Online trackers know a lot more about us than we do about them.
Online privacy is something that is becoming a more important part of broader discussions around the internet, particularly as the general public become more cognisant of how free-to-use social networks and search engines use and monetise their data.
Ahead of GDPR, Facebook announced it would be launching new privacy tools to help people make more informed decisions about their information, and it is not the only major tech company spearheading awareness campaigns around personal data. Companies such as Google employ user data in their business models, in ways most people are not yet aware of. According to eMarketer, the average US citizen is worth approximately $250 annually to digital advertisers.
Ghostery is a browser extension that aims to make web browsing cleaner and safer by detecting and blocking thousands of third-party data-tracking technologies for more privacy-conscious users. Since it launched in 2009, Ghostery has more than 7m monthly active users who access the tool via the free apps or browser extensions.
Siliconrepublic.com spoke to head of product at Ghostery, Jeremy Tillman, about handing the power back to users and how GDPR will affect people’s perception of what privacy means in the digital age.
Why is there a danger in shifting responsibility to users of social media sites in terms of their data?
The danger is that it requires users to take active measures to exercise any control over their data, which of course would require that they even have the awareness or wherewithal to do so.
As long as Facebook is collecting personal data by default without affirmative and explicit consent, the inertia of these default settings and the general lack of widespread understanding of how to manage privacy settings will result in the vast majority of users continuing to unwittingly give away troves of personal information. That they would also do so across all the websites that Facebook has a third-party tracker on (up to a third, per our study) would only compound this problem exponentially.
Does there need to be more education around the value of an average person’s data and how companies monetise it?
The average consumer has no idea that the data they are giving away for free is worth this much. That’s why it is so important for internet users to make an informed choice on what data to make private. With tools to help them detect which tracking services are mining their personal information, and to block these trackers if desired, they are able to make a more informed value transaction. Is this content valuable enough for me to make it worthwhile to give up all the personal information digital advertisers are requesting from me?
Right now, digital advertisers have the upper hand over consumers, and the bottom line is that all internet users should have control over what data they want to share.
Will GDPR have a major global effect on these firms?
Absolutely. Because GDPR and its penalties impact any company that does business in Europe or with European citizens, it effectively becomes a standard for all international companies. The biggest challenge that companies face will be the need to change their approach to personal data collection. Under GDPR, consent for personal data collection has to be clearly affirmative, unambiguous and freely given, meaning that implicit opt-ins using pre-checked boxes or implied consent notices (like the classic ‘you agree to our privacy policy by using this site’ notice) are no longer going to cut it.
GDPR also considers any online identifier, even pseudonymous identifiers, as personal data, which means that any use of cookies or trackers needs to comply with the new law. Because the use of these technologies is ubiquitous across the web, websites will need to implement a different kind of consent mechanism that meets the letter of GDPR.
An interesting twist to these more stringent consent rules is the requirement to honour user-selected browser settings that would qualify as an affirmative choice to grant or withdraw consent. This includes the setting that most browsers have to automatically send a ‘do not track’ request to each website a user visits, which would effectively withdraw that individual’s consent from websites to collect personal data.
Beyond this requirement, companies are required to make all personal data portable as well as respect the right to erasure. The former simply means that companies need to store personal data in such a way that a user can transfer it to a platform of their choosing while the latter is an evolution of the right to be forgotten, a directive that requires companies to delete the personal data of anyone that requests it.
Both of these requirements imply that some companies will have to make major changes in their data storage infrastructure. Beyond the technical costs, the GDPR also stipulates that companies staff specific personnel, including a data protection officer, a role that will be new for the vast majority of companies.
What kind of problems do third-party trackers and covert tracking present in general?
As evidenced by our Tracking the Trackers study, trackers are all over the internet and everyday consumers have no idea that trackers exist and are collecting much of their personal data. We found that there’s at least one tracker prowling around 77.4pc of our tested page loads, monitoring consumers’ every web-surfing move, and that 10 or more trackers that amass personal data were found on 21.3pc of the sites (unique domains) analysed. It goes beyond just the basics like obtaining demographics and shopping behaviours or preferences; trackers have the ability to dig deep and create highly personalised profiles, detailing aspects of consumers’ lives like sexual orientation, health, political views and religious beliefs.
What are the most pressing privacy issues online in your view?
Overall, it’s the lack of transparency around the third-party trackers that are chronicling users’ activities on a website. Even scarier is that, oftentimes, site operators themselves have no idea which specific tracking scripts and pixels are on their website. Additionally, some of the biggest companies in the world – Google, Facebook etc – monitor users the most. Per our study, Google owns five of the top 10 of the most widely used trackers, based on page loads with five services, and Facebook has three. For instance, Google Analytics alone was found on nearly half of all loaded pages (46.4pc) and Facebook Connect was on more than a fifth (21.9pc).
Do you sense a change coming in terms of how the public views ‘free’ social networking sites and apps?
The public is still largely unaware that these ‘free’ social networking sites extract a high price from them in terms of personal data collection, and there is little evidence that overall privacy awareness is increasing or that social media usage is decreasing. Fortunately, there is an increasing awareness that social media sites and apps are alarmingly addictive, almost certainly by design, and there is a growing sense that our constant compulsive need to check our screens for the latest tweet, like or pic is something akin to a drug addiction.
Considering the tremendous amount of personal user data that social media apps can harvest, one wonders if the public will ultimately make the connection that Facebook and Google are pushing addictive products that individuals can’t say no to and that they’re extracting a tremendously steep price in data collection in exchange for heady yet empty social media hits.