance capitalism: it is not immune to surveillance itself and the personal data that it reaps may put us all in danger.

How much control have we given up just to enjoy the digital life?

We all enjoy life in the digital age and the Internet provides us connectivity, efficiency and fun. By submitting some of our personal data into online interfaces, we enjoy significant benefits in the form of services tailored to our needs; from banking to work, ecommerce, transport, dating, social media and everything in between. But, by using our personal information, and sometimes posting it in the public domain, we have created a problem. Who owns this personal data once it leaves your keyboard? And if it is misused, who is the negligent party? It might be you.

A day in the life of data: Just how much information do you give away?

Before the development of computer databases, we had certain expectations about privacy and accepted a certain level of public disclosure of personal information. And it seems this statement still rings true. Americans say they care deeply about protecting their data. Pew Research found that being in control of who can get information about us is “very important” to 74% of Americans. However, when it comes to online, a lot of people do not consider data privacy as an important issue. The irony!

With the advent of social media and messaging platforms we offer information about our personal life freely and voluntarily on a daily basis – and we rarely realize or question it. We regularly post personal (and sometimes compromising) pictures. We share our current location (and indicate where we are not!). We share our relationship status, where we went to school, where we live, work history, birth dates, phone numbers – the list goes on.

And we don’t even stop to think about it. We are too busy reaping the benefits.

“In general, there has never been so much personal information about individuals as readily accessible as there is today with the Internet,” says Kevin Werbach, professor of legal studies and business ethics at Wharton. “However, what most of us fail to recognize is that once content is posted online, it can be difficult to maintain total control over where it is eventually used, shared, or modified.”

Personal or private – data is open to misuse

Many consumers are unaware how their data is used or by whom. They operate with an assumption of trust. But data is regularly leveraged in ways the consumer never imagined. The data a user scatters can be harvested and analyzed to reveal a wide variety of personal attributes that, while seemingly innocuous by themselves, can add up to form a skeleton key that social engineers can use to unlock real personal assets or corporate secrets. Shopping habits, political affiliation, relationship status etc., can all be used as steps in the ladder of a cybercrime.

Adding a sad face to a post about stray dogs, for example, can reveal what charities you might support. “You may not say much about your salary, but your ‘likes’ on brands or restaurants say a lot. Your daily routines and whereabouts can be deduced from your posts – especially if they’re geo-tagged,” says Maria Fasli, Director of the Institute for Analytics and Data Science, University of Essex.

And when it comes to email and messaging services, most of us blindly accept that this information is private. But privacy and the internet don’t go hand in hand. Just who, other than the intended recipient, will receive or have access to the information you provided? Will it be shared with other parties? Is it at risk of being used in ways you did not consent to?

Anita L. Allen, professor of law and philosophy at the University of Pennsylvania and a leading expert on privacy issues, says the core questions raised by misuse of the Internet are not new. “It goes way back to the general problem that people will use personal information that they can collect through surreptitious or open means to advance their interest at our expense. What is new is the ease with which information can be collected and shared, and the ease with which it can be maintained for indefinite periods of time.” So, if we know our online data, both private or professional, can be misused, who is the negligent party? Are you to blame? The more fundamental question is not whether you own your personal data. The real question is whether or not you can control your personal data once it’s out there.

Who owns your personal data and who controls your personal data?

There are definitely blurred lines when it comes to data ownership – and negligence. If you post your social security number online, it’s pretty clear that if something bad happens, you are the negligent party. But when it comes to other personal data shared or communicated, it’s not so black and white.

Way back in the 2006, Kevin Werbach, who already was concerned about data ownership when using third parties, stated, “There’s a difference between putting information on a purely public site, like your own website that’s accessible to anyone in the world, and putting something on a site like Facebook, which is a controlled, private site available only to its members,” Werbach notes. “The question of who owns the information on these sites is a very interesting one. Most have policies saying they have ownership of anything posted there, but clearly that doesn’t give them leeway to do anything they want with that information. And they have privacy policies that impose limits on how they can use that data. But there’s no simple answer as to whether the information belongs to me or to the site.” And that was more than a decade ago.

Personal Data Security: How can we better protect ourselves?

In the early days of eCommerce, it was common for some people to have misgivings about entering their credit card into a website. What has taken a bit more time to emerge, however, is awareness of the Internet’s increasing threat to personal privacy.

Today, the technologies behind websites that collect data have become very sophisticated. But this is a little like when cars first made an appearance. People stepped into these hulking, loud and very fast fun machines and there was absence of speed limits, seatbelts, and not even a thought of an air bag. It took many tragedies to change laws and promote the development of safety technologies to keep us safe. When it comes to the Internet, we are basically speeding down the highway, standing in the bed of a pick-up truck. It has been fun, but now is the time to start thinking about the parameters that will keep us safe. We are in need of digital seat belts and air bags to help minimize risk and misuse of our personal data.