Citizen Surveillance

Books on cyber security on Social Media

I thought to celebrate Data Privacy Day, held every January 28, I would create a document that will help you understand the constant collection of personal data, how it is being identified and manipulated, steps that you can take to limit this invasion of privacy, and finally a list of best practices.

Citizen Surveillance

“I don’t want to live in a world where everything I say, everything I do, everyone I talk to, every expression of creativity and love or friendship is recorded.”

Edward Snowden

Sur-veil-lance Cap-i-tal-ism, n.

  1. A new economic order that claims human experience as free raw material for hidden commercial practices of extraction, prediction and sales.

“Surveillance Capitalism is not an accident of overzealous technologists, but rather rogue capitalism that learned to cunningly exploit its historical conditions to ensure and defend its success.”

The Age of Surveillance Capitalism Shoshana Zuboff

Welcome to cyber surveillance. This essay will help the reader understand the constant collection of their personal data, how it is being identified and manipulated, steps that can be taken to limit this invasion of privacy, and finally a list of best practices. To create a succinct and readable document, this essay will refrain from defining concepts or terms within this document, however, it will use links to help readers understand terms and policies.

This document will not addressing the governmental intrusion on individual privacy, because there is nothing that can be done on a personal, granular level other than donating to organizations like the Electronic Freedom Foundation who are working to enact laws that limit these surveillances (read spying) on U.S. citizens. When the author was a teen, he toured the FBI headquarters in Washington, D.C., where, at the end of the tour, they encouraged all to be fingerprinted. Of course, his fingerprints were entered into their database.

Now, it is much more – collecting data from telephone calls, emails, texts, GPS, cell phone towers, driver’s licenses, passports, visas, DNA profiles, facial recognition, drones and satellites. For instance, all state driver’s licenses are now REAL ID’s that connects information into a vast national database, with some states selling information to marketers who are the highest bidder. And satellites?  Everyone’s gait is distinctive. Training cameras on individuals can profile them using gait recognition.

In her book, Cyber Privacy – Who Has Your Data and Why You Should Care, April Falcon Doss succinctly lays out four levels of privacy.  She says, broadly speaking, personal data can be characterized as information about:

1) what we have (e.g. Name, date of birth, social security number)\

) what we do (what and who we interact with)

3) who we are (preferences)

4) what we think, believe and know

Each level or function escalates the degree of intrusion into our privacy. This essay will focus on number 2 – what we do, because how we select products and platforms that we use to interact in the digital world is somewhat in our control, but with references to numbers 3 and 4 – sometimes referred to as predictions of certainty.

First, opting out is important not only with your browsers and apps, but with purchases such as cars and televisions, that track you. One day we will have a refrigerator that will have cameras inside that will scan your groceries and help you make up your shopping lists.

Wait. There is already one on the market from Samsung that is called the Samsung Family Hub. A spokesman said, “The latest Family Hub is the most innovative yet, with more personalized, intelligent features that enable busy families to stay better connected to one another.” And Samsung collects all this data from the Family Hub and from other connected Samsung appliances (read phones, TVs etc.) and apps.

The rationale that many companies give when tracking you by default is that they are “making the user’s experience better.” Most Terms of Service – contracts in the digital world  – are long and full of legalese. They opt the user “in” by default and many obscure how to opt out of data collection. These documents are designed to protect and enhance their business. The only reason that consumer rights become involved is if the company is legally forced to protect them. Two articles by Geoffrey A. Fowler of the Washington Post offers help in finding buried default privacy settings. Here is an amalgamation of major sites that track with links to managing their privacy settings.

With modern data collection it is easy to link small pieces of intelligence together to quickly form larger inferences. Your pharmacy loyalty program and your grocery store’s receipt swear that they do not ID you or supply personal information to other marketers. Software that uses “mashups”, machine learning, Artificial Intelligence, algorithms, etc. can quickly and easily combine seemingly anonymous data together for a positive identification.

Here is an example. You drive your “tracked” car, using your mapping GPS, Google Maps, on your cell phone, to your pharmacy. The parking lot has a security camera and upon entering the store, there is another, this one equipped with facial recognition. You select your item on aisle six (another camera) and go to the cashier (another camera) where you enter your telephone number to activate your loyalty card. You pay with your Visa card, then leave the store. You also left a trail.

Basic search technology works when you have a subject, location and a temporal indicator (the time). In this case, we are “missing” the subject, but how long do you think with the data just collected it would it take to find it?

The Internet

Malicious threats and how to avoid them.

Viruses – These are usually promulgated throughout the internet via your email account. The most notorious entry point is Microsoft Outlook.

Defense – AVG or MacAfee Stinger for Windows;  Malwarebytes for Windows or Mac.

Malware – These “moles” usually try to enter your systems by embedding code in apps or programs that you download from the net. Some enter your systems with incoming emails that are innocently opened.

Defense – Have your browser set to ask permission if you are downloading any application or program from the web. Make sure they are from a trusted source. Some browsers will alert you to websites that are not to be trusted.

Phishing – Apparently innocuous emails that are used to gain access to personal information.

Defense – Look closely at the email you receive. It may look legitimate, perhaps even having the graphics of a trusted institution (e.g. your  bank). Look for mistakes in spellings and most importantly the email address that sent you this email (e.g. notification@bankofamerika.com). Note that the IRS never communicates via email.

Email hacking – Usually done by opening a phishing email, posting your email on the net, pixel tags or using public WIFI services.

Defense – If hacked, change your email password. Get with your Internet Service Provider technical assistance to go through your settings to eliminate the bogus email address. You also can change your email address, but that can be a hassle, as you need to email your contacts with your new address.

Tracking

Tracking has been touched on briefly In a previous paragraph. As this issue is one of the most important invasions of privacy, this section will go into more detail on how tracking works and ways to avoid being tracked. Later, under the Social Media heading, tracking will also be addressed.

The coin of the realm in the world of surveillance capitalism is data collection. It is accomplished in a number of ways: cookies, persistent cookies, first and third party cookies, super cookies, etc. and with Terms of Service and user generated data. The data collected, usually under the guise of providing better service is almost always monetized through the mega platforms or third party aggregators. Some websites use heat mapping and session recording to follow your mouse movements when you access their site.

Companies such as Google and Facebook – pure data companies – are using massive data collection not to gain market share, but to own the market. Today, one-third of websites surveyed by The Mark Up contained tracking code from Facebook, which allows the social media company to see where its 3.14 billion active members travel outside of the application.

Google is the wholly owned subsidiary of Alphabet, a technology conglomerate that has acquired and sometimes rebranded more than 225 companies in its 20 year existence – notably in the last 10 years 15 businesses specializing in Artificial Intelligence and machine learning. Their modus operandi is “buy or bury”. The Silicon Valley giant collects data from twice the number of websites as Facebook. Your collected personal data can also be subpoenaed by lawyers, including for civil cases like divorce. Google answered over 150,000 such data requests in 2019 alone.

User generated information

This is another technique used to gather data. Entering personal information into web forms such as registrations makes data collection easy, as the information is volunteered.  Other platforms collecting user information are:

Surveys. Although online surveys conform with privacy laws in a few states, many ask respondents to agree to a consent statement bypassing legal obligations. By default, most collectors track the IP address of the respondents as response metadata. Be wary if the survey asks for personal information such as name, address, date of birth, etc.

Donations. In a Hofstra Law Faculty paper, the author’s wrote about a donor’s right to privacy stating that their article explores the privacy concerns that arise when nonprofit fundraisers trade, sell, rent or otherwise exploit personal information about charitable donors that they obtain in the course of obtaining donations.

Loyalty Programs. Tracking embedded in loyalty programs is directly related to the amount of personal information required to join the program.

A landmark privacy law, the California Consumer Privacy Act (CCPA), enacted in January 2020, is being considered for a similar legislation by many other states and the federal government. The act states that, “If you are a California resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information and not to sell your personal information. You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information…Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.”

Because of this law, many websites now display a popup when entering their site that says that the site uses cookies and you need to accept that fact. Do not accept unless the prompt fills the screen and doesn’t allow you to see the content. The site will work well by the user not agreeing, it’s just that the data dragnet will be disabled. If you have agreed, but you have set your browser preferences to delete cookies and site data when it’s closed, don’t worry.

Apps

 On cell phones, under “Settings” on both Android and Apple, users can toggle app settings on or off for access to your location, photos, cellular data, notifications etc. With an iPhone, on many apps, there is an option that says, “Only when using the app”. All apps will prompt users to go to “Settings” to turn on needed services if they are off.

Also, for iPhones, in “Settings”, users can scroll down to “Advertising“, then toggle “Limit Ad Tracking” to on. For Android, under “Settings, tap “Google”, then tap “Ads”, then toggle “Opt Out of Ads personalization.”

Delete apps that you rarely use. Some security experts have advocated deleting all apps from your phone. If you have an app on your phone you don’t use, you’re essentially carrying around a tracking device for no reason.

Mark Weinstein, a privacy expert quoted in Market Watch says, “Most concerning is that governments around the world also can readily access this information about where you are and what you are doing.”

Browsers

Firefox, Brave, Edge and Safari offer stronger privacy protections by default than you get from Google Chrome, which is the world’s most popular browser, currently used by about 70 percent of people around the world.

While Chrome proves to be a safe web browser, its privacy record is questionable. Google actually collects a disturbingly large amount of data from its users including location, search history and site visits. Google gathers an unprecedented amount of data for its own marketing purposes and shares this information across their network of related companies. They tout that they’re keeping your information private from hackers, but that’s beside the point. Google itself runs the world’s largest advertising network, thanks in large part to data they harvest from their users. Chrome does not protect against session recording or key logging, doesn’t block canvas fingerprinting or third-party cookies, however Google allows users to change the browser’s privacy settings – if the user knows where to look. Here is a primer on how to take control over what Google collects.

The following is an excerpt from Google’s Terms of Service privacy policy:

“Your activity

We collect information about your activity in our services, which we use to do things like recommend a YouTube video you might like. The activity information we collect may include:

  • Chrome browsing history you’ve synched with your Google Account
  • Terms you search for
  • Videos you watch
  • Information about views and interactions with ads so we can provide aggregated reports to advertisers, like telling them whether we served their ad on a page and whether the ad was likely seen by a viewer. We may also measure other interactions, such as how you move your mouse over an ad or if you interact with the page on which the ad appears.
  • Voice and audio information when you use audio features
  • Purchase activity
  • People with whom you communicate or share content
  • Activity on third-party sites and apps that use our services

If you use our services to make and receive calls or send and receive messages, we may collect telephony log information like your phone number, calling-party number, receiving-party number, forwarding numbers, time and date of calls and messages, duration of calls, routing information, and types of calls.

Your location information

We collect information about your location when you use our services. Your location can be determined with varying degrees of accuracy by:

  • GPS
  • IP address
  • Sensor data from your device
  • Information about things near your device, such as Wi-Fi access points, cell towers, and Bluetooth-enabled devices

We use various technologies to collect and store information, including cookies, pixel tags, local storage, such as browser web storage or application data caches (a data repository on your device), databases, and server logs.” 

Social Media

 Section 230 of the Federal Communications Decency Act (CDA) immunizes all Internet platforms who disseminate content not of their own creation from liability for defamation, invasion of privacy, and virtually everything else except violations of intellectual property. From the act: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider”. The original intent was to protect free speech on these platforms.

The social media posts and actions by the former President of the United States on January 6, 2020 changed that sentiment. Twitter (the President’s favorite platform), Facebook and others subsequently banned his posts. This raises the obvious question of who will be the arbitrator of  here-to-for uncensored internet content in the future. Use Wikipedia as an information source, as there is only one “page” for each subject. (Here is the attack on the Capitol.)

The five main social media sites in the United States are owned by four large companies – LinkedIn (Microsoft), Facebook and Instagram (Facebook), Twitter and YouTube (Google). All of these platforms are “free to users” and the users are encouraged to post information about themselves, their activities and their friends. Facebook has acquired 80 companies in its 14 year existence. Following is Facebook’s data collection policy – as onerous as Google’s.

 “Device Information

As described below, we collect information from and about the computers, phones, connected TVs and other web-connected devices you use that integrate with our Products, and we combine this information across different devices you use. For example, we use information collected about your use of our Products on your phone to better personalize the content (including ads) or features you see when you use our Products on another device, such as your laptop or tablet, or to measure whether you took an action in response to an ad we showed you on your phone on a different device.

Information we obtain from these devices includes:

  • Device attributes: information such as the operating system, hardware and software versions, battery level, signal strength, available storage space, browser type, app and file names and types, and plugins.
  • Device operations: information about operations and behaviors performed on the device, such as whether a window is foregrounded or backgrounded, or mouse movements (which can help distinguish humans from bots).
  • Identifiers: unique identifiers, device IDs, and other identifiers, such as from games, apps or accounts you use, and Family Device IDs (or other identifiers unique to Facebook Company Products associated with the same device or account).
  • Device signals: Bluetooth signals, and information about nearby Wi-Fi access points, beacons, and cell towers.
  • Data from device settings: information you allow us to receive through device settings you turn on, such as access to your GPS location, camera or photos.
  • Network and connections: information such as the name of your mobile operator or ISP, language, time zone, mobile phone number, IP address, connection speed and, in some cases, information about other devices that are nearby or on your network, so we can do things like help you stream a video from your phone to your TV.
  • Cookie data: data from cookies stored on your device, including cookie IDs and settings.”

One of those cookies is the “fr” cookie, which, according to the company’s cookie policy, is “Facebook’s primary advertising cookie” and contains information such as your Facebook user ID. It allows the company to link someone’s browsing history across the web with his or her Facebook profile.

In addition, Facebook’s tracking pixel can allow Facebook to identify users whether or not they are logged into Facebook, depending on how the website using the tracking pixel configures it.

These data collection policies also apply to Instagram and WhatsApp as they are owned by Facebook.

As mentioned above under the header of Tracking, these small pieces of personal data are increasingly aggregated by advertising platforms like Google and Facebook to form a more complete picture of who you are, what you do, where you go, and with whom you spend time. (number 3) And those large data profiles can then lead much more easily to significant privacy harms (number 4).

If it is important to join one of these platforms, and you can’t do without it, please see the articles here and here that help you protect against privacy overreach within the social media apps.

“Our lives are scraped and sold to fund their freedom and our subjugation, their knowledge and our ignorance about what they know.”

The Age of Surveillance Capitalism Shoshana Zuboff

Best Practices

 Using the internet, we will always be tracked. Following are the author’s suggestions of programs and applications that will limit surveillance capitalism intrusions but still allow a robust internet experience. For another review of many alternative resources available go to restoreprivacy.com.

Virtual Private Network (VPN) At the outset, do not use your Internet Service Provider (ISP) to access the internet, acquire a VPN. Encryption is a common, although not an inherent, part of a VPN connection. When using public WIFI, consider apps like My Privacy.

Your Internet Service Provider tracks everything you do, similarly to Google and Facebook. My ISP is Verizon and here are their data collection policies in their Terms of Service:

“We collect information when you interact with us and use our products and services.

The types of information we collect depends on your use of our products and services and the ways that you interact with us. This may include information about:

  • Contact, billing and other information you provide
  • How you use our services and your devices
  • How you use our websites and apps (Think webmail)
  • How our network and your devices are working

We also obtain information from others.

This includes:

  • Credit information from outside agencies
  • Demographic and interest data as well as device type, carrier, city and state information from third party data providers
  • Information from social media platforms when you use your social media login to interact with Verizon sites or offers
  • Contact, marketing lead and other information we purchase or receive
  • Fraud information
  • Information from Verizon Media as permitted by its privacy policy and respecting the choices you make.”

Browser

Firefox (Multiple browsers can reside on your devices; Firefox should be the default)

Once the browser is installed, preferences need to be set and extensions activated, See here for preference settings. (Note: In nine months 45,259 trackers were blocked on the author’s browser) A recommended privacy extension is Ghostery and also recommended is the privacy app Jumbo.

Periodically, go into your browser’s preferences and clear your stored cookies and site data. You’ll find that a cookie is more than a few crumbs. The author’s browser generates about a gigabyte a week. If  this data was simply text it would be 500,000 pages or 1,000 thick books, but it also includes large graphic images to cut download times. Don’t worry about websites “not preforming as designed”. When a new user logs into a website, these cookies are automatically generated, and they also will be generated for you when you revisit the site.

Search Engine

DuckDuckGo Use it because it does not track. (Multiple search engines can reside on your devices; DuckDuckGo should be the default).

Password Protection

Lastpass Great password security protection, It can be a browser extension or accessed through their website.

Email

As users have a long history of their email and use it for many “usernames”, and because the “contacts” of others have cached a specific email, changing it may be difficult. You can use the Digital Advertising Alliance powered by AdChoices to help control how data is collected and used for advertising. By using these tools and setting privacy preferences the author only receives one spam email a week.

Mobile devices

iPhone Here is what’s in iOS 14; Apple’s privacy features make it harder for companies to track your movement around the web. It alerts you when apps are accessing your camera and microphone. You can share your approximate location with apps instead of your exact location. Another plus for the iPhone is the data on the entire device is encrypted as is end-to-end encryption when texting another iPhone user.

If you take your privacy seriously, and you have an Android phone, you could also consider using a version of Android that is not built by Google and won’t send them data. Google Assistant is the opt in default of Android. They should call it “Google Collector”. This website has information on how to stay private when using an Android phone. Their first piece of advice; “The basic principle: Turn everything off”!

Storage

iCloud In a word, encryption.

A website that identifies how you are being tracked

Blacklight By entering a website into the “scan site” box on Blacklight, the site will be scanned to reveal the specific user-tracking technologies embedded on the site—and who’s accessing your data.

By far the best way to prevent surveillance capitalism is to avoid entering data into these mega collections by not supplying them with user generated information. With that in mind, the author recommends not using these devices:

Google Home Nest Products

Fitbit (A Google data collection app)

Amazon Alexa and Echo

Amazon Ring

Amazon Blink

An  exception is Apple Home Pod that does not share user generated data.

On your mobile phone turn off Google Assistant.

Why should I care? I have nothing to hide” is a counter-argument that surfaces when discussing privacy, In 1999, Sun Microsystems Scott McNealy said, “You have zero privacy anyway. Get over it.” Privacy should be the default.

  • Privacy isn’t about hiding information; privacy is about protecting information, and surely you have information that you’d like to protect.
  • Privacy is a fundamental right and you don’t need to prove the necessity of fundamental rights to anyone.
  • Lack of privacy creates significant harms that everyone wants to avoid.

China’s Social Credit System is an example of national overreach. There are multiple social credit systems in China. Scholars have conceptualized four types of systems: the judicial system (blacklist system for discredited individuals and organizations), municipal social credit system, the financial credit system, and commercial credit-rating system.

History has shown that in many countries people who opposed those in power were fired, arrested, imprisoned and murdered. The Jews in Poland could say, “I have nothing to hide”. Hong Kong is a current example. The Roman poet Juvenal’s famous question persists: “Who will guard the guardians themselves?”

“If the digital future is to be our home, then it is we who must make it so”

The Age of Surveillance Capitalism Shoshana Zuboff