
When Privacy Falls Short
It is essential to acknowledge that not all efforts to enhance user privacy yield successful results. Part of my research involves looking at the great feats that can come with robust data privacy, but learning from faulty or lacklustre experiences is just as important for developing a better understanding of user needs and wants. I needed to discuss scenarios where the outcome was less than ideal, because new technologies are becoming available and evolving rapidly. A notable example of this is the App Tracking Transparency (ATT) initiative, introduced by Apple in 2021. The primary purpose of ATT was to provide users with the option to opt out of app tracking on iOS, thereby creating a more transparent relationship between the user and the company attempting to track them.
A study led by Johnny Lin and Sean Halloran, the founders of Lockdown Privacy VPN and former Apple engineers, found that the number of active third-party trackers remained unchanged and that ATT had little to no impact on tracking attempts (Lin & Halloran, 2023). This was discovered when apps were onboarded and tracked using Lockdown Privacy twice: once when selecting “Ask Not to Track”, and another time when ignoring the prompt. Using the Lockdown Privacy app on iOS, they found negligible differences between the two scenarios, concluding that ATT was functionally ineffective. Apple, a pioneer of many privacy-focused initiatives, has unfortunately fallen short with App Tracking Transparency. Hypotheses can be formulated regarding the reasons for this shortfall. Arguably, Apple has no incentive to regulate the App Store, given that it constitutes a significant portion of their revenue, and they receive a 30% cut from all purchases made in and through their App Store. This situation contrasts with first-party apps and their specific privacy policies.
With a recent software update, Apple introduced Advanced Data Protection, making a significant portion of Apple’s services end-to-end encrypted, meaning not even Apple can read the data being transmitted. The perception of privacy when it comes to first-party (made by Apple) versus third-party (not made by Apple) applications is where ATT falls short, as it provides a false sense of security to a user who may be accustomed to a certain standard of privacy when using an Apple device. I want Apple to more rigorously vet the content that is uploaded onto the App Store for better data protections and to take action when an application overreaches the trust it asks its users to place in it. The UI elements are already there, and applications like Safari already do this. Prompting the user about App Tracking is a truly great feature to help with the understanding of privacy; it just needs to be implemented in a way that isn’t an empty promise. The development of Data Wallet was inspired by this very idea of ATT, and it could feasibly exist in iOS for users to view data transactions much like financial or location data.
The feasibility of Data Wallet came into question when I started to look into how it could be realistically implemented in an operating system and what it would require from users and developers alike. Most users simply do not understand where their data is going, and Data Wallet aimed to showcase the transactional element of that process. However, it rested on the assumption that the Wallet had access to such data and could provide the user with the ability to block and/or restrict data going off the device; an inverted toll booth, let’s say. Handing such power to the user may not sit well with app developers who rely on these invisible transactions - the irony.
Looking at the scale and funding behind Apple, implementing a feature like Data Wallet in time for their next WWDC sounds simple enough. The development of the app isn’t the challenging part, however; forcing developers to go through the toll booth may not be a welcome change and would require a strong hand and an unwavering commitment to user privacy at the expense of business relations. As a user, I am evidently not fond of my digital data being used as bartering chips in the exchange of vast wealth among large corporations. Realizing the assumptions required to turn Data Wallet into a reality, I wanted to investigate how I could still give power and autonomy to users without needing to bend to others. In Privacy Toolkit, I explore how on-device changes could be made or enabled to protect a user’s data without requiring the acknowledgement of third parties.
It’s Not You, It’s Them
In October 2023, the Pew Research Center (PEW), a nonpartisan and non-advocacy fact tank renowned for conducting public opinion polling and demographic research, published a report entitled "How Americans View Data Privacy". This comprehensive study surveyed 5,101 U.S. adults, exploring their personal perspectives on privacy, data, and online habits. A salient observation in the report was the apparent correlation between educational attainment and attitudes towards data privacy. Specifically, individuals with a high school diploma or less expressed greater confidence that those with access to their personal data would use it appropriately, and demonstrated a more relaxed attitude towards privacy (McClain et al., 2023). This contrasts with the attitudes of individuals who had attained at least a college degree.
The report did not delve into the reasons behind this observed phenomenon. However, it is intriguing to note that a higher level of education seems to correlate with an increased awareness of privacy issues and a decrease in confidence in the data management practices of companies. The surveyed individuals were not asked about their specific degrees, suggesting a diverse range of specialties within the group. This diversity makes it all the more interesting to understand how and why post-secondary education leads to heightened privacy awareness, even in the absence of an explicit privacy-related curriculum.
Reflecting on my high school experience in the early 2010s, data privacy was neither a topic of conversation nor part of the educational curriculum. This could be attributed to a simple lack of necessity at the time. Security features such as two-factor authentication were not widespread, many students, including myself, did not possess a cell phone, and the surge of social media was just beginning. Fast forward a decade, and the landscape has dramatically changed. As of 2019, 84% of American teenagers own cellphones (Kamenetz, 2019). The PEW report only surveyed individuals aged 18 and above, yet over half of American children possess a smartphone by the age of 11. The rapid adoption of smartphones and the consequent expansion of the data pool available for companies to harvest underscore the critical importance of incorporating privacy and data education into the school curriculum.
However, the challenges do not end there. Companies like Facebook are leveraging the extracted data to create complex algorithms that construct digital identities of their users, encompassing vast amounts of data that are difficult to comprehend. This development further emphasizes the need for robust privacy education and awareness.
Uneasy Lies The Head That Wears The Crown
Zuboff's interpretation of the "God View" concept, in conjunction with the revelations from the Cambridge Analytica scandal, paints a disconcerting picture of the future. The stranglehold that Big Tech companies exert over their users is progressively tightening, fuelled by an expanding understanding of their respective "God Views". The scandal that unfolded in 2018 was not merely an exposé of data harvesting practices; it offered a glimpse into the formidable power of data in crafting user algorithms and constructing online identities. It was revealed that a substantial portion of the harvested data was linked to political affiliations, including those of former President Donald Trump and Senator Ted Cruz, as well as the Brexit referendum.
What began as a platform for connecting with loved ones and engaging in casual games like FarmVille has morphed into a potent force in politics and policy. Social media now controls the algorithms that dictate the content users see, potentially swaying their perspectives from behind an invisible veil. Our online data is evolving beyond mere IP addresses and phone numbers; it is transforming into a digital persona that mirrors our real-world selves. This persona is used to predict our behaviours and actions before we even make them, underscoring the profound influence and reach of these digital platforms.
Quick! Nobody Is Looking
Exploring how law and order influence data privacy was crucial for my own research. The importance of understanding the ways a user can protect themselves cannot be overstated, but this is a dance and we need a partner: data privacy laws. Players like the EU have had an immense impact on shaping privacy protections, enough to force change upon how Silicon Valley views and produces products and services. A discerning reader may observe that a significant proportion of discourse related to privacy emanates from the United States, the home of Silicon Valley. Google and Meta, two entities identified by Zuboff as potential threats, are situated in close proximity in California. One could hypothesize that there is something unique about the air in California, but a more disconcerting theory could be at play (without undermining the significance of the air).
The United States lacks comprehensive statutory data protection laws, leading to inconsistencies across state boundaries as each state may have divergent and potentially conflicting laws, leaving citizens in a state of confusion and potential vulnerability. This lack of uniformity extends to the global stage, with the United States, along with China, Saudi Arabia, and India, being the only G20 nations without statutory data protection laws. This stands in stark contrast to the European Union, whose laws have served as templates for legislation worldwide. The General Data Protection Regulation (GDPR) enacted by the EU has become the gold standard for data protection. Spin-offs of this regulation include the Consumer Privacy Protection Act (CPPA) in Canada and the California Consumer Privacy Act (CCPA).
The impact of the GDPR is profound because it empowers consumers by holding companies accountable for their handling and treatment of personal data. The GDPR does not take irresponsibility lightly; of the 20 largest fines imposed under the GDPR to date, Meta features in seven of them. These include a €405 million fine for concerns over the processing of children’s data and a €1.2 billion fine for transferring personal data of European users to the United States without adequate data protection measures in place (Data Privacy Manager, 2023).
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law implemented by the European Union that provides individuals with control over their personal data. It imposes strict rules on those hosting and processing this data, anywhere in the world, and applies tough penalties for those organizations that fail to comply with these rules.
The influence of the GDPR cannot be overstated, and it is challenging to envision its implementation in a country like the United States. Given their dependence on data collection and processing, U.S. tech companies could face significant repercussions under GDPR-like regulations. The views of citizens may also vary, given that freedom of speech and commerce are deeply ingrained in society. Due to the complexity and potential impossibility of implementing a GDPR-like policy guideline in the United States, it falls upon its citizens to cultivate their own sense of data privacy and knowledge.
Providing citizens with a simple framework of which data privacy laws apply to them would be a worthwhile idea to expand upon. Canada provides a general template for a breakdown of the Personal Information Protection and Electronic Documents Act (PIPEDA), but in typical legal jargon that is neither interesting nor engaging to read. Developing a website that allows citizens to see what they can do to protect themselves and what services and help are available to them following a breach of data privacy would be a good start. Providing details on what it means to use a US-based service would also be welcome, as the difference between US-based and Canadian-based data servers is potentially not well understood.
What Now?
I Don’t Care
Fair. It is understandable to not care about something that is hard to understand and impossible to see. It happens all around us and we perhaps put it down to coincidence, when we chat with friends about the next summer vacation and then suddenly receive an influx of ads from travel agents or airlines the following day. The things we do online have an impact on anything and everything; it depends on who wants to know. Understand that online data is a form of currency in the biggest marketplace known to man. It’s used by companies to target ads and improve products, and is even sold to third parties. If you don’t control your data, you’re giving away something valuable for free.
Number of Fraud, Identity Theft and Other Reports by Year (FTC, 2023). A substantial increase from the early 2000s.
You may not even have the choice to give it away. In the United States, identity theft is a significant issue. According to the Federal Trade Commission, Georgia had the highest number of identity theft reports per capita in 2022, with 574 reported cases per 100,000 residents (FTC, 2023). The most common was credit card fraud, with bank fraud, loan or lease fraud, and phone or utilities fraud also on the list. Simple practices can be adopted to minimize or prevent potential theft or fraud, such as only browsing websites over https:// and not using public Wi-Fi for sensitive information.
Privacy Toolkit
The unnecessary complexity and high barriers to understanding modern technology leave many consumers confused about their own privacy, even when companies provide simplified marketing terms to break it down. On Apple’s Safari, the “Privacy Report” highlights trackers prevented from profiling your browsing. On Microsoft Edge, a feature called “Secure Network” encrypts users’ web traffic using a Cloudflare-powered VPN service. Many similar features appear in many similar products, but what differs is whether a user knows or cares enough to enable them. The harsh reality is that, as discussed, data has extraordinary value to those who know what to do with it. Those who know what to do with it are great at making products from such vast amounts of data to learn from and have little incentive to stop collecting such a valuable commodity. It is crucial for consumers to have access to privacy knowledge they can use to decide how they would like to navigate such rocky terrain, and I wanted to explore ways to visualize settings or tools so that a user could view them and gain a general understanding of what they do or mean. After learning about potential blockers with Data Wallet, specifically that Apple’s ATT was not a reliable source of information and that large assumptions were necessary to make the product functional, I wanted to explore a simpler way of visualization.
Privacy Toolkit - replacing Data Wallet to view data as a system status rather than a value proposition.
The goal of Privacy Toolkit is to provide a simple way to view complex information. By merging privacy features from various software with system-level operations, navigating privacy settings becomes a simple process. VPN and DNS toggles are at the forefront rather than being buried in settings as on typical devices, along with quick information tiles updating the user on the status of their security. As this is iOS-focused, the “Privacy Protection” tile is built from Safari’s own feature but brought down to a system level. The reason I chose to focus on an iOS direction is that Apple’s business model is built on products (like iPhones) and services (like iCloud) rather than ads. Such a feature is therefore more likely to be implemented there than on an operating system such as Google’s Android.
One thing I have noticed repeatedly is that while a user may tell me that privacy is not a huge concern for them, I cannot help but wonder why that is the case. When an iPhone connects to a public Wi-Fi network the only prompt is that the connection is insecure, assuming that part is even read. There is no indication as to what you should(n’t) do on an unsecured network, so those connecting to it will go about their usual business. There is a distinct barrier when trying to access a website that is not https://, and the user is explicitly asked if they want to continue. This is great; why stop there?
An example of a Siri Shortcut that alerts you when connected to Public Wi-Fi.
In the case of Apple’s iOS and macOS, there are multiple privacy features built right into the software but hidden away, like an optional feature turned off by default called Advanced Data Protection. By opting for Advanced Data Protection, you ensure that most of your iCloud data, such as iCloud Backup, Photos, Notes, and more, is safeguarded through end-to-end encryption. This level of security means that your encrypted data is inaccessible to everyone else, including Apple. Moreover, even in the event of a cloud data breach, your information remains secure.
Ghost in the Shell
Throughout this research, my perception of what I was seeking was unclear. I think I wanted to be safer online and protect my digital identity from potential threats and hacks. I think I wanted to have my guard up and guns loaded in case a breach occurred. I think I wanted anonymity. Now, however, I understand that anonymity was never the goal. I am not running a criminal organization, nor am I hiding from government entities, yet I set myself up in a way so that I could run a criminal organization and hide from government entities. Why? “I have nothing to hide…” is a familiar sentiment I have heard in recent months, and it is indeed true - I don’t. However, privacy needn’t be a switch that is either on or off. Becoming a ghost on the internet was never my intention, yet I am led to believe by security-related marketing that if I do not become a ghost, I am at risk of cyber-attacks and identity theft - I must hide my IP address and I must delete my cookies after every browsing session.
Truth be told, I don’t want to. If I am on DuckDuckGo searching for places to eat, I would prefer it to know my location and show me restaurants around me rather than in Sri Lanka. I would prefer not to log into YouTube and use two-factor authentication every time I open it to watch videos. Being anonymous while searching for tonight’s dinner is more of a pain than a benefit. Throughout this entire process I was not seeking anonymity; I was seeking solitude. I want the power to step away from the connectedness when I choose to. I want to be in my own little cubicle of the internet, shutting the blinds when I require.
This became evident to me when I had a personal experience of the difference between solitude and anonymity. As a member of the LGBTQIA+ community, there are times when my physical identity is a shell that I may need to adapt or change within the context of my surroundings. Travelling to Idaho with my partner, I had an indescribable sense of eeriness walking around the various spots we visited; a feeling I have yet to experience while living in Vancouver. On discovering that Idaho was a GOP stronghold, a sense of fear clouded over me once I felt like an outsider for possibly the first time in my life. Being in an interracial same-sex couple was something I had never thought about until it became “unusual”. In this context, I couldn’t be anonymous; I wanted to go out to eat with my partner and enjoy the activities and amusement parks, the reason we went at all. The identity I had taken for granted as intertwined with my being had now suddenly become a shell: be slightly more masculine and slightly more heterosexual. I craved solitude at that moment. I wanted to feel safe, I wanted to keep my partner safe. Everything became so immersive, feeling the eyes staring at the back of my head while I acted less than myself. This was real and I could feel it. I cannot see the eyes online. I cannot feel the discomfort online. My physical and digital identities are perceived differently. Sometimes I feel as though my online presence is a digitization of Idaho, but it is midnight, and everyone has night-vision goggles apart from me.
What I struggle to convey is that the world wide web is not anonymous. I sit on my sofa writing this work and saving it to iCloud Drive, searching Duck for resources via Private Relay and storing them locally in Zotero. I can imagine that anyone trying to break into my digital life to obtain this document may have a slightly challenging time doing so. This is the bare minimum. I want to live in privacy, but I want to live with some level of convenience. This is a culmination of research and adaptations to workflows, enabling some settings and disabling others, paying for features that protect me and being cognizant of where I step. Others may not. Others may be told to be a ghost or get hacked. Pay for services or get their identity stolen. Buy this or suffer a bad outcome. This is fear mongering, this is dirty marketing. Enabling DoH is free, enabling Private Relay is free* (if paying for iCloud storage at $1.29/month), using digital payment methods over physical cards is free. The barrier to security is rarely cost; it is the lack of information.
#OwnYourData
Being aware of what data you produce and where it goes sounds tricky, but it needn’t be. It becomes complicated because ad companies make it that way through what are known as “dark patterns” in design (Nguyen, 2023). Opting out of cookies becomes challenging while accepting all cookies is a single click; creating a new account takes multiple steps, or you can simply Sign in with Google. Being cognizant of how websites and applications are designed can help you understand what the main objective of the product is. Brittany Kaiser, co-founder of the Own Your Data Foundation, aims to bridge the knowledge gap, advocating for a digitally aware global community. The Foundation believes in empowering everyone to protect themselves online (Own Your Data Foundation, 2020).
The goal is not to become anonymous; it is simply to be aware. It is about providing the tools and resources that let you dictate how you want your data to be used. If using Google and banking on Starbucks Wi-Fi is convenient for you, go for it. Data is becoming the most valuable currency we have ever been able to transact with. Understanding that your data has value and weight in different hands is critical; make them work for it.
Sources
Apple. (2021). iCloud Private Relay Overview. Learn how Private Relay protects users’ privacy on the internet. Apple. https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF
Confessore, N. (2018, April 4). Cambridge Analytica and Facebook: The Scandal and the Fallout So Far. The New York Times. https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html
Data Privacy Manager. (2023, September 19). 20 biggest GDPR fines so far [2023]. Data Privacy Manager. https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020
Duck Duck Go, Inc. (2023, November 5). We don’t track you. https://duckduckgo.com/privacy
FTC. (2023). 2022 Consumer Sentinel Network Data Book. Federal Trade Commission. https://www.ftc.gov/system/files/ftc_gov/pdf/CSN-Data-Book-2022.pdf
Hunt, T., Hunt, C., & Sigurðarson, S. J. (2019, February 21). Have I Been Pwned? PwnedWebsites. https://haveibeenpwned.com/PwnedWebsites#MyFitnessPal
Kamenetz, A. (2019, October 31). It’s A Smartphone Life: More Than Half Of U.S. Children Now Have One [News]. Education. https://www.npr.org/2019/10/31/774838891/its-a-smartphone-life-more-than-half-of-u-s-children-now-have-one
Lin, J., & Halloran, S. (2023, November 30). Study: Effectiveness of Apple’s App Tracking Transparency [Blog]. Transparency Matters. https://blog.lockdownprivacy.com/2021/09/22/study-effectiveness-of-apples-app-tracking-transparency.html
McClain, C., Faverio, M., Anderson, M., & Park, E. (2023, October 18). How Americans View Data Privacy. Report: Online Privacy & Security. https://www.pewresearch.org/internet/wp-content/uploads/sites/9/2023/10/PI_2023.10.18_Data-Privacy_FINAL.pdf
Mehrotra, D., & D’Anastasio, C. (2019, October 16). The Creators Of Pokémon Go Mapped The World. Now They’re Mapping You. Kotaku. https://kotaku.com/the-creators-of-pokemon-go-mapped-the-world-now-theyre-1838974714
Meredith, S. (2018, April 10). Facebook-Cambridge Analytica: A timeline of the data hijacking scandal. CNBC. https://www.cnbc.com/2018/04/10/facebook-cambridge-analytica-a-timeline-of-the-data-hijacking-scandal.html
Meta. (2023, February 1). Meta Reports Fourth Quarter and Full Year 2022 Results [Press Release]. Meta Investor Relations. https://investor.fb.com/investor-news/press-release-details/2023/Meta-Reports-Fourth-Quarter-and-Full-Year-2022-Results/default.aspx
Mullvad. (2023, February 26). Swedish legislation relevant to us as a VPN provider. https://mullvad.net/en/help/swedish-legislation
Nguyen, C. (2023, July 3). 7 Dark Patterns in UX Design: A Guide To Ethical Design. A Better UX Career, Faster. https://uxplaybook.org/articles/ux-dark-patterns-and-ethical-design
Orvill, S. (2024, January 13). Pokemon Go Player Count, Revenue & Stats 2023. Pokemon Go Stats. https://prioridata.com/data/pokemon-go-stats/
Own Your Data Foundation. (2020). DEMOCRATIZING DIGITAL INTELLIGENCE. https://ownyourdata.foundation
Schmitt, P., Iyengar, J., Wood, C., & Raghavan, B. (2022). The decoupling principle: A practical privacy framework. Proceedings of the 21st ACM Workshop on Hot Topics in Networks, 213–220. https://doi.org/10.1145/3563766.3564112
Schneier, B. (2016). Data and Goliath: The hidden battles to collect your data and control your world (First published as a Norton paperback 2016). W.W. Norton & Company.
Surfshark. (2020, December 9). How much does Surfshark cost? Check the pricing. Surfshark. https://surfshark.com/pricing
Tung, L. (2022, March 3). We’re all still using the same passwords, even after they’ve been breached. https://www.zdnet.com/article/were-all-still-using-the-same-passwords-even-after-theyve-been-breached/
Williams, M. (2021, June 29). What’s the truth about the NordVPN breach? Here’s what we now know. Techradar Pro. https://www.techradar.com/news/whats-the-truth-about-the-nordvpn-breach-heres-what-we-now-know
Zuboff, S. (2019). The age of surveillance capitalism: The fight for a human future at the new frontier of power. Profile Books.