Column by new Root Striker Michael Gurnow.
Exclusive to STR
As I was vanity surfing one afternoon, out of sheer boredom I opted to click on one of the many seemingly innocuous web hit listings supposedly offering my personal data for a price. In most cases, these sites merely provide a name, estimated age, and then the option to buy additional information: Current location, phone number, email address, Social Security number, etc. However, to my amazement, this website freely presented an extremely detailed biography: My age, every place I had lived throughout my life (with almost spot-on precision), the jobs I have and have had (with nearly the same accuracy), my spouse, her age, and how long we’d been married. To add insult to injury, alongside my present address was a picture of my home.
I contacted the website’s administrators and requested my profile be taken down. I believed that this was a wasted effort but, interestingly enough, was sent an opt-out link. Less than 48 hours after submitting my request, my profile disappeared.
I later learned that the site complied due to federal law.
I proceeded to attempt to cull all of the collected online personal data I could find. I filled out one opt-out form after another from such organizations as beenverified, mylife, whitepages, radaris, pipl, zoominfo, intelius, lookupanyone, instantcheckmate, plussaddress, 123people, peekyou, peoplesmart, rapleaf, emailfinder, freephonetracker, and phonedetective. As I was doing so, realizing that the number of similar sites could be endless (atop the fact that in many of their FAQs, they explicitly state that there is no guarantee that the information will not reappear at a later date), I asked myself where these businesses were getting their information. It turns out that the various “people location service” sites are merely middle-men: Many such online firms have purchased their information from what is referred to as “data collection / mining / brokerage / analytics” agencies.
Data collection agencies—multimillion-dollar corporations—make it their business to obtain personal data from a multitude of sources: Social networks, public records, seemingly secure personal paperwork such as bank loans, as well as through a person’s own Internet browsing habits. The most well-known data broker is Acxiom, based in Little Rock, Arkansas. Similar companies are Datalogix, Euclid, AddThis, Federated Media, Epsilon, Digital Advertising Alliance, BlueKai, and Network Advertising Initiative, among others.
How do these businesses go about collecting such exacting information about you? Aside from merely taking what a person freely offers through social networking sites and public records, they cast an invisible electronic net over the Web using what is referred to as a cookie.
A cookie is information sent from a website that is then stored on your computer. When you return to the website, the cookie alerts that webpage of your previous activity. This type of data exchange is called a first-party cookie interaction. A cookie log file reveals what websites a person has been on, the order visited, and for how long. Then there are third-party cookies. If you arrive at one website that has an advertisement, a third-person cookie is set. If you then go to another website which has another advertisement by that company (because you are checking out which store has the lowest prices on curtains), this sends a notice of your repeated interest to the advertiser—or web analyst hired to collect the data. Companies then begin sending you home improvement ads in both your electronic and snail mailbox because they assume you are remodeling. This is also how and why the ad for the shoes you were looking at three websites ago is suddenly, “coincidentally” appearing as a sidebar in your online weather report. The accuracy of this type of online predation has been found to be scary [4]. A data mining company uses cookie information—time; date; your IP address, which reveals your location—to establish a consumer preference list, which is then bundled and sold to whoever is willing to pay. There are a lot of people who want this information. However, people location service websites are not data miners’ biggest clients. Advertising agencies, insurance companies, banks, marketing firms, and corporations stand to make a lot more money by acquiring your information.
Insurance companies actively purchase this type of data and check it (this is part of the underwriters’ jobs). Even if you don’t disclose on your medical insurance paperwork that you are prone to severe headaches or put on your home loan applications that you have a German Shepherd, because you have repeatedly checked online to see if Store X or Y has a sale on Tylenol and you have requested dog food coupons via the Internet, the insurance companies’ data collection files tell them this (which is ironic in that insurance companies require a professional assessment when deciding claims but, when issuing premiums, everyone’s unspoken web-browsed diagnosis is freely welcomed and accepted). The problem arises when your daughter, who wants a dog, has consistently searched for cheap dog toys over the past few months in order to sweeten her appeal for a puppy. Because your insurance company has “reason to believe” you now—or will in the near future—own a dog, they add this expense into the policy without telling you (because it would be too costly to send a field agent and they do not trust the client to reliably relay such information). They don’t care if their assessment is not 100% accurate because, when in doubt, they add in whatever would financially benefit them under the ruse of protecting their investment. This is how third-party cookies can increase interest rates on home loans and create higher medical deductibles.
The main issue is not these companies’ right to collect personal data, which they are dubiously permitted to do by law. The concern is what they do with the information. In short, because they are willing to sell it to whomever is willing to pay and there is no oversight as to how this data is distributed, we find people—such as myself—whose personal privacy and security are at the whimsical disposal of whoever has a credit card or, it would seem, merely an Internet connection.
The question now becomes, since nothing guarantees that once you are removed from an online profile listing that it will not later reappear because nosy corporations will continue to hire data collection agencies to violate your privacy, what can be done? The simple solution is to not offer data, personal information, and preferences in the first place.
First, wipe yourself from social media outlets. As Facebook recently made clear, it owns whatever you place on its servers. It is not as if Facebook hopes of one day using your uploaded photographs to publish a calendar. It does so in order to retain the right to sell your information and, by tagging your photographs, we just make it easier for the analysts to do their jobs. We can readily assume all social media outlets are following suit. The obvious solution is to cancel these accounts. However, some websites make it more challenging than others, while a minority makes it virtually impossible. Luckily, accountkiller.com [5] is there to guide you through the process of canceling the accounts of many of the more popular online programs. Ironically, as with several data collection agency opt-out forms, some sites will audaciously request you create another account or provide a current email address “for confirmation purposes.” Accountkiller rightly directs you to fashion a dead-end dummy email account, preferably using the name “Account Killer.” This way you can confirm the cancellation request and, since the account will not correspond to you through cross-referencing because no authentic personal information was provided on the email application, there is no way they can track you.
Second, put up blocks to keep your browsing secure. Though their titles imply this is what they are doing, Explorer’s Inprivate and Chrome’s Incognito features only wipe one side of the computer: Yours. Likewise, encrypted Google still records where you are going and where you have been. In order to keep companies from cataloguing your search preferences, not only via search engine inquiries but through the particular websites you access, download the Ghostery [6] or DoNotTrackMe [7] add-ons. Be sure to go through the set-up process and mark what you specifically want blocked. You can also manually disable third-party cookies in all major browsers. As if first and third-party cookies weren’t enough, a more recent data collection invention is the Flash cookie, also known as the Supercookie. This evades typical security blocks and protocols. At this time, only Firefox provides a defense against this type of intrusion via BetterPrivacy [8]. If you would like a second-by-second report of who is tracking you, as well as how much they are making as a result, there if Privacyfix [9].
The most startling revelation as to the extent to which companies go to collect data using third-party cookies can be seen by visiting http://www.aboutads.info/choices [10]. This website reveals which organizations have a regular tracker set on your computer. It offers a supposedly all-inclusive opt-out feature. I had over 100. For the few non-responders left over, I had to go to their websites and submit individual opt-outs requests.
Third, encrypt your cell phone. This is why retail outlets go to the seemingly arbitrary expense of offering free Wifi: If your phone can access a Wifi network, the network can likewise access your phone (and all its data). By encrypting your phone, corporations cannot read any information you have on your phone. If you don’t do this, you might find that you “Liked” a store you were in via Facebook without having actually done so. Obviously, the corporation has automated protocols in place to do this once it has gained access to your phone.
This secures your phone’s memory but it does not automatically make for safe browsing because you will still be at the Wifi network’s mercy. (This is why you might be unable to access competitors’ websites when in some retail outlets—the store’s Wifi is restricting your access). To protect against this, use the encrypted rerouter conjunction of Orbot [11] and Orweb [12].
It is worthy to note that whenever you use your cell phone, it is possible to triangulate your location from the signal strength of the receiving cell tower. If you are running background data, i.e., email alerts, your phone is constantly receiving communication from the nearest tower. If this weren’t scary enough, when you take a picture with your cell, the GPS and phone’s make and model are embedded in the photo’s code. Obscuracam [13] removes this personal information.
Fourth, turn the GPS off of your various devices [14]. This should go without saying but it is worth adding that a person’s location can also be determined when one is within Wifi range. Turn off Wifi when in public if this is a concern.
Fifth, use Startpage [15] or Duckduckgo [16] as your search engine. It is completely anonymous browsing but I’ll let the latter speak for itself [17]. However, if you don’t have information blockers installed on your browser, once you click on a return from these search providers, the individual website you are visiting has access to your computer.
Sixth, download and exclusively use the Tor [18] browser. Tor’s completely anonymous browser has everything blocked that a data collection agency, marketer, or advertiser would want to know and, for good measure, it reroutes your IP address so websites have no idea who (or were) you are.
Seventh, only access secure sites which offer encryption. A website with a Secure Socket Layer, or SSL, guarantees to only be communicating between you and the site. This is done through encryption. Most websites use the standard “http” prefix. However, SSLs will house the “https” prefix.
Eighth, be weary of (free) email services. Gmail and Yahoo scan both incoming and outgoing emails and insert related advertising content within the window frame (thus confirming whether or not they read your emails). This means even if you use another email client, when you send an email to someone with a Gmail or Yahoo account, they retain the right to infiltrate the contents because it is crossing their domains. Likewise, business email accounts—even Outlook extensions—are legally viewed as property of the client, in this case, your employer. As such, your employer has the right to read your email. (The same applies to a business-issued cell phone and all its contents.) A truly anonymous email account can be made using the Tor browser so long as the email provider uses encryption and does not include your IP address in the email header (Hotmail clients beware). Remember to use an alias and not disclose any personal information when creating the account. Only access this account using Tor.
Extra secure measures. Remember, these tips help to protect your phone and Internet privacy, but banks and corporations still track (and record) purchases made with a debit or credit card. Admittedly, almost all businesses insist upon direct deposit, thus banks will know what you make, but it doesn’t mean they need to know what you are buying. For those desiring near complete personal anonymity, paying in cash or using a money order leaves no trace.
Related point of interest: “Seated Between Pablo Escobar and Mahatma Gandhi [19].”
[20]
