“Where” is determined by a number of techniques—by your phone’s GPS antenna, by triangulating your mobile’s position from its distances to nearby cell-phone towers, and even by the Wi-Fi networks you connect to. These locational data are increasingly appended to more and more of your online transactions as so-called file metadata—that is, data that describe other data. For example, when most people take a photograph with their mobile phones, their locational data (GPS coordinates, longitude and latitude, and so forth) are embedded in the image file. When you upload those photographs and videos to Craigslist, Flickr, YouTube, Facebook, and hundreds of other services, those revealing locational metadata can be passed right along with the original file. For some apps, such as Google Maps or GPS navigation tools, the request for your location is perfectly logical. But for others, capturing your locational data is just another way for app makers to sell your data at a higher price.
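To make the mechanics concrete, here is a minimal sketch of how those embedded GPS tags can be read back out of a photo, using Python and the Pillow imaging library; the file name is hypothetical, and a photo will carry no GPS block at all if the camera's location setting was turned off.

```python
# A minimal sketch of reading the GPS metadata embedded in a photo's
# EXIF block, using the Pillow library (pip install Pillow).
# Works for JPEG files; other formats may lack an EXIF block.
from PIL import Image
from PIL.ExifTags import TAGS, GPSTAGS

def extract_gps(path):
    """Return the GPS EXIF tags embedded in an image file, if any."""
    exif = Image.open(path)._getexif() or {}
    # Locate the GPSInfo block among the numeric EXIF tag IDs.
    gps_raw = next((v for k, v in exif.items() if TAGS.get(k) == "GPSInfo"), {})
    # Translate numeric GPS tag IDs into readable names such as
    # GPSLatitude, GPSLongitude, and GPSLatitudeRef.
    return {GPSTAGS.get(k, k): v for k, v in gps_raw.items()}

# The file name below is hypothetical.
# print(extract_gps("IMG_0042.jpg"))
```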
Your postings on Facebook, your tweets, and your searches on Yelp all use locational data. Moreover, an increasing number of location-based service (LBS) start-ups are incorporating your “where” into everything from shopping to real estate. Perhaps one of the fastest-growing niches in LBS apps is the one involving romance and love, especially “love” of decidedly limited duration. Apps like Tinder and Grindr have been downloaded millions of times and may be responsible for more than fifty million hookups, according to Tinder’s CEO. Ah, love apps … a many-splendored thing.
But with all the potential benefits of these new streams of locational data come new risks as well. In 2012, a Russian company launched an app called Girls Around Me, which was approved for inclusion in both the Apple App Store and Google Play. Girls Around Me took advantage of all those public postings, status updates, photographs, and check-ins with locational metadata that women had been posting on services like Facebook and Foursquare. When a user launched the Girls Around Me app on his phone, he need only press a single button to be presented with an interactive map showing the faces of young women in his vicinity and their exact locations. Using the app’s “radar mode,” anybody could geo-locate these women and see their Facebook profiles.
For example, if a man used Girls Around Me and saw that a young attractive woman had just checked in at the local Starbucks, he could track her, access her Facebook profile, see what high school or college she had attended, learn that she recently vacationed in Las Vegas, and find out the names of her parents, her favorite drink, and the fact that earlier that day she had watched Orange Is the New Black on Netflix. Armed with this information, the man, a stranger, could casually walk up to the woman as she stood in line ordering her daily grande extra-hot soy latte and strike up a conversation discussing how much he loved Vegas and Orange Is the New Black. A very useful tool for dating, as well as for stalkers and rapists searching for women of interest.
For advertisers, “where” is not just about your current location; it’s also about where you were yesterday and last month and where you are likely to be tomorrow. Locational records detail exactly how much time you spend in Macy’s versus Best Buy, and the sequence of these movements tells much more. In today’s world of location-based advertising, when a woman takes her smart phone and its apps with her to the gynecologist’s office, an interesting data point is registered across the mobile advertising ecosystem. But when the same woman three weeks later walks into a Babies “R” Us, a much deeper truth is potentially revealed. By aggregating your locational data over time, advertisers can deduce whether you go to church or synagogue, work out at a gym, drink often at the local bar, see a psychologist, or are cheating on your spouse. But who exactly are these people collecting all of this information, how much of it do they have, and what do they do with it? As you are about to discover, they have vast amounts, growing at an exponential rate, for uses we and they haven’t even begun to identify.
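To see how little machinery such inference actually needs, the toy sketch below simply counts repeat visits in a log of place check-ins; the venues, timestamps, and the two-visit threshold are all invented for illustration.

```python
# Toy illustration of inferring habits from aggregated location data.
# The visit log and the "habit" threshold are entirely made up.
from collections import Counter

visit_log = [          # (timestamp, venue_category)
    ("2014-03-02 09:10", "church"),
    ("2014-03-04 18:30", "gym"),
    ("2014-03-07 21:00", "bar"),
    ("2014-03-09 09:05", "church"),
    ("2014-03-11 18:40", "gym"),
]

def infer_habits(log, min_visits=2):
    """Flag any venue category that recurs at least `min_visits` times."""
    counts = Counter(category for _timestamp, category in log)
    return {cat: n for cat, n in counts.items() if n >= min_visits}

print(infer_habits(visit_log))   # {'church': 2, 'gym': 2}
```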
CHAPTER 5
The Surveillance Economy
In digital era, privacy must be a priority. Is it just me, or is secret blanket surveillance obscenely outrageous?
AL GORE
Leigh Van Bryan was looking forward to his first American holiday. A few days before his trip to Los Angeles, the twenty-six-year-old Brit checked in with a friend on Twitter and asked if she was “free this week for quick gossip/prep before I go and destroy America.” Van Bryan’s use of the word “destroy” would easily have been understood by any of his U.K. mates in their twenties as being British slang for “getting trashed and partying.” Unfortunately, Van Bryan did little partying upon his arrival in America.
The Department of Homeland Security had been broadly monitoring social media for threats against America, and now Van Bryan was caught in its web. Upon his arrival in Los Angeles, Van Bryan and his travel companion, twenty-four-year-old Emily Bunting, were greeted by armed Customs and Border Protection agents, handcuffed, and put in a cell with alleged Mexican drug dealers for twelve hours. Though the pair attempted to explain their slang usage of the word “destroy,” U.S. officials would have none of it. Federal agents repeatedly searched the couple and their suitcases, inexplicably looking for shovels. It turns out another tweet about “diggin’ Marilyn Monroe up”—a nod to an episode of the cartoon Family Guy—had also raised red flags with Homeland Security, which feared for the late starlet’s remains. After an uncomfortable night in separate cells, Van Bryan and Bunting were reunited, just in time to be thrown on a plane back to the U.K. The couple had been denied entry to the United States and deported back to Britain. In the end, the only things destroyed were their visas and vacation.
You Thought Hackers Were Bad? Meet the Data Brokers
Acxiom, Epsilon, Datalogix, RapLeaf, Reed Elsevier, BlueKai, Spokeo, and Flurry—most of us have never heard of these companies, but together they and others are responsible for a rapidly emerging data surveillance industry that is worth $156 billion a year. While citizens around the world reacted with shock at the size and scope of the NSA surveillance operations revealed by Edward Snowden, it’s important to note that the $156 billion in annual revenue earned by the data broker industry is twice the size of the U.S. government’s intelligence budget. The infrastructure, tools, and techniques employed by these firms rest almost entirely in the private sector, and yet the depth to which they can peer into any citizen’s life would make any intelligence agency green with envy.
Data brokers get their information from our Internet service providers, credit card issuers, mobile phone companies, banks, credit bureaus, pharmacies, departments of motor vehicles, grocery stores, and increasingly our online activities. All the data we give away on a daily basis for free to our social networks—every Like, poke, and tweet—are tagged, geo-coded, and sorted for resale to advertisers and marketers. Even old-world retailers are realizing that they have a colossal secondary source of income—their customer data—that may be even more valuable than the actual product or service they are selling. As such, companies are rushing to profit from this brand-new revenue stream and transform their data infrastructure from a cost center into a profit center. Though credit bureaus such as Experian, TransUnion, and Equifax have been with us for decades, our increasingly connected online lifestyle enables new firms to capture every drop of data about our lives in ways that were previously unthinkable and impossible.
Just one company alone, the Acxiom Corporation of Little Rock, Arkansas, operates more than twenty-three thousand computer servers that “are collecting, collating and analyzing” more than 50 trillion unique data transactions every year. Ninety-six percent of American households are represented in its data banks, and Acxiom has amassed profiles on over 700 million consumers worldwide. Each profile contains more than fifteen hundred specific traits per individual, such as race, gender, phone number, type of car driven, education level, number of children, the square footage of his or her home, portfolio size, recent purchases, age, height, weight, marital status, politics, health issues, occupation, and right- or left-handedness, as well as pet ownership and breed.
The goal of Acxiom and other data brokers is to provide what is alternatively called “behavioral targeting,” “predictive targeting,” or “premium proprietary behavioral insights” on you and your life. In plain English, this means understanding you with extreme precision so that data brokers can sell the information they aggregate at the highest price to advertisers, marketers, and other companies for their decision-making purposes. For example, showing an ad for Pampers to a nineteen-year-old male college student might very well be a waste of an executive’s marketing budget, but the same ad presented to a thirty-two-year-old pregnant housewife might result in hundreds of dollars in sales. To maximize the value of the digital intelligence they collect, data brokers are forever segmenting us into increasingly specific groupings or profiles. Welcome to the world of dataveillance.
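A stripped-down sketch of that targeting logic might look like the following; the ads, traits, and weights here are invented, and real brokers score against hundreds of attributes rather than a handful.

```python
# A toy version of behavioral targeting: pick the ad a given profile
# is most likely to respond to. Ads, traits, and weights are invented.

ads = {
    "diapers":   {"has_children": 3, "age_25_40": 1},
    "textbooks": {"is_student": 3, "age_18_24": 1},
}

def best_ad(profile_traits):
    """Score each ad by its weighted overlap with the profile's traits."""
    def score(targets):
        return sum(w for trait, w in targets.items() if trait in profile_traits)
    return max(ads, key=lambda name: score(ads[name]))

print(best_ad({"is_student", "age_18_24"}))    # textbooks
print(best_ad({"has_children", "age_25_40"}))  # diapers
```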
Acxiom sells these consumer profiles to twelve of the top fifteen credit card issuers, seven of the top ten retail banks, eight of the top ten telecommunications companies, and nine of the top ten insurers. To command the billions it charges its advertising customers every year, “Acxiom assigns you a 13-digit code and puts you into one of 70 ‘clusters’ depending on your behavior and demographics.” For example, people in cluster 38 “are most likely to be African American or Hispanic, working parents of teenage kids, and lower middle class and shop at discount stores.” Someone in cluster 48 is likely to be “Caucasian, high school educated, rural, family oriented, and interested in hunting, fishing and watching NASCAR.” These data are also sold to other third-party brokers who apply their own algorithms, further refining the data sets to create category lists of their own such as “Christian families,” “compulsive online gamblers,” “zero mobility,” and “Hispanic Pay Day Loan Responders.”
Those in the Christian family category might receive ads for Bibles and ChristianMingle.com, whereas gamblers and those deemed by an algorithm to have “zero mobility” would be targeted with ads for subprime lenders and debt-consolidation schemes. While being listed as a Christian family or as an urban Hispanic college-educated female might on the surface not appear too troubling, some data brokers have sold much more disturbing lists to advertisers and other parties unknown. For example, some brokers offer lists of seniors with dementia and people living with AIDS, while another firm, MEDbase200, has even auctioned off lists naming both victims of domestic violence and survivors of rape.
The depth and extent of the commercial data collection and surveillance economy were highlighted in early 2014 when a grieving father in Lindenhurst, Illinois, received a sales flyer in the mail from the retailer OfficeMax. Printed on the address label were the words “Mike Seay, Daughter Killed in Car Crash,” followed by the man’s home address. OfficeMax had indeed reached the right guy: Seay’s seventeen-year-old daughter had been killed in a car crash with her boyfriend the year prior. When Seay called OfficeMax to complain about the incident, the manager refused to believe him and dismissed the allegation as “impossible.” It wasn’t until a local NBC reporter in Chicago ran the story that OfficeMax acknowledged the error was “the result of a mailing list rented through a third-party provider.” Eventually, Seay received a phone call from a lower-level OfficeMax executive who apologized for the incident but refused Seay’s repeated requests to name the data broker responsible. Nor would the executive reveal whether the company held similar data on other prospective customers. Seay’s story is all the more troubling because he was an infrequent OfficeMax shopper who had only occasionally purchased printer paper in the store.
The incident highlights some serious questions about the data broker industry. For example, what other deeply personal data does OfficeMax have on its customers? For the data broker that sold the information in the first place, what else might its massive data banks reveal about you and your family? Brother an alcoholic? Mother diagnosed schizophrenic? Thirteen-year-old daughter with an eating disorder? What regulations exist to limit what data brokers can do with this information, and what can you do if the information they hold on you is incorrect? There are hardly any regulations, as it turns out. It’s reminiscent of the plotline from Franz Kafka’s famous novel The Trial, in which a man is arrested without being informed why and only later learns that a mysterious court has a secret dossier on him, which he cannot access. Today’s modern data brokers, unlike credit-reporting agencies, are almost entirely unregulated by the government. There are no laws, such as the Fair Credit Reporting Act, that require them to safeguard a consumer’s privacy, correct any factual errors, or even reveal what information is contained within their systems on you and your family.
As a result of Seay’s experience and those of thousands more like him, Congress, led by Senator Jay Rockefeller of West Virginia, the Federal Trade Commission, and the Consumer Financial Protection Bureau, have begun to investigate the nature and scope of the multibillion-dollar data broker industry. Any meaningful regulatory changes will be vehemently opposed by the data brokers; there is just too much money to be made. Moreover, once the data is out there, it is virtually impossible to put the proverbial toothpaste back in the tube. In the interim, Acxiom and others continue their stockpiling of your information. In late 2013, Acxiom’s CEO, Scott Howe, proudly announced that his firm had collected nearly 1.1 billion third-party cookies and had identified and profiled the mobile devices of more than 200 million customers. “Our digital reach will soon approach nearly every Internet user in the US,” Howe affirmed.
By mining public databases and aggregating that knowledge with all the personal information people share, wittingly and unwittingly, about themselves, their friends, and their families on social media, companies such as Acxiom have been able to deploy the most comprehensive intelligence surveillance system that has ever existed into the lives of nearly every American alive today. This technological feat represents the “new normal” of our data surveillance society and is part of what the former vice president Al Gore dubbed the “stalker economy” while speaking at the 2013 South by Southwest interactive festival in Austin, Texas.
Gore is right. As should be obvious by now, surveillance is the business model of the Internet. You create “free” accounts on Web sites such as Snapchat, Facebook, Google, LinkedIn, Foursquare, and PatientsLikeMe and download free apps like Angry Birds, Candy Crush Saga, Words with Friends, and Fruit Ninja, and in return you, wittingly or not, agree to allow these companies to track all your moves, aggregate them, correlate them, and sell them to as many people as possible at the highest price, unencumbered by regulation, decency, or ethical limitation. Yet few of us stop to ask who else has access to all this data detritus and how it might be used against us. Dataveillance is the “new black,” and its uses, capabilities, and powers are about to mushroom in ways few consumers, governments, or technologists might have imagined.
Analyzing You
Each of us now leaves a trail of digital exhaust throughout our day—an infinite stream of phone records, text messages, browser histories, GPS data, and e-mail that will live on forever. The analysis of this information allows companies to find prospective customers with much greater accuracy, and at much greater value, than previously possible. For example, let’s say that you’re interested in taking a family vacation to Miami Beach. You search for flights on Kayak. Later you go into a store and buy a bathing suit using your credit card. The data retrieved from the purchase of the swimsuit, combined with your browsing data, reinforce the likelihood that you are interested in booking a hotel room in Miami. As a result of this behavioral analysis, you now have a quantifiable value to the hotels in Miami, which can outbid one another for your business, in real time, by reaching you with highly relevant messages and offers based on your intended behavior.
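A back-of-the-envelope sketch of that kind of intent scoring follows; the signal names, weights, and bidding threshold are invented, and production ad exchanges use far more elaborate models.

```python
# Toy intent scoring: combine behavioral signals into a single score
# that advertisers could bid against. All values here are invented.

signals = {
    "searched_flights_to_miami": 0.5,
    "bought_swimsuit": 0.3,
    "browsed_miami_hotel_reviews": 0.2,
}

def travel_intent(observed_events):
    """Sum the weights of whichever intent signals were observed."""
    return sum(w for name, w in signals.items() if name in observed_events)

score = travel_intent({"searched_flights_to_miami", "bought_swimsuit"})
if score >= 0.6:   # arbitrary threshold for "worth bidding on"
    print(f"High travel intent ({score:.1f}): hotels may bid to show you ads.")
```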
Google Now, which promises “just the right information at just the right time,” is another example of deep analysis applied to large data sets. The Google Now app provides consumers with wonderfully convenient information that helps them capture and leverage all of the data invisibly swirling around them. Once users agree to Google’s terms of service, Google Now will show them when their friends are nearby, provide traffic alerts, determine the quickest travel routes home and to work, automatically furnish the morning’s weather report, and keep track of favorite sports teams and update their scores in real time. Google Now automagically tells you when your flight is delayed and when your gate has changed and offers flight alternatives when available. Because Google Now knows where all your appointments are located and monitors traffic jams along all your intended routes in real time, the app will alert you at your current location, advising you to leave early if you hope to make your next appointment on time. Using a technique known as geo-fencing, Google Now will analyze your to-do list and match it against your persistently tracked location in order to alert you as you drive past the grocery store that you need to buy milk. To enjoy this cornucopia of information and bounty of convenience, you just need to provide Google Now with access to your entire online digital footprint, including your Gmail in-box, Web searches, hotel bookings, flight plans, full contact lists, friends’ birthdays, restaurant reservations, and calendar appointments, as well as your physical location at all times via the GPS on your mobile phone. From this massive data set, Google (and others) can re-create what intelligence analysts call your pattern of life, knowing and mapping your physical location over time as well as what you are doing and with whom. How terribly convenient.
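As a rough idea of what that geo-fencing step involves, the sketch below checks whether a phone's current coordinates fall within a fixed radius of a stored point of interest; the coordinates, radius, and reminder text are invented for illustration.

```python
# A minimal geo-fencing sketch: fire a reminder when the current
# position falls within a radius of a stored point of interest.
# The coordinates, radius, and to-do item are invented.
from math import radians, sin, cos, asin, sqrt

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in meters."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6_371_000 * asin(sqrt(a))   # 6,371,000 m is Earth's mean radius

GROCERY_FENCE = (37.7793, -122.4192, 150)  # latitude, longitude, radius (m)

def check_fence(current_lat, current_lon, todo_item="buy milk"):
    lat, lon, radius = GROCERY_FENCE
    if haversine_m(current_lat, current_lon, lat, lon) <= radius:
        print(f"Reminder: {todo_item}")

check_fence(37.7790, -122.4185)   # inside the fence, so the reminder fires
```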