Cyber privacy: Open door

I was recently having dinner in a hotel restaurant in Italy where I was served by a slightly over-familiar waiter. When I returned to my room later that evening, I found he had requested to be my friend on Facebook, despite the fact I hadn't even told him my name, let alone shown any signs of wanting to get to know him on a personal level. I was spooked – but regardless of how he found out who I was, I realised that had he typed my name into Google, he would have been able to see where I worked, my job title, which city I lived in, articles I had written, my career history, where I went to university, what training I'd received, photographs and videos I had taken, things I liked, tweets I had posted and places I had been. All information I have voluntarily shared online – allowing anyone who cares to build a profile of me. When was the last time you Googled yourself? Even if nothing much comes up, don't imagine you can relax. Think about the information you freely give away on a daily basis but that might not show up in a web search – whether it's when booking a flight, signing up to a loyalty programme, downloading an app, filling in a customer survey form or sending an email. Then consider how this contributes to your data shadow. Of course, the issue of maintaining e-privacy is worrying, but the reality is that it is almost impossible to live and work in the modern world without sharing personal data. The questions you have to ask yourself are how much is worth sharing, what you get in return and how you can protect yourself. Futurist Juan Enriquez gave a TED lecture in February entitled “Your online life – permanent as a tattoo”. He presented the idea that our digital selves will outlive our physical selves, and our data may reveal more about us than we'd like to believe. “What happens if Facebook, Twitter, Google, LinkedIn, cell phones, GPS, Foursquare, Yelp, Easy Pass, security cameras, Wikipedia, credit scores, credit cards… all these things we deal with every day, turn out to be electronic tattoos?” Enriquez asks. He also posits what could happen when facial recognition gets so accurate that you could take a photo of a man in a bar on your smartphone and instantly download his name and records because he is “plastered by electronic tattoos”. Think it will never happen? Israeli facial recognition software company face.com has already “discovered” 18 billion faces online. And in June last year it was sold to Facebook. Jane Frost, chief executive of the Market Research Society, says: “Up until very recently, everyone assumed data was discrete – but data algorithms can actually put these things together and start to understand to an individual level the person whose data it is. You might have thought you were just a piece of digital data but with facial matching, Facebook can do a hell of a lot to tell who you are. [What’s more], you can never be forgotten. Your misdeeds or indiscretions when you were young can come back to bite you when you are older.” Cutting-edge technology is already beginning to harness data in creative ways, be it through Google Glass (voice-activated augmented reality spectacles that perform like a smartphone), social booking platforms, or RFID (radio frequency identification) tags. And there is plenty of potential for applying it to the world of travel – in fact, innovative hotels and airlines are already dabbling in it in an attempt to improve or personalise the customer experience. In Ibiza, the Ushuaia Beach hotel enables partygoers to “socialise” their experiences on Facebook in real time by tapping RFID wristbands on special screens around the resort that automatically log them into the network. According to travel technology website tnooz.com, “all content captured using the hotel’s swipe machines [is] also collected on the hotel’s own Facebook page” and “guests will be encouraged to tag themselves in each of their pictures”. Think that’s weird? You can also pay for food and drinks with just your fingerprints. Over in Las Vegas, the Aria Resort and Casino hands out digital menus in its restaurants so, according to Paul Berry, vice-president of hotel operations, it can “understand what people like, what is popular, and what is visually stimulating”. It also stores information on what temperature, lighting levels, “curtain operations” and wake-up alarm sounds they prefer in their room. The demand for personalised service, particularly within the high-end market, has seen a rise in travel companies using your data to create guest profiles. As discussed in these pages before (“The future of luxury”), some airlines and hotels are taking this further. British Airways has given iPads to senior cabin crew so they can access important passengers’ Executive Club status, onward journey, meal preferences and previous travel experiences, and find out what passengers look like on Google Images so they can recognise them. The ITC Grand Chola hotel in Chennai, meanwhile, has placed RFID scanners in the corridors that read your room key as you pass by, then send an alert to the phones of nearby staff with your name, photo and other personal details. If you saw my feature “Fancy meeting you here”), you will also be familiar with a new breed of online social seating platform, such as KLM’s Meet and Seat, which essentially enables you to choose who you sit next to on a plane based on data from their LinkedIn or Facebook profile. Some will even pair you up automatically with someone an algorithm has decided will be a good match. Sergio Mello is co-founder and chief executive of business-to-business platform satisfly.com, which has so far teamed up with Air Baltic to offer a service for finding a compatible passenger to sit with on the carrier’s flights. He said: “We can see the brands you like, the companies you have worked for, the check-ins you have made, the people you have in common. It is a tool to improve your experience – your details are not published, we just match your data with other people.” SeatID is a similar B2B service that was launched earlier this year, and is designed to harness the information you share on social networks to enhance your booking experience. As well as airlines, it also offers applications for hotels and trains. In talks with “one of the biggest train operators in Europe”, Eran Savir, chief executive and co-founder, explains how it works: “We have a widget that asks you to log in – after you do this, it follows you on the web and when you make a reservation we take this information – we know who you are – and show others. “If you opt in, we get access to your profile, but what is visible is defined by your own privacy settings. If you are on Expedia booking a hotel in Bangkok but are not sure which one to choose, we put a small widget next to each hotel to show you who else that you know has stayed there. All of a sudden this is an important factor in your decision-making process – social proofing.” Many of these data-based services are opt-in, so what travellers should really be aware of is the pervasive harvesting and subtle collation of personal information that takes place online in your day-to-day life. Much of it is for your own benefit, saving you time and making sites easier to navigate – but you won’t always be aware of what is taking place behind the scenes or have any control over what happens to your data once you have shared it. Consider how cookies store your activity so that when returning to an airline website, for example, it remembers what flight you were searching for or your loyalty scheme login information, and tailors offers to suit you. This can be a useful feature, but as soon as this information is passed on to third parties, it gets murky. Lindsey Greig, chief executive of global e-privacy consultation service Data Guidance, says: “You might click on an advert and then your information is passed to other parties. Suddenly, your data is shared with a company in the US, a company in Russia and a company in India without you really being aware that that is taking place.” According to BA’s privacy policy: “Cookies are used to enable us to present appropriate messages to our customers. For example, to allow [us] to serve up different versions of a page for marketing purposes, control invitations for instant credit card offers, allow third parties to display appropriate advertising and to track its effectiveness, and display messages which offer a selection of products based on what you’re viewing, which are presented to you by our agency when you visit other selected websites.” However, it also says: “You can choose to opt out of this type of advertising permanently by going to networkadvertising.org/choices. Please note, though, that if you delete your cookies too, we’ll no longer know that you’ve opted out, so the banners from our third-party will reappear when you visit other selected websites.” What else could your data be used for? Disconcertingly, it lists: “Accounting, billing and audit, credit or other payment card verification and anti-fraud screening, immigration and customs control, safety, security, health, administrative and legal purposes, statistical and marketing analysis, operation of frequent flyer programmes, systems testing, maintenance and development, customer surveys, customer relations, and to help us in any future dealings with you, for example by identifying your requirements and preferences.” Other major airlines carry similar statements on their websites. “Data is the new oil” was a phrase coined by British data commercialisation entrepreneur Clive Huby in 2006 to reflect the financial importance this new commodity has. According to IBM, the world’s population creates 2.5 quintillion (one followed by 18 zeros) bytes of data a day. What’s more, 90 per cent of data in existence has been created in the past two years alone. It’s no wonder that all of this has been branded Big Data, and its perceived value has even led to the mind-blowingly Herculean task of archiving the entire digital universe. In April, the British Library was granted the right to preserve the entire UK web space with about a petabyte of data stored over ten years – that’s 100 terabytes a year, or one billion pages a day stored for posterity. In the US, the Library of Congress has now archived more than 170 billion tweets. (Don’t forget just how big one billion actually is – if one million seconds is 12 days, one billion seconds is 31.7 years.) Though what use these billions of 140-character musings will have is yet to be seen. Frost says: “Clearly, data – the right sort of data, I would have to emphasise – helps businesses and governments to understand what their customers and general public are doing, and help them communicate in a targeted fashion. We have software that can collect and deliver it almost instantaneously so we can use it to frame decision-making about pricing. So if you are a Sky viewer they will look at your viewing patterns and suggest things you might want to watch, or if you are a Kindle user it will have ‘recommended for you’ based on your purchasing pattern. Your Oyster card tells Transport for London exactly where you are and can map all your journeys. Data can track your history.” As we are all well aware, not all data is being collected in ethical ways, or with noble intentions. Security breaches and heated debate over privacy settings is commonplace. Facebook is rarely out of the headlines and June bore witness to a particularly outrageous scandal regarding details leaked by a former CIA technical worker claiming that the US National Security Agency had been using a top-secret programme called Prism to collect citizens’ emails, phone calls, social media messages, photos and documents by accessing the servers of Apple, Facebook, Microsoft, Yahoo, Skype, You Tube and Google. A number of companies were quick to issue denials but there is little doubt that many of us have been under surveillance, and will continue to be so as governments continue haphazardly to juggle civil liberties and security. Before you panic, in the EU steps have been, and continue to be, taken to safeguard people’s e-privacy, but bear in mind that legislation is complex, evolving and arguably always going to be out of date as technology advances so fast. A spokesperson for the Office of the Information Commissioner says: “Any organisation that processes personal data in the UK must comply with the UK Data Protection Act. The act places legal obligations on organisations that help to ensure that they are looking after people’s information correctly; this includes making sure that the information is secure and that organisations are open with users about how their information will be used.” At once recognising that protecting your personal data is a fundamental right, and that the free flow of personal data is a common good, EU law states that “personal data can only be gathered legally under strict conditions, for a legitimate purpose” and “you have the right to complain and obtain redress if your data is misused anywhere in the EU”. There is even an initiative (though being shirked by the UK) being discussed as part of the EU’s General Data Protection Regulation that will allow people “the right to be forgotten” – where all their details can be deleted from cyberspace if they so choose. This will become a more pertinent issue as people become savvier about online reputation and their “digital tattoos”. In May 2012, legislation was passed that meant websites had to get consent from users before installing cookies on their systems, but it was then changed to a simple warning on the website and tacit consent was agreed to be enough. But this is not good enough for many people – according to a 2011 survey of 4,000 mobile phone users by Futuresight for trade body GSMA, 84 per cent wanted to be able to choose whether to receive advertising based on their browsing behaviour. Selecting “Do Not Track” in your browser settings is one solution to this problem – Internet Explorer, Safari, Opera, Firefox and Google Chrome support various methods of tracking protection. According to Firefox, when the feature is enabled, it will “tell advertising networks and other websites that you want to opt out of tracking for purposes like behavioural advertising”. But Do Not Track “may interfere with some personalised services you enjoy”. This might sound like a reasonable compromise, but in April, an article on wired.com by Peter Swire warned: “Without effective targeting and tracking, advertisers argue ad revenue could plummet and lead to the shuttering of many popular websites that rely on third-party ads as their primary source of revenue.” And an “arms race” could begin whereby “the digital cookies currently used to track user habits are blocked by the browsers – only to have the advertisers respond with even more sophisticated tracking methods like digital fingerprinting”. So what can you do? Frost says: “People need to be aware. They don’t need to be frightened, but they need to take a grown-up attitude towards this. If you get value from giving your data away, do it with care. If society benefits from your data, do it with care because if you let your data go astray it’s very difficult to retrieve it. You should give it away to someone who will respect it, and for something that you value.” Greig agrees: “If something is free on the web, then you’re the product. Somebody’s got to be able to make money to pay for these free services, and they’re doing it by sharing data with somebody else. That’s fine if people accept that trade-off. Where it becomes tricky is when people aren’t aware of what’s going on.” CONTACTS bigbrotherwatch.org.uk dataguidance.com ec.europa.eu/justice/data-protection fairdata.org.uk getsafeonline.org ico.org.uk mrs.org.uk Jenny Southan