You can’t protect your privacy if you don’t know how it’s being violated. That’s the essence of a report by the Electronic Frontier Foundation that shines a bright disinfecting light on how corporations are collecting data on consumers. Think Facebook-like data collection on steroids and you begin to grasp the scope of the problem.
“I think on mobile, we’re still in this Wild West Era where people don’t understand the kind of tracking that’s happening when they use apps on their phone,”Bennett Cyphers with the Electronic Frontier Foundation (EFF) told Threatpost. “And there aren’t really a lot of ways to rein it in either, even if you do know what’s happening.”
Threatpost caught up with Cyphers for a podcast (see below) to better understand his 17,300-word in-depth report “Behind the One-Way Mirror“. In his overview with Threatpost he discusses the “identifiers” behind data collection – the ways that companies identify consumers who they’re collecting the data from.
Cyphers notes that consumers and regulators are struggling to understand who is collecting data, how that data is being shared and how it’s being stored. Identifiers, he said, are part of a new corporate surveillance state that includes mobile and physical tracking via “invisible pixel images, browser fingerprinting, social widgets, mobile tracking, and face recognition [that] companies employ to collect information about who we are, what we like, where we go, and who our friends are.”
Unfortunately, according to the report released this week, these new types of tracking identifiers are still in a stage where its difficult to reign them in via sector-specific federal regulation.
“Sector-specific federal statutes apply only to specific types information about specific types of people when held by specific businesses,” Cyphers wrote. “They have many gaps, which are exploited by trackers, advertisers, and data brokers.”
Cyphers discusses the key takeaways of how data is being tracked and used, how consumers can protect themselves – and why it’s not all bad news in our Threatpost Podcast interview, below. Download direct here.
Below is a lightly edited transcript of the interview.
Lindsey O’Donnell Welch: Hi, everyone, welcome back to the Threatpost podcast. You’ve got Lindsey O’Donnell Welch here today with Threatpost and I’m joined by Bennett Cyphers with the Electronic Frontier Foundation today. Bennett, thank you so much for joining us.
Bennett Cyphers: Hello, Thanks for having me on.
LO: Yeah, thanks for coming on. So for our listeners just to give a short intro to Bennett, he is a staff technologist on the EFF’s tech projects team, where he works on Privacy Badger, and before the EFF, Bennett was at Access Now and MIT, and he has a masters of engineering for work on privacy-preserving machine learning. And finally he specializes in privacy, transparency and data equity issues. Now, this week you and your colleague, Genny Gebhart, released new research, taking a deep dive into the technology of corporate surveillance. And, you know, I read over the report this morning, it was a really great report, some really in-depth pointers about trackers and data brokers and what strategies tech companies and advertisers are using in terms of surveillance online. And I really liked that you guys focused not just on web trackers, like cookies and whatnot, but also tracking in the physical world; how businesses, concerts and political campaigns are using Bluetooth or Wi-Fi beacons to perform more passive monitoring of people in their area. So just to start, I want to take a step back here and ask, why is this report so important for consumers today? And what really gave you and Genny the idea to really delve into this area?
BC: Yeah, so I guess I wouldn’t really call this new research. This is more kind of like a combination, an assembling of a bunch of stuff that EFF has been working on for many, many years, like for a long time before I got here. And we kind of just wanted to synthesize all these different things that we know about third-party tracking and the way that trackers work in different parts of the Internet and the real world, and trying to tell one coherent story about it. I guess we want to give people a way to think about all the tracking that’s happening in their lives, if that makes sense. We think that’s important now because this kind of stuff can be really overwhelming. For the past pretty much since Cambridge Analytica, that’s the big thing that kicked off this last like year and a half of intense privacy press coverage and activity in the legislature, and there’s been all these stories where like, there’s a data breach here, there’s like crazy surreptitious tracking going on over there. Like, when I talked to friends and family who don’t work in this field, they’ll ask about a particular story that I might not know about. Or they’ll be like, oh, is there any point to doing anything? Because all our data is already everywhere.
And I think a big part of this report is we’re trying to be a little bit hopeful and say that’s not actually the case. It’s not true that there’s this awful world where literally everything you do is being monitored all the time and there’s nothing you can do about it. A lot of things are being monitored, but we can sort of go through and explain how those things work and teach people how to think about the ways in which they might be monitored so that they can be better prepared to avoid those specific kinds of tracking and to support the right kinds of legislation that will actually be able to rein those in.
LO: Right.
BC: That was a bit of a mouthful. Sorry.
LO: No, I do think it’s important to, like you said to highlight kind of the sheer breadth and depth of different forms of tracking and who’s tracking what and what they’re doing with that data, and what data is even being collected. It’s just so much at this point that every single thing that I do online or whatnot, I feel as though there’s really not a lot of privacy anymore. The report focused specifically on corporate third-party tracking as you just mentioned, which is the collection of personal data by companies that users don’t intend to interact with, or might not know that they’re interacting with. Can you talk about the third party versus first party tracking, and why you guys decided to focus specifically on that?
BC: Sure, yeah. So, first-party tracking is I think the tracking that most people are more familiar with. This is like, when you go to Google and you type something in Google is recording your search queries, or you go to Facebook and you like something. Facebook is storing all the likes that you’ve ever made, and all the comments and all that kind of a thing. And they have a lot of data about you that way. But I think what a lot of people still don’t realize is that the biggest companies – Facebook, Google, Amazon, Twitter – as well as all these smaller companies that you probably haven’t heard of, are doing the majority of their data collection in situations where you’re not trying to interact with those companies at all. And a lot of that happens on the web, if you browse to any website that’s not Google or Facebook or Twitter, there are a whole bunch of different technologies that we go into in the paper that can record information about your activity on those websites and send it back to trackers like Google and Facebook and Twitter and Amazon, and a whole bunch of other smaller ad tech companies. The same thing is true on mobile devices. If you’re using an app that doesn’t belong to one of the big tech companies, they’re probably still monitoring the activity. Your activity in that app through what’s called software development kits or SDKs, and in the physical world, Wi Fi hotspots and Bluetooth beacons can record information about people’s devices even when they’re not trying to connect to those hotspots or beacons.
And there are other technologies that use image recognition like automated license plate readers, that’s one thing we go into in this paper, which are just cameras that private companies can set up all around the world, on public roads or in private parking lots that record license plate numbers and sometimes information about the make and model of your car and use that to build profiles of where people drive. And that data can be linked to data that’s collected from phones, and that kind of a thing, to create this big profile of all your activity.
LO: And then speaking of data that’s actually being collected, there’s data that you guys highlighted, that’s collected, that includes everything from browsing history, to app usage to purchases and geolocation data. And these are things that, you know, someone who’s a regular consumer might, they might realize is being collected, but then there are also trackers that collect, in my opinion, the more invasive behavioral types of data, you know, political affiliation, religious beliefs, sexual identity, even physical and mental health types of data. And you had some good information about how trackers tie this data to people. Can you kind of walk us through that and tell us a little bit about what happens to all these different pieces of data after they’re collected? Because I feel like one part of the report that stuck with me too, was not just the data being collected, but how it’s forming that behavioral picture of different identities over time. I thought that was pretty fascinating.
BC: Sure, yeah, so I’ll do my best here. This is kind of a hard thing to explain, which is kind of why we started writing the white paper.
LO: Right.
BC: The basic idea is that, it doesn’t matter so much what a tracker collects, like the raw data that a tracker collects, like whether that’s voice data or location data or browser history. That doesn’t matter so much if the tracker can’t tie that data to a specific person. One data point might be useful. But what’s really powerful is when a tracker can take data from a bunch of different places over a long period of time and tie all of that to a particular person. And that’s when these profiles start to become really revealing. So like, for example, you might not care that someone knows that you visited a particular website, you read a news article, in your browser in the morning about, I don’t know, whatever happened yesterday, on the New York Times, but if some tracker has like all of your browsing history from the past two years across all of your devices, that starts to become a lot more revealing, and that’s how you get insights about people’s religious affiliation, political affiliation, physical mental health, all of that kind of thing. So we go into in the paper, a few of the different technologies that can be used to identify people, like the big one that people might be familiar with are cookies. There’s a lot of talk about cookies. And the reason cookies are powerful, I think this gets lost a lot, cookies don’t actually collect data about you. Cookies are identifiers. All that’s in a cookie is like a string of random letters and numbers that points to your specific browser. And the way that a cookie works is every time you visit a web page, that cookie gets shared with a tracker, attached to the URL of that web page. And so the tracker then knows, oh, the person whose identity is associated with this cookie, just visited this web page at this time, from this device, maybe from this location. And over time, as you visit more and more web pages, and you make more of these requests that are tied to the same cookie, that tracker can build up a huge profile of everything you do. But if it weren’t for that cookie, the tracker would just be going like, someone visited this website, oh, someone else visited this website. I don’t know if they’re the same person. And the cookie is like the kind of the key that ties everything together. And on mobile, there’s another thing, there’s a similar thing to cookies. That’s called an advertising ID. This exists both on Android phones and on iPhones. And it’s this unique identifier that is built into the operating system of your device that trackers in every app on your phone can access whenever they want. There’s no permission to control whether the trackers can access this. It’s just there by default. And that allows – every time you open an app, and a tracker in that app, like pings home and says, oh, someone just opened this app and someone is on this page of this app or doing this activity – They can tie that specific action to your phone’s identity because of that ad ID, and that’s the really powerful thing that allows them to build these long term profiles.
LO: Right. And I thought that was something that stuck out to me was – like you said – it’s not just the the cookies or the browser fingerprints that a lot of people have read about or know about. It’s these other identifiers, these phone identifiers, or even ones, like you mentioned, also, license plates, credit cards. And the one that stuck out to me too, was the the face biometrics as an identifier right? You mentioned facial recognition cameras and how that could be a disturbing application when it comes to certain ways that it’s being used in the real world as a tracking application. Do you see things like the face biometrics, like license plates and credit cards, do you see those increasing are those already at this point prevalent?
BC: I think those are – Well, it depends 0n the specific one. License plate readers are unfortunately, already quite prevalent. I don’t think they’re used a ton in the advertising industry. So that might be a place where they could increase in the future. But license plate readers are used everywhere by police forces by malls and shopping centers and by bounty hunters and repo men. And they’re all these networks. My colleague Dave Moss has done a ton of really good research into the ways that license plate readers in particular used around the country. But facial recognition is, I think, the big one that we sort of see on the horizon. It hasn’t achieved really widespread adoption yet. But it’s starting to, like if you’ve been to an airport recently, you’ve probably seen a bunch of different airlines and there’s the clear company that’s doing TSA stuff, and it’s been adopted at concerts, like face recognition is starting to penetrate, in what are sort of considered the more benign or justifiable applications right now; like, Oh, it’s just for airport security, oh, it’s just for concert security, oh, it’s just so that we can identify thieves or whatever in stores. But that’s really I think, unless we do something to rein it in, I think that’s going to open the door to the more widespread and less justifiable uses of this technology, which are for profiling behavior and doing personalized ads in the real world. And that’s what we wrote about in our paper: Walgreens earlier this year started a pilot program, where they were using facial recognition cameras on fridges, to profile, the people who were walking through the store and looking at drinks, and then they could actually serve targeted ads on screens that were on the front of these fringes.
LO: Oh, wow. I hadn’t heard about that.
BC: Yeah, that was a pilot program. So hopefully people got really creeped out. And their pilot was a failure. But, I mean, I don’t think that’s going to be the last attempt that we see to do that kind of a thing. And I mean, you can clear your cookies and you can buy a new phone, but you can’t really buy a new face.
LO: And that brings up issues of you know, consent and everything else too.
BC:Totally. Yeah. It’s it’s very hard to consent to having your face be captured and profiled by a camera that you can’t see.
LO: How long did this take, by the way to delve through all this?
BC: I think we started working on this back in like May or June. So this this came out of a project where we were trying to explain to lawmakers around the California Consumer Privacy Act like how some of these trackers worked and what they should be thinking about. And one of my colleagues who’s a lawyer was like, oh, could you write like a blog post about third party tracking? Like maybe 1000 words? I started writing and realized there’s no way I can write a blog post.
LO: Yeah. A little longer.
BC: Yeah. So that’s how I started bringing other people in. And this became this 50 page monstrosity.
LO: Like you mentioned, this is kind of an extension over things that have been happening over the past few years or maybe longer. But when you looked at the report, was there anything that really surprised you, or any big takeaways that consumers should really be aware of?
BC: I mean, I think the biggest thing that sticks out to me is like the sort of lowest hanging fruit is, it’s IDFA on iOS and the advertising ID on Android. And these are things like I think people who think about privacy even a little bit probably know what cookies are and they understand that tracking happens on the web a lot. And there are a lot of really widely adopted tracker blockers and ad blockers that can kind of reign in a lot of the web tracking.
But I think on mobile, we’re still in this Wild West Era where people don’t understand the kind of tracking that’s happening when they use apps on their phone. And there aren’t really a lot of ways to rein it in either, even if you do know what’s happening. So I think you asked if there’s something that like consumers can do and yeah, there are there ways that consumers can go in and reset your Ad ID on Android and you can like turn it off on iPhone and you should do that. But I think it’s more important for people to just get mad about this and pressure the companies that make these phones to get rid of this thing altogether. And pressure lawmakers to pressure the companies to make this less desirable for the companies to do because there’s no incentive for them not to do this right now. And the only incentive that companies have either comes from laws or comes from people getting very upset. And so, that’s why when you’re talking about, these trackers existing in the shadows, they can only exist in the shadows because as soon as people realize what’s going on, they get mad about it. And the most egregious tracking practices really can’t survive exposure to sunlight. Because these companies still have to keep users on their good side, at least a little bit.
LO: Right. Yeah, I was going to ask should it fall onto the shoulders of consumers or do you think this will be more of a issue that regulation really needs to happen for things to change, or even does it need to come from like you said, like, the smart phone manufacturers, the browsers, because I know the the browsers have taken some steps for cookies. But who responsible? Who kind of holds onus over this?
BC: Yeah. I mean, it’s a tough question. So, I mean, at the end of the day, consumers have to be responsible at some level because like, the other parties just haven’t been responsible, like the browser companies and the smartphone companies are all advertisers themselves. I shouldn’t say all the browser companies are, the biggest browser company in the world, Google, is an advertising company, first and foremost. The biggest mobile operating system company in the world, also, Google is an advertising company. And so, they should be the one saying responsibility, but they won’t, unless they’re forced into it. Same thing with lawmakers, lawmakers really should be putting protections in place. And that’s what we’re trying to as the kind of change that we’re trying to affect at EFF. But so far they haven’t. And so that leaves it unfortunately, up to consumers a lot of the time to take their privacy into their own hands.
But one of the things that another thing that we’re trying to push back on with this report is the idea that it should be up to consumers, because I’ve heard this sort of framing of privacy recently from other people that it’s like a matter of personal responsibility or Oh, if you didn’t want to be tracked, you shouldn’t sign up for Facebook, or if you didn’t want to be tracked, you shouldn’t use Google Chrome or whatever. But, that’s a really terrible framing, we don’t talk about other things in that way. Like you shouldn’t you don’t deserve to be victimized because of something you don’t understand. And it really shouldn’t be people’s responsibility to know how every part of every one of their devices works. Like if you went to the store and you bought lettuce and then you got E. Coli from that lettuce, is that your fault? Like, should you have been like testing, doing little auger swabs on all the food before you eat it? No, we we decided a long time ago that that’s not reasonable at all. People shouldn’t have to be responsible for inspecting every level of the supply chain of all the things they can do. But for some reason, a lot of people think it’s reasonable to expect that for privacy. And so we’re slowly seeing a shift in that where more lawmakers are saying like, Hey, we really need like sensible baselines so that people won’t be victimized by things they don’t understand. But that’s a long, slow process. And so in the meantime, there are a lot of things that consumers can do to protect themselves.
LO: Right. And I mean, to your point also about consumers, the level of responsibility that they are able to have, if you look at the top three companies that you guys mentioned are collecting the most data web traffic, which is obviously Google, number one, Facebook and Amazon. If you look at like just the sheer level of devices and services that say, Google has, they’ve got Google Maps, Google search, like you said, Android, everything else. It’s so hard to if even if you just sign online, it’s difficult to prevent that as a consumer.
BC: Oh, totally. Totally. Yeah, there was a good Motherboard article, I think last year by – I just found it – Daniel Oberhaus about trying to quit, like not use any services from Apple, Microsoft, Google, Facebook and Amazon for a month, and just how absurdly difficult that was.
LO: Oh my god. I bet.
BC: Yeah. You can only imagine. But yeah, the reality is these companies are so big, they’re so vast, a lot of times you’re using them and you don’t even realize you’re using their services now. And it’s really not realistic to say like, Oh, just quit Facebook, just quit Google, there’s you. You should be able to, that’s a different story. But for now, you can’t.
LO: The final question I have is looking at the coming year, do you see things turning into a more positive light when it comes to privacy, aka more regulation, more consumer awareness? Or do you see, you know, more of the same or even more, you know, new ways that are appearing in terms of identifiers and trackers and things like that? Or maybe both? I don’t know.
BC: Yeah, I think I think it’s mostly positive really. I think people understand this better than they ever have. And lawmakers are really starting to understand this. And we’re getting a generation of lawmakers who grew up with the internet or at least spent their young adulthood on the internet and understand the technology a lot better. And so yeah, there’s real momentum behind privacy laws and antitrust and trying to rein in the monopolies of the big tech companies.
And so I think there’s there are a lot of battles yet to be fought. And obviously, the tracking companies have a lot of resources. And so it’s definitely going to be a battle over the next few years to try and get protections in place. But I think that we’re in a better position now as user advocates than we have been in a long time. At the same time, technology is evolving. There are a lot of new ways to track people and there will continue being new ways to track people. But I think that that momentum has been going for a long time. Like every year for the past 30 years, there’s been some new research paper about the new way to track people. But what’s new is the the momentum in the other direction where people are saying Enough is enough.
LO: Right, especially like you said before, new regulations, new privacy acts, the CCPA, everything else. So, I like to end things on a positive note. So let’s wrap up here. Bennett, thank you so much for joining me today on the Threatpost podcast.
BC: Thank you so much, Lindsey. Greatly appreciate your time.
LO: Yeah, thanks for coming on. And once again, you’ve got Lindsey O’Donnell Welch here with Threatpost talking to Bennett Cyphers with the EFF. Catch us next week on the Threatpost podcast.