Nowhere to hide: Data harvesters came for your privacy – and found it

The way your data is stored and shared is changing and your online activity can be used to categorise you in ways that drastically alter your life. There are ways to take back control.

ONE Friday in 2021, I walked into a hotel in Exeter, UK, at 17:57:35. The next morning, I drove 9 minutes to the nearby hospital. I stayed for three days. The drive home, normally 1 hour 15 minutes, took 1 hour 40 minutes. The reason for the slow pace: my brand-new baby, dozing in the back.



These aren’t details from a journal. Instead, they are what Google knows about my daughter’s birth, based on my location history alone.


A data snapshot of that weekend reveals this isn’t all that companies know about me. Netflix remembers that I watched a variety of feel-good fluff including Gilmore Girls and How to Lose a Guy in 10 Days. Instagram recorded that I “liked” a post about labour induction, then didn’t log in again for a week.


So what? We all know by now that we are being tracked online, and that the data collected on us is both granular and constant. Perhaps you like that Netflix and Instagram know your film and fashion tastes so well.


But a growing number of investigations and lawsuits reveal a new online tracking landscape in which the reach of companies that harvest data is more insidious than many of us realise. When I looked more closely, I found that my personal data could be affecting everything from my job prospects and loan applications to my access to healthcare. It may, in other words, be shaping my everyday life in ways that I was unaware of. “The problem’s huge, and there are always new horrors,” says Reuben Binns at the University of Oxford.


You could be forgiven for thinking that, with the introduction of legislation like the General Data Protection Regulation (GDPR) – European Union rules implemented in 2018 that give people more access to the data companies hold on them and limit what firms can do with it – data privacy is no longer a real issue. You can always opt out of cookies if you don’t want to be tracked, right? But when I say this to Pam Dixon at non-profit research group World Privacy Forum, she starts laughing in disbelief. “Do you really believe that?” she says.

Data scrapers

Hundreds of fines have been issued for breaches of GDPR, including against Google, British Airways and Amazon. But data experts say those are just the tip of the iceberg. A study last year by David Basin at ETH Zurich in Switzerland found that 95 per cent of websites may be breaking GDPR rules. Even the legislation’s aim to make it easier to understand what data we are agreeing to provide has gone unrealised. Since the legislation came into effect, research shows that privacy agreements have become more convoluted, not less. And if you thought that ad-blockers and virtual private networks (VPNs) – which hide your computer’s IP address – offer protection, think again. Many of these services also sell on your data.


We are only now grasping the scale and intricacy of the online tracking landscape. A few big names – the likes of Google, Meta, Amazon and Microsoft – hold much of the power, says Isabel Wagner, associate professor of cybersecurity at the University of Basel, Switzerland. But behind these big players, a diverse ecosystem of thousands, if not millions, of buyers, sellers, servers, trackers and analysers are sharing our personal data.


What does all of this mean for a regular user like myself? To find out, I have come to HestiaLabs in Lausanne, Switzerland, a start-up founded by Paul-Olivier Dehaye, a mathematician and key whistle-blower in the scandal surrounding the use of Facebook data by the political consulting firm Cambridge Analytica. The company used personal data to influence Donald Trump’s election as US president in 2016. Dehaye’s investigation into Cambridge Analytica starkly demonstrated how deep the influence of companies that buy and sell data goes. He set up HestiaLabs to change that.

Your phone tracks your location even if mobile data is switched off


Before arriving, I have requested my personal data from a variety of companies, itself a more complicated process than it should be in the post-GDPR era. I meet Charles Foucault-Dumas, HestiaLabs’s project manager, at the firm’s HQ – a modest co-working space across from Lausanne’s train station. We sit down and upload my files into its bespoke portal.


My data spreads before me, visualised as a map of every place I have ever been, every post I have ever liked and every app that has ever contacted an advertiser. At places I frequent regularly, like my daughter’s nursery, hundreds of data points morph into paint-like blobs. At my home address, there is a huge, impossible-to-miss bullseye. It’s compelling. And a little terrifying.


One of the biggest surprises is which of my phone’s apps are contacting third-party firms on my behalf. The biggest offender in the past week, contacting 29 companies, was a web browser I use because it describes itself as “privacy first”. But pretty much every app on my phone, from a grocery service to a virtual notepad, was busy contacting other firms while I went about my day.

Generally speaking, a company that wants to sell a product or service talks to an ad agency, which connects with platforms that deal with advertisement delivery, which use ad exchanges, which link to supply-side platforms, which place ads on publisher websites. Every time you open a website or momentarily hover on a social media post, this machine – estimated to be worth £150 billion a year – kicks into motion.
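The chain above can be pictured as a relay: a request triggered by your page view hops from party to party, each one handling – and potentially logging – information about you. Here is a purely illustrative sketch in Python; none of these function names correspond to real systems, and real ad auctions are vastly more complex:

```python
# Toy model of the ad-delivery chain described above: a request set off by
# a page view hops through each layer in turn. Every name here is invented
# for illustration; each hop represents another party that could log,
# profile or resell information about the visitor.

def publisher(request):
    # The publisher's page asks a supply-side platform to fill an ad slot
    return supply_side_platform(request)

def supply_side_platform(request):
    request["hops"].append("supply-side platform")
    return ad_exchange(request)

def ad_exchange(request):
    request["hops"].append("ad exchange")
    return delivery_platform(request)

def delivery_platform(request):
    request["hops"].append("ad delivery platform")
    return ad_agency(request)

def ad_agency(request):
    request["hops"].append("ad agency")
    return advertiser(request)

def advertiser(request):
    # The company paying for the ad finally sees the request
    request["hops"].append("advertiser")
    return request

request = {"user": "visitor-123", "hops": ["publisher"]}
result = publisher(request)
print(" -> ".join(result["hops"]))
```

The point of the sketch is simply how many hands one page view passes through: even in this stripped-down version, six separate parties see the request before an ad appears.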


What exactly were these companies sharing about me? To find out, I would have to put in requests with each separate company. And even with the ones that I have contacted with the help of HestiaLabs, it isn’t always clear.


Take Instagram. It has provided me with data showing it has recorded 333 “interests” on my behalf. Some of them are way off the mark: rugby, the Burning Man festival, real-estate development, even “cat lady”. Reader, I have never owned a cat. But others are more accurate, and a number, unsurprisingly, have to do with my becoming a parent, ranging from brands like Huggies and Peppa Pig to topics like bassinets and baby-led weaning.


I find myself wondering how this data may not only have affected my purchases, but also my daughter’s life. Is her love of the pink cartoon pig really organic, or were we “served” these videos because of information Instagram passed on about me? Did baby-led weaning posts wind up all over my feed – and therefore influence how my daughter was first introduced to food – by chance, or because I had been targeted? I have access to none of this cause-and-effect chain, nor do I know how these various “interests” might have categorised me for would-be marketers.

It is near impossible to unpick the complex web of backstreet data deals. Personal data is often replicated, split and then fed into algorithms and machine-learning systems. As a result, says Dixon, even with legislation like GDPR, we don’t have access to all of our personal data. “There are two strata that we’re dealing with. There’s the stuff that can be found,” she says. “But there is another strata that you cannot see, that you do not have the legal right to see – none of us do.”


Personal profiling

Recent reports offer glimpses. In June, an investigation by The Markup found that this kind of hidden data is used by advertisers to categorise us according to our political beliefs, health conditions and psychological profiles. Might I be deemed a “mobile addict mom”, an “indulger”, “easily deflated” or “woke”? I have no idea, but I do know these are all actual categories used by online ad platforms.


It is unsettling to think that I am being stereotyped in unknown ways. Another part of me wonders if it really matters. I can see the value in advertising that takes my preferences into account, or in opening my maps app and, say, having restaurants and museums highlighted that I might be interested in or have been to before. But take it from me, there are few ways to make a data expert grimace faster than with the glibness of that trade-off.


For one, the uses of this data go far beyond selling you advertising, says Dixon. Something as seemingly innocuous as whether you shop at discount stores (signalling lower income) or buy sports goods (a tip-off that you exercise) can affect everything from how appealing you look as a university applicant to how much you pay for health insurance. “This is not just advertising,” says Dixon. “This is real life.”

Recent legislation in the US has forced some of these companies into the light. Vermont’s 2018 Data Broker Act, for instance, revealed that data brokers registered in the state – but which are also active elsewhere – sell personal information to potential landlords and employers, often via third parties. And in July, the US Consumer Financial Protection Bureau heard evidence that this hidden second stratum of data also includes information used to run a “consumer score”, employed much like a credit score. “Things that you’ve done, websites you’ve visited, apps that you use, can all feed into services that check if you’re a suitable tenant or decide what terms to offer you for a loan or a mortgage,” says Binns.


At HestiaLabs, it dawns on me that I, too, may have been concretely affected, not just in terms of ads I see, but because of how algorithms digested my data. In LinkedIn’s “inferences”, I am identified both as “not a people leader” and “not a senior leader”. That is despite my having led a team of 20 people at the BBC and serving as an editor of various BBC sites before that – information I specifically put into LinkedIn myself. How might this be affecting my career opportunities? When I put this to LinkedIn, a spokesperson said that these inferences aren’t used “in any way to inform job search suggestions”.

Despite this, we know from lawsuits that data was used to exclude women from seeing tech job ads on Facebook. As a result, the platform’s owner, Meta, stopped giving advertisers this option in 2019. But data experts say there are plenty of workarounds, such as only targeting people with interests that are stereotypically male. “These harms are not visible to individual users in that moment. They are often very abstract and might happen a long way down the line,” says Wagner.


As the data collected about our everyday lives proliferates, the list of harms reported by newspapers keeps growing. Ovulation tracking apps – as well as text messages, emails and web searches – have been used to prosecute women who had an abortion in the US since the Roe v Wade ruling was overturned last year. Priests have been outed for using the gay dating app Grindr. A Russian military officer was even tracked and killed on his morning run, allegedly due to publicly available data from fitness app Strava. Data protection purports to prevent many of these harms. “But there is obviously a huge gap in enforcement,” says Binns.

Part of the issue is a lack of transparency. Many companies are moving towards “privacy-preserving” models, which break up an individual user’s data points and scatter them across many computer servers, or encrypt them locally. Ironically, this makes it harder for you to access your own data and try to figure out how it has been used.


For his part, though, HestiaLabs’s Dehaye is clear that these companies can and should give us back control. “If you go and consult a website right now, within hundreds of milliseconds, lots of actors will figure out who you are and on whose website you put shoes into a shopping basket two weeks ago. When the goal is to show you a crappy ad, they’re able to resolve all of those problems,” he says. “But when you make a privacy request, they’re like, ‘Oh, shit, how do we do that?’”


He adds: “But there is a way to use this force of capitalism that has solved a problem in a billion-dollar industry for you – not for them.”


I hope he is right. As I walk through Lausanne after leaving HestiaLabs, I see a man lingering outside a knife shop, his phone outlined in his pocket. A stylish woman carries a Zara bag in one hand, her phone in the other. A man outside the police station talks excitedly into his device.


To me, and probably to them, these are brief, forgettable moments in time. But to the companies that harvest data, they are opportunities. They are dollar signs. And they are data points that might never go away.


Taking back control

Based on tips I have picked up from Dehaye and the other experts I have interviewed, when I get home, I audit my apps, deleting those I don’t use. I also delete some of those I use but that are particularly eager to contact companies, planning to use them just on my laptop instead. (I used a platform called TC Slim to tell me which companies my apps are contacting.) I also install a new browser that (it seems) is genuinely privacy first. Open source and non-profit apps and browsers can be safer choices, says Wagner, as they have little incentive to collect your data.


I also start to turn my phone off more often when I am not using it. This is because your phone usually tracks your location even when you have mobile data and Wi-Fi off or airplane mode on. And, logging into my Google preferences, I opt out of saving my location history, even though nostalgia – for now – keeps me from requesting that all of my past data be deleted.

We can also reset our relationship with online tracking by changing how we pay for things, says Dixon. She suggests using a variety of credit cards and being “very careful” about which digital wallet we use. For purchases that could create a “negative” signal, like those made at a discount store, use cash, if possible. Dixon also counsels against using health-related apps or websites, if you can. “It’s just not a clear, safe space,” she says.


The reality is, though, that whatever steps you take, companies will always be engineering new workarounds. “This is a game you can only lose,” says Dehaye. That’s why the solution doesn’t come down to individuals, he says. “This really needs to be a societal shift.”


With enough individual voices put together, Dehaye believes we can change the system – and that this all begins by you requesting your data. “Tell companies: ‘If you slip, then our trust is gone’, ” he says. “And in this world of data, if people don’t trust your company, you are dead.”


Amanda Ruggeri is an award‑winning freelance journalist and editor based in Switzerland
