With over 1,578 terabytes of data generated every minute, the internet is bringing tremendous changes to the world. With the rise of smartphones, wearables and Internet of Things (connected objects in your home), the volume of data generated about you is at a point where it cannot be sensibly measured anymore. But how do you think all of these cool apps are free? Do you know how much it costs to run global IT infrastructure capable of handling more than 2.7 billion monthly active users? With social media responsible for 33% of the time we spend online [Source: Global Web Index] and the fact that they rely on us, users, to generate that content, it is natural that social media companies feel the heat when we talk about data and privacy.
Using cookie technology on the web, those platforms are able to track most of your browsing activity and build a profile of your interests and wishes and use it to push targeted advertising. Their whole business model revolves around what they know about us, as over 97% of Facebook’s revenue comes from advertising (FB Q2 2020 Earnings Report). Your data is being monetised. When a product is free, YOU are the product.
As users, we do enjoy sharing our data when it serves a useful purpose. I don’t mind Netflix recording my viewing history to make recommendations on what I should watch next. But when does it become too much? Are you happy with an airline company recording and sharing your flight searches to other companies to push holidays promotions? Do we trust our voice assistant constantly listening to what we are saying in the privacy of our homes? Who do we want to access our location and activities data, constantly recorded by our “always-on” mobile devices and connected watches? As Scott Galloway puts it, social media platforms have weaponized our data, selling it to the highest bidder for ads. The scandals around Cambridge Analytica and the 2016 US election show how those platforms can actually become a threat to democracy.
So can the regulators really protect our democracy and our personal data?
Over the last decade, international regulators have been playing catch up. The ageing data privacy laws were drawn from the time of newspaper journalism. Europe has been leading the charge with The General Data Protection Regulation (GDPR) coming into place in May 2018 after almost a decade in the making. The US doesn’t have a similar comprehensive federal law but some states are catching up, such as California with the CCPA (California Consumer Privacy Act - CCPA) with limited reach.
These laws are a step in the right direction and have impacted all businesses (from SME to multinationals). It brought data privacy discussions to boardrooms and all businesses are adapting their processes, training their teams and most are now more aware of the importance of data privacy.
Even with strict European and US laws, there is still very limited protection when it comes to sharing data online. As this is user-generated content, our information can get disseminated further than we intended. Just last week, it was confirmed that Instagram is not deleting the pictures you erased:
After years of scandals, EU lawsuits, US senate hearing and apologies, the biggest platforms are still making schoolboy errors! And alongside this, Facebook and the “Big Tech FAANG” are still spending millions of dollars lobbying lawmakers to try and shift the focus of discussions and policies away from what could hurt their model (i.e. global affairs boss Nick Clegg, lobbying against new EU privacy laws which would force tech companies to get consent from users before accessing and using data from their private messages).
So as individuals, we have to ask ourselves if we can really trust these companies with our data. Similar to outdated tax laws with these companies finding loopholes to avoid paying their fair shares, social media platforms will continue to find loopholes to capture more of our data and secure their revenue and growth.
This is why it’s so important to educate everyone with the basic technical knowledge of how those platforms work and to remain aware of our actions online.
From an end-user perspective, let’s analyse the different level of awareness and progression when it comes to data privacy online:
[Stage 1] The Social Media Newbie: “What are you talking about?”
This would start as an example with your teenage nephew/niece (or even parents and grandparents, as users 65 years and older are the fastest-growing group on Facebook) when they first start creating social media accounts. At that phase, you see the internet as a new playground, discovering the powers of connecting with old friends and strangers.
At this phase, you probably have never heard of data privacy. You don’t know that privacy settings even exist to control what information is stored and who it’s shared with. You don’t know that with every post you like or every game you play, you are feeding their algorithm building up a database of thousands of data points on you. Every minute that you spend online continues to feed this enormous monster that becomes more powerful and valuable. A Guardian journalist downloaded his data in 2018 and received 600MB worth of it, or the equivalent of 400,000-word documents!
[Stage 2] The Non-Digital Friend: “I don’t care”
At this stage, you have probably heard about the scandals and started to think it could happen to you but you might not care. You accept that the quality of your feed and entertainment value outweighs the risk of sharing too much data. You will accept default cookie popups without thinking, as the joy of sharing to an audience grows every time you get more likes and your dopamine shot from the notifications you receive.
The wider challenge to consider is about the long term implications of sharing personal information or pictures online. Recruiters running due diligence or trying to know you better will most probably check your online profile: will they find social media posts from college parties or teenage rants always showing “your best self”?
This is where most of my friends that are not working in “digital” are sitting today. I’d recommend opening up discussions, just to bring some more awareness about this topic and how basic changes on our online behaviours can have a big impact on our privacy.
[Stage 3] The Wise Parent: “I am careful with my data”
Now you are taking things more seriously. You are more aware of what is going on and we had time to think, analyse and grow up to realise that there are more risks and unknowns about how your data is stored and shared online. The hacking scandals also create further risk about identity theft and the consequences it could have on your finances.
At this stage, you will follow best-practices such as :
- Being more careful when connecting on public wifi. If you do not control the hotspot, using a VPN will anonymise and secure the transfer of your data
- Checking that eCommerce sites are genuine: do they have a physical address, phone number with a real customer service team? Is the “secure lock” icon that encrypts the traffic showing next to the URL?
- Using an ad-blocker to declutter your pages
- Using a password management tool to not use the same password on multiple sites
- Updating the privacy settings on our social media accounts to disable public sharing, disable GPS or access to the camera from our mobile phone or edit the Alexa / Siri / Ok Google settings to NOT share recording for analysis
This is probably the stage I am at now. I work in digital, I educate clients on best practices for data storage, database hosting and business processes to remain GDPR compliant, but it’s not easy. I still accept most cookie policies and continue to interact weekly with my Facebook account to stay in touch with high-school friends.
[Stage 4] The Privacy Advocate: “My data, my rules”
By this stage, you probably have deleted your Facebook account, gone into the hidden options of your browser to set it up as “Do not track” (or use browsers such as Tor or Brave) and use DuckDuckGo instead of Google. More than using the existing tools to protect the basics, you go much further and change your actual behaviours online.
You also make use of the “Subject Access Request” GDPR laws if you are based in Europe: you email the online services to request an export of your data, analyse what they are storing and you might request a full deletion under the “Right to be forgotten” if the data is inadequate, irrelevant, or no longer relevant.
You consider that these platforms are invading your privacy and you decide to actively shield your data as much as possible. This might have happened after an unfortunate hacking incident or just a realisation that you do not want to be the product of the free services.
So where do you stand today?
Ideally, everyone would grow through the maturity stages to reach a higher level of awareness but realistically, it’s not that straightforward. Moving to Stage 3 would be my strong recommendation for everyone as it requires little effort… But to get to Stage 4 really requires a lot more effort and some sacrifices to your online experience.
Getting everyone around you to just think about it and get a basic understanding of online behaviours will be a good start. You need to be aware and understand how these online services work at a personal level (on your own data) before you can apply better decisions at work. In the next article, I’ll cover how you can implement privacy-first products and processes in your workplace to protect your customers’ data (now that you know how to protect yours)!