In April 2017, as the nation’s attention bounced between Republican efforts to confirm Neil Gorsuch to the Supreme Court and a counter-strike against the airfields of Bashar al-Assad, lawmakers quietly passed legislation that would alter the landscape of American privacy.
Repealing Obama-era regulations preventing internet providers from collecting customer data without consent, the new law enabled telecom giants to mine reams of previously forbidden information, such as users’ browsing histories, app usage, and locations. In lobbying for this change, corporate giants like Verizon and Comcast argued they had been unfairly singled out. After all, they noted, players like Google and Facebook were already employing such tactics, raking in revenues by sharing users’ personal information with advertisers. Now they wanted their piece of the $83 billion digital advertising pie. After relatively little public scrutiny, the new law cleared the path for them to get it.
Although ISPs’ pursuits of profit at the expense of privacy may seem ruthless, their complaints contained a grim grain of truth: Among corporations, the desire to acquire and monetize customer data is the rule, not the exception. Every day, we use dozens of platforms that seek to systematically surveil us. While most internet users are vaguely aware of digital privacy concerns, few understand the true extent of this intrusion. We know because we asked them.
We surveyed over 1,000 internet users about the data they’d be comfortable with various businesses collecting about them. In the case of virtually every company and industry, current collection methods far exceeded what our respondents identified as acceptable. This discrepancy suggests two explanations: Either we lack awareness of what these companies actually practice, or else we simply acquiesce.
Intrusion of the Apps: What Social Media, Mapping, and Fitness Apps Know
This gulf between public preference and reality was apparent with some of the nation’s most ubiquitous technologies: social media platforms. Nearly a third of respondents were uncomfortable with social networks collecting any information about them, while less than half expressed willingness to share their demographic information and shopping habits. However, these details – and much more private insights – are essential to social platforms’ business models.
Ads account for 98 percent of Facebook’s revenue, and it owes much of its success to the scope of demographic and psychographic data the platform offers its advertisers. Companies can target users based on criteria as seemingly private as their commute to work, how much they have in savings, and which charities they favor with donations.
One crucial element of this psychographic profiling is “likes.” A single thumbs-up can provide companies with sufficient data to wage an effective campaign of persuasion on a susceptible buyer. In some case studies, conversion improved by 50 percent when targeting using a single-page like was implemented. Despite these practices, Facebook was the most trusted platform among respondents (although 30 percent isn’t exactly a ringing endorsement).
Second place fell to Instagram, a Facebook subsidiary that largely follows its parent company’s lead in privacy matters. Indeed, advertisers exploit the continuum of personal information between these platforms to deliver ads on both, tracking your activities on either network. With the addition of Instagram Stories, however, advertisers have an even more granular grasp of your content consumption habits, including how you view and respond to their sponsored videos.
Instagram’s rival Snapchat has aroused particular suspicion for tracking its users’ locations – a feature just 14 percent of respondents said they were comfortable with. For instance, advertisers can now tell if someone who viewed a sponsored filter subsequently visited one of their stores. With the introduction of Snap Map functionality to share one’s location, the possibilities for corporate surveillance on this platform have only multiplied.
But another platform might merit more anxiety about the tracking of our movements: mapping apps. While Google Maps may be your go-to tool for directions, advertisers may be eager to use your data to influence your destinations as well.
With the advent of its “lists” function, the platform could sell your itinerary to businesses that wish to lure you away from the places you’ve already chosen. In fact, the company has already gathered historical data about our travels through their “timeline” feature, which records the locations you’ve visited – and not just those you’ve explicitly searched for. According to our data, roughly a quarter of internet users would be comfortable with this practice. Over a third would willingly assent to real-time tracking of their whereabouts, another distinct possibility for the future of Maps.
As Google makes a push to extract revenue from Maps in the years to come, it’s no stretch to think they’ll tap into these kinds of functionality for advertiser dollars as well. In fact, the company has already been criticized widely for its “WiSpy” scandal of 2011, in which Maps vans were caught collecting snippets of Wi-Fi data on the streets they were recording for their “Street View” images. Still, a majority of respondents trusted the platform, which could not be said of alternatives like Apple Maps or Waze, which has its own controversial data-sharing practices.
Even apps as seemingly benign as Accuweather have suspect records on protecting user location data. The company was caught secretly sharing users’ locations, even when they explicitly denied the app permission to do so. Unsurprisingly, the data were being routed to a firm that specializes in monetizing geodata. Against this backdrop, it’s no surprise more than a third of respondents said they’d be comfortable sharing none of their personal information with apps that employed mapping.
App data collection extends to another kind of movement, as well: our exercise patterns. While fitness apps are marketed as tools for health improvement, corporations could see serious gains from them, too. Recently, the sale of Fitbit data to insurance companies resulted in public outcry – which might explain why fewer than 1 in 3 respondents trusted the app. Could your premiums increase if your provider learns you’ve stopped working out?
What if an employer was interested in his or her workers’ workout habits as a measure of their general well-being? In many cases, these data are already being leveraged in employee health programs tied to insurance benefits, and pressure to participate can be intense. While merely 28 percent of those surveyed said they’d be comfortable with the collection of this biometric data, such measures could well become a prerequisite for receiving insurance coverage.
Moreover, advertisers could be intensely interested in aligning their efforts with specific segments of the population depending on their exercise habits. Could Nike bombard gym rats with ads for their gear? Could fast food companies target consumers who haven’t worked out in a while?
Shopping Scrutiny: What Loyalty Programs and Payment Apps Tell Retailers
If companies are eager to gain your information through popular apps, they can also obtain it more directly. Plenty of brick-and-mortar retail brands record your shopping habits via their loyalty programs, analyzing your recent purchases to target you with deals and ads for related products.
In one viral incident, a young woman’s parents actually learned she was pregnant because Target sent a deluge of ads featuring maternity products to their home. The week earlier, she’d purchased products that registered on Target’s “pregnancy prediction score.” While two-thirds of respondents said they’d accept tracking of their purchases, only 1 in 10 respondents were comfortable with this kind of inference.
While grocery loyalty programs were more trusted than big-box giants in our data, they often collaborate with individual brands to break through to customers who typically choose their competitors instead. For instance, a paper towel brand might purchase a list of contact information from a supermarket for customers who bought a different kind of paper towel within the last month. They’d then target that list of shoppers with paper and digital ads to woo them away from their preferred brand.
Other brick-and-mortar loyalty programs are more explicit, brazenly offering discounts in exchange for data. In the pharmacy industry, such trade-offs are increasingly routine: Walgreens grants discounts in exchange for healthy medical and exercise data recorded by fitness apps, and CVS gives loyalty card holders a break on prescriptions if they agree to waive their HIPAA rights.
CVS’s data acquisition isn’t all so consensual, however: The company’s loyalty app was proven to be sharing its users’ location data inadvertently, raising the question of whether it could do so intentionally. In our survey, only 21 percent of respondents felt comfortable with loyalty programs collecting their locations.
Moreover, just 16 percent of Americans trusted cellphone service provider loyalty programs – and perhaps with good reason. Verizon’s latest reward program offers hefty discounts simply for paying your bill, but there’s a concerning catch. Signing up requires you to agree to let them track your browsing and app history, location, and demographic information. They don’t keep it to themselves either: Their contract specifies the ability to share your information with unspecified “vendors and partners.”
Unfortunately, even avoiding loyalty programs won’t keep corporate eyes away from your purchases. Mobile payment apps, which are increasingly integral to our in-person spending habits, may also be leveraging data about what you buy.
Consider Venmo’s payment feed, which may strike you as a logical integration of social network functionality or a creepily public account of your spending habits. Either way, the feed is an essential part of the app’s business plan, especially as it pertains to attracting contracts with companies both large and local. Businesses that accept payment via Venmo may enjoy free advertising in the feed – if you see your friend just tried a new restaurant, you’re more likely to do the same.
The company’s plans aren’t limited to this organic attention for partner businesses. Your data are key to their eventual plan to equip advertisers with relevant facts about your spending activities so that companies can hit you with microtargeted offers. According to some experts, each user’s data could be worth up to $400 to interested advertisers.
Fewer than 1 in 5 respondents said they’d be comfortable with this spending habit assessment. But PayPal, by far the most trusted payment app in our survey, does precisely that – and was recently forced to hand that information over to Canadian authorities as a part of a crackdown on income tax evasion.
What You Send and Store: The Cost of Free Email and Cloud Solutions
While loyalty programs and payment apps may be interpreting your purchases, you don’t have to pay anything to have your personal interests assessed. In fact, for many entirely free platforms, data collection is a particularly tempting revenue source.
Take Gmail, which in 2017 announced it would stop scanning the contents of its users’ emails and selling their findings to interested advertisers. While just 10 percent of respondents said they’d be comfortable having their emails analyzed, Google did not stop due to this public concern. Rather, it ended the practice because corporate clients were wary it could compromise their privacy. That doesn’t mean advertisers who acquired this data previously won’t put that information to use, however.
While about half of those surveyed expressed trust in Gmail, Yahoo Mail garnered just 16 percent by contrast. Perhaps that’s because Yahoo previously aided federal intelligence agencies by scanning their customers’ emails for keywords or phrases related to national security interests.
Microsoft’s Cortana service similarly tracks email content related to your travel plans, purchases, and interests – even reminding you when you’re about to miss an event discussed in your messages. Fewer than 1 in 5 survey respondents said they’d be comfortable with such purchase tracking by email platforms, and fewer than 1 in 10 approved of collecting travel plans. What if this information were sold to interested advertisers?
Cloud storage providers also keep a repository of our information at no cost, at least until we exceed certain data limits. However, when Google Drive gamely accepts any file you choose to upload for free, you may be paying the price in privacy. While just 16 percent of those surveyed said they’d willingly allow access to their saved documents, Google willing admits it interacts with your Docs and Sheets. The company suggests this power is necessary to “store and protect” the content you store on these platforms, but the permissions they require are far more extensive than that.
Google Drive’s privacy contract with new users grants them blanket rights to perform many actions on the files you upload, including “a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.” No wonder just 36 percent of respondents expressed trust in the platform.
Dropbox was even more distrusted, although the company does insist on fewer privileges related to manipulating or accessing your content – at least explicitly. However, Dropbox collects metadata and usage information and retains the right to use it for “external purposes” that are only murkily defined in its public statements.
Watching You Around the Web: What Your Browser Reveals
Your browser may be the application you use most, but it’s just as essential to advertisers. Cookies, small text files that allow businesses to form extensive histories of your personal browsing habits, have become a pillar of the digital advertising economy.
While just 35 percent of respondents said they’d be willing to have their browsers record the sites they’ve visited, and just 12 percent were comfortable with a record of the specific activity on those sites, cookies make both types of tracking possible.
Additionally, although merely 9 percent said they’d be comfortable with their browser recording their password and payment details, many do save credentials as a matter of convenience for users. Unfortunately, experts have doubts about the security of these time-saving features, following a significant hack of the Opera browser’s data in 2016.
These tactics explain why advertisements from websites you’ve visited previously seem to follow you around the web, or how sites dynamically adjust their pricing based on your previous activity on their pages. Advertisers are so dependent on these methods that the industry went into an uproar when Apple’s Safari browser recently introduced a way to block them.
Spying at the Source: What ISPs and Public Wi-Fi Networks Collect
While the full impact of reduced privacy regulation for internet service providers remains to be seen, the potential for invasive data collection is quite clear. ISPs are now capable of recording many details of your browsing history, a prospect just 17 percent of respondents were comfortable with.
The specificity of their surveillance depends on the security of the site you’re browsing currently. On unencrypted domains, ISPs can view exactly which pages you visit. For encrypted sites (with URLs beginning with “HTTPS”) they can only ascertain the top-level domain, although that information alone is surely enticing to many advertisers. Given more than two-thirds of respondents said they were uncomfortable with their ISP possessing any information about them, the breadth of what they can record is troubling.
If you’re uncomfortable with what your own ISP can learn about your browsing, then public Wi-Fi networks should represent an equal threat. This is especially true if the network is provided by a business with ulterior motives, such as a major retailer. Seventy-six percent of respondents had good reason to prefer to share nothing with these open network providers.
For instance, stores can track your every move while you use their free Wi-Fi, down to the aisle in which you’re standing. This location tracking could reveal uncomfortably personal information about your shopping habits, and equip retailers with a means to offer you personalized deals based on what you typically look for. Target has already tested this technology in a number of its stores, and coupled with the brand’s aforementioned loyalty program data, it could be a powerful sales tool in the years to come.
The best means to protect your web usage from the spying eyes of corporations is a virtual private network (or VPN). This option encrypts your activity so ISPs can’t determine what you’re doing. Of course, relying on a VPN requires trusting that company to guard your privacy, so our ratings and reviews are a great place to start.
Smart Is Scary: How Our Devices Might Surveil Us
As the “Internet of Things” becomes a reality, smart devices are generating privacy concerns for consumers. Roomba recently set this debate in motion when it revealed it stores data related to its customers’ homes and may soon sell it. All but 13 percent of respondents were uncomfortable with this kind of recording taking place.
The prospect of being recorded further terrified our respondents, with just 1 percent saying they’d be comfortable with their smart devices doing so. Samsung recently came under fire for implying their smart TVs could be listening into customer conversations, acknowledging “that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”
Similarly, Google’s smart home devices have been caught listening to their owners – a “glitch” the company promised to correct. Amazon’s Alexa has also prompted its own scrutiny, although the company assures us it processes only what is said in conjunction with the device’s “wake” word. Perhaps it’s no surprise just 15 percent of those surveyed felt trust in these smart assistants, worrying they were more interested in assisting their makers.
The Future: Our Faces?
With the advent of iPhone X’s Face ID feature, privacy advocates are increasingly concerned a massive database of consumers’ faces will begin to accumulate – and eventually become ripe for exploitation. Could retailers eventually ask customers to complete transactions using facial identification, and then store their faces for later use? Just 3 percent of respondents were willing to accept this future intrusion.
Apple has promised to prevent facial data from being utilized for such purposes, but the larger trend is still troubling. Facebook’s tagging feature already amounts to facial data on an unprecedented scale, and the company has been eager to share your other personal data with its advertisers. Could your face be linked to other information they provide about you to their customers?
Some autocratically inclined regimes are already employing facial recognition technology: China keeps a record of its citizens’ faces and does the same with those using public transportation to ensure no one rides without a ticket. In fact, the country possesses “Skynet” cameras powered by AI, so advanced they can readily identify pedestrians and even vehicles on the street from above.
In fact, Walmart has already invested in plans to use facial recognition to gauge its customers’ moods and tailor its customer service efforts accordingly. A 2012 patent filed by the company describes leveraging facial data to determine if a customer is unsatisfied, in which case an employee would be dispatched to assist. This technology could even be coupled with a consumer’s shopping habits to ascertain how their emotions while shopping correlate to purchasing habits.
More frightening still, “face printing” can be done at a distance, without the explicit consent fingerprint or iris identification requires. Could stores eventually capture your face while you complete a transaction, then identify you every time you returned to push specific products?
While current privacy threats abound, the prospect of biometric surveillance assures they will only continue in the years to come.
Privacy From Prying Eyes: Combatting Corporate Surveillance
While the myriad ways in which corporations seek to obtain and employ your data may seem overwhelming, it’s not too late to oppose their efforts in your own life. As our findings make painfully clear, internet users can’t count on the restraint of businesses to preserve their privacy. Rather, we must take tangible steps to prevent surveillance. First, we can endeavor to educate ourselves about the way in which our information is acquired. Then we can employ technologies designed to combat those threats.
If you’re seeking to guard your browsing habits against those who would seek to exploit them, let Top10VPN be your guide to effective and affordable VPN solutions. With expert reviews and advice customized to the needs of any user, we’ll help you find the tools to protect your privacy.
To obtain the survey data, we collected responses from 1,059 internet users using Amazon’s Mechanical Turk platform. Our respondents reported using the internet with the following frequency:
Somewhat regularly – 5.43%
Regularly – 11.44%
Frequently – 33.17%
Constantly – 49.95%
Participants ranged in age from 18 to 75, with a mean of 36.9 and a standard deviation of 11.43. Participants were excluded from analysis if they answered attention check questions incorrectly or reported using the internet less than somewhat regularly.
The data we are presenting rely on self-reporting. There are many issues with self-reported data. These issues include but are not limited to: selective memory, telescoping, attribution, and exaggeration.
Fair Use Statement
This project’s conclusions are one kind of data we don’t mind sharing. If you’d like to include this project’s findings or images on your website for noncommercial purposes, you’re welcome to do so. We simply ask that you provide a link to this page to attribute the authors properly.