The Right To Be Forgotten

The amount of information compiled on all of us is truly astonishing. From the giant, highly visible data troves of Facebook and Google to the credit agencies powering modern financial systems and the shadowy marketing companies tracking our digital peregrinations, we all cast massive binary shadows. Over the past few years, regulators have enacted right-to-be-forgotten laws to help us escape from our shadows. The reality of these laws and their efficacy is limited, and I’d like to discuss why.

Having operated in the world of user tracking, I immediately and unequivocally state that without a massive public education campaign, all of these laws do absolutely nothing for protecting individuals. Any law that requires “opting out” requires a user to know they’re being tracked and who is doing the tracking. It takes an informed, intentional act to see that information in a desktop browser, and it’s almost invisible in most mobile contexts. That’s also quite specific to tracking cookies and pixels. Advertisers have used these techniques for years. News articles abound describing how they work, and tools to observe them don’t require deep technical knowledge.

Today, we encounter sophisticated code-based surveillance techniques that go beyond the basic breadcrumbs. Agents silently track unique hardware quirks, mouse movements, and key presses throughout the user experience without disclosure or remorse. Observing these techniques requires a detailed technical understanding of the platform and tools at work. It also requires a deeper understanding of what data can mean vs. what is being captured.

The true meaning of the data being captured is what we most need to address in public education right now. There was a major incident a few months ago when a company insisted they weren’t location tracking users. In fact, they provided a clear opt-out. But they were tracking the details of a user’s network and sending that data to a partner. Since that partner had access to a detailed data set of various networks and their locations, it was a trivial exercise to reconstruct a user’s location with a high degree of accuracy. Even in the light of the public disclosure, the company insisted that it didn’t do anything wrong.

This power to join data sets is perhaps the most damning problem with any of the current privacy laws. It’s simply too easy to build the set of breadcrumbs, and it gets easier every year. I once worked on a project where successfully identifying 30% of website visitors based on a few disparate data sets was considered a great success. A project 2 years later achieved twice that accuracy with minimal additional investment in the technology foundation. This hidden capability to stitch things together is the most difficult aspect of trying to achieve anonymity.

In order to know exactly who knows what about you, you need to know everything a given agent knows, plus everything everyone that agent does business with knows. It's not enough to know that app x tracks your Wi-Fi network; you also need to know that company y has a map with your network on it and that company z is buying data from both app x and company y. For even the most sophisticated digital citizen, this is an impossible task.
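The app x / company y / company z situation can be modelled as a small data-flow audit. The sketch below is an added example, not the author's code: the party names, attribute labels and the single inference rule are constructed, and it assumes the worst case in which every party passes on everything it holds.

```python
# Constructed inventory: attributes each party collects directly.
COLLECTS = {
    "app_x": {"wifi_network"},
    "company_y": {"network_location_map"},
    "company_z": set(),
}
# Constructed data-sharing edges: source -> recipients (company z buys from both).
SHARES_WITH = {"app_x": {"company_z"}, "company_y": {"company_z"}}
# Inference rules: holding every attribute on the left lets a party derive the right.
RULES = [({"wifi_network", "network_location_map"}, "location")]


def effective_knowledge(collects, shares_with, rules):
    """Fixed-point computation of what each party can hold or derive."""
    known = {party: set(attrs) for party, attrs in collects.items()}
    for source, recipients in shares_with.items():
        known.setdefault(source, set())
        for recipient in recipients:
            known.setdefault(recipient, set())
    changed = True
    while changed:
        changed = False
        for party in list(known):
            # Apply joins: derive new attributes from what is already held.
            for needs, derived in rules:
                if needs <= known[party] and derived not in known[party]:
                    known[party].add(derived)
                    changed = True
            # Assumption: a party shares everything it holds with each recipient.
            for recipient in shares_with.get(party, ()):
                missing = known[party] - known[recipient]
                if missing:
                    known[recipient] |= missing
                    changed = True
    return known


def undisclosed_holders(collects, known, attribute):
    """Parties that end up with an attribute they never collected themselves."""
    return sorted(
        party for party, attrs in known.items()
        if attribute in attrs and attribute not in collects.get(party, set())
    )


if __name__ == "__main__":
    knowledge = effective_knowledge(COLLECTS, SHARES_WITH, RULES)
    for party in sorted(knowledge):
        print(party, sorted(knowledge[party]))
    print("location held by:", undisclosed_holders(COLLECTS, knowledge, "location"))
```

An opt-out that only inspects what app x collects never sees the `location` attribute, because it first exists two hops away.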