Thursday, July 13, 2017

 ISTOCKPHOTO
To make the concepts and potential dangers more tangible, here is a hypothetical day of an average American. Included is a timeline, activities, what data gets collected, how it is collected, and who might use it.
6:30 a.m.: Alarm rings. J. Doe wakes, washes, and scans Google News headlines on an iPad. Google and various websites Doe visits note the Internet address of the tablet and the type of device in use, examine personal surfing preferences and previous activity on the sites, and note the time spent looking at particular stories. This is accomplished with browser cookies and the basic technology of how the Web works and the data it normally transfers. Doe's Internet service provider sees, and may record, all the activity. The federal government could get access from Google or the ISP with a warrant from a secret court, but such a warrant might cover a large number of users at the same time.
7:43 a.m.: Doe commutes to work. Gets onto and off of a toll road that uses the EZPass system in one of the states that provides toll information to comply with court orders in civil cases. E-ZPass notes the unique transponder identifier of its devices which link to the vehicle license plate, name of the user, user Social Security or driver's license number, and credit or debit card. The system notes the times, dates, and locations of travel, helping place the location of individuals and document their travel habits and patterns. States have individual privacy policies and all would have to respond to federal security warrants. It is unclear whether any states sell information to corporations.
8:39 a.m.: Buys tall Americano at Starbucks before heading upstairs to office. Uses a Starbucks card to make the purchase. Starbucks records the amount of the purchase, details of what was purchased, and the location and time. Not only does the company use the data for its own marketing and operational activities, but it shares data with other companies if someone gives permission. Doe did without realizing it when setting up the card account. Information can be shared with the company that processes Doe's credit card payments and with government when under court order.
8:47 a.m.: Sends an instant message to a colleague via Skype. The employer's IT systems can note the contents of the messaging as it passes over the internal network before traveling over the Internet. The company's ISP could also monitor the communications. Skype (owned by Microsoft) will note the user IDs of both parties, profile information that the users have provided, information about the time and duration of the interaction, and the actual text of the messages in both directions. It "generally" stores the data between 30 and 90 days "unless otherwise permitted or required by law" or to "comply with applicable legislation, regulatory requests and relevant orders from competent courts." Federal warrants for the NSA would be included in the latter. The information shows with whom you communicate, when, and for how long, which can help build a picture of a personal social network. If using Skype's software, some information could also go to third-party advertisers. Microsoft (MSFT), Apple (AAPL), Yahoo (YHOO) and other companies denied cooperating with the government on its PRISM program, revealed in a Washington Post report last week. PRISM reportedly taps directly into servers of these companies to extract data on users Internet communications.
9:25 a.m.: Opens ESPN tab on a browser. Doe's employer can see employee browsing history. So can ESPN, which is owned by The Walt Disney Company, which collects such information as location, posts in public forums, history of pages and stories viewed, private one-to-one or limited group messages where "permitted by law," unique device or network identifying information, and data made available when used through a third-party like a social networking site. Again, Doe unconsciously allowed sharing of information with third parties, so Disney will share the information with other companies that then use their own privacy policies to govern what is done with it.
10:00 a.m.: All-day meeting. Although sitting in a room for a meeting, Doe uses an Android smartphone on AT&T to check personal Gmail, place two personal calls, and use a variety of apps. AT&T (T) is reportedly also under a court order to provide call data to the NSA. AT&T says that it does not sell data to others. It does collect data about online data usage, tracks online activity, and collects location information and will disclose any of this as required under court order. Google (="http:>GOOG) scans the contents of email to better target ads and keywords may become part of the data it retains about users. That is combined with other personal data it gets from account information, search history, and use of Google services. Google is reportedly one of the companies that may provide data to the NSA under court order.="http:>
5:00 p.m.: Meeting a friend. Doe stops at a pub for a drink with a friend before heading home. Doe's smartphone records location information and passes it to AT&T. The friend's smartphone also passes information over. Matching so-called metadata about phone call histories, it is possible to know that the two people are connected, that they met on this day, and the approximate duration of the meeting. Doe pays for the drink with a debit card, and so the bank records the time, location, establishment, and purchase. The federal government has had access to bank records since the early 2000s, and debit card transactions are included.
6:30 p.m.: Heading home. Doe leaves the pub, travels back via the toll road, leaving an electronic trail, stops at a grocery store to buy a few things (recorded along with the identity of Doe, who used a frequent shopper card), and then arrives home to have a quiet meal and watch some political commentary on YouTube videos, also recorded by Google and possibly passed on to the government.
The data seems innocuous, but consider a few possibilities. Let's say Doe and the people he communicated with online innocently used some trigger words that make security authorities pay attention. Perhaps one of Doe's friends corresponds, in the course of business, with someone suspected of having terrorist ties. That puts Doe within two degrees of that person and, so, is in a social network of heightened interest. Doe watched some videos strongly critical of the government. All this data gets aggregated and it never goes away. 

No comments:

Post a Comment