By now, I’m sure most of us are familiar with the fact that we should absolutely be vigilant about online privacy and protecting our personal information from ne’er-do-wells. Typically, though, I would say that we understand the need to protect ourselves as arising from threats attributed to hackers, phishing attempts, ransomware, etc.—devils we don’t know. Our faith in the devils we know, however, might betray the fact that we are not as informed as we should be about the risks involved with our personal information. So, instead of approaching this topic from the typical perspective, I wanted to introduce you to a new concept, or at least one that is new to me: surveillance capitalism or the surveillance business model—a preferred business model for many of the devils we know.
The reality, as I will endeavor to illustrate, is that this concept is not exactly new—it’s just a new label, or it is at least to me; but there is no doubting the fact that technology and the online world have made an economy predicated upon surveillance easier to implement and orchestrate, if not turning what was utterly impossible into possible. If the inherent concerns of being surveilled are not obvious, I hope to paint a picture for what some of the problems might be. As is my nature, however, I would never dump a problem at your feet without some accompanying solutions, so I will also share with you some tools, tips, and resources that I have compiled to enhance my online security, regardless of from where the threat might come.
The Surveillance Business Model Defined and Its Implications
To get the ball rolling, let’s start with defining what exactly it is we’re talking about here. Shoshana Zuboff, author of the book The Age of Surveillance Capitalism, defines “surveillance capitalism as the unilateral claiming of private human experience as free raw material for translation into behavioral data” (Source). Matt’s translation: businesses want to watch what you do, collect information on what you do, analyze the data they collect to understand why you do what you do, exploit what they learn about you, and do it all without you knowing it.
A little nugget of wisdom, here: you don’t collect and analyze data, unless you are trying to learn something that you can apply toward something else. Further, businesses are created to fix the problems of the people who run the business, first—i.e., you start a business needing to make money, not because it’s icing on some other proverbial cake. The purpose behind mentioning that here is simply to say that our default should not necessarily be to assume that the motivations behind the surveillance are altruistic—these companies are out to make money, too.
So, how does a business predicated upon surveillance generate revenue? I’m sure we’ve all had the experience of someone finishing a thought or a sentence for us. For my wife and me, the occasion of sharing the same thought occurs frequently enough that we have adopted the only acceptable response: get outta my head! The significance of those types of occasions, in this context, is that they reveal the simple fact that the other person, even if only in the moment, knows enough about you and your thought process to anticipate what you are going to say. How do they know? How else could they know? Through observation, of course. A synonym for observation: surveillance.
If you’re like me, my understanding of surveillance is that it implies the fact that more than just observation is taking place. To me, surveillance also implies that there is an identifiable purpose for observation. In other words, there are countless observations that we make all day, every day (I dare you to try to go an entire day, or even an entire minute, without observing anything; including how awkward such an experiment might be—that’s an observation, too), but not all of those observations are intentional or even valuable. So, if observation is our default, the fact that another word, surveillance, was created to describe essentially the same behavior would seem to indicate that there is at least one additional quality to the nature of the observations that would be made while surveilling.
If you are a business, what more efficient way could there be to operate than to be able to anticipate a customer’s exact need or want at the exact moment that the need or want arises? After all, this would mean that you could match the supply of a good or service precisely to the demand. In the conventional economy made up of physical stores, businesses must carry inventory, and the reason for that is precisely because they don’t know exactly when a product will be purchased, or how much. Sure, they can evaluate trends, but trends are averages and averages don’t necessarily apply to a particular individual, or any individual at all. So, the exact problem is not knowing when the next individual is going to purchase their product and how much they are going to purchase. There are obviously costs involved in manufacturing inventory, but also to simply store the inventory, and that can get very expensive, depending on the product. Knowing when an individual will make a purchase and how much they will purchase would go a long way to helping a company manage costs.
In using averages to inform manufacturing and inventory decisions, a business is inevitably left in the position of manufacturing and storing too much inventory for some, while accounting for too little for others. Further, it is a fact of manufacturing goods that damage will occur to some product. This means that a business must account for things like damage by attempting to produce enough to ensure that sufficient product is left over to meet demand, after damaged product is discarded. The damaged product, and any excess quality product, would be considered waste, and that is a sure sign of inefficiency. If only there was a more efficient way to operate—a more direct way to know and meet customer needs…
To close the loop a bit on this point, there is no simpler way to put it: a business predicated upon surveillance wants to learn as much as possible about you to be able to anticipate your next move. Like any other business, their motivations are profit, and profit is achieved by being a part of a transaction that was going to take place anyway or by creating an entirely new transaction (more on that later). This would seem to inevitably mean that an entire economy comprised of these types of businesses would involve a lot of observations (gathering of all types of data—the more, the better).
If all manner of data can potentially be used for profit, and if more data results in more accurate predictions, then the first problem that I would identify with a surveillance economy is this: it is not obvious to me what the default principle would be that would place a natural limit on the data collection and analysis performed by these companies—i.e., I am unable to identify a natural reason for a business to only go so far in its data collection and analysis, especially if those from whom data is collected are virtually unaware that it is taking place. So, to hijack a phrase: our personal worlds might very well be considered the oysters to which surveillance-minded parties want access.
A slight detour for a moment…I began this post by essentially saying that I wanted to take an unfamiliar approach in talking about online privacy and security. To illustrate why the points from the previous paragraph are so significant, let’s consider one of the most familiar online threats—a hacker. Why do we think of hackers as a threat? Correct me if I am wrong, but I would imagine that your explanation for why a hacker is a threat would be similar to mine: we don’t know how they intend to exploit the fact that they have managed to steal information from us.
My point in mentioning this is to simply highlight the fact that it is not merely the fact that someone possesses certain information about us that is concerning—it’s not knowing exactly how someone might use what they know to their advantage, and our detriment, that creates the fear. To elaborate, if we knew someone possessed certain information about us, and if we could also know that they were never going to share that information, then that doesn't seem very threatening. If we are unaware of surveillance-based businesses collecting our information, the quantity and quality of that information, what they will ultimately do with that information, and whether a factor even exists to limit their activities, should we be surprised that any outcome might be possible? Further, aggregating information in one location would seem to make things easier on someone inclined to steal that information--e.g., a hacker. When we aggregate, we consolidate many into one. So, if we aggregate information from multiple sources, we are creating a single source for the same information--a hacker might say we have created a single target. This simply means that if the companies are not the problems, themselves, then they might have created a problem by virtue of centralizing data.
I can hear it now: Matt, these are reputable businesses with advanced security protocols--they take this stuff seriously. I have no doubts that such a statement is generally true about business. I will also say this, however: even companies in which we have placed tremendous faith do bad things. In 2009, Pfizer was hit with the largest criminal fine in US history (Source). My takeaway: never underestimate the allure of money.
The easiest example of the surveillance business model in action would be tracking for the purposes of advertising. Who are some of the top names who engage in this kind of tracking? Google and its products (e.g., YouTube and Gmail), Apple, and Facebook might be some of the more obvious examples, but even the likes of Amazon, Walmart, and Target know what people are actually purchasing, at minimum, which would be valuable information that an advertiser could potentially exploit (Source). A point to ponder: Amazon, Walmart, and Target obviously know what people purchase in their stores, but credit card companies know when, where, and for what their cards are used, regardless of the store—yes, credit card companies also see the potential for profit in surveillance (Source). My takeaway: being in a position to observe might be sufficient to be in a position to exploit—i.e., never let your guard down.
How Companies Track
Let’s talk for a moment about how these companies track, or collect observations. In short, they track by whatever means are available. The conventional way of tracking online behavior, however, has been via cookies:
"Cookies are used to remember things about websites: your login information, what you have in your shopping cart, what language you prefer. They are created by websites and sit in your browser until they expire.
Some cookies are harmless, but others remain active even on websites that they didn’t originate from, gathering information about your behavior and what you click on. These are called third-party persistent cookies or, more colloquially, tracking cookies.
Tracking cookies can be so invasive that many antivirus programs classify them as spyware. Despite their bad reputation, they have become so ubiquitous that it’s nearly impossible to avoid them." (Source)
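To make the quoted definition concrete, here is an added example (not from the original post or its source) that flags third-party persistent cookies in a list of Set-Cookie headers and shows the same cookie being set on more than one site. The host names, cookie values and fixed clock are constructed, and treating the last two DNS labels as the "site" is a simplifying assumption in place of the Public Suffix List that browsers use.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def site_of(host):
    """Crude 'site': the last two DNS labels (assumption; browsers use the Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {lowercased attribute: value})."""
    first, *rest = header.split(";")
    name, _, _value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return name.strip(), attrs


def lifetime(attrs, now):
    """Remaining lifetime as a timedelta, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # unparsable Max-Age is ignored, fall through to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def find_tracking_cookies(observations, now):
    """Map (cookie site, cookie name) -> sorted first-party sites where a
    third-party persistent cookie was set."""
    seen = defaultdict(set)
    for page_host, response_host, header in observations:
        name, attrs = parse_set_cookie(header)
        cookie_host = attrs.get("domain", "").lstrip(".") or response_host
        cookie_site, first_party = site_of(cookie_host), site_of(page_host)
        if cookie_site == first_party:
            continue  # set by the site the user is actually visiting
        life = lifetime(attrs, now)
        if life is None or life <= timedelta(0):
            continue  # session cookie, or an already-expired (deletion) cookie
        seen[(cookie_site, name)].add(first_party)
    return {key: sorted(sites) for key, sites in seen.items()}


# Constructed sample: (page the user visited, host that answered, Set-Cookie value)
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
OBSERVATIONS = [
    ("www.shop.example", "www.shop.example", "cart=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "www.shop.example", "lang=en; Max-Age=31536000; Path=/"),
    ("www.shop.example", "pixel.adnet.example",
     "uid=7f3a; Domain=adnet.example; Max-Age=63072000; Secure; SameSite=None"),
    ("www.news.example", "sync.adnet.example",
     "uid=7f3a; Domain=.adnet.example; Expires=Wed, 09 Jun 2032 10:18:14 GMT; "
     "Secure; SameSite=None"),
    ("www.news.example", "cdn.widgets.example", "sess=xyz; Path=/; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for (site, name), pages in find_tracking_cookies(OBSERVATIONS, NOW).items():
        print(f"{name} from {site} was set while visiting: {', '.join(pages)}")
```

The shopping-cart and language cookies are left alone because they belong to the site being visited, and the widget's session cookie is left alone because it disappears when the browser closes.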
Because of privacy concerns—it might actually be more accurate to say that because of the increasing awareness of the average person—the cookie is being phased out, at least by Google, and Apple has begun placing the option for iPhone users to request that apps not track their activity front-and-center when a new app is installed (Source). Rest assured, though, data collection activities are likely to be as diligent and invasive as ever, maybe even more so.
One example of this is “contextual intelligence”. A relatively new startup in the UK, NumberEight, has created “context prediction software” that “helps apps infer user activity based on data from a smartphone’s sensors: whether they’re running or seated, near a park or museum, driving or riding a train” (Source). Before you get too stressed out over the potential for ubiquitous tracking to become an everyday reality, we probably need to ask ourselves if we can be so sure that it isn’t already taking place.
The best indication of how pervasive tracking has already become might be Amazon’s Alexa, or any of the other dictation-based services or apps through your cell phone, like Siri. In case it’s any secret, your cell phone has the potential to be, and is most likely already being used as, a device to surveil you. To be fair:
"Technology companies Facebook, Amazon and Google say their devices do listen for wake words, or hotwords, like “OK, Google,” or “Alexa,” and the recording of your request is sent to the cloud, but they say they don’t monitor conversations. Facebook, which owns Instagram, says it only accesses the microphone on your phone for reasons you allow, like recording sound with your videos." (Source)
I tell you what, our engineers and programmers are virtual wizards—they have managed to program a device to understand the English language spoken aloud, but even more miraculously, they have figured out how to program a device to predict the future and only listen at the exact moments that words are spoken that are relevant to the device. Obviously, the powers of predicting the future are limited to the realm of listening, otherwise there would be no need to collect data on us—the companies would just be able to predict our behavior directly. Do I need to point out the sarcasm? Rhetorical question: if we can establish that the more data a company has on you, the more accurate its predictions of your future behavior will be, and if we are unable to identify a reason why companies would naturally limit their data collecting activities, what reason is left to believe that the value of preserving a customer’s privacy is perceived as a higher priority than the profit to come from disregarding that privacy?
It’s fair to say that the focus so far has been on how companies can profit directly from the collection of data—e.g., Amazon using the information it has about customer purchases to predict, and influence through advertising, future purchases. Simply because you collect the data, however, it doesn’t mean the data holds value that is exclusive to you. A great illustration of this is the simple fact that Google has created an entire business around data and analytics. Heck, even the marketing platform that we use employs Google Analytics to analyze web traffic. It should be understood that Google Analytics is a subscription service predicated upon the analysis of data of users’ web activity. This quite literally means that Google is in the business of selling data, and to the extent that you have used Google services, that would most likely include data about you.
In another example that might very well prove how unaware we are of the ubiquity of surveillance, we actually wrote about a company employing such a business model here and here, but without using the word surveillance. That company? Robinhood. Its business? Financial services, or investments. Robinhood's exploitation of data, however, was fairly indirect.
Robinhood was able to profit off of the data detailing the trades that individual investors were requesting via its platform. It did this by selling the rights to execute those trades to other firms. To be clear, firms are willing to pay for the right to process the trades of individual investors. Processing trades is work. These firms are buying work. If that sounds backwards, it should, and it should be the first indication that something might be amiss.
What was apparently amiss was the simple fact that if a company is paying for the ability to do work, then there must be profit to be found in what is being purchased, over and above the expense of the purchase. As it turns out, the profit to be made was in taking positions opposite of individual investors. As an example, if a firm was to purchase the data on a block of trades, and those trades happened to include a sufficient number of requests to sell a certain company’s stock, this might indicate to the firm executing the trades that the particular stock at hand is going to decline in value. A firm can maneuver to take advantage of such a decline by shorting the stock—a practice defined in this post. That is precisely what occurred in the case of stock for GameStop and is also why Robinhood is better known today than it was before that episode. Probably the biggest lesson learned by folks out of this episode is this: if something is free, then you might not be the customer.
By the way, when I said earlier that there would be more on the concept of companies using data to create transactions from which they can profit, the Robinhood example is a good one to illustrate what I meant. Robinhood didn't, and to my knowledge still doesn't, profit directly from the transactions of investors on its platform. Robinhood profits by having created a completely new and distinct transaction solely around the data that it collects. Just to hit this point as hard and direct as I possibly can, what Robinhood, or a company like Robinhood, has done is set up a legitimate service offering from which it does not profit directly. We already established that companies exist to solve the problems of the owners, first, so if a company is not solving the problems of the owners by charging customers like you, then you should absolutely be curious about how or why they are still in business.
To be perfectly clear, the purpose here is not to stoke fear. The purpose is simply to share information that is most likely helpful. So, if the information that is being shared does stoke fear, then that most likely speaks more to the fact that you feel as if you might have some vulnerabilities—this is a good thing. As we’ve discussed previously, you can’t know how resilient you are, unless you know how vulnerable you are. So, the first step in feeling more resilient is to define and address your vulnerabilities—this is where some tools, tips, and resources come in.
What follows here is heavily focused on Windows devices, but the concepts are similar on any device that accesses the internet and there is certainly a plethora of resources to be found online about enhancing your security and privacy, regardless of the device you might use to access the internet. Because I am not an exhaustive resource, nor am I seeking to create one with this post, I wanted to first provide you with a couple of links that I found to be helpful in evaluating my own vulnerabilities and needs:
The particular points that I identified as priorities to discuss here:
- Windows settings
- Paying for services
- Research parent companies
- Virtual Private Networks (VPNs)
- Browser and search
When it comes to steps that you can take to immediately enhance your security and privacy, you don’t have to go far. I found that Windows, itself, was defaulted on all of my machines to allow access to things that made me uncomfortable. Upon locating your privacy settings (Windows 10: Windows menu>>Settings>>Privacy), you will find toggles to control all manner of things related to what information can be accessed, what devices can be used and by what apps, etc. My approach: shut down access to anything and everything and wait until it’s proven that I need to allow a certain permission before I toggle it on.
Windows also comes with what is commonly referred to as bloatware—superfluous applications that are very rarely useful and seem to be games, for the most part. Some of these have their own privacy settings, but if you don’t use them, be sure to legitimately consider uninstalling them. In addition, you can also look into using a local account to login to your Windows machine. Some of the benefits of using a local account:
- More secure: You create a complex password that works on one computer and nowhere else.
- Private: Your settings and computer uses don't transmit to remote servers. Everything is stored locally on one computer.
- Internet-independent: A Microsoft login requires a connection to the internet to retrieve user settings and preferences; a local login does not require an internet connection.
- Custom login name: You don't use your email address as a login name, so it won't display on the login screen when your screen locks. (Source)
A new principle that I have adopted, particularly as a result of concerns over whether I was truly the customer of free services, is that I pay for any and every service that I use. To be clear, I don't expect this to guarantee that my data won’t be collected and used without my knowledge, but it at least removes some of the incentive. My thinking is that if enough customers pay for a service, that may very well ensure that a company's respect for privacy remains in line with my own. I do, however, try to make sure that I'm working with companies who have good privacy track records to start with.
Another habit that I have picked up is looking into the parent companies of the apps and services that I use. The reason I do this is simple: if an app or service has a reputation for data gathering and exploitation, then any property that company owns is most likely going to be engaged in the same. An easy example of this would be Instagram. Facebook has already been mentioned as a company involved in data gathering and exploitation. Facebook owns Instagram. So, even if I was not already aware of data collection performed by Instagram, it stands to reason that Instagram would most likely be involved in data gathering as well, as a subsidiary of a larger company engaged in that practice.
A powerful tool for online security, and one that has really gained notoriety over the last several years, is a VPN. Here's a good explanation of a VPN:
A VPN works by creating an encrypted connection between your computer/device and a VPN server. Think of this encrypted connection as a protected “tunnel” through which you can access everything online, while appearing to be in the location of the VPN server you are connected to. This gives you a high level of online anonymity, provides you with added security, and allows you to access the entire internet without restrictions.
Without a VPN, everything you do online is traceable to your physical location and the device you are using via the device’s IP address. Every device that connects to the internet has a unique IP address – from your computer to your phone and tablet. By using a VPN, you will hide your true location and IP address, which will be replaced by the VPN server you are using.
Most VPN providers maintain servers all around the world. This gives you lots of connection possibilities and access to worldwide content. Two VPNs that both have a large server network around the world are ExpressVPN and NordVPN. (Source)
I wanted to be sure to mention at least a couple of things concerning antivirus software. There might not be anything more fundamental to online security and privacy than having a good antivirus solution. Lately, though, the “antivirus” label has become somewhat of a misnomer, as companies who develop antivirus software have begun offering suites of solutions that often include a VPN, secure and encrypted password storage, secure and encrypted cloud file storage (potentially important in the event of a ransomware attack), utilities to enhance computer performance, identity theft protection, etc. Choosing the right solution that offers the features that are best for you is obviously important, but it's also good to acknowledge that protecting your private information from antivirus software is a virtually impossible task, because antivirus software basically needs access to all of your files to do its job.
Given that the primary way in which most of us interact with the internet is via web browser and to search for answers to life’s most important questions that wander into our minds throughout the day, using a secure browser and search engine is important. We’ve already discussed some of the ways in which Google is involved in tracking and a large part of this involves the searches that are performed through the Google search engine. Google Analytics was referenced earlier as a way to verify the tracking in which Google engages, but another easy demonstration comes via Google Trends. Google Trends is basically Google’s way of saying, “Here’s what all of you searched for.” Our response seems to be something akin to, “Cool. Has anyone liked or commented on my post yet?” More sarcasm.
Why might we need to care more? Google can’t know what all of our searches have been, unless it knows what each individual search was, so you are absolutely represented in the data on Google Trends, if you have used Google’s search engine. By the way, I would assume that Google’s proclivity to collect data has been firmly established, so I will leave you to infer what this means for Google Chrome and other Google products and services.
In closing, I will simply say this: there is value in information, and I don’t know that the idea that information holds value is lost on too many people. What this simply means to me is that where there is information you will find someone trying to exploit it. In order to exploit information, though, you have to be able to get your hands on it. Without at least trying to put measures in place to block access to our private information, it would seem that we are essentially agreeing to provide access to our information and to live at the mercy of those who take advantage of such a generous offer.