If you use a smartphone and download apps, as half the U.K. population does now, you've probably used an app which pops up a dialog box pop asking “Find your friends?” and offering to search some new social network — or one of the more familiar ones — for people you already know.
It's easy and quick to click on the “OK” button. But do you know what's happening once you do? This is where you suddenly discover that what you thought you knew about your online privacy is wrong — or at best, incomplete.
In mid-February, an Indian researcher, Arun Thampi, figured out what was happening when Path, a would-be social network app for Apple's iPhone for “sharing your life,” asked that question. It was uploading the entire contents of your address book — names, emails, phone numbers — to Path's servers.
The outcry over this data grab was rapid and widespread — at least among the Silicon Valley digerati and those who watch them. Path's chief executive wrote a mea culpa blogpost, the company updated its app so it wouldn't upload all the data, and everything seemed calm.
Apps and data
Then Dustin Curtis, a user interface designer, pointed out that loads of apps do this. On his blog, he noted: “I did a quick survey of 15 developers of popular iOS apps, and 13 of them told me they have a contacts database with millions of records. One company's database has Mark Zuckerberg's cellphone number, Larry Ellison's home phone number and Bill Gates's cellphone number.” But he added: “This data is not meant to be public, and people have an expectation of privacy with respect to their contacts.” More digging showed that Facebook, Instagram, Yelp and location service Gowalla did too. It seemed like it would be easier to list the apps that didn't do it.
For those feeling suddenly itchy about their privacy, there was more to come. A few days after Curtis's blog, Twitter admitted that it too grabbed address book data (though only, it said, your friends' emails and phone numbers); the purpose being just to find people you already know who might already be, or will be, members of the service. Jon Leibowitz, the chairman of the U.S.'s powerful Federal Trade Commission, summed it up in a sentence: “Right now, it is almost impossible to figure out which apps collect data and what they do with it.” Apple chewed this over silently for a week and then announced that a forthcoming update of the iPhone and iPad software would prevent this.
But just as another privacy storm seemed to have come and gone, another arrived: Jonathan Mayer, who researches online privacy at Stanford University, discovered that Google had hacked past the default privacy settings of Apple's browsers on the iPhone, iPad and desktop so it could track people's use of the web, whether or not they were signed into its services. That also meant that its advertising arm DoubleClick could follow them too. Adding to the appearance of culpability, as soon as the Wall Street Journal, following up Mayer's discovery, contacted Google, it stopped doing it. In recent weeks, only Facebook has emerged without immediate criticism.
But the damage has been done. “Between the Path debacle and Google's Safari cookies, [Silicon] Valley's moral bankruptcy on privacy was made obvious,” commented James Grimmelmann, an associate professor at New York Law School, on Twitter.
But it's not just in the narrow space of web browsing or apps that we're identifiable. A chilling story in the New York Times described how the giant Target store is now so good at tracking what items people buy that it can spot if someone is pregnant — especially in the second trimester, when they begin buying things such as vitamins and maternity clothes; catch them there and “we could capture them for years,” as a statistician explained. The 25-item prediction system works so well that Target knew that a teenage girl was pregnant (and began sending appropriate shopping coupons to her home) before her father did.
On Target's part, it was nothing personal. But it wasn't private either: somewhere in its machine, there was a link between the girl and her pregnancy.
Essentially, the edifices of privacy that we once thought we understood are melting like ice in a heatwave. Once upon a time, before mobile phones, it was really hard, without direct surveillance, for anyone else to know where you were. Now add in smartphones and apps such as Path, Twitter and Foursquare, as well as web-based companies such as Facebook and Google which rely on serving ads, and data-crunching like that done by Target (and all the big supermarkets) and the idea of “privacy” is being eroded from inside and outside. Your address book is somewhere in the “cloud.” You're telling anyone who has access to your Facebook profile where you were. Foursquare users can track your whereabouts, if you “check in.” The supermarket where you shop is sending you coupons for nappies.
A graphical representation of how much public data Facebook used to show in 2005 compared to 2010 looks just like scary forecasts of polar ice cap melt. Except it's already happening. In fact, online privacy looks altogether like global warming: we tut about it and mutter “something must be done,” and then do the equivalent of clambering into 4x4s — tagging photos on Facebook of friends getting drunk, tweeting pictures of our lovely trip and family on Instagram. Simon Davies, director-general of Privacy International, the pressure group that has been warning about the ease of such invasions for years, thinks it's an apt metaphor — but equally that, like the environmental movement, awareness is growing that it's not right, and that we can't go on this way.
“We have had developers tell us that they don't want their platform screwed up by too much privacy management,” he says. “There's all sorts of hoodwinking and linguistic devices that they use to persuade you to hand over your data.” Such practices are pervasive, he says.
But there's growing awareness among a number of people on social networks that there's value in keeping information about yourself, your whereabouts and life private. Not just to protect yourself from identity theft; also just because it's nice to have some part of you that isn't subjected to the panopticon of the web. “It is like the environmental movement, in that there are evangelists working to keep the brakes on excess use,” says Davies. “I think Microsoft and Google are starting to see a change there.” The trouble for Google is that 97 per cent of its revenue comes from serving ads. Its profits improve if people click on ads, so it likes to show “relevant” ads — and the best way to work out which ads to offer is to watch which web pages people visit.
Google is painfully aware that government agencies take a dim view of any corporate infringement of people's privacy — and also that if it loses users' trust, the slope from top dog in search to also-ran could be slippery. (For that reason, Microsoft has been hammering away at the privacy topic in its PR efforts: when news broke that Google had worked around Internet Explorer's protections, rather than follow its frankly arcane privacy system, Frank Shaw, Microsoft's combative head of PR, tweeted in faux disbelief: “Google can work on a self-driving car but can't figure out how to implement a standard?”) The culmination was the announcement last week by the Obama administration that it would push for all browsers to have a “Do Not Track” button as part of a “consumer privacy bill of rights”, while the Californian attorney general said that apps would have to include privacy policies to tell users what data they would access.
But where does it all end? “It's a systemic problem,” says Davies. “The situation will only change when it's not fashionable to give away your data, when it becomes sad to do so in front of your peers.” Is there any chance of that happening? Mayer says there are “bright spots” in privacy; he is working on the “Do Not Track” system. But others in the industry point to the differences between the U.S. and Europe — the strong data protection legislation in the latter, and its almost total absence in the former — and suggest the gulf can't be bridged; our data will always flow downhill towards the area that lets companies make as much (profitable) use of it that they can. The columnist Helen Popkin commented despairingly: “Facebook is the slowly-warming pot of water and we, my friends, are the frog. By the time we noticed our peeling skin, another hunk of our privacy is long gone.” But that was in March last year. Since then more and more chefs have continued to gather around the pot. Do you want to find friends already using this service? Is it getting warm in here? — © Guardian Newspapers Limited, 2012