Companies collect our personal data online and use it to target us with ads, among other purposes. And while that's not a new phenomenon, you still might be surprised at how much they know about you. Here's how to find out.
The best description of the data economy comes from AOL, of all places. The once-mighty internet service provider now runs a tidy business in the ad-exchange space. The site promoting the service is hip and tasteful, showing happy, partying people and white text that spells out things like "Monetize your most valuable asset" in all caps.
"A publisher's audience is their currency," the site says. "No matter how they make money from content—be it through advertising, paid subscription or syndication, a publisher's core asset is audience and audience data."
This is weapons-grade marketing speak, but it's also a surprisingly honest assessment of digital media's beating heart—one that pumps out content and takes in reams of data from the people who consume that content. And somewhere, unseen, money is being made from what we see and do online.
Bill Budington, a senior staff technologist with the Electronic Frontier Foundation, sees the avenues for data gathering everywhere: advertising identifiers in the headers of mobile web traffic, fingerprinting browsers, customer tracking in stores using Wi-Fi probe data, SDKs inside mobile apps, and ultrasonic tones from TV that are outside the range of hearing but can be detected by apps on smart devices to track viewing habits.
Some data isn't being used yet—he said, for example, that the genetic information gathered by 23andMe could one day be used for advertising or for discrimination. Genetics being used for advertising is something from a hyper-capitalist cyberpunk fever dream; and yet, it's plausible.
"There is no legal regime for the protection of that data, so consumers need to be on watch for it in the US and make those choices," said Budington. "The US is at the forefront of deploying those technologies, and the companies that are starting are going to target US customers first. In a lot of ways, the US serves as a playground for the big-data economy, which means that US citizens have to be more aware of the dangers."
The collected data has value because of how it's used in online advertising, specifically targeted advertising: when a company sends an ad your way based on information about you, such as your location, age, and race. Targeted ads, the thinking goes, are not only more likely to result in a sale (or at least a click), they're also supposed to be more relevant to consumers.
Budington pointed out that there's a dark side to this kind of advertising. "I have targeted ads that are more attuned to my desires and my wants... But if you have someone who has an alcohol abuse problem getting a liquor store ad…" He trailed off, letting the implication hang.
Your local liquor store probably isn't advertising in this way, but vulnerable communities are being targeted for specific ads. For-profit universities, for example, target low-income people, Budington said. "You pay thousands and thousands of dollars, and they give you a diploma that isn't worth the paper it's printed on. Targeted advertising has a really pernicious side."
A subset of targeted ads is ad retargeting. Retargeted ads take into account your previous online activity in order to push an ad your way. For example, tracking pixels can be added to a webpage. When the site loads, the owner of a tracking pixel will see that a computer requested said pixel and that it loaded at a particular time. It can even capture identifying information about the computer that visited the site.
This is what creates the unnerving experience of seeing an ad on one website, and then seeing it again on another site. The ad "follows" you across the web, hoping for a click.
This has given rise to a popular conspiracy theory: that phones and smart devices are listening in and then targeting ads based on what you're saying. One study debunked this claim, demonstrating that mobile phones didn't seem to be sending audio data—but some apps were found to be transmitting screenshots of device activity. Apps using the Silverpush software development kit (SDK) were listening for ultrasonic beacons (as mentioned above), but Google has worked to suppress the use of this technology on its Android platform.
Budington said that in some cases, app developers may be including tracking SDKs without fully understanding the privacy implications for users and perhaps without ever receiving the data themselves. Developers sometimes get paid for including the SDKs and may include them as tools for debugging or gathering analytics. The SDK operators, however, can then potentially receive information about people's behaviors and app usage.
As for devices with built-in digital assistants, such as the Google Home and Amazon Echo, it is true that these services send recordings of your queries back to the respective companies for processing. With the Google Assistant and Alexa voice assistants, you can even listen to recordings of every question you've ever asked. Budington said that while companies have been clear on what kind of data they're gathering with these devices and services, what they're using the data for is much more opaque.
Budington doesn't expect this data economy to change, at least without external pressure. Most efforts by companies to improve user privacy typically don't solve what he sees as the real problem. "[Companies] are willing to set up privacy filters with regard to other users, because that doesn't affect their bottom line; but they're still getting that data themselves."
Budington also doesn't see fixes coming from Congress. "I don't see much hope for that in the US," he told me. "Often, I think, when regulation comes into play, it's ill-worded and misapplied. And because of that, you don't have the necessary protection, and [it] can often do more damage than it does good."
The argument against Budington's position on privacy is that targeted advertising and the data collection behind it are fair compensation for companies that provide free online services. Google, Facebook, and Twitter would likely not exist if they couldn't turn user data into cash. Not everyone has the money to pay for subscriptions or is willing to—but most people have value to advertisers as potential consumers.
That argument rings hollow to Budington. "People don't have a lot of options if they're going to interact with the world. Most people like to take pictures and upload them to Instagram," he said. The EFF created Privacy Badger—a browser extension that blocks ads and trackers—to address this lack of choice. It lets users toggle which trackers are allowed to interact with their web experience, and it replaces social widgets and embedded YouTube videos with badger icons that viewers have to click in order to activate (and then, in turn, information about the viewer is transmitted).
So for now, change is coming not from companies and regulators but from the people who are being advertised to in the first place.