I’m tired of knowing my data is being collected and shared by all sorts of digital organizations. I’m tired of being told that it is my obligation to manage this situation by double encrypting everything and using private browsers, while at the same time being warned that there’s no action I can take to truly ensure privacy. In most instances, it is arguable that I gave permission for this to happen. After all, I clicked “accept” after scrolling through non-negotiable standard form terms and conditions. The reality is, that not giving permission would effectively ostracize me from the world in which I live.

Social media and other digital companies are virtually unrestrained in collecting vast amounts of personal data. They collect this data on both users and non users of their websites and applications. Despite numerous public instances of massive unauthorized transfers of personal data, hacking, and identity theft, this practice grows daily.

Digital Icons on a Website Indicate Data Sharing

On any webpage, take note of the icons for other websites or apps on that webpage. A Facebook blog post from earlier this year provides insight regarding precisely what this means. It is not simply about being able to share your views about the website. Rather, these icons indicate that the company behind the icon provides services to the website. Part of the service agreement enables Facebook to obtain a transfer of data that the website obtains with regard to its users, regardless of whether or not they are users of Facebook. The blog post specifically identifies Twitter, Pinterest, Google and Amazon as also participating in these types of data collection arrangements.

What kinds of data might be transferred?

The data obtained may not even be data the user gives the website direct permission to receive. It may be “passive data” which is data that a website or app provider may retrieve from a user’s device. This data may be obtained pursuant to the terms and conditions to which the user agreed prior to downloading the app.

“Passive data” is data that is obtained without any consumer interaction. Arguably, this innocuous sounding category is where the most intrusive data collection occurs.

The types of digital data that might be collected by a website or app are too extensive to list here, but here are a few examples. The first four items are types of passive data:

• Your emails and messages, whether sent by you or to you
• All photos stored on a device connected to the internet or sent via email or text
• All conversations had in the presence of your phone, as both iOS and Android apps are capable of accessing your phone’s microphone
• Details of your browsing history and any material you have viewed on any device, the amount of time you have spent viewing it and locations on the page that you have hovered over with your cursor
• All purchasing information related to purchases made directly on the internet, including payment card details

A list of other data that is available and frequently collected can be found here.

While Facebook is the poster-child for digital companies behaving badly, according to Facebook, other leading digital organizations are also collecting and sharing access to online data using similar approaches. A recent example is the unauthorized ability of 438 Application Program Interfaces (the software used to access transfer data) to access the data of up to 500,000 Google+ accounts.

Control Is an Illusion That’s Far Weaker than Privacy

When questioned about privacy matters, Mark Zuckerberg, CEO of Facebook, has regularly responded with comments about user control of information. Zuckerberg has stated that society’s idea of privacy is being revamped and that users want to share information but to have control over what they share. Other digital organizations are adopting a similar approach when ostensibly addressing privacy concerns.

Let’s be clear: control and privacy are not the same thing. I think the leaders of digital organizations understand this are hoping no one else notices. Even if we accept “control” as a euphemism for “privacy,” it seems that leaders of digital organizations and I have a different definition of the words “share” and “control.”

Recently, I signed up for some training, part of which is to occur via a Facebook group. In an effort to participate anonymously, I created an alter ego and established a new email account and a new Facebook account. However, I created both using an existing device, and it appears that Facebook knew that device was connected to the real me. Facebook immediately suggested that my alter ego “friend” every one of my contacts and I’m guessing it also suggested to my contacts that they “friend” my alter ego.

After about a week of using the account, Facebook shut me out and demanded that I enter a phone number in order to be able to continue to access my account. I debated for a while and then reluctantly entered my phone number because I really wanted to benefit from the course.

Facebook then demanded that I provide a photo so it could confirm that I was who I claimed to be. Facebook doesn’t have a photo of my alter ego, but they could certainly run image recognition software using data on Facebook, other websites, or potentially, data that it obtained as an app provider or purchased from another digital company that has access to digital photos taken by myself or people who have a digital picture of me.

I declined to accede to this demand, so I don’t know if there would have been further intrusive requests from Facebook in an effort to collect even more personal data before allowing me access to the account.

I don’t want to share my birthdate, gender, phone number or picture with Facebook, with anyone in the digital chain that transmits that data from me to Facebook or with anyone that might obtain the data from Facebook. No other website has required me to provide this much data in order to access the site. Failing to provide any of that information precludes me from accessing Facebook. Why does Facebook need that information? What happened to validating an account based on responses to three questions along the lines of “what is the name of your first pet”? I also don’t want information I provide to one digital organization to be shared with anyone else. I consider this over collection and incestuous sharing of data to be a gross invasion of privacy.

Facebook promises to keep the information confidential, but even if I believed that promise, why should they be allowed to collect it or keep it at all? I want to control my information by not providing it in the first place. Facebook wants to control it by requiring that I provide it, and then giving me the illusion of control by effectively saying “trust us” to follow your instructions regarding how we can use it. Well, I don’t trust them and more importantly, I don’t want to need to trust them.

I don’t trust Facebook, which means I also don’t trust those websites that promise to protect my privacy but have icons for other websites on their site. Based on the Facebook blog post, I consider those icons to be a clear sign that my data will be directed to the organizations represented by those icons who may then transfer it to others.

Beware of Future “Too Big to Fail” Organizations

The digital organizations of primary concern are massive organizations that continue to grow and expand their business. One of their target markets is financial services. In November, 2017, Bain & Company, a global management consulting firm, published results of a study it conducted, stating that “established technology firms — Amazon, Apple, Tencent and others — have emerged as the bigger, more immediate threat to retail banking as we know it.”

Bain anticipates that these types of companies will be the major disruptors of the banking industry. How do you feel about trusting your bank with all of your digital information? Everyone has something they want to keep secret. Most of us have communicated that secret digitally in some way.

Digital never forgets. Once digital, information is always accessible and in many instances, it is legally accessible.

Svea Eckert and Andreas Dewes who spoke at Def Con 25 in 2017 describe how they purchased 30 days worth of data related to three million individuals’ browsing activities and correlated the data with other information they obtained legally. As a result, they were able to and uncover the identities of the individuals and tie those identities to embarrassing and potentially damaging personal information (e.g., viewing of porn, researching pharmaceuticals to treat an embarrassing health condition).

There are websites that post revenge porn and websites that sell sex, including sex with children. So far, there’s been little success in efforts to eradicate these abominations. What little success there has been has taken years, enabling a large number of people to be harmed while the legislators and the courts struggle to understand the issues and determine how to address them.

The purchase or theft of data with the primary objective of generating income from embarrassing someone is almost benign by comparison with revenge porn and sexual abuse. Therefore, any publication of personal data is unlikely to receive more prompt or serious attention from the courts or the legislators, regardless of the harm it causes to the individual.

Are you freaked out? I am. But few of us are going to stop using the internet, a cell phone or payment cards. Except in rare instances, it is not reasonable, or in many instances feasible, to take that approach. Maybe it is possible to stop using certain websites, but that’s not going to solve the problem. The first action each of us should take is to heed of the advice of experts who urge us to encrypt our data and use secure browsers.

What Next?

So, what’s the answer? Well, I see a few options, none of which is mutually exclusive.

First, there’s regulatory change. Getting the government to enact regulations to curtail this activity and penalize those that breach the regulations seems like a good idea but one that is unlikely to be adopted by the current administration. Failure to regulate organizations effectively can be disastrous, as Americans experienced most recently in the financial crisis of 2007. Governments should learn from past experiences and adequately regulate digital organizations now before they attain the status of “too big to fail.”

Second, there are individual and class action lawsuits. Where governments choose not to act and people are hurt by the behavior of an organization, lawsuits are more-or-less a last resort for seeking justice. Sometimes they are successful but it is usually a case of “too little, too late.” With regard to class action lawsuits, consider the legal actions against tobacco and glyphosate (the key ingredient in Round-Up). Despite differing progressions along a decades long continuum from suspicion of harm to definitive evidence of harm, organizations continue selling each of these products with only slight product modifications.

Third, there could be an unprecedented mass effort by users to employ social media as an instrument of change, making the tool work for the benefit of the users rather than to their detriment. #SelfControl

Personally, I like the idea of social media evolving from a way for people to feel connected without really connecting into a mechanism to connect people in pursuit of positive change. I think the time has come for the public to meaningfully influence the actions of government officials after they are elected. Finally, I like the irony of using the tools created by those that seek to co-opt our personal data as the tools to thwart their future efforts.