Too much information: what Google and Facebook know about you


Regulators and ordinary web users are in revolt over what they see as intrusion by Google, Facebook and others into their private lives. But is it their fault or ours that there’s so much data about us online? And does it really matter?

IN 1993, JUST as the internet was becoming a publicly available phenomenon rather than the tool (and plaything) of academics, researchers and technology company employees, the New Yorkermagazine ran a droll, and soon to be famous, cartoon.

In the single panel, a small dog sits at a desk before a PC, looking down to chat with a cat. “On the internet, nobody knows you’re a dog,” he confides. The joke and the zeitgeist then was that the internet as a medium enabled users to be anonymous. Online you could be anyone you wished. Or you could be you. Identity was fluid and vague.

Now a more appropriate caption to the same cartoon would be: “On the internet, everyone knows that I am Spot, a neutered male labrador microchipped with number D19476, living with the Murphys at 42 O’Connell Place; that I eat 1.5 tins of Chum daily, purchased from Tesco; that I am not yet fully housetrained and have a habit of chasing the neighbour’s ginger cat. And I love kids, and a Bonio at bedtime.”

In other words we are far more aware – and increasingly concerned and paranoid – that we are swimming in an ocean of personal data and detail scattered online, not all of it placed there with our consent or knowledge.

When we do place it there ourselves it is typically without giving a second thought to what we have posted, who might view it and how it might be used by others. And according to repeat surveys we also almost never consider that our friends and colleagues might post information and pictures of us online – maybe having drunk too much at a party, or being somewhere we weren’t supposed to be.

But we are getting wiser. We are discovering that our personal data is of great interest to online companies, a point driven home repeatedly in this week’s news stories about Facebook (forced by annoyed users to hastily improve privacy settings), Google, Microsoft and Yahoo (under fire again from the EU for retaining too much data about users and their searches), Google again (from Germany, for its Street View cameras taking pictures without people knowing it; and for Street View’s collecting information on people’s home and business wireless networks) and online companies generally (as the UK’s Office of Fair Trade begins to investigate companies gathering personal data for targeted advertising).

This month Google confirmed it had been collecting data sent over Irish wireless networks – the network name and equipment serial numbers – as part of its Street View process, to see which homes and businesses were using Google Maps on mobiles. The company also confirmed more generally to European data-protection commissioners that it had collected any unprotected data being sent across networks at the time its Street View vehicles were in the area but that this process had ceased and was “a mistake”. All Irish data collected was said to have been destroyed.

The internet has veered in perception – and reality – from being a place where we once felt we could be lost among a crowd to one where we are readily picked out from the crowd. Privacy and any sense of online anonymity recede daily with regular stories about the proliferation of personal data online and the digital trails we leave behind.

Almost every single thing we do on the internet leaves an electronic footprint – when we visit websites, most deposit a small piece of computer code, a “cookie”, on our computer hard drive, so we are recognised when we return to the site, but our activities, such as the pages we view and the ads we click on, can also be tracked. These details can easily be linked to our general location by the electronic address assigned to our computer by our internet service provider.

Cross-reference our cookies to our internet searches and a wealth of data could be generated. Privacy advocates argue this could be of a highly personal nature, and traceable to individuals. Search companies argue that search data is anonymous and that identifiers are stripped out of the information they retain – in most cases, for longer than the six months the EU says its data protection laws allow. But journalists readily traced several individuals using such “anonymous” data released by AOL to researchers a few years ago. Search and online advertising companies also say they are not using data to profile individuals or target ads.

The fear is not so much about what is being done now as about what could be done in the future. When Google purchased the largest online advertising company in the world, DoubleClick, many privacy advocates were alarmed at the potential of merging an individual’s web usage information, held by DoubleClick, to their searches, held by Google. Google said it would not be melding that information, but it isn’t clear how the search giant will use data from this merger.

The crux of the matter is that online advertising is lucrative and is only going to get more so. Just look at Google – highly profitable and now one of the most valuable companies in the world, based primarily on the cash it makes from serving up nondescript little ads when you do a Google search or visit many websites. The overall online ad market was worth almost €4 billion in 2008. Of this, targeted online and mobile advertising using personal information (the type that could easily be gleaned from social- networking sites such as Facebook, Twitter or MySpace) is a small slice – perhaps worth €110 million, but expected to be a major growth area.

In the UK the sector has so far been allowed to self-regulate, though “good practice principles” drawn up by the Internet Advertising Bureau have come under fire from privacy and civil-rights advocates as being too lax. Ireland does not regulate this market.

But should we really be that bothered? Is Big Internet Brother overrated and misunderstood? Is anyone really fussed about whether Facebook’s default settings have, over a couple of years, been tweaked to reveal more and more of your profile information and posts to more and more people, without explicitly letting you know? Maybe Scott McNealy, co-founder of computer company Sun Microsoystems, was right when he said of consumers’ online privacy concerns more than a decade ago: “You have zero privacy anyway. Get over it.”

And in the wake of a furore over Facebook’s approach to user privacy – which backed the company into making very public apologies this week and overhauling how it manages information – Facebook founder and chief executive Mark Zuckerberg told Time magazine: “The way people think about privacy is changing a bit. What people want isn’t complete privacy. It isn’t that they want secrecy. It’s that they want control over what they share and what they don’t.”

To some degree internet users seem to have agreed. One only has to look at the mass take-up of Facebook to see that, far from being protective about their personal details, many people have been perfectly happy to post background facts as well as revealing sometimes indiscreet information about themselves, their children, their friends or their workplace.

That’s a lot of personal data – almost 500 million people have Facebook profiles, including more than a third of the Irish population. Some 46 per cent of online adults in the US have created a profile on a social-network site – up from 20 per cent four years ago. And the proportion of those who say they are worried about the information about them online has dropped – from 40 per cent in 2006 to 33 per cent now.

Do internet users really understand the implications of what they are doing? Most people post information to their Facebook or MySpace or Bebo profiles, tweet on Twitter or write on their blogs for what they consider to be a group of “friends” (who may number in the hundreds or thousands). But much of that information can be easily found by anyone – say, prospective employers. According to a Microsoft survey of employers, 70 per cent indicated they had rejected an applicant because of information they found about them online. Yet a study this week from the respected Pew Trust in the US reveals only 4 per cent of Americans are concerned that they could be damaged by data about them on the internet.

Consider the case of Stacy Snyder. This 25-year-old American student and mother finished her studies to become a school teacher in 2006 – and then was refused her certificate by university authorities because of behaviour inappropriate for a teacher. That “behaviour” was a picture of herself at a party, dressed as a pirate and holding a plastic cup, which she had uploaded to her MySpace page with the caption “drunken pirate”. Her case went to the courts – which upheld the right of the university to deny her teaching credentials.

Many people do not realise that, once posted online, information is almost impossible to obliterate. Many social networks allow a user to cancel their profile – but retain the data in case they want to re-establish them later. As new data goes online, search engines such as Bing and Google permanently archive billions of bits of that information daily.

Take Brian Hogan, who recently found a lost Apple iPhone prototype in a bar, sold it to a gadget blog site and is now being investigated by the California police. He tried to obliterate his identity online, removing images and deleting his social-network profiles. But a journalist tracked him down through available online data and images friends had posted of him to their own profiles and “tagged” with identifying information.

For a generation growing up with a life online as the norm, the fear is that any sense of privacy – those parameters granted implicitly as a human and civil right in most nations, and which underlie our legal systems – will vanish. The innocuous posts made today may cause a lifetime of regret, ruining prospects or exposing adults of the future to ridicule.

“Young people face a major privacy challenge with respect to information they post about themselves, let alone what other people post about them or what third parties collect about them,” say John Palfrey and Urs Gasser in their recent study Born Digital: Understanding the First Generation of Digital Natives.Yet young people almost never read privacy policies or alter privacy settings from the default, even given social-networking technologies’ “high degrees of interactivity and their implicit encouragement to contribute data about oneself and one’s friends”. The authors feel the impact over time on personal privacy “is almost certain to be negative”.

Other experts are more equivocal. Of the often-voiced concern that students may ruin their chances of getting into good universities, or even their future careers, by posting silly pictures of drunken indiscretions on Facebook, legal expert Jonathan Zittrain says he thinks this is vastly exaggerated. In his book The Future of the Internet and How to Stop It, he argues that tomorrow’s university admissions officer or hiring executive will be one of those formerly indiscreet people who uploaded images of themselves dancing on a table in Marbella: “Soon those making hiring decisions will themselves have had Facebook pages.”

And according to the Pew Trust study, awareness of privacy issues seems to be changing. Some 71 per cent of people aged 18-29 in the survey reported that they had changed privacy settings on social-networking sites to increase the privacy protections on their online profiles. And 65 per cent of adults said they had changed settings. If anything, it isn’t younger people but older users who seem to do little to manage their privacy online. Older users are also more likely to trust networking sites such as MySpace and Facebook – while 28 per cent of 18-29s say they “never” trust such sites, half that number of users in the 50-64 age bracket say this.

Other findings in the survey confirm that it is younger, not older, internet users who try to protect their personal data. Some 44 per cent of young adults say they take steps to limit the amount of personal information available through their profiles, compared with 33 per cent aged 30-49, 25 per cent aged 50-64 and 20 per cent of those aged 65 and older.

And all indications now are that consumers have no intention of accepting that when it comes to online privacy, they should “get over it”. As the Facebook story grew two weeks ago, a survey of 1,588 Facebook users by security company Sophos indicated that 60 per cent were considering deleting their profiles and 16 per cent said they had stopped using their profiles because they felt they did not have enough control over their own data. No wonder, then, that the company rapidly countered with a revision of policies, a remake of settings and several public apologies.

In the often murky and confusing world of online data protection and privacy, one thing is clear: if mass numbers of internet users become aware of privacy issues that affect them, they will become a force to be reckoned with and will walk, demolishing the prospective value of the websites they once frequented.

Companies ignore that fact at their peril.