Protecting our privacy on social media

You are concerned about how the use of online social media is eroding your privacy. What measures can you take? Here are a few possibilities. You can choose more than one.

  1. Stop using online social media: you will enjoy none of the benefits of social media and suffer none of the drawbacks.
  2. Use social media that is built for privacy. There exists at least one social network (Diaspora– I do not endorse it) that claims to have such aims. I once came across a write-up that said that users of Facebook would be willing to pay a sum to use it rather than have advertisements served to them. The problem is that a subscription will automatically limit the number of users to the network. The value of the network (to users and to the owners) increases in proportion to the number of users. Any entry barrier is value reducing. It works only if you have a close-knit group who are accepting of the desire to share things merely among themselves.
  3. Lock down your privacy controls. See these posts on network-specific information on Facebook and LinkedIn.
  4. Avoid putting any information that you do not want your grandmother to read – the golden rule of social media. You do not have control of what your connections do with information that you have uploaded. Even if a post is privacy restricted, your connections are free to quote you or take screenshots of your posts and post them elsewhere. Do not display your date of birth and other private information that may be used as identity verification measures at banks and such.
  5. Separate social media and other browsing. Log in to your social media using one browser. Do all other browsing using another browser. Set your browser to automatically clear the browser cache each time you close it. The social network will have slightly less knowledge about what you do and are interested in and is unlikely to serve you advertisements for that vacation that you are planning to Bali in a few weeks. Note that if you click on any links within the social network, it will know.
  6. Reconsider the use of phone apps. Look at all the permissions that the app requests when you install it on your phone and consider whether you can indeed tolerate them. It can be hard to not use some apps as most of our social media usage may be on the phone. At the same time, if we do not use the app on our phones, the network has no access to the information in our phones. I have been most concerned about this when using LinkedIn and have (for now) removed the app. Given how much I use it, removing the Facebook app is unthinkable for me at the moment.
  7. Stop posting new things; just use it for getting information about other people. This would put you in the creepy or inactive person category. Some people may not accept connections from people who have no activity, particularly on Facebook.

Also see my previous post: Why do we have so many privacy concerns regarding the internet?

Why do we have so many privacy concerns regarding the internet?

We are provided with news all the time about how Facebook and Google are using our information and violating our privacy. Why is this a new concern that appears to have arisen only in the last decade?

Consider some traditional services: the purchase of goods at a shop, the transfer of money at a bank, the usage of a television channel. They all involve the customer paying the provider (shop, bank, cable provider) an amount of money for the service or good. There is clarity on who the customer is, i.e. the person who receives the good or the service.

How about someone who uses Gmail? He pays no money to Google for the service. Likewise a user of Facebook. How do these non-traditional service providers make their money? They serve advertisements to the users and get money from the companies that wish to advertise. Users are not the customers of Google and Facebook, advertisers are.

The money tends to come in depending on the number of clicks on the advertisements. Why would a user click on an advertisement? To state the obvious: an advertisement is more likely to be clicked if it is relevant to the user. Here is the interesting question: How do Google and Facebook find out what is relevant to their users? They collect data about their users: their browsing habits, the things that they search for, people who are connected to them and therefore are likely to have similar browsing habits…  This is where the privacy concerns come in. The catchy quote goes thus: “If you are not paying for it, you are the product.”

Apple’s CEO Tim Cook criticised this model of doing business – an easy task, since his company gets its money up-front from the user: “I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information,” said Cook. “They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong.”

Take a look at this advertisement by Mozilla.

Imagine someone following you around and noting down everything that you are doing: where you are, how long you remain, what you looked at, what you wore. Some of the technology sites that we are addicted to are the digital equivalents of the creepy guy in the video doing exactly that. In real life we may get a restraining order trying to keep this person away from us. In our online lives, we have invited him into our homes.

More posts on this subject will follow.

My Telco Knows My Ethnicity. Should it?

I received something in the mail in April that caused me some irritation. It was a colourful card wishing me a “joyous new year” – in April. It turns out that various Indian and Indian-derived new years are celebrated in April. Inside, the card contained information about some celebratory programme.

Why would this card irritate me? In just the preceding few months, Christmas, New Year and Chinese New Year had passed without me getting any card. Somehow my telco found out my ethnicity and sent me a card that it figured was tailored to my interests (It wasn’t. I have no idea who those people in the pictures are).

How they figured it out is not a difficult question. Telcos in Singapore (and in many other countries) collect copies of one’s identity card perhaps mandated by law, and also to identify the customer during customer interactions. Singapore’s identity cards (ICs) clearly state the person’s race. My guess is that someone at the telco thought it a good idea to collect the personal information about ethnicity for some tailored marketing. It couldn’t hurt, right? After all it already holds on to the information. Not so.

Singapore enacted a personal data protection act (PDPA) a few years ago. One key idea of the law is that personally identifiable information (such as the information in one’s IC) should only be collected with consent for a stated purpose (such as identifying a person when he calls up the telco claiming to be a customer). Getting promotional material from the company about non-telephone services was not something that I had signed up for.

I exchanged a few emails with the telco’s data protection office. I was advised thus:

“We are using the individual’s ethnicity/race to ensure that we do not send offers/events that are not relevant or potentially offensive to the customer.”

I found this to be objectionable even on some non-privacy grounds but what I found really problematic was how they ended that email.

“If you could share the reason of why you would not consent to giving this information, it will be helpful for us to see how we can best address your concerns.”

The telco took for granted that I was giving up this information and I would be OK with them using it for the purposes they chose. Without asking me.

In the very last email, the DPO assured me that the telco would not provide my data to third parties for commercial purposes without seeking my explicit permission. I had no such worries. My concern was that they would abuse it internally for commercial purposes without asking my explicit permission, as they already had.

Companies can try to wiggle out of their responsibilities by finding loopholes with the law. My ethnicity is not really the personally identifying information (PII) that is the focus of the PDPA. The problem lies in the fact that it is collected from the IC, that treasure trove of PII and we have no visibility as to what else the company is doing with our information.

The PDPA was a step in the right direction for Singapore. Many companies have scrambled to follow the letter of the law in terms of visible implementation. They have put up notices on their websites stating who customers can contact if they wish to enquire about the privacy of their data. They have appointed data privacy officers with clear responsibilities. These are mandated by the law and an auditor can verify it.

What is difficult is to bring about a change in attitude toward customer data as something that belongs to the customer and not to the profit-seeking company. Appearing to obey the law may not be too difficult. Understanding and accepting the intent of the law will take some time and motivation.

This essay was originally posted at my LinkedIn page: