It’s interesting, government departments in many countries cannot ask for any personal information unless it is needed for the services they provide. Why can internet sites get away with this? Your date of birth is a critical piece of identity information, but it’s absolutely not necessary to register for a website.
A number of websites ask you your birth date as part of their registration process, including – as shown in the above example – Yahoo!
Yahoo! in this case tries to soften the blow by promising to provide me with a “better experience”. Let me translate what that means; they will guess based on your age which ads should be served to you. So if you’re in your thirties, and perhaps visit a baby clothes site, you’ll get baby ads, if you’re over forty five it’ll be hair-loss and menopause remedies. Get older and it’s incontinence pads. As if you couldn’t search for such products without their help.
In my case I lie, I have a birth date that I use as my “internet birthday”. Which means I’ll get the incontinence pad ads a little late.
If you’re in the EU you will have been bombarded with messages in the last few weeks: emails from everything you’ve ever subscribed to, forced logouts from apps, and screeds of new terms and conditions to read. It’s all because of GDPR, the European General Data Protection Regulation.
The GDPR is a new law on data privacy in the EU and it relates to companies, individuals and organisations processing personal data for commercial use. It’s meant a lot of work over the last 3 years for anyone working in digital and a lot of lawyers. It grants citizens very specific rights over their personal data, here’s the list of rights from the EU official site:
The responsibility rests with companies to obtain clear consent from you, and you must opt in to receive information from them, the law states that “pre-ticked boxes are not considered to be valid consent under GDPR”. The law also recognises that consent is not always possible, for example an employee cannot consent to be supervised by CCTV for a productivity issue – since there is a power imbalance between the employer and the employee. The penalties for companies are steep, up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. No wonder companies are working hard to set up good privacy systems.
As an individual, a consumer and an employee I like the principles of the law. I’m glad to see a comprehensive overhaul of how our data is used, and that the EU is using its power to counteract the power behind US tech giants who haven’t taken as much care of my data as I’d like. But oh boy it’s exhausting to read everyone’s terms and conditions and sort out what I’m going to agree to. And not all companies present it in the easiest way. Here’s the notification on data sharing from Fast Company:
Seems OK right?
That’s until you scroll and find out that there are 53 companies other than Fast Company who get access to your data, and they get your data not just from Fast Company but also from other sites which use these companies – that’s code for tracking cookies being set on your computer so they know which site you use. I work in digital and I have heard of about 8 of these. There’s no way anyone has time to look through the conditions of all these sites and evaluate what is being done with the data.
EMX Digital LLC
Adobe Advertising Cloud
Quantcast International Limited
Oath (EMEA) Limited
Index Exchange, Inc.
Purch Group, Inc.
Research Now Group, Inc
OpenX Software Ltd. and its affiliates
DigiTrust / IAB Tech Lab
Eyeota Ptd Ltd
Integral Ad Science, Inc.
Conversant Europe Ltd.
Lotame Solutions, Inc.
SlimCut Media SAS
Sizmek Technologies, Inc.
The Rubicon Project, Limited
Unruly Group Ltd
The Trade Desk, Inc and affiliated companies
Sovrn Holdings Inc
Taboola Europe Limited
district m inc.
Some companies weren’t able to make their sites GDPR compliant in the two years since the law was passed, and I got this message:
Fast Company made a list of companies that hadn’t made the deadline. Of their list, Klout and Super Monday Night Combat have shut down for good, and A&E Networks, Crowdpac and History.com have managed to put a solution in place in the week following the deadline.
On the upside perhaps I will end up with less spam. A friend of mine who returned to New Zealand a decade ago commented “maybe the recruiters who haven’t believed my unsubscribe requests will finally figure it out”. Let’s hope.
I have had a few emails that stated “confirm now or we’ll never email you again”.
There are no surviving letters from Captain Cook to his wife, she burnt them saying they were “too personal and sacred”. We’re losing the idea that some things might be worth holding as personal and sacred. Part of that is our own doing, we’re sharing more images, texts and posts than ever (today’s count = 2 blog posts, 5 images, 4 links, spread across seven accounts). But a bigger part, a scary part, is from the technologies we use and the changing government rules.
Governments are taking more and more of our data. Last year the UK government expanded its surveillance powers with the passing of the Investigatory Powers Bill, which creates a government database to store the web history of every citizen in the country.
But perhaps the most insidious increase in data collection is via our mobile phones. I don’t share personal information on Facebook itself (I lied about my date of birth), but if I leave the application permissions on default then I grant Facebook the right to data from my calendar, camera, contacts, location, microphone, phone, sms, and storage. The location data means that Facebook knows where I live, where I work, and where my favourite cafe is. The contact data means they potentially know my mother’s home phone number.
Your phone knows more than you realise: health data from your Fitbit, stored passwords for your banking account, your exact location – either via the location app or via wifi pings. And beyond Facebook we install dozens of apps and grant them permissions; in this edition of the BBC’s “Click” programme they report on an app that collects a frightening amount of data, which happens to have been downloaded 50M times.
In general it doesn’t really matter if someone knows where I work, I publish that information on LinkedIn anyway, and it probably doesn’t matter much that someone finds out where I live. But it might. For vulnerable people – those escaping domestic violence, refugees, protesters – this is information that they definitely want to keep private. (Here are some practical tips to secure your phone, from encryption to app management.)
In fact the EU Charter on Human Rights asserts that data protection is a human right with the words “Everyone has the right to the protection of personal data concerning him or her” and there is debate on whether this should be a global human right. If you think we have a right to privacy then it’s a pretty short step to thinking data protection must be an important part of that.
Tomorrow is Data Protection Day, celebrate by adding two factor authentication to your accounts, checking app permissions and adding encryption to your phone.
in an anonymous forum someone figures out who you are IRL (in real life) and publishes your real name.
your social security number ends up on a site based in the former Soviet Union – and you’re the First Lady, Michelle Obama
the head of FBI’s home address was posted online (although an out-of-date address)
It sounds like a problem, and it could be in some cases, but it’s legal. Or at least it’s legal to re-publish public information.
If the information is obtained by hacking or by social engineering then a crime may have been committed, and if the information is used to infiltrate emails, commit fraud or to threaten someone that is a crime.
But publishing public information? Not a problem.
Which means we should all be smart about how much information we share online, but as the number of devices we use grows, and the amount we communicate online grows this gets harder.
In a week where Instagram (now owned by facebook) was in the news for changing its terms and conditions, facebook improved its privacy set up by introducing privacy shortcuts.
I haven’t found any change to the options available, or any change to my settings – I’d be writing a very different post if that were the case. This just makes it a whole lot easier to check my settings. With the “view as” option I can also see how various group members can see my posts in a really easy way – my mother doesn’t need to know some of the nonsense my friends post…. and that picture was photoshopped, honest.
I don’t always like how facebook behaves, but this seems to be a good step.
I’ve resisted it. I found it harder to find things on other people’s profile so I didn’t want to change my own but I finally gave in to the inevitable and updated my facebook page to timeline last weekend. I did some research, and the two things I knew I had to change were the cover image and my privacy settings. I also knew I needed to check which apps were connected to my facebook account and ensure that there was no frictionless sharing that I did not want.
1; The Cover Image
This is the large banner style image that is at the top of the page, your profile image is now set into the lower left of it.
I’m a bit leery of posting photos of myself online, I like my face well enough, but I’ve had a couple of minor stalker-ish issues in the past. So I chose my favourite image from my holiday last summer, of calm seas and boats at anchor. It was taken soon after dawn on a day with no wind in the middle of a sailing holiday. It goes with my profile picture – but that’s luck rather than good management. The overall impression is pleasing, but not particularly creative.
Facebook said that around half of my friends had switched – but not all of those had uploaded a new cover photo, so I suspect for some it hasn’t been a choice.
For a brilliant (and funny) riff on the whole cover photo concept, take a minute to check this out.
2; Privacy Settings
It’s one of my gripes about Facebook – the privacy settings aren’t that easy to find. But because facebook now pushes everything you do onto your timeline it’s important to find them and check your settings.
Look for the little arrow on the top right of the page, click on it and you’ll see a short menu which includes Privacy Settings.
Once you have found it and clicked on privacy settings it is easy, easier than it has been, to control who can connect with you, and who can see and post to your timeline.
You will also need to go through your timeline and remove anything that you don’t want to be seen – some things that were buried in the past are now easier for your friends and contacts to browse to. You can remove items individually by clicking on the “edit or remove” button on the upper right of the image. I like the “micro control” this gives visitors to facebook.
It’s easier on timeline for someone to find old posts you made, to limit this to friends only click on “Limit the Audience for Past Posts” on the privacy settings post. They’ve made this step hard to reverse so be sure it’s what you want before saying yes. For me this was a no-brainer, I’ve never wanted to share publicly on facebook so limiting who can see the history probably doesn’t change what non-friends can see – but I enabled it just to be sure.
You can also delete your posts from other people’s timeline – this could be important because you do not know their privacy settings, and it’s their settings that will apply to your post. Here’s how.
3; Frictionless Sharing
This is the concept that information from one place, or internet service is shared on facebook. It’s why you’re seeing what your colleague listens to on Spotify or what your brother has read on Washington Post. I don’t particularly want to know, and I definitely don’t want to share. So I haven’t enabled this sort of sharing. In fact I will not click through to articles from Washington Post because I don’t want this sort of cross-platform sharing.
When I set up timeline I checked which apps had access to my facebook account (via the privacy settings), it’s only two and neither of them post to facebook automatically. Which is good news for me – I won’t be spamming my friends.
So it’s done. I’m on timeline. It took me about fifteen minutes.
Others have become more concerned about the facebook security, in some cases to the point where they purge their profile regularly or delete it altogether. My personal approach is that I don’t put anything there that isn’t more or less public, and I only connect to family and friends. I lock down the security fairly strongly (only friends can see my profile), and I check the site daily (OK not just for security reasons). I still think it’s a great tool – but everyone has to take responsibility for protecting their own data and being smart about what they share online. It’s public, people.
Have you ever heard of the “EU’s Privacy and Electronic Communications Directive”? Well it’s come into effect as law in the UK as of 25 May this year, with businesses having a year to comply.
Here in the Netherlands no law amendment has been made, but it will be discussed in the Tweede Kamer (House of Representatives), so I’m watching to see what the outcome will be. I don’t know the progress in other EU countries. (You can read more about the Dutch situation, in Dutch).
What seems to be required is an “opt-in” before a cookie is placed on the visitor’s computer. Since most commercial websites add cookies for a range of purposes this will have a huge impact, and could significantly impact a visitor’s browsing experience. Imagine if every click on a site raised a pop-up informing you that a cookie was being placed and asking for you to agree or cancel. Most visitors would be quickly annoyed.
But there are other ways this could be implemented. I was visiting All Things D for the first time, and I was presented with this banner.
The promise to only present this note the first time you visit this site is met by setting a cookie, but it’s tracking cookies they are more concerned about. The “read more” link takes you to a page explaining their point of view on tracking cookies, and giving visitors information on how to remove cookies, or opt-out.
It’s a method that is more helpful to the visitor, and more visitor-friendly, but I’m not sure whether it will meet the requirements of the EU directive.
Cookies often store information about your last visit so that you do not have to re-enter information to a site, so they can be helpful – including password information on registration sites. Cookies can also be used as part of measuring traffic on the site. But they can also track all the sites you visit and send that information back to the site that set the cookie, or be used to track your viewing behaviour in order to customise the ads offered to you. The EU directive is connected to concerns at these uses of cookies.
I would definitely like to see more information available for visitors on what cookies are being set and how they are used. But endless popups are incredibly irritating for the user, so I’m hoping the ‘provide information’ option and one accept will work. Then of course there’s the question of whether visitors outside EU should have their visiting interrupted if it’s not legally required.
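The “one accept” approach discussed above can be sketched as a single gate that every cookie write passes through. This is an added example, not code from any site mentioned in the post: the category names, cookie names and the `ConsentCookieJar` class are hypothetical, and it assumes the banner-dismissal cookie is treated as necessary while measurement and tracking cookies wait for an explicit opt-in.

```javascript
// Added example; category and cookie names are hypothetical.
const NECESSARY = 'necessary';     // e.g. remembering the banner was shown
const ANALYTICS = 'analytics';     // measuring traffic on the site
const ADVERTISING = 'advertising'; // tracking used to customise ads

class ConsentCookieJar {
  constructor() {
    this.cookies = new Map();            // name -> { value, category }
    this.consent = new Set([NECESSARY]); // categories the visitor allows
    this.blocked = [];                   // audit trail of refused writes
  }

  // choices maps category -> boolean. A form submitted with its defaults
  // untouched (userInteracted === false) is not accepted as opt-in.
  recordConsent(choices, userInteracted) {
    if (!userInteracted) return false;
    for (const [category, granted] of Object.entries(choices)) {
      if (category === NECESSARY) continue;
      if (granted === true) this.consent.add(category);
      else this.consent.delete(category);
    }
    return true;
  }

  // Refuse the write unless the cookie's category has been opted into.
  set(name, value, category) {
    if (!this.consent.has(category)) {
      this.blocked.push({ name, category });
      return false;
    }
    this.cookies.set(name, { value, category });
    return true;
  }

  // Withdrawing consent also deletes cookies already set under it.
  withdraw(category) {
    if (category === NECESSARY) return 0;
    this.consent.delete(category);
    let removed = 0;
    for (const [name, cookie] of this.cookies) {
      if (cookie.category === category) {
        this.cookies.delete(name);
        removed += 1;
      }
    }
    return removed;
  }
}
```

The `blocked` list gives a site owner a record of which scripts tried to set cookies before the visitor had agreed, which is the information the post asks sites to make visible.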