How Anonymous is Anonymous Data?
Turns out, it probably isn’t too difficult to put together some pieces of your identity using the “anonymous” data that is tracked by various companies.
Lots of interesting things in this post by Chris Dale about various sources of data and how they will start to show up in the legal world as eDiscovery, but a couple really caught my eye.
First, this:
A further part of my talk was on the aggregation of data – how one source of information when added to another source might reveal more than either of them, particularly when third-party sources are brought into play. That is the subject of an article called Even this data guru is creeped out by what anonymous location data reveals about us. The starting point for the experiment covered by the article was a user’s Google Maps timeline. The article showed how this may be supplemented by other information to remove the mask of anonymity promised, perhaps, by each of the relevant sources, but which is easily stripped away when some analytics (and perhaps some old-fashioned research) is brought into play.
Now, if you follow along in the article Chris links above, you’ll see how someone just grabbing the “anonymous” data collected by Google Maps about a user was able to get a whole lot of information about that person, and eventually figure out exactly who the person was. Now, you may think that’s no big deal. After all, that data is on my phone, along with a ton of other data about me, and frankly, if someone gets access to my phone, they’re going to know everything about me anyway, and you’d be right. But, how many apps like Google are collecting that information, and storing it on their servers?
Most of them, frankly. So now it’s not just your phone that is a problem, it’s every server in the world that has information that has been tracked about you.
Alas, it’s worse than that. Chris also points out another example of how your phone is giving away your location, and how even an organization trying to use that information to help you, could also be causing you pain:
Transport for London has been conducting an interesting experiment using phone and tablet tracking to see, for example, what routes passengers use to get between platforms. The aim was (or was said to be) “to better understand how people navigate the London Underground network, allowing TfL to improve the experience for customers”. If the article is right, however, TfL now plans to go on from there and sell data to others. So what? you might say, comforted by the fact that the data is both limited and anonymised; anyway, TfL already knows your routing from the entry and exit points collected from your Oyster card or contactless credit card. Selling your device’s MAC address and its movements, even if that is the only data which is passed on, enables marketers, security services and all sorts of shysters to link your travel data to other information.
Here we have two things that, when added to what we read earlier, raise some red flags. First, your cell phone location is being tracked just by your presence in the Underground, and second, not only is that data, which probably includes the MAC address of your phone, being stored by them, it’s also being sold to just about anyone who wants it.
Now, why would an advertising company want that kind of information? Well, they don’t necessarily want just that data. They want to put that data together with other data that is being sold to figure out how to target advertising at you.
For example, let’s say I have this data from TfL. It shows me that your phone has frequently been at Euston Square station. That same MAC address shows up in data I purchased from Uber, or Tesco. Those details tell me that you also frequent another area outside of London. Maybe where you live? Data from Starbucks may tell me a bit more, and if I’m lucky enough, you’ll also walk into my location with that cell phone turned on, and I’ll start tracking your movements right there in our store. Maybe I’ll even have a way to make sure that, if you look at Facebook while you’re there, you see an ad for something that I have for sale right now!
That’s the advertiser’s dream. All that data is law enforcement’s and government surveillance’s dream too.
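The linkage described above works because the same device identifier shows up unchanged in every dataset. As an added example (not from the original post or from any company it names), the code below uses constructed records and placeholder MAC addresses to show that an unsalted hash of the MAC still joins across two purchased datasets, while a keyed pseudonym with a different key per release does not. The record layout, keys and function names are assumptions.

```python
import hashlib
import hmac

# Constructed sample data: one device seen by two unrelated collectors.
# The MAC addresses are placeholders, not real devices.
DEVICE_MAC = "02:00:00:aa:bb:cc"
TRANSIT_SIGHTINGS = [(DEVICE_MAC, "Euston Square"), ("02:00:00:11:22:33", "Bank")]
RETAIL_SIGHTINGS = [(DEVICE_MAC, "store outside London"), ("02:00:00:44:55:66", "city store")]


def plain_hash(mac: str) -> str:
    """'Anonymisation' by unsalted hash: same input, same output, everywhere."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()


def keyed_pseudonym(mac: str, release_key: bytes) -> str:
    """HMAC pseudonym; the key belongs to one release and is never shared."""
    return hmac.new(release_key, mac.lower().encode(), hashlib.sha256).hexdigest()


def release(sightings, pseudonymise):
    """Build the dataset a collector would hand to a buyer."""
    return [(pseudonymise(mac), place) for mac, place in sightings]


def linked_profiles(release_a, release_b):
    """Join two purchased datasets on the pseudonym column."""
    shared = {p for p, _ in release_a} & {p for p, _ in release_b}
    profiles = {pid: [] for pid in shared}
    for pid, place in release_a + release_b:
        if pid in shared:
            profiles[pid].append(place)
    return profiles


def demo():
    weak = linked_profiles(release(TRANSIT_SIGHTINGS, plain_hash),
                           release(RETAIL_SIGHTINGS, plain_hash))
    # Assumed keys: one per release, held only by the collector.
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    strong = linked_profiles(
        release(TRANSIT_SIGHTINGS, lambda m: keyed_pseudonym(m, key_a)),
        release(RETAIL_SIGHTINGS, lambda m: keyed_pseudonym(m, key_b)))
    return weak, strong


if __name__ == "__main__":
    print(demo())
```

A keyed pseudonym only removes the join key; the movement pattern itself can still identify someone, as the Google Maps timeline example earlier in the post shows.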
Now, you may also be saying, so what? Someone would have to take all that information and specifically target you for it to really be dangerous. And, you might be right. Personally, I find some of the services I use with my phone to be quite helpful to me. Waze helps me deal with the unpredictability of Baton Rouge traffic. EXIF data helps me pinpoint where I took a photo and share the location on Instagram. I even enjoy checking in on Facebook to share a fun event or good place to eat. All of that data exists out there, and someone could easily combine it all together, and track me down if they were so inclined.
I accept that, and I accept the risks that go along with it. But I’m not a particularly vulnerable person either. I don’t work with highly secure information. I don’t have access to much that would be worth targeting me. But, I know people who do. I know people who don’t list what they actually do on their LinkedIn profiles because it would make them a target for spear-phishing and real-life risks. There are also myriad people out there who are in physical danger. Women with restraining orders on their abusers, criminal witnesses, and protesters of all kinds are also vulnerable people. Anyone in that kind of position probably should be very mindful of how much information they are sharing, even if the company they share it with promises to anonymize it. If it were me, I’d really think about turning off my iPhone frequently.
For the rest of us, we should be educated not just about how much data is out there, but how that data is being used to manipulate us. Yes, it’s mostly advertisers trying to sell us stuff, but it’s also political ads aimed at changing the way we vote, or the way we view other people. It’s the ability to hyper-target ads to the people most likely to be influenced by them. Heck, we already know Russia was using those same advertising tools to foster dissension among groups of US citizens. Do we really think it’s just Russia?
It probably isn’t. There are all kinds of people who want to be able to influence our actions, and the only way to avoid that is to know when it’s happening, and be able to resist it. In fact, I’ll have more to share on this topic, but that’s another post.