I’ve been looking for a new bike on the Internet, just a brief search, but it’s had big consequences. You see, since then, I’ve been hounded by adverts for sturdy city bikes and versatile MTBs – whether I visit an obscure British music blog or a newspaper website. I’ve been bombarded with them for weeks now.
It’s a result of a super-swift online auction, Robert van Eijk explains. Van Eijk is a doctoral candidate and senior inspector with the Dutch Data Protection Authority in The Hague, the administrative authority that monitors personal details processing. He is hoping to be awarded his doctorate on 29 January for his study of the networks that share information that enables them to sell products and advertisements on the Internet. The methods used by these networks could very well be in conflict with our fundamental rights, such as privacy.
On request, Van Eijk gives a quick diagnosis of my web-surfing:
“Which browser do you use?”
“Google Chrome”
“And you log onto Chrome?”
“Yep”
“And you never log off?”
“Uh, no.”
“Do you ever delete cookies?”
“That’s a no, too.”
“So, you leave traces all the time.”
“Advertising firms like Google monitor everything you show any interest in very closely,” Van Eijk continues.
“There are all sorts of platforms that help advertisers to find potential buyers on various websites. Then there are parties that are very good at enhancing your tracking cookies. They try to stick as much information about you as they can on those cookies. They might not know precisely who you are, but they know which browser and which computer you used and that you’re looking for a bike. An extremely rapid online auction decides who can fill in the advertising space with adverts on the websites you visit. It’s called real-time bidding.”
All those actions take place within a fraction of a second, in ever-expanding networks that collect that information, enhance it and trade it. “From a marketing point of view, you’re a fish they’re reeling in. Next, companies can make offers: those adverts that flash up on your screen.”
To find out how it’s run, Van Eijk listens in to the network traffic. “The server produces a host of answers, jigsaw pieces from different companies: one produces a picture, another a video clip, or a “like” button. I put all that information into a graph, it’s a spider’s web of all the parties who work together and contribute to a web page. It’s possible to apply algorithms to such networks and combine the data, so I can then investigate what is really happening: who’s sharing information about us with whom? And that means we can assess the legal aspects.”
What’s the issue with these networks? “Not being watched is a fundamental right. We mustn’t underestimate its importance. If all sorts of companies know when someone wants a bike, there could be drastic consequences. Snowden’s proved that very clearly.”
Edward Snowden worked for the American secret service, the NSA, and in 2013, he published a large number of documents about that organisation’s large-scale espionage operations.
“For instance, the NSA used tracking cookies to build profiles of certain people. Moreover, the system could also be used to contact you for other matters, like political advertisements. The more you know about a person, through analysing cookies, etc., the easier it is to influence a person, as became evident after the Cambridge Analytica scandal.” Cambridge Analytica used Facebook data and applied psycho-demographical algorithms to it to find out what people were thinking. That information was then used to influence their political preferences.
“We need to solve the problem of tracking cookies following us. We already have the “Cookie Act” in the Netherlands, but there’s proposal for a new European ePrivacy directive too. The directive will make it “forbidden” to use cookies “unless someone gives explicit permission”.
That’s a raising the bar considerably, but we really need to do it. A serious delay in Brussels is the main reason that the directive is not yet in effect, but I’m hoping that my study can help get it passed quickly.”
Van Eijk claims that you can make profiles of people without using cookies, i.e. “fingerprinting”. “For instance, browsers can allow access to sensors in mobile phones. That access is called an “application programming interface” and it physically reads the smartphone’s sensors’ properties. The properties of the chips or the battery in each phone are different, even if they’re made in the same factory, and you can use those differences to calculate a unique signature. We know that that kind of information is used for targeted advertising.
“I’ve come across fingerprinting in Hotjar, for instance, which is a tool used for analysing internet use. It’s more invasive than cookies, because it’s not visible to ordinary users, who are not usually specifically informed about it, either, when they visit a website.”
How does Van Eijk surf the Internet? “I type in the URL of the website I want to visit in a browser and click on very few links. I’ve set my browser, Mozilla Firefox, to delete all the cookies when I close it. I use social media, but only for functional reasons: LinkedIn and Twitter.
“I don’t have a smartphone, at least, not for personal use. I can use anything with a web-interface on my computer anyway, which gives me far more control over the information I don’t want collected. I want to be able to see clearly what happens to my data, and that’s more difficult on a telephone. It’s a habit I’ve picked up from my job.”
Bodycams and trigger-happy cowboys
Peter Swire works for the Georgia Institute of Technology and is an expert on privacy, law and the Internet. He was advisor to Bill Clinton and Barack Obama and has conducted a study of the NSA, the American secret service.
A symposium has been arranged around Robbert van Eijk’s thesis defence ceremony and American university professor Peter Swire is one of the speakers.
Mare spoke to Swire on Skype before the symposium: “In Leiden, I want to talk about the bodycams worn by the police”. The cameras are great for justifying police actions, especially within the context of police violence, for instance, and Black Lives Matter.
Coincidentally, it was announced this week that the officers of Leiden’s special investigation and arrest units are to be equipped with bodycams. “All those images raise some tough issues. What do we do with the footage? How do we make sure that’s processed and stored safely? The police are not exactly the best experts when it comes to cybersecurity. And what are they allowed to do with all that footage anyway?”
After Edward Snowden’s disclosures, Swire was commissioned to investigate the National Security Agency (NSA). “We were granted highest priority clearance and spoke to lots and lots of staff. The impression, particularly in Europe, was that the service was like a trigger-happy cowboy who broke all the rules.
That’s not the case. In fact, we discovered that the NSA had set up an extensive programme back in 2008, in which they had laid down the impact of legislation on the service. The service kept a close eye on its staff too, to make sure they actually abided by the law.
“We came across some odd stuff, though. There were some cases of LOVEINT: love-intelligence, staff who used the options offered by the NSA to investigate their loved ones, or people they had a crush on. There were nine of those cases, and those persons had been punished too, and even fired in some cases.”