Balancing Data Privacy in a Day of Convenience

Key Takeaways

I recently had the opportunity to watch The Great Hack, a Netflix documentary that came out in late July that is about the Cambridge Analytica scandal involving citizen data and elections. If you haven’t watched it, I highly encourage you to do so. In the absence of time, let me break it down for you! The documentary focuses on how accessible our individual human data is and just how much of it is on the internet. Even if you have deleted your Facebook account, much of your data is still out there. The documentary focuses on how Cambridge Analytica gathered and cultivated massive amounts of citizen data from all across the globe and then supposedly used it in marketing campaigns to persuade certain citizens (dubbed the “persuadables”) in voting decisions worldwide; including Brexit (the UK’s withdrawal from the European Union) and the U.S. 2016 presidential election. This article is not going to focus on how Cambridge Analytica used U.S. citizen data, but rather on how they were able to access it without one’s approval.

The background of the documentary is that Cambridge Analytica had collected between 4,000-5,000 data points on every U.S. voting citizen. Every citizen. One may ask, how can this be? Well, does Facebook or Instagram sound familiar? Data from more than 87 million Facebook member profiles was obtained by Cambridge Analytica, who then used that data to assist the Leave campaign in the Brexit vote and the Trump 2016 presidential campaign. Regardless of the presidential outcomes, the fact that they acquired and used that much data on human beings is incredible and even scary.

While that’s just one way citizen data is accessible, according to a May 2019 article from PEW Research, 69 percent of the United States is on Facebook; that’s a pretty significant exposure. The importance of these numbers becomes even more meaningful, when you consider that data and the data giants Alphabet (Google’s parent company), Amazon, Apple, Facebook and Microsoft are now considered more valuable than oil. (May 2017,The Economist).

Yet the bigger story is that our personal data is out there and being used in ways we don’t understand. One may ask, was it really that much important data? We will never really know for sure, but at the time of these campaigns, the data collected from the third-party app that gave anyone access to Facebook included information like interests, likes, location, political affiliation, relationships, photos and more.

So why is this important? In this day and age, our personal assets go beyond just finances; data rights are human rights. Personal data is extremely valuable. Think about how quickly relevant advertisements pop up on your Facebook page or even your cell phone through a text or an app after you have conducted an online search. To bring it to the workplace, think about how much searching we do on the internet for new county equipment, software applications or even job postings for finding qualified staff. And then all of sudden, this particular product or service that you were searching about shows up on your Facebook feed, even though you weren’t on your computer (but rather using only your cell phone). When we search through Google, Bing or another search engine, that information is more than likely being sold to advertisers, consultants and other entities that have paid the big search engines to have your information. Supposedly with permissions, of course. But do you really read those terms and conditions that pop up on your screen when you are diligently looking for that new book, clothing, food item or office equipment? Since we are in a world of instant gratification, I would venture to say “no.”

So, what can citizens and ultimately county government do to protect the data rights of individuals? Europe has taken one approach by implementing The General Data Protection Regulation or GDPR. One may ask: “What is GDPR?” GDPR is a massive data protection or privacy law emanating from the EU that applies to most organizations, regardless of where they are located. While that undertaking was in process long before the Cambridge Analytica shenanigans became public, it was only official in May of 2018, right after the scandal went public. Any organization that offers its products or services to an EU resident or is established in the EU or is engaged in widespread website behavioral monitoring must comply with GDPR. This means even organizations based in the United States may be subject to GDPR. The most obvious result of GDPR is those new footers or pop-ups on websites that are supposed to inform you about what data is being collected when you use their site and have cookies enabled. What I have found is that many are just clicking on the “cookies” message and breezing by what the terms and conditions say.

How this affects local government in the United States is debatable and ranges from there is no need to legally comply with GDPR to “Yes, we know that we have many foreign citizens visiting our website and therefore we must comply in some fashion.” What is more common is that states are beginning to enact their own data privacy laws. Take California for example. The California Consumer Privacy Act of 2018 mirrors the EU law in many ways. Data accuracy and notification to those subscribing on how their data is being used is required, as is the honoring of a citizen request to see what data the organization is collecting or holds on them. Other features include posting a privacy policy on their website that states:

• The type of personal data collected
• Any third parties with whom you share the data
• How users can review and change their data that you’ve collected
• How you’ll update users of changes to your privacy policy
• Your privacy policy’s effective date
• How you’ll respond to “Do Not Track” requests

According to legislative tracking website Quorum, more than 200 pieces of legislation on privacy have been debated in state legislatures so far in 2019.

On a personal level, folks like you and I should be more attentive to what data we make available online. As I like to say often, the devil is in the details. Listed below are some questions to ask yourself and to share with your county departments and your citizens:

• What information do you have in your Facebook profile, your LinkedIn Profile? Do you include where you went to high school, college, if you are married, what your religious affiliation or political affiliation is?
• Do you include your hometown you currently live in?
• Do you have your cell phone posted online anywhere that could be publicly accessible?
• Do you post pictures of yourself, your family members, new grandbabies that can be accessed publicly?
• Have you reviewed your profile settings for privacy and when you create posts, are you diligent about not using the “public” feature on your news feed or your story?
• Do you read the terms and conditions on a site that you join as a member?
• Or the new “cookies” pop-up that so many sites have now, as a result of the GDPR laws in Europe?
• Have you read the current Facebook terms?

The good news is that terms and conditions on most sites are much more transparent these days.

Consider the Facebook terms:

• We don’t charge you to use Facebook or the other products and services covered by these Terms.
• Instead, businesses and organizations pay us to show you ads for their products and services. By using our products, you agree that we can show you ads that we think will be relevant to you and your interests. We use your personal data to help determine which ads to show you.
• We don’t sell your personal data to advertisers, and we don’t share information that directly identifies you (such as your name, email address or other contact information) with advertisers unless you give us specific permission.
• Instead, advertisers can tell us things like the kind of audience they want to see their ads, and we show those ads to people who may be interested. We provide advertisers with reports about the performance of their ads that help them understand how people are interacting with their content. See Section 2…to learn more.

While, the Section 2 reference is quite extensive and not reprinted here, it covers what Facebook does with your data.

While one may or may not be comfortable with these additional details, it is important that you are aware.

You can find out more at https://www.facebook.com/about/privacy/update.  

If nothing else after reading this article, I would highly encourage you to consider the questions above and to look at what those major sites (like Facebook) do with your data and to whom they share your personal information.

Awareness is critical in balancing privacy with convenience.

Remember data rights equal human rights!