Facebook’s insidious data harvest

When technology writer Peter Griffin downloaded his personal data from Facebook and Google, it revealed a disturbing amount about the extent of his digital footprint.

Among the digital fragments that make up my massive archive of activity with Google, the most unnerving is my location data. Google knows everywhere I’ve been in the past decade. Whenever I had my Android smartphone with me, its GPS chip was recording and sending my co-ordinates, even trying to guess whether I was on a bike, in a car or on a train at the time.
Every one of the quarter-million emails I’ve sent and received since 2004, when I started using Google’s Gmail service, is there. Every chat conversation; every calendar appointment; every YouTube video I’ve watched. I regularly delete my internet search history, one of the data streams most valuable to Google, but it has plenty of other data points to determine exactly what makes me tick – and therefore what type of advertisements to put in front of me.

My 123MB Facebook archive is a fraction of the size of my 76GB Google file, but it, too, has a wealth of data on me: every message I’ve sent, photo I’ve posted, page I’ve liked; it knows where I logged into Facebook from and, most intriguingly, what advertisements I’ve clicked on over the years. Thus it has concluded that there are 337 ad categories I’m interested in and it seems to be right, since much of what I buy is on the basis of what appears in my newsfeed.

In short, two companies based in California have more intimate information on me than my own Government, my bank and even my own family. I agreed to all of this and so, probably, did you. This, as the US Congress members grilling Facebook founder Mark Zuckerberg on Capitol Hill reminded us, is the price we pay for something that purports to be free.

Facebook’s 2.1 billion users spend, on average, about 50 minutes a day on the site, generating hundreds of billions of data points. When the company allowed British consulting firm Cambridge Analytica to get its hands on the details of tens of millions of users, including 64,000 New Zealanders, it was a betrayal of trust that highlighted the continuous harvest of our data, lawfully and with our consent.

Every time we click the “accept” button on its terms and conditions or allow its app access to our photos, text messages and contact books, we give Facebook a blanket licence to use our data. But who fully understands how that data is being used? Zuckerberg maintains that Facebook users are in “control” of their data – he used the world 45 times before Congress. But although I can delete my Facebook account and have the files erased from Facebook’s servers, I have no access to the information derived from my data: the inferences served up to advertisers about me and two billion others. We are responsible, Zuckerberg says, but that responsibility does not extend to the insights Facebook’s black box of algorithms generates.

“The thing Facebook really has made a mistake with, other than responding too late to the situation, was that it is putting the onus on the user, which in the privacy world is something referred to as ‘user blame’,” says Timothy Summers, director of innovation, entrepreneurship and engagement at the University of Maryland’s college of information studies.

Getting to know you

A cybersecurity expert, Summers studies the psychology of hackers, but lately he has turned his attention to the well-established field of psychographic profiling and what our digital breadcrumb-trail reveals about us.

“We are so used to marketers using demographics,” says Summers. “In the case of Cambridge Analytica, we are talking about psychographics, where a person’s responses give an indication of their personality, values, decision-making and behaviour.”

After decades of work, psychologists have settled on five variables that are key to understanding us: openness, conscientiousness, extroversion, agreeableness and neuroticism. The initial letters of those five words produced the acronym Ocean and it underpins many of the quizzes and personality tests littering the web.

“Using these variables, coupled with big-data analytics, we can predict a person’s IQ and even how likely it is that they will have success in romantic relationships,” says Summers. “This gets even scarier with the inclusion of artificial intelligence. Today, we’re able to use this profiling to make strong assertions about a person’s behaviour. With AI, we’ll be able to make highly accurate predictions.”

Online marketers have long used browser history, location and technical details obtained from our computers and phones to profile us. But what makes Cambridge Analytica stand out, says Summers, is the way it allegedly attempted to apply psychometric predictions to influence the outcome of votes, such as the 2016 US presidential election and the Brexit poll.

“In the case of Cambridge Analytica, the executives specifically said that they wanted to use this data to identify our unconscious fears, which is really creepy if you think about it,” Summers says. “In my opinion it is killing democracy.”

So, how different are Cambridge Analytica and Facebook? Facebook denies it uses psychographic profiling to help advertisers target users.

“We do not allow advertisers to target people based on people’s emotional state or behaviour,” a Facebook spokesperson told the Listener. “Facebook’s ad targeting is based on demographic information and interest.”

A picture of you

But the 70 categories of information Facebook collects about users include religious and political views, if they choose to disclose them, and records of their likes, shares, comments, searches, browsing and location data. That adds up to more than enough to determine personality traits, aptitudes, emotional state and sexual orientation.

In fact, you don’t need much information to begin with. Summers and his colleagues put together a simple personality quiz to show what can be gleaned (an online quiz, This Is Your Digital Life, was part of the app that opened the door to Cambridge Analytica in 2015).

I completed Summers’ quiz – you can, too – and it found, among other things, that my beliefs “frequently drift towards the unconventional”; that I “do not make long-term plans and may even be disorganised or lazy”; I like pictures of guitars and am likely to respond well to messages beginning “Try our new …”. It had me to a T.

A 2013 study led by computational psychologist Michal Kosinski revealed that Facebook likes could predict a user’s race with 95% accuracy; their gender with 93% accuracy; and whether they were Democrat or Republican with 85% accuracy.

Two years later, another Kosinski study, based on an experiment involving 86,000 people, found that a computer could analyse just 10 likes and predict a user’s personality more accurately than a work colleague. With 70 likes, the computer was more accurate than a friend, with 150 more accurate than a family member, and with 300 likes, it could outsmart a spouse. The idea that Facebook knows you better than your family and closest friends may be true.

“It is almost impossible for you to not have your data captured somewhere by someone and out of your possession and control,” says Summers. “But what are you doing with my data and have I given you consent for that? That’s really the important question – regardless of whether you are Google, Amazon, Facebook or whoever.”

So what about Google, the other digital giant that serves us targeted ads? Is it any better than Facebook? It certainly has more of my data than Facebook does, and it regularly delivers advertising that is uncannily relevant to me. But Google lacks the social network. It poured hundreds of millions of dollars into developing Google+ as an alternative platform to Facebook, but it never took off. As a result, Google knows what I’m searching for, who I’m connected to and many other details, but it lacks some of the rich data that Facebook is designed to encourage us to share.

“The things you say in private are very different from what you might want to disclose publicly. Facebook’s community aspect encourages us to share things about ourselves that we might not otherwise,” says Summers.

When private goes public

New Zealand’s Privacy Commissioner, John Edwards, says Facebook stands apart from the other tech giants in the richness of the data it gathers. Three weeks ago, he deleted his Facebook account and publicly accused the company of breaching the Privacy Act.

A Facebook user had contacted him last year, after the social network knocked back a request for access to personal information held on the accounts of other Facebook users. Edwards wanted to look into the case – and his office has a statutory right to request information to assist his team in investigating and deciding whether there’s a case to answer.

But Facebook refused to co-operate. Its global deputy chief privacy officer, Stephen Deadman, said disclosing the information would “violate Irish data protection law, which is the data protection law that applies to Facebook Ireland, the company that provides the Facebook service in New Zealand”. So a company refused to hand over information sought by a privacy watchdog, on the grounds that to do so would breach privacy.

Surely New Zealand law applies to Facebook? It does and Edwards, an expert on information law, who practised law in Wellington for 20 years before becoming the Privacy Commissioner in 2014, was frustrated but could do little more than name and shame Facebook.

“If a respondent agency says to me, ‘No, I’m not going to do it’, which is essentially what Facebook did, there’s very little we can do to hold it to account,” he says.

Good timing

Only a few companies have refused to hand over information to the Privacy Commissioner in the past two years, and Facebook is by far the biggest of them. The case wasn’t related to the Cambridge Analytica data breach, but the timing of it being made public as Zuckerberg prepared to testify to lawmakers was fortuitous.

It also came days before Parliament was to have its first reading of a new privacy bill that contains provisions that would grant expanded powers to the Privacy Commissioner and require companies to report significant data breaches.

The new bill includes none of the recommendations of a 2016 report that Edwards wrote, but it does provide for mandatory reporting of privacy breaches to his office and for penalties if his office’s requests for information are refused: the fine would be up to $10,000, but Edwards wanted the ability to punish serious abuses with fines of up to $1 million.

“As the bill stands, if you have a heinous data breach but report it to me, there are no consequences. What I’m saying is if there is an egregious breach, I should have some access to a civil-penalty regime.”

Zuckerberg’s appearances on Capitol Hill have heightened interest in data privacy, which should give the bill a high measure of visibility as it goes through the select committee process where public submissions will be heard.

Those will probably raise other provisions, such as mandatory data portability and the “right to be forgotten”, which are included in sweeping new laws taking effect in the European Union. The EU’s General Data Protection Regulation can impose fines of up to €20 million or 4% of an offending company’s global annual revenue, a penalty likely to give multibillion-dollar heavyweights such as Facebook, Google and Amazon pause for thought.

Edwards isn’t in favour of what he calls the “cookie-cutter” approach of replicating the GDPR here. “GDPR is a high-tide mark. It would be very easy to say, ‘Let’s hitch our boat to that.’ It’s really important while it is in the House to put these [data protection provisions] to Parliament and say, ‘How about these as well, now that we are here?’”

Edwards hasn’t decided whether he will begin an official investigation into the Facebook-Cambridge Analytica breach. It would probably require someone to come forward who can prove they’ve been negatively affected as a result of it. But it is clear our privacy watchdog is increasingly pondering the power of multinationals that harvest the data of millions of Kiwis.

“Facebook is beginning to look more and more like a monopoly. That is a problem,” he says. “We’ve seen the mea culpa; it is really seizing that narrative. But what is business as usual at Facebook? Is Cambridge Analytica an aberration or is that actually the business model?”

Edwards says he doesn’t miss being on Facebook. “It’s been fine. I’ll go back on as I have family members who are there, but I’ll wipe the slate clean.”

Logging off

For those who have logged off Facebook for good, as part of the #deletefacebook movement, there are probably other factors at play beyond concern about the social network’s breach of trust.

“It isn’t just privacy,” says Alex Beattie, a Victoria University PhD student who is studying how and why people disconnect from the web. “Before Cambridge Analytica, people’s major beef with Facebook was that they thought they were spending too much time on it. They want to declutter their lives and be more present.”

It is often easier said than done. In the past year, I have been running the AntiSocial app on my phone to get a baseline on my own usage. In the past 30 days, I spent 41 hours and 57 minutes on my smartphone. Created by Melbourne-based software developer BugBean, AntiSocial is the first app to offer insights into individual app usage on Android phones and compare your usage with that of others in your demographic from a sample of 15,000 users around the world, hundreds of whom are in New Zealand.

That time spent on my phone was largely devoted to surfing the web using  the Chrome browser (27%), Facebook (26%), Gmail (14%) and Slack, the social network I use for communicating with colleagues (5%). Those usage patterns give me an AntiSocial score of 53, which is classed as average usage – the scale tops out at 160. I spent 58 minutes a day on social media and unlock my phone, on average, 63 times a day.

The notion that my usage is average is reassuring until I remember that that count covers just one screen: the time spent on my work and home computers and iPad tablet isn’t included. The app won’t work on Apple devices, whose software is too locked-down to deliver the metrics that it needs.

It is likely that you have friends and acquaintances you relate to more on Facebook than in real life. There’s social capital built up in a Facebook friends list that extends into the professional world too. But Beattie says that if you can’t leave, you can at least take more control. “There are half-measures, where you don’t delete your Facebook but change your experience of it.”

As part of his doctoral research, he will visit Silicon Valley to explore the “healthy tech” movement – software developers and companies reimagining our relationship with technology. Facebook creates habitual experiences to bring you back, “because the more time you spend on Facebook, the more money it makes”, Beattie says. From the little red icons denoting new messages or comments to the bottomless scrolling newsfeed and randomly timed notifications, Facebook is designed to keep you engaged.

Beattie suggests to those who are annoyed with Facebook but can’t get rid of it that they should change their experience of it. Deleting the Facebook app from your phone is a good start. Facebook has total control within the walled garden of its app. But accessing Facebook through a web browser is a different deal – the more insidious tracking of your activity can be blocked.

Beattie points to Brave, the fledgling web browser that blocks website trackers and intrusive advertisements and shares less data with marketers. Another add-on to the popular Firefox browser blocks Facebook from tracking you once you leave the site. There’s also the Demetricator, a web browser plug-in that strips Facebook of a lot of the metric-displaying features that keep you returning to it.

Rewriting the contract

A more fundamental shift in the design of user interfaces and apps and a rewriting of the “social contract” between Facebook and its users is required, says Beattie. “Everything that you click on, all the digital behaviour that you generate while on Facebook, goes to Facebook. Even when you leave Facebook, it can still track you. That’s a pretty average deal. If what could come out of this is better terms, that would be great.”

At the forefront of the healthy tech movement in the US are Tristan Harris, a former Google software developer, and Max Stossel, whose previous job as a “growth hacker” was to design those addictive notification systems that keep people scrolling and swiping through their phones.

“I began to realise that there was an ethical problem at play,” says Stossel. “We were tapping into basic human psychology to get people to do what we really wanted them to do. When you have the amount of data that Facebook or Snapchat do, you are better at manipulating people’s self-control and attention than they are at doing it themselves.”

The Time Well Spent movement they’ve started, based at the Center for Humane Technology in San Francisco, is looking at better ways of designing apps, and new business models, to underpin a more equitable deal between Big Tech and its users.

“We are trying to push the world away from the advertising model, away from a system in which our time is the commodity that everyone is competing so diligently to steal from us,” says Stossel.

“Unfortunately, Facebook, Apple and Google have disproportionate control over the ability to make the shift that would really matter. We are eager to work with those companies to create alternatives that can help humanity thrive.”

Five tips for taming your smartphone

Home screen Remove all but essential apps, such as phone dialler and address book from your home screen.
Notifications Turn off all notifications – friend requests, game updates, marketing alerts – that aren’t sent by a human being.
Bedtime Commit to not checking your phone in the first and last half hours of your day.
Charging Recharge your phone in the lounge at night, rather than within reach of bed.
Disconnect Turn off your device and have time away from it: an hour, a day or the entire weekend.

The privacy toolbox

Facebook Demetricator: A web browser add-on that strips out all the metrics of social value displayed on Facebook, such as number of friends, comments and likes, removing the social quantification that is so important to manipulating our psychology.

Brave: An open-source web browser for Windows, Mac and Linux computers, as well as iOS and Android phones and tablets. It blocks website trackers and removes intrusive advertisements as well as protecting privacy by sharing less data with advertisers.

DuckDuckGo: An internet search engine that doesn’t keep users’ search history. It shows all users the same results without taking into account a user’s digital profile.

AntiSocial: An Android smartphone app that lets you track your app usage and even block access to apps for periods of time. You can pair the app with a child’s phone too, a useful feature for parents worried their kids are becoming addicted to Snapchat.

This article was first published in the April 28, 2018 issue of the New Zealand Listener.