Why do we have so many privacy concerns regarding the internet?

We are provided with news all the time about how Facebook and Google are using our information and violating our privacy. Why is this a new concern that appears to have arisen only in the last decade?

Consider some traditional services: the purchase of goods at a shop, the transfer of money at a bank, the usage of a television channel. They all involve the customer paying the provider (shop, bank, cable provider) an amount of money for the service or good. There is clarity on who the customer is, i.e. the person who receives the good or the service.

How about someone who uses Gmail? He pays no money to Google for the service. Likewise a user of Facebook. How do these non-traditional service providers make their money? They serve advertisements to the users and get money from the companies that wish to advertise. Users are not the customers of Google and Facebook; advertisers are.

The money tends to come in depending on the number of clicks on the advertisements. Why would a user click on an advertisement? To state the obvious: an advertisement is more likely to be clicked if it is relevant to the user. Here is the interesting question: How do Google and Facebook find out what is relevant to their users? They collect data about their users: their browsing habits, the things that they search for, people who are connected to them and therefore are likely to have similar browsing habits…  This is where the privacy concerns come in. The catchy quote goes thus: “If you are not paying for it, you are the product.”

Apple’s CEO Tim Cook criticised this model of doing business – an easy task, since his company gets its money up-front from the user: “I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information,” said Cook. “They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong.”

Take a look at this advertisement by Mozilla.

Imagine someone following you around and noting down everything that you are doing: where you are, how long you remain, what you looked at, what you wore. Some of the technology sites that we are addicted to are the digital equivalents of the creepy guy in the video doing exactly that. In real life we may get a restraining order trying to keep this person away from us. In our online lives, we have invited him into our homes.

More posts on this subject will follow.

My Telco Knows My Ethnicity. Should it?

I received something in the mail in April that caused me some irritation. It was a colourful card wishing me a “joyous new year” – in April. It turns out that various Indian and Indian-derived new years are celebrated in April. Inside, the card contained information about some celebratory programme.

Why would this card irritate me? In just the preceding few months, Christmas, New Year and Chinese New Year had passed without me getting any card. Somehow my telco found out my ethnicity and sent me a card that it figured was tailored to my interests (It wasn’t. I have no idea who those people in the pictures are).

How they figured it out is not a difficult question. Telcos in Singapore (and in many other countries) collect copies of one’s identity card, perhaps as mandated by law, and also to identify the customer during customer interactions. Singapore’s identity cards (ICs) clearly state the person’s race. My guess is that someone at the telco thought it a good idea to collect the personal information about ethnicity for some tailored marketing. It couldn’t hurt, right? After all, it already holds on to the information. Not so.

Singapore enacted a personal data protection act (PDPA) a few years ago. One key idea of the law is that personally identifiable information (such as the information in one’s IC) should only be collected with consent for a stated purpose (such as identifying a person when he calls up the telco claiming to be a customer). Getting promotional material from the company about non-telephone services was not something that I had signed up for.

I exchanged a few emails with the telco’s data protection office. I was advised thus:

“We are using the individual’s ethnicity/race to ensure that we do not send offers/events that are not relevant or potentially offensive to the customer.”

I found this to be objectionable even on some non-privacy grounds, but what I found really problematic was how they ended that email.

“If you could share the reason of why you would not consent to giving this information, it will be helpful for us to see how we can best address your concerns.”

The telco took for granted that I was giving up this information and I would be OK with them using it for the purposes they chose. Without asking me.

In the very last email, the DPO assured me that the telco would not provide my data to third parties for commercial purposes without seeking my explicit permission. I had no such worries. My concern was that they would abuse it internally for commercial purposes without asking my explicit permission, as they already had.

Companies can try to wiggle out of their responsibilities by finding loopholes in the law. My ethnicity is not really the personally identifying information (PII) that is the focus of the PDPA. The problem lies in the fact that it is collected from the IC, that treasure trove of PII, and we have no visibility as to what else the company is doing with our information.

The PDPA was a step in the right direction for Singapore. Many companies have scrambled to follow the letter of the law in terms of visible implementation. They have put up notices on their websites stating who customers can contact if they wish to enquire about the privacy of their data. They have appointed data privacy officers with clear responsibilities. These are mandated by the law and an auditor can verify them.

What is difficult is to bring about a change in attitude toward customer data as something that belongs to the customer and not to the profit-seeking company. Appearing to obey the law may not be too difficult. Understanding and accepting the intent of the law will take some time and motivation.

This essay was originally posted at my LinkedIn page: https://www.linkedin.com/pulse/my-telco-knows-ethnicity-should-vijay-luiz