In a rare show of bipartisan unity this past Wednesday, Republicans and Democrats on the House Oversight Committee expressed concerns over the rapid spread of facial recognition software used by technology companies. This should make you stop and think very long and hard about what your elected leaders do not understand about the world we live in.
Facial recognition has a unique value to assist law enforcement when criminals use burner devices and circumvent other unique identifiers that the rest of us use to enhance the quality of our online experiences. If you can hang a wanted poster in the post office, or give law enforcement officials pictures of suspects during an APB, if you can put a missing child’s picture on a milk carton, why can’t you use facial recognition to identify that person with a security camera? It’s not a slippery slope for the 4th Amendment; it’s automation.
It is easy to think that facial recognition is like Orwell’s “Big Brother” using a “televiewer” to identify you, but it’s harder to comprehend the other, more subtle, ways this is already accomplished. If you have your browser history on, or your location services on, or if you allow cookies to be dropped, or allow caller ID to be on, if you use credit cards or debit cards for purchases, if you post your vacation pictures on social media … facial recognition is just icing on the cake.
Your day-to-day life contributes to your digital footprint in many ways. Every business in the world is doing its best to become expert in data-driven decision making and marketing. The key component of a data-driven business is a “single view of the customer” or a “single source of truth.” Said differently, every business (and probably the 17 security agencies of the U.S. government) is working constantly to create the most comprehensive profiles possible about everyone. In light of the recent hoopla about facial recognition, let’s review some data points in your profile.
Active Digital Footprint
When you post your vacation pictures on social media, talk about recovering from a total knee replacement, show pics of your kids graduating from kindergarten, or share any other information about your life, it is immediately added to your social media profile (on that social media network), and it can also be scraped by third parties who make a living aggregating information and selling it. This has nothing to do with the security or privacy policies of the social network. You are making the information publicly available on the web. Yes, you are actively publishing very private, very actionable information. If you have completed a LinkedIn profile, your entire resume is publicly available along with endorsements about what you do best.
When you fill out an online survey or fill in a form, you are actively giving your information to someone. In the case of Amazon, Walmart, eBay, or other reputable eCommerce sites, this is very safe to do. But on sites you don’t know or when you click on a pop-up ad to take a celebrity survey, you’re adding information to your profile.
If you want an up close and personal view of just how much information is collected from your active digital footprint, go have a look at what Equifax, TransUnion, or Acxiom knows about you. Unlike Facebook, Google, Amazon, Twitter, and other truly reputable social networks, Equifax, TransUnion, Acxiom, and the like are in the business of selling the data profiles they create about you. Selling data is a perfectly legal and very profitable business.
Passive Digital Footprint
Every time you click a User License Agreement (ULA), accept the Terms & Conditions on a website, acknowledge that a site uses cookies, or turn on location services, you have entered the world of passive digital footprint creation.
Location Services – A report from the New York Times (NYT) in December found that “at least 75 companies receive anonymous, precise location data from apps whose users enable location services.” Several of those companies track more than 200 million smartphones in the U.S. in “startling detail,” with some devices sending their owners’ location more than 14,000 times per day. The NYT reports that location-targeted advertising reached an estimated $21 billion in 2018.
If a company finds a phone that spends 50% of its time at a particular address, it’s easy for an algorithm to deduce that the owner of that phone resides or works at that address. The rest of the information needed to “figure out it’s you” is public record already.
Companies claim that when you allow your smartphone to track your location, your information is fair game. However, that same NYT report found that “the explanations people see when prompted to give permission are often incomplete or misleading,” and that apps “granting access to [your] location will help [you] get traffic information, but not mention that [your] data will be shared and sold.”
Your phone is also tracked via Wi-Fi, wireless network (4G, 3G, soon to be 5G), GPS, Bluetooth, and the manufacturer (Apple, Samsung, etc.). If you pick up your phone, somewhere in the world, the event is logged into a database.
Credit Card Information – Per the security standards enforced by the Payment Card Industry, retailers (both online and offline) are able to keep authentication data (like your security code or debit PIN) only as long as needed to validate the purchase. That information is encrypted. However, shops are legally allowed to keep the cardholder’s name, account number, expiration date, and service code. Many retailers outsource this to third-party security vendors.
It is also legal to reverse-append your credit card data and your email address in a process called reverse-append data enrichment or data enhancement. If you purchase something, the seller has the right to know who you are and can use third-party services to enrich the data you actively gave them.
Keystroking/Keylogging – While keylogging laws vary, imagine that everything you’ve ever typed was searchable – passwords, bank account info, private conversations – every character you’ve ever written. Keylogging software is often installed by protective parents, jealous spouses, and overvigilant employers. But it is also very often installed via malware (hackers like it too).
Google can use keylogging to tell exactly who you are. Your typing is unique, just like your fingerprint or your retina. If everyone in the household uses the same laptop, Google is capable of knowing who is doing what, even without you having to login to your account.
Google, Facebook, and Krux (Salesforce) IDs – These various IDs are used to help companies understand what device you are using and when and are a useful component of consumer usage metrics.
Your Google ID (the email address you use to sign into your Google account) offers a comprehensive collection of you, across the web. Every search result, every click, every email – it’s all collected in a single identifier, which Google uses to target you with ads relevant to you and your interests.
Your Facebook ID is a number that’s tied to your profile but doesn’t identify you. This ID is what other applications use when you allow them to access your Facebook ID, and is what’s used in targeted Facebook advertising. Associated with your Facebook ID is everything that makes you you on Facebook: your name, your personal info, your likes, your friends, etc.
Salesforce’s Audience Studio allows advertisers to target you via a Krux User ID, which is an identifying profile tied to your interactions with third-party data providers like eXelate, DataLogix, and Targus. (Advertisers can enrich this data with other data they have about you, which is called first-party data.) A Krux User ID is a cookie tied to a specific browser on a specific device. Advertisers can then map and reconcile your various IDs into an “Uber-ID,” which is a profile of you that spans all of your devices and browsers.
Viewing Data – “I watch TV; it watches me.” Yep. That’s exactly right. Every content provider is doing everything it can to figure out who you are and what you watch. The ultimate goal is to put the right content (including advertising) in front of the right person in the right place at the right time. Netflix, Amazon Prime Video, etc. have 100 percent of the data because you log into those services. Other video distributors do their best to figure it out by using a combination of everything in this article, plus stuff I don’t have room to go into.
Cookies – Cookies are small data files stored on your device. They’re used so that websites can remember who you are, customize your experience, and offer you up to automated (programmatic) advertisers. Everything you do online is tracked by cookies.
A common use of cookies is retargeting. When you search for something online, companies bid to put an ad for it on every other website you visit that accepts ads. This is super-effective. However, cookies don’t know whether or not you’ve made a purchase, so you can see ads for something you’ve already purchased for a week or so after the fact.
Stop! I’m Terrified!
There’s nothing to be terrified of … yet. In the United States we enjoy the rule of law. We are able to live in houses with glass doors and windows because we have police to enforce our laws. Otherwise, we’d all live behind castle walls and iron gates.
But if you’re terrified, you’re not terrified enough, because online, there is no rule of law.
Could a company use facial recognition to determine who entered a retail store and made a purchase? Yes. Would that help the company attribute people’s behaviors (both online and offline) previous to that purchase? Yes. Should it be legal? It would help advertisers do a better job. How would it hurt you?
Could the police use passive toll booth information to compute that you had been speeding and send you a speeding ticket via automated email? Yes. Is that any different than having a police car hide on the side of the road and randomly hit you with a radar gun? Should that be legal? It would certainly encourage more people to drive at or below the speed limit.
Just about all of the information described above is personal data that you have willingly consented to share. You can worry about facial recognition (although I don’t see a reason to). You can worry about bad actors illegally accessing your data (anything that can be hacked will be hacked; it’s an arms race). You can worry about the volume of information you’ve shared (though you can control this, unless you’re addicted to social media). But in truth, we live in a post-privacy world of our own creation, and there’s no going back.
What keeps me up at night? Deepfakes. By this time next year, we will live in an AI-created post-privacy, post-truth, post-trust era. What will we do about that?
Author’s note: This is not a sponsored post. I am the author of this article and it expresses my own opinions. I am not, nor is my company, receiving compensation for it.