
I. Personally identifiable information

We live in a digital world and leave pieces of our identity behind wherever we go. This digital footprint is surprisingly easy to collect online. Big companies such as Google rely on the information you leave behind to sustain their advertisement revenue. Advertisers prefer targeted ads and are willing to pay more for them. This creates an incentive for advertising companies to collect this information and try to pinpoint your demographic information from that data.

For companies to be able to target advertisements in a reliable way, a lot of data needs to be gathered. The coverage also needs to be broad, meaning the companies need to know quite a lot of your interests for the data to be beneficial.

Note

Social media sites and advertising companies such as Google track your online activity to better understand your preferences. That same tracking can tell a lot about your other preferences too, and it could be very easy for the companies to find out about your political or sexual preferences, for example.

In the eyes of the law, this kind of approximation of information is not considered PII. However, along with even a little bit of identifying information, demographic info can become really precious. Some companies collect this kind of data from dozens or hundreds of different locations and try to combine it for a better way to monetise your information.

Note

There are thousands of companies collecting and selling your data online. These companies operate in a grey area of the law and what they’re doing is not a criminal act in most places. However, they have sometimes been caught collecting data without permission and misusing the data they have access to. For example, data brokers might set up a Facebook page that provides a service (or a game or a quiz) but at the same time collects your information for sale.

Some areas have taken on the problem of privacy on the internet. Regulations such as the EU’s GDPR and California’s CCPA aim at protecting the privacy of their citizens with laws.

In addition to the tiny traces of data that can be attached to your identity only by large tracking networks, you leave personal data with many of the services you use. This data can be anything considered confidential, such as credit card information, social security numbers, contact details, medical history or political allegiance.


Tracking via cookies

Almost all companies track your browser via cookies, which are small pieces of information left on your computer that identify you to the website that serves the cookie. Cookies can’t track all your internet activity, but they can track the pages you visit if the page contains a widget or an ad from the original site. A widget can be a like button or a login prompt from the original site (Facebook or Google login). When the widget or ad is loaded, the original site is asked for the widget and gets the address of the site you are loading along with the original cookie identifying you to them. The advertisements on the page can also come from companies that combine the ad data and pages where the ads are shown to you to better identify your habits.
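The widget provider's side of this, as an added example that is not part of the original course material: the requests below are constructed, `social.example` and the `uid` cookie name are hypothetical, and the page address is assumed to arrive in the `Referer` header. It shows that the cookie is what links visits on unrelated sites into one profile, and that requests arriving without it cannot be linked this way.

```javascript
// Constructed sample: requests a widget provider ("social.example") receives
// when its like button is embedded on unrelated sites. All values are made up.
// Browsers may trim the address to the site origin depending on referrer policy.
const widgetRequests = [
  { cookie: "uid=a1", referer: "https://news.example/politics/election" },
  { cookie: "uid=b2", referer: "https://shop.example/baby-clothes" },
  { cookie: "uid=a1", referer: "https://health.example/clinic-finder" },
  { cookie: "uid=a1", referer: "https://shop.example/running-shoes" },
  { cookie: null, referer: "https://news.example/sports" }, // third-party cookies blocked
  { cookie: null, referer: "https://health.example/allergies" },
];

// Pull the identifier out of a Cookie header value such as "theme=dark; uid=a1".
function cookieId(header) {
  if (!header) return null;
  for (const part of header.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name === "uid" && value) return value;
  }
  return null;
}

// Group the visited pages per cookie identifier, as the widget provider could.
function buildProfiles(requests) {
  const profiles = new Map();
  const unlinked = [];
  for (const req of requests) {
    const id = cookieId(req.cookie);
    if (id === null) {
      unlinked.push(req.referer); // no cookie: cannot be tied to a profile this way
      continue;
    }
    if (!profiles.has(id)) profiles.set(id, []);
    profiles.get(id).push(req.referer);
  }
  return { profiles, unlinked };
}

const { profiles, unlinked } = buildProfiles(widgetRequests);
for (const [id, pages] of profiles) console.log(id, "->", pages.join(", "));
console.log("not linkable by cookie:", unlinked.length, "requests");
```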

Browser fingerprinting

Your online actions can also be tracked via multiple techniques that are called browser fingerprinting. When you visit a website, your browser sends a lot of information to the server. These include items such as language preferences, browser identification codes, window dimensions, font size and so on. Combined with cookies and your IP address, these provide a powerful tool for tracking you, even if you were to clear your cookies or deny the sites permission to use cookies.

You can overcome some of these tracking methods by using your browser’s private or incognito mode. Some browser plugins such as Privacy Badger or AdBlock Plus also block some of the tracking methods used.

Example

An example of a browser fingerprinting result can be found on the site amiunique.org. You can use this to determine if the browser you are using can be uniquely identified among the almost three million browsers tested. You can test your browser at https://amiunique.org/
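Why combining attributes identifies a browser, and why clearing cookies does not help, as an added example that is not part of the original course material: the five visitors are constructed, and the attributes are the ones named above (browser identification, language, window dimensions, font size). It counts how many visitors become unique as attributes are combined, which is the same kind of measurement a fingerprint test site reports.

```javascript
// Constructed sample: attributes five browsers send to a server. All values are made up.
const visitors = [
  { ua: "Firefox/Linux", lang: "fi-FI", window: "1280x720", fontSize: 16 },
  { ua: "Firefox/Linux", lang: "en-US", window: "1280x720", fontSize: 16 },
  { ua: "Chrome/Windows", lang: "en-US", window: "1280x720", fontSize: 16 },
  { ua: "Chrome/Windows", lang: "en-US", window: "1280x720", fontSize: 16 },
  { ua: "Chrome/Windows", lang: "en-US", window: "1600x900", fontSize: 20 },
];
const ALL = ["ua", "lang", "window", "fontSize"];

// Join the chosen attributes into one fingerprint string.
function fingerprint(visitor, attrs) {
  return attrs.map((a) => `${a}=${visitor[a]}`).join("|");
}

// Count how many visitors share each fingerprint (the "anonymity set").
function anonymitySets(list, attrs) {
  const sets = new Map();
  for (const v of list) {
    const fp = fingerprint(v, attrs);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

// Number of visitors whose fingerprint nobody else in the sample shares.
function uniquelyIdentified(list, attrs) {
  const sets = anonymitySets(list, attrs);
  return list.filter((v) => sets.get(fingerprint(v, attrs)) === 1).length;
}

// A browser returns with its cookies cleared: which earlier visitors does it match?
function matchesAfterCookieClear(returning, list, attrs) {
  const fp = fingerprint(returning, attrs);
  return list
    .map((v, i) => (fingerprint(v, attrs) === fp ? i : -1))
    .filter((i) => i >= 0);
}

console.log(uniquelyIdentified(visitors, ["ua"]));
console.log(uniquelyIdentified(visitors, ["ua", "lang"]));
console.log(uniquelyIdentified(visitors, ALL));
console.log(matchesAfterCookieClear({ ...visitors[4] }, visitors, ALL));
console.log(matchesAfterCookieClear({ ...visitors[2] }, visitors, ALL));
```

The last two calls show the defensive point: an unusual configuration is re-identified exactly, while a common one only narrows the match to a group.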

Why it matters that your data is gathered

Most of the time, the information gathered about you is used to identify you and serve better targeted ads or to show you better suggestions. This can make your online experience more pleasant by enabling you to discover content and items that suit your taste and needs.

However, that data can be used for more nefarious purposes as well. A recent example is Cambridge Analytica, which used Facebook data received from a researcher for political purposes. The data was used to target political messages to individuals to affect many elections globally, the most familiar being the 2016 US presidential election and the Brexit vote in the UK. Cambridge Analytica also used a Facebook app called “This Is Your Digital Life” to gather info from its 270,000 users and, without their consent, from the users’ friends, covering in total about 87 million users.

A less nefarious example, but a worrying one nonetheless, is from the distant past of the year 2012. Target, a US-based shopping chain, was trying to better target their paper advertisements to their customers and in some people’s opinion the company went a bit too far. In this case, Target’s data scientists used their customers’ data and the items users bought to determine what kinds of products they would be likely to purchase. As a teenaged Target customer became pregnant, she shifted her habits just enough for the algorithms to determine that she was pregnant, thus offering her items that exposed her pregnancy. She hadn’t told her family about the pregnancy yet, but they found out from the marketing material sent to their home.

For some services, their entire business model is based on gathering this information from as many sources as they can and selling that information to anyone willing to pay the price. This information is commonly used for improving user experience, academic research, targeted advertisements, targeted political messages and so on. This data can also be used by authoritarian governments for monitoring their citizens and cracking down on dissidents. The harsh attitudes towards TikTok in the US, for example, were attributed to the app gathering lots of data from its users and sending it to the Chinese government.
