Skip to content
Go to file
Cannot retrieve contributors at this time
225 lines (196 sloc) 12.7 KB
If not us, who stores and owns our data?
% BY: Fieke Jansen, Tactical Tech
In October 2015 the European Court of Justice ruled that the Safe
Harbor agreement was invalid. This agreement enabled American
companies that comply with European data protection law to transfer
and store data of European citizens. Under the American Patriot Act
this allowed US authorities to gain routine access to the online data
of Europeans stored with American companies, which according to the
European Court infringed on the privacy of EU citizens.[^]{Powles,
J. Tech companies like Facebook not above the law, says Max Schrems}
These jurisdictional issues around data stem from the fact that individuals
no longer own or store their data, that third parties have become the
data holders. The question we try to answer in this article is how do we
lose control of our own data, where is it saved if it is no longer in our
immediate surroundings, and what can be done to reclaim some control over
our data?
How do we loose control over our data?
Our devices – computers, mobile phones, and tablets – are constantly
telling others where we are and what we are doing. Mobile phones in
particular are very effective tracking devices: Where we go, it goes, and
it records our location all the time – even when we're not connected
to the Internet. It also collects information about our contacts, which
websites we visit, and the apps we use.
This might sound abstract, so lets take a closer look at location
data. Location collected over time can tell a surprisingly full
story about who we are and what our life looks like. Location data
can predict where we live and work by analyzing where our phone
sleeps at night and rests during the day.[^]{Location tracking, Me
and My Shadow} Subsequently,
if location data is layered with other data like Google maps, a company
that has access to location data can tell where we have been: whether
we visited the doctor, which restaurants we have visited frequently,
and even whether we are part of a political organization. When location
data is layered with time and data, the location can be linked to public
events, which can tell something about participation in protests, the
attendance of a concert or festival or even a visit to specific support
group. Now imagine a company has access not only to our own location
data, but also to that of all our friends and family. Putting these
locations together can give insight into who was in a room together
at what time, and from this social graphs[^]{Chatterjee, S. and
Anderson, I. Building a Location Based Social Graph in Spark at InMobi}
are built to identify what type of social relationships exist between
Another common form of data collection happens in the browser,
which provides companies with insights into our interests, likes and
behavior. Most, if not all, websites have third party trackers included
in them. The visible trackers are the Facebook like button, Twitter
bird and even the advertising on the page. These third party trackers
are companies that are separate from the website, companies that offer
the website specific services like advertising, analysis and social
media share options. The purpose of data collection in the browser is
for companies to collect data and build up a profile[^]{Miljanovic,
M. Profiling: glass data masks we wear unknowingly. Me and My Shadow}
of who we are: age, gender, where we live, what we read, and what we're
interested in. This information can then be packaged and sold to others:
advertisers, other companies, or governments.
Is the omnipresence of devices in our everyday life and the convenience
of specific tools and services the sole reason that control is lost over
personal data? No, data creation is more complicated then that. Data is
created by us as a prerequisite for using a service – think of the data
needed to register for Facebook or Gmail. Location and browser data is
created when we interact with our devices. Other people tag us in social
media. There are also more subtle ways[^]{Sptiz, M. (2014). Was macht ihr
mit meinen Daten? Woffmann und Camp} to create data about us. When we
register for specific government, financial and social services, name,
tax number, income, address and other data are required. When we move
within and between cities, CCTV cameras and public transport systems are
logging movements. Buying a plane ticket requires entering personal data
and payment information into a website, which is shared at least with
the airline and border police.
What is even more invisible is data about us that is inferred from other
data. Data brokering companies create group profiles[^]{Miljanovic,
M. Profiling: glass data masks we wear unknowingly. Me and My Shadow}
on the basis of shared characteristics, based on social media networks,
location data and/or browsing behavior. Our individual profiles can get
tied to one or more group profiles, binding the group characteristics
(data traces) to us. These group characteristics then become part of
our individual profile, which can determine our credit rating, type of
advertising and offers we receive. The problem is that we have no control
over which group profiles we belong to, nor what inferred data traces
are created and added to our individual profile.
Complicated? Let's take a fictional person, Renata, to understand inferred
data. Renata lives in Rio de Janeiro, and spends most weekdays studying
at the Universidad Federal. Her phone reports her location from there. On
Friday and Saturday night, however, her phone reports back from the area
Santa Teresa until around 4am, before returning to the location where it
normally 'sleeps' (Renata's home on Rue Bento Lisboa). A data brokering
company knows that many people who study at the Universidad Federal and
go out in Santa Teresa also browse for vegetarian recipes and search for
the latest rock concert. Based on Renata's movements, the company decides
that she fits the profile of this group and labels her as a vegetarian
rock-music fan.
Why is all this data collected?
'Data is the new oil.' It does not matter whether this analogy is
accurate. The truth is that there is a multi-billion-dollar data industry
making money from our data. In the data industry companies range from
data collectors, data cleaners, data sellers, all the way to attention
sellers. Most of these companies have names we have probably never heard
of, such as Acxiom, AdSquirt, Rubicon, CommScore and DoubleClick, whereas
others are companies we might use on a daily basis, such as Google,
Facebook, Linkedin and OkCupid. However, all these companies make money
on data that is collected about us.
As a response to an in-depth investigation by the Federal
Trade Commission (FTC) into the data broker industry[^]{EFF. Data
Broker Acxiom Launches Transparency Tool, But Consumers Still Lack Control},
the oldest and one of the biggest data brokers in the US,
Acxiom, gave people access to their personal data. Acxiom opened a
website[^]{} that gave US citizens, after some
bureaucratic processes, the ability to see, change and remove their data. In
many instances US citizen who gained access to their Acxiom profile did
not delete their data but changed it so that it would represent them
better. This action moved them from being Acxiom's product to becoming
free labor for the company[^]{Keen, A. (2015). Why the internet is not
the answer. Atlantic Monthly} by making Acxiom's data sets more accurate
and thus more valuable.
If our data is not saved by us but by the data industry, where is it? This
is not very exciting: it is safe to assume that our data is stored
in data centers all around the world. Our data is stored by multiple
companies, and large commercial corporations like Google or Facebook
do not store it in one location. These companies copy and store it in
multiple locations. Individuals can only delete this data if the company
gives them permission to do so.
What can we do to control our data?
The friction in increasing privacy and digital security as an individual
is that companies and governments are becoming more and more sophisticated
about collecting, analyzing and storing data, while we, the users, are
made responsible for protecting our data with strategies and tools that
only cover part of our digital traces. This does not mean that we should
not do anything, but it does mean that we can only make it a little less
bad and that all measures will have an expiration data.
The first steps to increase our privacy and take control of our data are
actually surprisingly easy. Be aware of what is collected, where and who
has access to it (other people, companies or governments), make choices
about what data we want to keep private and which data we are comfortable
sharing with others. Try the following steps:
1. Give as little data as possible. When we open a new email, social
media or online shopping account or register for an event or a
website or book a flight, several data pieces are requested. Limit
the amount of data shared with companies by taking a critical look
at the necessity of providing data for the use of a tool or service.
Is this really necessary and or are there other ways? For instance,
Twitter does not have a real name policy and enables people to
create an account using a fake name with a random picture. However,
the service still asks for an email address and mobile phone number.
There is another way, though, because registering in the browser
only requires an email account and not a phone number. Creating an
anonymous email account is much easier than having an anonymous
phone number.
2. Block tracking in the browser. There are some very effective bits of
software that block trackers, encrypt website connections, or stop
spying ads from running – all of which can make a big difference to
our privacy. Apple recently allowed ad blocker in the App Store,
enabling us to block third party trackers in the browser on our
phones. Don't forget to clear the browser history and clear all
cookies on a regular 'daily' basis.
3. Play around with default settings. Commercial Internet services have
privacy settings which are often set to 'share as much as possible',
but luckily this can usually be changed in our browser and on
platforms like Facebook and Google. Remember that by changing the
default setting, we are limiting the digital traces that will become
public, but this does not mean the company that owns the platform
will not collect it.
4. Have multiple identities. Play with separating your data profiles by
creating different identities for communicating with work, family,
network and friends. Try creating different identities for online
shopping or use different browsers when accessing Amazon, Facebook,
Twitter or Google.
5. Use alternative services. When we use commercial services for our
email, chat apps, maps and file sharing, we share a lot of data with
these companies. Using an alternative to these commercial services,
will give us more control over who has access to this data. Find out
which 'alternative' email services exist.[^]{}
6. Don't forget the privacy and digital security basics. There's no
such thing as 'perfect privacy' or 'perfect security', but there
*are*a few simple things we can do to keep our content,
communications and web browsing more private and more secure. Keep
our devices clean and healthy, use unique and strong passwords,
install HTTPS everywhere, anonymize our Internet connection using
the Tor Browser.
For more practical tips on managing your data, please visit us at and
% BIOGRAPHY: -------------------------------------
**Fieke Jansen** (NL) is a researcher and writer who aims for more
transparency in the global data industry. Currently she works as the
Project Lead for the Politics of Data program at the Tactical Technology
Collective, which is an international organization dedicated to the use
of information in activism.
You can’t perform that action at this time.