How do companies keep your information private?
News Nugget
Why this Matters
In a dry & logical world, this is where we would end. However, as human beings in a highly complex and emotional world - connecting the world via the internet has opened up a near infinite number of ethical and privacy concerns.
Quick Takes
- Who ‘owns’ your data? Do you own the data a company collects about you? Or does a company actually have ownership of it?
- Should we have the right to know exactly what information a company has on us? The right to request a company to destroy this data? A right to know precisely where our data has been sold (or a right to have a say in the matter)?
- Do Governments need to step in now that it’s becoming apparent that the vast amount of data companies have on us can truly affect issues on a global scale? If so, how much? Will laws and regulations suffice, or will we need something more lasting such as a digital bill of rights?
The first 3 parts of this series talked about:
1.) Website vs Web Applications
2.) The Stack and Frameworks
3.) Domains, Hosting, and Servers.
Each of these topics contributes a piece to what goes into the modern internet. In a dry & logical world, this is where we would end. However, as human beings in a highly complex and emotional world - connecting the world via the internet has opened up a near infinite number of ethical and privacy concerns.
How do companies keep your information private? How does your browser connect securely (i.e., nobody else can eavesdrop) to the server it is communicating with? What do we do about legal gray areas where companies are bending the law for profits while governments move much more slowly? If you are a member of modern society (which you almost certainly are if you are reading this article), you should be paying a great deal of attention to how governments and organizations are tackling these issues.
What's a cookie?
To begin, let’s take a look into how companies actually track you online. The most common method is to use cookies. Cookies are simply small text files placed in your browser (like Chrome) that let the website verify who is visiting. A totally legitimate use of cookies is for logging in and out of web services. If you log into Facebook and check the “keep me signed in” box, you’ll notice that every time you go back you don’t need to log in again. This is because that very first time you checked “keep me signed in”, Facebook’s servers sent both the HTML file your browser requested (so you can see your news feed) AND a cookie. A big difference here is that you can “see” the HTML file in the form of the web page you are viewing. But you cannot see the cookie. The cookie is in the background behind the scenes and is a small text file that contains a secret random combination of numbers and letters. It’s delivered exclusively to your browser, so your browser is the only browser in the entire world that has this cookie (barring any security incidents).
In part 3 we talked about how your browser sends requests to servers, and servers respond back with HTML files your browser (and you) can view. When there is a cookie, your browser will send both a request for the HTML file AND the secret cookie. Facebook knows what the secret cookie should be (because they are the ones who originally sent it), so they can easily verify if it’s correct or not. If it’s correct they will successfully sign you in and show you the HTML file that contains your news feed. If the cookie is incorrect, Facebook will reject your request for the HTML file. Using cookies in this way sounds excellent. They are there to make sure only you have access to your accounts, and keep your information secure by preventing others from logging in as you. However, there is a darker side to cookies that tracking companies can exploit to follow you around the web.
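The login flow described above, sketched from the server's side as an added example (not code from any real service). The cookie name `session`, the in-memory `SESSIONS` store and the 30-day lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side store: sha256(token) -> username.
# Only the hash is kept, so a leaked store does not reveal usable cookies.
SESSIONS = {}

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_session(username):
    """Build the Set-Cookie value sent with the HTML after a successful login."""
    token = secrets.token_urlsafe(32)        # 256 random bits from the OS CSPRNG
    SESSIONS[_digest(token)] = username
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True     # not readable by page JavaScript
    cookie["session"]["secure"] = True       # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"    # withheld from most cross-site requests
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = 30 * 24 * 3600   # the "keep me signed in" lifetime
    return cookie["session"].OutputString()

def browser_cookie_header(set_cookie_value):
    """What the browser sends back on later requests: name=value, no attributes."""
    return set_cookie_value.split(";", 1)[0]

def authenticate(cookie_header):
    """Return the username for a request's Cookie header, or None to reject it."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    if morsel is None:
        return None
    return SESSIONS.get(_digest(morsel.value))

if __name__ == "__main__":
    header = issue_session("alice")
    print("Set-Cookie:", header)
    print("valid cookie  ->", authenticate(browser_cookie_header(header)))
    print("guessed value ->", authenticate("session=guess"))
```
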
Cookies for trackers
Because cookies are unique to each user and can be attached to just about any request from your browser to a company's servers, they can be used to not just keep you logged into a service, but to track your movements around the web (even if you do not consent). To understand how this works, let’s use an example:
There is a tracking company called “XYZ tracking” that wants to gather as much information as possible about users online in order to sell that data to advertisers. These advertisers can then use this data to send you ads specifically targeted towards you and your browsing history. To get this valuable data XYZ tracking needs a way to identify users. To do this, XYZ will place a cookie in the browser of every user who visits a website that uses XYZ’s service. The key here is that the cookie will be the same when the user visits any other site on the internet that uses XYZ’s services. This means XYZ is able to track, identify, and follow you around the internet even when you don’t realize it. If cnn.com and espn.com both use XYZ, then XYZ is able to know you are the same user who visited both sites and all information relating to your visits (how long you stayed, which links you clicked, how often you revisited the site, etc). XYZ then takes this information and sells it to advertisers who can target you based on your browsing history! You may have noticed that the real kicker here is that XYZ can only track you IF the website you visit uses their service. Well, due to the consolidating nature of online services, the chances are extremely high that any highly trafficked website will use one of only a handful of services. In fact, almost a full 50% of the most popular websites on the internet use the same tracking service [source]. This is in addition to a separate study finding that 77.4% of websites globally secretly track their users without their permission [source].
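To see the cross-site identifier from the XYZ example in a browsing capture, the added audit sketch below (not from the original article) flags any third-party cookie value that was sent while visiting two or more different sites. The request log, the host `pixel.xyz-tracking.example` and the cookie name `uid` are constructed for illustration, and "same site" is approximated by the last two host labels, where a real audit would use the Public Suffix List.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed capture: (site in the address bar, host requested, Cookie header sent)
REQUESTS = [
    ("cnn.com",      "www.cnn.com",                "cnn_session=a1"),
    ("cnn.com",      "pixel.xyz-tracking.example", "uid=7f3c9e"),
    ("espn.com",     "www.espn.com",               "espn_session=b2"),
    ("espn.com",     "pixel.xyz-tracking.example", "uid=7f3c9e"),
    ("espn.com",     "cdn.fonts.example",          ""),
    ("blog.example", "stats.blog.example",         "visit=1"),
]

def site_of(host):
    # Assumption: the registrable domain is the last two labels of the host.
    return ".".join(host.lower().split(".")[-2:])

def cross_site_identifiers(requests, min_sites=2):
    """Map (third-party site, cookie name, value) -> first-party sites it was seen on."""
    seen = defaultdict(set)
    for page, host, cookie_header in requests:
        if site_of(host) == site_of(page):
            continue                      # first-party request, e.g. a login cookie
        jar = SimpleCookie()
        jar.load(cookie_header)
        for name, morsel in jar.items():
            seen[(site_of(host), name, morsel.value)].add(site_of(page))
    # The same value arriving from several sites is what links the visits together.
    return {key: sorted(sites) for key, sites in seen.items() if len(sites) >= min_sites}

if __name__ == "__main__":
    for (tracker, name, value), sites in cross_site_identifiers(REQUESTS).items():
        print(f"{tracker} saw {name}={value} on: {', '.join(sites)}")
```
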
To take this back to the physical world: How would you feel if a company secretly photographed and videotaped you while you shopped in the mall? How about not even shopping? What if a company secretly employed private investigators to follow you around the street and pick up on your personal habits? And now what would you think if this entity owned a database containing your photographs, videos, name, address, gender, shopping habits, personal habits (and much more) - and then sold all of this information at will to a different company who is now able to do whatever they want with your data, specifically collected about you, without your knowledge or consent?
Where do we go from here?
These are the very real problems occurring right now in the digital world. Most people are comfortable with where they stand with regard to the physical world. However, as the borders between the digital world and the physical world become more blurred, it’s imperative to ensure that the same protections from one also carry over to the other. Being connected to and using the internet (in even the smallest regard) is no longer “nice-to-have”. It’s become just about impossible to participate in modern society without some degree of being online.
Before moving forward there will be many hard-hitting questions that have to be answered. Until we as a society bring these questions to the mainstream, progress will be inhibited and our data will be freely up for grabs. Some questions to ponder that we will cover in future posts include:
- Who ‘owns’ your data? Do you own the data a company collects about you? Or does a company actually have ownership of it?
- Should we have the right to know exactly what information a company has on us? The right to request a company to destroy this data? A right to know precisely where our data has been sold (or a right to have a say in the matter)?
- Do Governments need to step in now that it’s becoming apparent that the vast amount of data companies have on us can truly affect issues on a global scale? If so, how much? Will laws and regulations suffice, or will we need something more lasting such as a digital bill of rights?