The Hidden Cost of Convenience: Why Your Digital Privacy Matters More Than You Think

I have a simple request. Even though we are strangers, I want you to go out into the world and make me rich. I’m not even asking much. You don’t have to do anything differently than you already do. Just go about your normal daily routine. You are already doing it for Google, Facebook, Ancestry, Acxiom, and TikTok… why not me?

Data is the new gold and you are being mined around-the-clock every single day. The insights gleaned from the collection and aggregation of our digital minds are as lucrative as they are invasive and dangerous.

What has been coined as “surveillance capitalism” has given birth to the multi-billion dollar data brokerage industry, resulting in a sea of dossiers on anyone with a digital footprint. Data brokers know everything about you while you likely know nothing about them.

“I have nothing to hide so I don’t care if companies have my data.”

I believe you. However, digital privacy extends far beyond hiding activities. Here are several reasons why you should think twice about exposing your data:

High Tech Grocery Stores

High grocery prices were a major driver in the most recent election with 64% of Americans saying that inflation is a very serious problem. Yet, the main driver behind eggs being more expensive has little to do with the current POTUS.

In 2019, a partnership between The Kroger Co. and Microsoft was announced. Kroger, America’s largest supermarket chain (with over 2,800 locations nationwide), is now integrating advanced technology into their stores.

“Kroger is building a seamless ecosystem driven by data and technology to provide our customers with personalized food inspiration.” – Rodney McMullen, Kroger chairman and CEO

By placing sensors throughout their stores, Kroger is leveraging Microsoft’s cloud computing platform (Azure) to store and process data generated from the “smart” shelves. The new shelves, coined “Enhanced Display for Grocery Environment (EDGE) Shelves”, feature digital displays rather than traditional paper tags. These electronic shelf labels (ESLs) enable stores to employ dynamic pricing based on consumer demand, time of day, day of the week, or any other arbitrary data point – a practice known as “surge pricing.”

You may already be familiar with surge pricing in other applications like Uber, where prices are increased on weekends and holidays.

Although Kroger denies any claims of implementing surge pricing (and instead states it will be used to lower prices), they also make a contradictory statement that dynamic pricing will be based on real-time conditions such as demand and inventory, which is exactly what surge pricing is.

The company also claims that most stores would not have enough data to determine when specific items will be at higher demand. However, Kroger Plus, the company’s free loyalty program, has existed to collect consumer data since 2003 using its own data sciences company 8451. On their own website they state:

“By leveraging data from over 62 million households in the U.S., we attain a deep understanding of consumer and purchase behavior, both in-store and online. We help you find the connections that inspire consumption and build brand loyalty along the path to purchase.”

Even if your local store has not changed, the static tags may already reflect the pricing data.

Kroger is not alone in this either. Walmart aims to use the digital labels in 2,300 of their stores by 2026 — under the guise of being environmentally conscious (yet they have a history of violations that make this seem disingenuous). This could forever change the way consumers shop for groceries.

The Ballad of Jeffery Roper

In 1994, the Department of Justice (DOJ) reached a settlement in an anti-trust case against six major airlines (American, Delta, Continental, Northwest, Trans World, and Alaska) over a price-fixing scheme which is claimed to have cost consumers over a billion dollars between 1988 and 1992. More than 50 separate price-fixing agreements over hundreds of routes were discovered. In some cases, consumers were paying up to $138 more for airfare.

At this time, Jeffery Roper was the Director of Revenue Management for Alaska Airlines.

In 2004, Roper was hired by RealPage Inc. to improve apartment pricing software it had recently acquired. Roper quickly sourced massive amounts of client data from other RealPage applications and fed it to the software which would later become YieldStar.

Clients of YieldStar have since discovered that higher prices are more profitable than lower vacancy. In 2006, Ric Campo (the CEO of Camden Property Trust) saw a tenant turnover increase of 15% accompanied by a revenue increase of 7.4% the year they implemented YieldStar.

“The net effect of driving revenue and pushing people out was $10 million in income…I think that shows keeping the heads in the beds above all else is not always the best strategy.” – Ric Campo

In August of last year, the DOJ filed an anti-trust suit against the RealPage algorithm for price-fixing, alleging that sensitive information is shared between competing landlords. The complaint also alleges that the substantial amount of data held by RealPage is used to maintain a monopoly in the commercial revenue management software industry.

Targeting by Ailment

When it comes to data privacy, even the most nonchalant among us may draw the line at allowing strangers to access their sensitive medical data.

The term protected health information (PHI) refers to information that can be used to identify you such as your name, address, age, social security number, location, health history, diagnoses, and current health status.

However, PHI is only protected by the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules when it is transmitted or maintained by certain entities. Health plans, the majority of health care providers, health care clearinghouses and those who provide services for these entities must adhere to HIPAA.

PHI that is collected through devices, websites, and applications is not protected under HIPAA unless provided by a covered entity or associate. This caveat means that any health data pulled from wearable devices or health related websites and applications can be collected and sold without your consent.

In 2023, the Stanford Cyber Policy Program published a report on their investigation into the open market of mental health data. It was discovered that data brokers advertise highly sensitive PHI for sale and most will sell to anyone. One data broker was offering 5,000 mental health records of Americans for only $275.

Starting at less than $0.10 per person and increasing based on target demographic, data broker LeadsPlease will sell the names and mailing addresses of people suffering from conditions such as cancer and diabetes.

Robbing Grandma

Even if you are still unconcerned with your own data, know that data privacy violations also affect your friends and family. In 2021, one of the largest data brokerage companies in the world was criminally charged by the DOJ.

Epsilon Data Management LLC was fined $150 million for selling the data of over 30 million consumers to perpetrators of elder fraud schemes from 2008 to 2017. They weren’t tricked either. Executives Robert Reger and David Lytle used Epsilon’s algorithms to generate lists of customers that were most likely to respond to scam letters – mainly the elderly and other vulnerable individuals.

Categorizing consumers based on vulnerability is not an Epsilon-specific practice either, but rather an industry norm. A 2013 Senate report includes some of the categories for sale:

  • Rural and Barely Making it
  • Retiring on Empty: Singles
  • Tough Start: Young Single Parents

Victims were sent false solicitations that claimed a large prize or psychic service had been won and could be obtained by paying a fee – though once paid, nothing was received.

“When data firms such as Epsilon use their extraordinary access to consumers’ personal information to provide laser-focused marketing lists supporting deceptive practices, more American consumers are placed in harm’s way.” – Craig Goldberg, Deputy Chief Postal Inspector of the U.S. Postal Inspection Service

In a rare occurrence of corporate justice, the two executives were found guilty and sentenced to prison. Reger received a ten-year sentence and Lytle was sentenced to four years.

How is data collected?

When you enter a website in the browser’s address bar and hit enter, the human-readable hostname (www.example.com) is translated into the associated IP address (as machines use IP addresses to identify and communicate with each other). This translation is performed by the Domain Name System (DNS).

If the IP address is not already saved by your browser or computer, queries will be made to DNS servers in order to discover it. The first external server that will be queried is known as the Resolver and by default belongs to your internet service provider (ISP). It is through this mechanism that your ISP knows which websites you are visiting. While many ISPs promise not to sell consumer personal data, an FTC report revealed ISPs often “allow it to be used, transferred, and monetized by others and hide disclosures about such practices in fine print of their privacy policies”.

Tracking Cookies

Cookies are small pieces of text that servers send for your browser to store; the browser keeps them in their own storage container, separate for each site. This provides a means to change the “stateless” nature of HTTP into a “stateful” one, in which the web server can remember things about the client. For example, after submitting a request containing valid credentials to log into your account, a server can send a unique cookie in the response that will identify you. Once your browser receives a cookie, it will save it in its storage and automatically include it in subsequent requests to the server that issued it. When the server parses the request and encounters your unique cookie again, it can check its database and find which account the cookie is tied to.

Without this mechanism, you would have to supply your credentials every time you navigated to a web page that contains sensitive information about you or performed an action in the context of your account.

While cookies can be a convenient solution to certain aspects of your online experience, they are also the way that you are tracked as you browse. Web analytic and customization cookies monitor your browser activity in order to gain data such as what sites you visit, how long you visit for, and what features are being accessed or used. Advertisement cookies are why the ads you see are creepily relevant to your interests. You can quickly share that cute cat video to Facebook because of social networking cookies but at the same time, they are collecting data on you.

Tracking Pixels

Although you have probably never noticed them, websites also use tracking pixels to gather information about you. These are tiny, usually invisible images embedded into web pages, ads, or emails that act as a marker to identify when the content they are tied to has been loaded or opened. The code associated with a tracking pixel contains an external link to a server. When this code is processed by your browser or email client, it will send a request to said server and this interaction will be recorded. This is how read receipts are possible.
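The cookie and pixel mechanisms described above, combined in one simulation (an added example, not part of the original article). The site names, the tracker.example host and the class names are constructed for illustration; the run compares what one third-party pixel server can link together with third-party cookies allowed and with them blocked.

```python
import uuid
from collections import defaultdict

# Constructed sample pages that all embed the same third-party pixel.
PAGES = [
    "https://news.example/politics",
    "https://shop.example/cart",
    "https://health.example/symptoms",
]


class PixelTracker:
    """Hypothetical third-party server behind a 1x1 image."""

    def __init__(self):
        self.profiles = defaultdict(list)  # cookie value -> pages seen

    def serve_pixel(self, cookie, referer):
        # No cookie presented: treat as a new visitor and issue an identifier.
        visitor_id = cookie or uuid.uuid4().hex
        # The Referer header tells the tracker which page embedded the pixel.
        self.profiles[visitor_id].append(referer)
        return visitor_id  # sent back to the browser as Set-Cookie


class Browser:
    def __init__(self, block_third_party_cookies=False):
        self.block = block_third_party_cookies
        self.jar = {}  # cookie storage, keyed by the host that set the cookie

    def load_page(self, page_url, tracker_host, tracker):
        # Rendering the page triggers a request for the embedded pixel.
        stored = None if self.block else self.jar.get(tracker_host)
        issued = tracker.serve_pixel(cookie=stored, referer=page_url)
        if not self.block:
            self.jar[tracker_host] = issued


def browse(block_third_party_cookies):
    """Visit every sample page and return the tracker's profiles."""
    tracker = PixelTracker()
    browser = Browser(block_third_party_cookies)
    for page in PAGES:
        browser.load_page(page, "tracker.example", tracker)
    return sorted(tracker.profiles.values(), key=len, reverse=True)


if __name__ == "__main__":
    print("cookies allowed:", browse(False))
    print("cookies blocked:", browse(True))
```

With cookies allowed the tracker holds one profile covering all three sites; with them blocked it still sees each request but cannot join them by cookie. Other signals, such as the IP address, are outside this model.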

What data is collected?

A better question would be: “What don’t they collect?” Whenever you generate data, assume it is being collected.

Although it varies by state, a substantial amount of personally identifiable information (PII) is available through public records. This includes: your name, date of birth, phone number, current address, previous addresses, property information, marital status, education level, and criminal history.

Additionally, certain financial information is available in the public domain such as any bankruptcies and liens against you.

By combining this public information with the tracking mechanisms discussed earlier, data brokers can easily tie your virtual activity to your real-world identity. Organizations have thousands of data points on you. Some of the more specific include:

  • The number of whiskey drinks consumed in the past 30 days.
  • The brand of shampoo bought within the last six months.
  • The number of OB/GYN doctor visits within the last 12 months.

How much data is out there?

This year, one hundred and eighty-one zettabytes of data are expected to be created, captured, copied, and consumed around the world.

A single zettabyte is one sextillion bytes (1,000,000,000,000,000,000,000). Numbers at the zettabyte-scale are beyond what the human mind can imagine.

Let’s try though…

Assuming all roughly 8,000,000,000 people in the world have access to a device, if all 181,000,000,000,000,000,000,000 bytes were evenly distributed, each person would have to type at 860,920,091 characters per minute for 50 years straight to complete their share. The average typing speed for an adult is 200 to 250 characters per minute.

It’s still hard to comprehend. Let’s think about it this way…

Convert every byte to a dollar. Distributed amongst everyone on Earth, everyone would receive about 22.625 trillion dollars ($22,625,000,000,000).

Though outdated, developer Matt Korostoff made an interactive visualization of Jeff Bezos’ wealth at the end of 2020. On my desktop, it took 163.15 seconds to scroll through the $185 billion in wealth represented by $1,000 per pixel. At that rate, it would have taken 5.54 hours of scrolling to reach the end of $22,625,000,000,000 represented in the same way.

If paid out across that same time period, everyone in the world would receive $1,134,394.55 per second of scrolling.

What can I do about it?

Nowadays, achieving complete digital privacy is practically unattainable. However, there are some actions you can take to reduce your digital footprint. If you are new to privacy measures, be aware that these actions may change your browsing experience. While this is not an exhaustive guide, here are some key steps you can take to enhance your online privacy:

General Protection

  • Opt out of data collection whenever possible by adjusting your privacy settings in applications, websites, and devices.
  • Use a Virtual Private Network (VPN) to mask your IP address.
  • Use communication services that provide end-to-end encryption such as Proton Mail and Signal.
  • Limit application and device permissions such as camera access, photo album access, and location sharing.
  • Delete any unused accounts and applications.
  • Pay with cash-on-delivery or virtual cards when making online purchases.
  • Avoid loyalty/rewards programs and taking online quizzes/surveys.
  • Submit data deletion requests to companies or service providers or use a service like DeleteMe to do it on your behalf.
  • Use privacy focused search engines such as DuckDuckGo.

DNS Protection

DNS-over-HTTPS (DoH) sends DNS queries inside an encrypted HTTPS connection, so the names you look up are unreadable to anyone between you and the resolver. It is offered by companies such as NextDNS. In 2019, NextDNS and Mozilla teamed up to hold DNS resolvers to limits on data collection and retention through the Trusted Recursive Resolver program.

Browser Protection

Some browsers, such as Tor and Brave, prioritize user privacy by default. Their protection can be further enhanced by adjusting their settings.

You can also install privacy-focused browser extensions like uBlock Origin that will filter out unwanted content and trackers.

Cookie Protection

Under the ePrivacy Directive (EPD) (a supplement to the General Data Protection Regulation (GDPR) legislation), in order for a company to set tracking cookies, they must:

  • Provide accurate descriptions as to the data each cookie tracks.
  • Receive user consent before using the cookies (except strictly necessary ones).
  • Record the consent received.
  • Allow access to the service even if the user refuses the cookies.
  • Make it easy for users to withdraw their consent.

When you encounter one of these consent pop-ups, know that you can reject:

  • Preference cookies (sometimes called “functionality cookies”)
  • Statistic cookies (sometimes called “performance cookies”)
  • Marketing cookies

You can also manually clear cookies and data through your browser settings, though this may log you out of accounts and remove any site preferences you have set.

Conclusion

In today’s data-driven world, our digital footprints have become valuable commodities, often exploited without our knowledge. From dynamic pricing in stores to the manipulation of rental markets, the consequences of lax data privacy extend far beyond mere inconvenience.

While achieving complete digital privacy may seem daunting, every step towards protecting your data matters. By implementing even a few protective measures, such as using encrypted communication services and privacy-focused browsers, you can significantly reduce your digital vulnerability.

Remember, privacy isn’t about having something to hide; it’s about maintaining control over your personal information. In an era where data is the new gold, safeguarding your privacy is an essential act of self-preservation and a fundamental right we must all work to protect.
