It’s bad enough that Big Brother — in the form of Homeland Security, TSA, NSA, and dozens of other agencies — does its best to track our every action. Big Data — corporations that accumulate information about our personal activities, habits, choices, interests, and more — is even more insidious. These business behemoths voraciously vacuum up every tidbit they can about what we do and build profiles of our personalities to be used in marketing products to us, redlining us from opportunities in employment and housing, determining their risk in offering credit, and more. Big Data probably knows more about who you are, what you have done, what you like and loathe, and how to influence you than your spouse or best friend.
If a company — online or brick-and-mortar — kept track of your interactions, transactions, and choices with that company, it would glean some insight into you. But by sharing their stored data about you with dozens or hundreds of other companies, extensive profiles can be built by data miners and consolidators that would be the envy of forensic psychologists.
Somebody needs to do one of those police TV shows and have the captain fire the profilers and sign a contract with SupremeDataOverlord, Inc., which can deliver spot-on up-to-the-minute analysis of every potential suspect in seconds. Nah, the episodes would be too short when they nab the perp within five minutes because they know he’s at the Starbucks on Main Street buying a venti latte with whipped cream and chocolate shavings right now.
The European Union, which recently struck down the use of ISDS (Investor-State Dispute Settlement), has delivered another accomplishment that should cheer progressives. In 2016, the European Parliament adopted a new law, the General Data Protection Regulation (GDPR), to give citizens more control over the collection and use of their personal data. There has been a two-year delay to allow companies to put in place mechanisms for compliance and the GDPR will be fully in effect on May 25.
Some of the areas that the GDPR affects are personal consent before data can be collected, corporate responsibility for security and breaches thereof, and the right to be forgotten (to petition that one’s data be erased). One key element of the GDPR — and the subject for this diary — is the citizen’s right to data access. That means every person has the right to know who is collecting his or her personal information and how the companies use it or share it with third parties.
As part of its steps to comply with the GDPR, Paypal just released a report on the companies with whom it shares its customers’ personal data. The report lists the companies’ names, the reason for sharing the data, and the scope of the data shared. For example, one company might get only your name and address, another would also get your credit card number, and another might get every single bit of data that Paypal has ever known about you.
You might be shocked to learn that there are over 600 companies on Paypal’s list; on the other hand, if you’ve long been concerned about privacy, you might have expected there to be even more. Inclusion on the list doesn’t mean every company necessarily gets your data (within the scope described for it). That kind of detailed reporting will probably come next, when the GDPR will require Paypal and others to provide you with a specific report about your personal data on request (if you’re lucky enough to live in the EU — if not, sucks to be you, sorry).
You might have noticed that Paypal’s list is cleverly constructed. It is organized in sections and the first parts are for companies which might have a legitimate reason to have some of your data. For example, banks and credit card issuers would need information that would let them verify and process payments you make via Paypal.
It’s not until you scroll way down — something many people might not bother with — that you find the more “iffy” companies, those dealing with marketing and such, whose use of your information would be entirely for their own benefit (or Paypal’s) rather than to ensure that your Paypal transactions are completed, and completed safely.
Bruce Schneier, a security expert, posted an entry on his blog a couple of days ago with a link to a fascinating interactive site that lets you explore the Paypal list. It’s a tool created by a technology researcher, Rebecca Ricks, who is currently a fellow at Human Rights Watch. Click on items or hover on them and use your mouse wheel to explore these data-sharing relationships.
Bad as it may seem to many of us that potentially hundreds of companies may have access to our data, it may actually be a lot worse. We don’t know the terms of Paypal’s agreements with those 600+ companies.
Are they required to segregate and sequester all of the customer data provided by Paypal? Do they “anonymize” it and share it with other companies (a joke, because it’s been shown that it’s easy to “de-anonymize” a lot of data by matching and backtracking specific bits of information)? Are they free to pass it along to other companies without even a token effort at hiding your identity? Paypal hasn’t made any public statements about these issues yet.
So that’s just one company and it’s not even one of the biggest players, like Facebook, Amazon, or Google. Multiply all of your online and offline-but-trackable activities by the dozens or hundreds of entities you interact with during the course of the year, and the potential number of corporations that know you better than you know yourself is hard to imagine.
Add to that all of the “smart” devices — from cell phones to TVs to refrigerators and thermostats — in your home, at your work, and in the places you shop and play. With cameras, microphones, GPS sensors, and more, your daily activities are tracked and logged by a plethora of corporations, many of which you may never have had any relationship with.
Your personal data is sitting in a very tangled web indeed, trapped and ready to be devoured, another tasty and nourishing morsel to feed the beast of Big Data.
Now I don’t want you to feel paranoid but camera data shows that Mrs. Kravitz across the street has looked out her living room window at your house three times today; she also went to the FBI’s page of contact phone numbers and searched the web for “How to tell if my neighbor is a terrorist?” By the way, that medication you ordered for the embarrassing condition you recently googled will be there soon; the delivery van is less than three blocks away.
Good luck!