21 years later: Se7en privacy horror is our reality

David Barton GDPR, Uncategorized Leave a Comment

A brief exchange in the 1995 film Se7en shows us just how far our expectations of privacy have been eroded in the intervening two decades. Detectives Mills (Brad Pitt) and Somerset (Morgan Freeman) are on the trail of a particularly grisly serial killer and need a break in the case.

Somerset: For years, the FBl’s been hooked into the library system, keeping records.
Mills: Assessing fines?
Somerset: No, monitoring reading habits. Certain books are flagged. Books on, say, nuclear weapons… “Mein Kampf”. Anyone who checks out a flagged book has his library records fed to the FBl.
Mills: Wait. How is this legal?
Somerset: Legal. Illegal. These terms don’t apply.

Mills is visibly uncomfortable with the revelation that the FBI can monitor reading habits. The jaded Somerset dismisses his concerns, refusing to even engage with any moral debate. If for some reason you haven’t seen Se7en yet, you should. If you have, you’ll remember how it all turned out. Then watch it again anyway. Either way, the takeaway from Se7en for us is that it was at least still slightly shocking twenty years ago that a government agency could spy on US citizens.

Today, post-Snowden and after years of both fictional and real-life examples of government tracking, snooping and data collection, few of us would react as the innocent Mills did. We might dislike the thought of a permanent record of our conversations, emails, Internet habits and even physical movements ending up in front of government employees, whatever their reasons, but we could hardly be surprised. An impotent sense of resignation is more likely.

Promiscuous Cookies

While being spied on by governments is one thing, we still might be shocked to find out how extensively our Internet reading habits are being tracked by private companies. The cornerstone of this invisible surveillance is the humble cookie.

Cookies can be pretty useful little things to both web developers and website users. They enable a site to remember a user, so that we don’t need to log in every time we visit. Cookies can be used to remember site preferences, allowing users to customize their experience on a site. Put an item in your shopping cart and a cookie is probably helpfully going to keep it there for when you checkout. But many – especially third-party cookies, or cookies set by a site other than the one you’re visiting – are actively there to facilitate the recording and analysis of our behavior so that we can be shown supposedly relevant advertising across the web.

The Internet is fueled by advertising and current advertising technology depends on targeting. To carry out that targeting, websites and companies all over the world have for a long time been putting cookies on our devices. These cookies report home to their creator whenever we load any website, leaving a trail of crumbs recording almost our every click, or at least the URL of the sites we visit.

From the point of view of an advertiser, it is far more effective when these cookies are synchronized across companies and this is done regularly and freely. Maybe you deleted your cookies from one website but not from another. Or you accessed some sites on a different device. Synchronizing cookies from different sites fills in the gaps. Building up a comprehensive portrait of an Internet user is good for business, if your business is the targeting and re-targeting of ads at people who fit into a certain demographic or might be thinking about a particular purchase.

False Sense of Anonymity

At the murky edge of cookie synchronization is the potential to pair up your Internet habits with your real-life name and address. Personally identifiable information (PII) is often claimed to be radioactive data by advertisers and advertising platforms, as something that nobody wants to obtain or hang onto. But there is no technical limitation on building up a profile of an Internet user that includes a range of PII, such as name, email address, IP address, physical address and beyond. In fact, it seems that the use of cookies for advertising, and especially cookie syncing, is aimed at gathering and storing as much data as possible.

Once two trackers sync cookies, they can exchange user data between their servers. This data can be browsing histories or even PII… To be clear, we don’t know if this is a common practice. But this is precisely my point: cookie syncing enables a world of back-end data sharing, and there is so little oversight of the tracking ecosystem that we just don’t know what is happening behind the scenes. And this is a problem. Based on the evidence of what we can observe in the browser, it seems that every avenue for data collection and sharing does seem to eventually get utilized… Given the sophistication of today’s trackers, starting a truly fresh browsing profile is a very difficult task — the web never really forgets. Steven Englehardt

Starting a truly fresh browsing profile is a very difficult task – the web never really forgets.

It isn’t difficult to imagine a range of future uses for this hoard of cross-indexed data: healthcare providers, insurance companies, private detectives, currently unimaginable oppressive regimes – all would undoubtedly be very interested in even the most innocuous searches made throughout our online lives. Even if real names are never attached to potentially embarrassing or compromising Internet searches, that doesn’t make it any easier to accept that nothing is really private – or forgotten – on the web.

And cookies are just the beginning. Fingerprinting is an even more effective – and disturbing – approach to gathering comprehensive user data.

The Internet is the modern library. We use it for research, entertainment, escape. But these days it isn’t just a disapproving librarian (and shadowy government agency) who knows your secret proclivities and interests. Everything you do on the Internet is being stored, examined and evaluated by a myriad of unaccountable private companies. They may only be interested in selling you stuff for now, but does that make you any more comfortable with their insight into your Internet habits?

 

ABOUT PAGEFAIR

PageFair’s ad serving technology displays safe and respectful ads in a way that adblockers are unable to block. It is the leading global authority on adblocking, issuing the most widely-cited reports on the topic over the last four years. PageFair is also working with global stakeholders, including publishers, consumer groups, advertisers, agencies, and browsers, to develop sustainable approaches to advertising on the web.