Sure, you lock your home, and you probably don't share your deepest secrets with random strangers. And if someone knocked on your door and asked to know when you last got your period, you'd tell them to get lost.
Yet, as a smartphone user, you're likely sharing highly personal information with total strangers every minute – strangers whose main focus is to convert every element of your personality into money. Click here. Vote for this candidate. Open this app again. Watch this ad. Buy this product.
We've been giving out our private information in order to use convenient, fun and largely free apps, and we're only now understanding the true costs.
Would you mind if an app that you specifically told not to use your location tracked your real-time movements anyway by pinging off nearby Bluetooth and Wi-Fi signals? What if the mobile therapy app you use to get counseling told Facebook whenever you're in a session and, without using your name, told an advertising firm the last time you felt suicidal?
Or, what if there was a global pandemic, and a company you'd never heard of revealed a map of cellphone locations showing that you hadn't been doing your part to stay away from others and slow the spread of the deadly virus? Could that become enforceable? Could you be fined? Publicly shamed?
While most Americans say they're concerned about how companies and the government use their data, Pew Research shows they also largely feel they have little to no control over the data that companies and the government collect about them.
Tech companies often defend data collection, noting they remove users' names to "depersonalize" the information. But privacy experts say that's pretty much bullshit: Location data without a name can easily be pinned to an individual when you see that pin travel between a workplace and a home address. And even if your internet activity is shared under a unique number instead of your name, the goal is to intimately understand exactly who you are, what you like and what you'll pay for.
The good news is, privacy advocates say that we can avoid a dystopian future where nothing is private. But getting there will require understanding the many ways that data and technology are already used to violate privacy and civil rights, and the willpower among lawmakers to pass strong legislation that ensures actual consent to how our information is used and penalties for those who abuse our trust. People also need to decide whether the risks outweigh the perks.
"People don't like it – they don't like being known unless they've asked to be known," says Jennifer King, director of privacy at Stanford University's Center on Internet and Society. "Companies are banking on the fact that if they keep pushing us towards that world, we'll just say, 'Yeah, it is really convenient.'"
FIRST OF ALL, WE'RE BEING TRACKED
At this point in the digital age, many Americans realize they're being tracked in one way or another, whether by companies or governments, even if they don't know just how detailed that tracking is.
Seven years ago, whistleblower Edward Snowden revealed that the United States of America doesn't just spy on the rest of the world, but also tracks its own citizens through the National Security Agency, which maps cellphone locations, reads people's emails and monitors internet activities.
Then, about two years ago, former employees of tech company Cambridge Analytica revealed to lawmakers in the U.S. how they used Facebook surveys to secure thousands of data points about every American voter. Even voters who hadn't signed up for the personality tests were captured in the scraped data, which was used to create highly targeted ads for "persuadable" voters to help Donald Trump's 2016 presidential campaign. The company focused specifically on flipping persuadable voters in certain precincts, which then helped flip a few key states in his favor, as detailed in the documentary The Great Hack.
Now, as contact-tracing efforts are becoming widespread for the novel coronavirus, COVID-19, the world has gotten its latest reminder that many companies far less recognizable than Google, Apple, Amazon, Facebook or Microsoft are purchasing and using your location data all the time.
With much of the world sheltering in place for weeks in an effort to slow the spread of the deadly virus, people quickly turned their attention to places that weren't taking aggressive measures. Florida, for instance, was playing host to spring break partiers in mid-March, and dozens who traveled to the beaches there later tested positive for COVID-19.
The extent of how those travelers could have spread the virus was shown in late March, when location data and mapping companies Tectonix GEO and X-Mode Social created a visualization showing how thousands of phone users who spent time on a single Florida beach traveled across much of the U.S. over the next two weeks.
Public reaction was mixed. Some found the map to be a helpful tool to show how easy it is for the virus to spread, underlining the importance of social-distancing measures. But others questioned how the companies obtained the data and called it terrifying.
The companies had gotten consent, they replied, noting that they comply with strict data protection policies in California and Europe. But many people don't realize that when they allow an app to use their location for the service it provides, the company can also sell that location information to third parties who use it in "anonymized" applications like the kind that enabled the mapping.
"We definitely understand the concern, but we take every effort to ensure privacy in the data we use," Tectonix GEO responded to one Twitter user. "All device data is anonymized and we only work with partners who share our commitment to privacy and security above all! It's about using data to progress, not to invade!"
But users pointed out that if you can see all the stops a phone makes over the course of two weeks, it's not truly anonymous.
CONTACT TRACING: COMING TO A PHONE NEAR YOU
In an effort to help public health officials start to reopen the economy, Google and Apple have both announced plans to create opt-in contact-tracing tools for Android and iPhone.
The tracing tools would use your phone's Bluetooth signal to ping off the devices of the people you're around at coffee shops, grocery stores and other public spaces. Strangers' phones would store a number that your phone sends via Bluetooth, and your phone would store the number from their phone. The numbers, which could be generated and changed by phones regularly, would not be shared with the tech companies, but stored in individuals' phones for a few weeks. Then, if someone tests positive for COVID-19, they could send an alert from their phone that would ping phones that gathered their signal over the past two weeks to let people know they may have come in contact with someone who tested positive.
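The exchange described above, as an added simulation that is not part of the original article or of Google's and Apple's actual implementation: each phone broadcasts a random number that it rotates regularly (a 15-minute interval is assumed here), keeps what it hears for two weeks, and a positive user publishes only the numbers their own phone sent, so matching happens on each handset without any name or location leaving it.

```python
import secrets
from datetime import datetime, timedelta

ROTATION = timedelta(minutes=15)   # assumed rotation interval for the broadcast number
RETENTION = timedelta(days=14)     # encounters and own numbers are kept two weeks

class Phone:
    def __init__(self):
        self.own_ids = []          # (time, number) this phone has broadcast
        self.seen = []             # (time, number) heard from nearby phones
        self._current, self._rotated_at = None, None

    def broadcast_id(self, now):
        # Change the number regularly so one value cannot be followed around all day.
        if self._current is None or now - self._rotated_at >= ROTATION:
            self._current, self._rotated_at = secrets.token_bytes(16), now
            self.own_ids.append((now, self._current))
        return self._current

    def prune(self, now):
        cutoff = now - RETENTION
        self.own_ids = [(t, n) for t, n in self.own_ids if t >= cutoff]
        self.seen = [(t, n) for t, n in self.seen if t >= cutoff]

    def report_positive(self, now):
        """What a positive user publishes: only the numbers they broadcast recently."""
        self.prune(now)
        return {n for _, n in self.own_ids}

    def exposed_to(self, now, reported):
        # Matching happens on the phone; the published numbers reveal no identity.
        self.prune(now)
        return any(n in reported for _, n in self.seen)

def encounter(now, a, b):
    # Two phones within Bluetooth range each store the other's current number.
    a.seen.append((now, b.broadcast_id(now)))
    b.seen.append((now, a.broadcast_id(now)))

def simulate():
    start = datetime(2020, 4, 1, 9, 0)                      # constructed scenario
    alice, bob, carol, dave = (Phone() for _ in range(4))
    encounter(start - timedelta(days=20), alice, dave)      # too long ago to matter
    for minute in range(0, 60, 5):                          # an hour in one coffee shop
        encounter(start + timedelta(minutes=minute), alice, bob)
    encounter(start + timedelta(days=1), bob, carol)        # carol never meets alice
    when = start + timedelta(days=3)                        # alice tests positive
    reported = alice.report_positive(when)
    return {"bob": bob.exposed_to(when, reported), "carol": carol.exposed_to(when, reported),
            "dave": dave.exposed_to(when, reported), "published": len(reported),
            "rotated": len({n for _, n in bob.seen}) > 1}
```

Only Bob, who sat near Alice within the retention window, is alerted; Carol (who met only Bob) and Dave (who met Alice 20 days earlier) are not, and Bob's phone saw several different numbers from Alice during that hour.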
Without that type of tool and more extensive testing, experts warn that the only other way to prevent deaths from spiking again until there is a vaccine is to extend the stay-home orders that plunged more than 22 million Americans into unemployment in March and April.
While the tool could allow more people to return to their routines, the American Civil Liberties Union warns that cellphone location data isn't perfect, and if it were used to enforce quarantines for those who've come into contact with the virus, phones would essentially be turned into ankle monitors.
"The challenges posed by COVID-19 are extraordinary, and we should consider with an open mind any and all measures that might help contain the virus consistent with our fundamental principles," states an ACLU response to the proposals.
"At the same time, location data contains an enormously invasive and personal set of information about each of us, with the potential to reveal such things as people's social, sexual, religious, and political associations. The potential for invasions of privacy, abuse and stigmatization is enormous."
MOBILE HEALTH CARE
Currently, the United States lacks comprehensive legislation to protect the vast amounts of personal data created on our devices every day, from the type of pictures you like to the number of steps you walk.
A patchwork of federal privacy protections outlines rules for things like sharing health care data, banking information and credit reports, and collecting information on children under 13. Plus, the Federal Trade Commission enforces consumer protection cases against companies using unfair or deceptive practices.
"But we don't have what we think of as a comprehensive law, just a baseline law that would apply to personal data, who collects it and why they collect it," says Stacey Gray, senior counsel with the Future of Privacy Forum, a nonpartisan think tank that provides information on commercial privacy issues for policymakers.
For example, while health care information collected by your doctor and other health care professionals is protected by HIPAA (the Health Insurance Portability and Accountability Act), HIPAA doesn't apply to many technologies you may use to track your health.
"People are realizing the same or similar information can be collected from your Apple watch and other devices, which can see your health or mental state – that is not protected by HIPAA because it is not collected from a health care professional," Gray says. "There are mobile apps that will let you track your pregnancy, your period, dieting."
In 2019, advocacy group Privacy International published a report on period-tracker apps Mia Fem and Maya, showing that the apps were sharing information with Facebook and third parties. They shared things like whether users were keeping track of their menstruation or fertility, when they last had sex, whether they drank caffeine or alcohol, and when they last masturbated. Even users without a Facebook account had their data shared with the tech giant, the report found.
Similarly, the website Jezebel reported in February that the therapy app Better Help, which is heavily advertised on Facebook and offers therapy sessions with licensed health care professionals, tells Facebook when users are in the app, effectively sharing when they're in therapy sessions. What's more, the app passed along users' intake forms by assigning them a number instead of a name – a method that's approved by HIPAA, Jezebel notes – giving a research and analytics firm called MixPanel intimate detail on a user's self-reported sexuality, beliefs and mental health.
"MixPanel is the kind of startup that's omnipresent yet mostly invisible to people who don't work in tech; it's used by everyone from Uber and Airbnb to BMW," Jezebel reports. "Its basic concession is producing monetizable data out of literally any human behavior: By tracking and cataloguing people's habits and desires, the theory goes, companies can figure out how to best encourage their users to open an app again and again."
The implications of health information sharing could go far beyond the apparent desire to target highly personalized ads. Employer health plans continue to evolve, with some offering health-tracking apps for employees, with the promise of a discount on their insurance for using the tools. However, privacy advocates warn that insurance companies could eventually charge you more based on your health behaviors, and your employer could see health details like when you're trying to get pregnant or whether you struggle with certain health conditions.
IS MY PHONE LISTENING TO ME?
Many people who use social media have had the experience of opening an app and seeing an ad for something they were just talking about with their friends, followed by the odd feeling that their phone has been listening to them.
"People are convinced their microphones are being used or pictures being taken, but by and large those things generally aren't happening," explains Serge Egelman, the chief technology officer for AppCensus, a company that tests apps to see what information they collect, how they collect it and who they share it with.
Egelman also directs the International Computer Science Institute research lab at the University of California, Berkeley, and explains that, in reality, advertisers simply know enough about you to direct relevant ads your way.
"Most of what we see is tracking, it's profiling, mostly by persistent identifiers," he says.
A persistent identifier is a unique number tied directly to your device, such as the number tied to your SIM card, or another known as the IMEI, the International Mobile Equipment Identity.
You can think of that like a license plate for your phone, he says.
"By itself, the license plate number is a pretty meaningless piece of information, but if you start recording every place you see it, you can learn a lot about the user's activities and preferences," Egelman says. "That's all made possible by linking that number to the user's actions and activities. It's the same way a cookie works."
But unlike cookies, which similarly track your internet browsing but can be cleared from your browser, there wasn't an equivalent option to clear history for mobile phones until about 2013, he says. Now, Google and Apple allow users to reset their advertising ID, but if that ID is still collected alongside a persistent identifier like the IMEI, companies can still track your behaviors across platforms.
Through AppCensus, Egelman and other researchers have used Android phones to test tens of thousands of apps. What they found is that even after the changes meant to allow users to reset their temporary IDs, most apps were still sending the persistent identifiers with the information they collected.
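An added example of the check such testing performs and of why the reset fails, written for this article and not AppCensus's own tooling: it scans constructed outbound requests (with made-up parameter names and a placeholder IMEI) for apps that send a persistent hardware identifier next to the advertising ID, then counts how many separate profiles a tracker could build before and after linking on that persistent value.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names assumed for this example; real trackers vary.
PERSISTENT_KEYS = {"imei", "android_id", "serial", "mac"}
AD_ID_KEYS = {"advertising_id", "idfa"}

# Constructed traffic capture: (timestamp, app, URL). The user resets the
# advertising ID between the second and third request; the IMEI is a
# placeholder value, not a real device identifier.
CAPTURE = [
    ("2020-04-01T09:00", "com.example.weather", "https://track.example/v1?advertising_id=aaaa-1111&imei=35000000000001&event=open"),
    ("2020-04-01T09:05", "com.example.weather", "https://track.example/v1?advertising_id=aaaa-1111&imei=35000000000001&event=ad_click"),
    ("2020-04-02T08:00", "com.example.weather", "https://track.example/v1?advertising_id=bbbb-2222&imei=35000000000001&event=open"),
    ("2020-04-02T08:10", "com.example.news", "https://stats.example/e?advertising_id=bbbb-2222&event=open"),
]

def identifiers(url):
    q = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in q.items() if k in PERSISTENT_KEYS | AD_ID_KEYS}

def flag_apps(capture):
    """Apps that transmit a persistent hardware identifier together with the ad ID."""
    flagged = set()
    for _, app, url in capture:
        ids = identifiers(url)
        if ids.keys() & PERSISTENT_KEYS and ids.keys() & AD_ID_KEYS:
            flagged.add(app)
    return flagged

def link_count(capture, join_keys):
    """Distinct profiles left when records sharing any value under join_keys are merged."""
    parent = list(range(len(capture)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    owner = {}
    for i, (_, _, url) in enumerate(capture):
        for k, v in identifiers(url).items():
            if k in join_keys:
                parent[find(i)] = find(owner.setdefault((k, v), i))
    return len({find(i) for i in range(len(capture))})
```

Linking on the advertising ID alone leaves two separate profiles after the reset; once the weather app's IMEI is used as a join key, all four records, including the news app's, collapse into one.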
"The problem is, from the consumer standpoint, there's no way of knowing when this is happening and when it's not," he says. "The average user is not writing their own version of Android to analyze what data is being sent."
Companies typically defend this type of data collection – using advertising IDs or persistent identifiers – as they claim that the number "de-identifies" the information from a user's name, and therefore protects their privacy.
"That's utter bullshit," Egelman says. "They collect these explicitly so they can augment information about you over time. They're using it explicitly to identify you."
You, the single 30-something woman who often buys shoes and cat litter. You, the 40-something married man who wants a riding lawn mower. You, the 60-year-old retiree with an open line of credit at a mid-level retail store who collects Coca-Cola memorabilia.
Entire companies are devoted to tying your depersonalized data to identifying information that can be found elsewhere, which many people don't realize, Egelman says.
"The problem is, most regulatory agencies, at least in this country, are complaint-based. They rely on consumer complaints," Egelman says. "How can you open an investigation based on consumer complaints when consumers don't even know what's happening?"
ARE PRIVACY POLICIES ENOUGH?
So how could people be more protected? The 2018 General Data Protection Regulation, or GDPR, in Europe requires that companies allow people to opt out of having their data shared, and that companies have a legal basis for collecting information.
But broad language in privacy policies often covers types of data sharing that users can't fully comprehend, experts say.
"In the consumer area broadly there are like zero restrictions there," says King, the privacy expert at Stanford's Center for Internet and Society. "I can track you across multiple platforms, I can track your data and sell it, as long as I tell you in the policy, which people don't read, and are not written to be read."