Privacy and cybersecurity experts tell Bloomington-Normal residents they need to worry more about protecting their information.
The old saying about the internet goes, "If you are not paying for it, you are not the audience, you are the product." And you are the product sometimes even when you do pay because companies will sell your data. Your computer collects information about you through cookies when you visit websites and use social media. Your phone keeps location data and internet use data when you are not on Wi-Fi. Your apps collect information when you shop at the grocery store. Your smart machines like nest devices, smart speakers, even washing machines also harvest data of your daily habits and preferences. You may not be just watching TV; your TV could be watching you.
Companies buy and sell this information to flesh out and better sell their goods and services.
Stephen Ragan is the policy and advocacy strategist on privacy, technology, and surveillance for the ACLU of Illinois. He told the Bloomington-Normal chapter of the American Civil Liberties Union on Tuesday that it's not just commercial habits and taste information at risk. Ragan said even political actors could tailor approaches that could cause you to believe something that might not be true.
"The problem that they can target all this information is that they know so much about us they can kind of trigger us," said Ragan.
You'd think the constitution would protect you from some of this. Not so. And even long-hallowed constitutional protections such as from unreasonable search and seizure could be at risk.
"If someone in a government agency wants to eavesdrop on you, they need to get a search warrant, right? But if they go to a data aggregator and buy all the same data, no search warrant is needed, right? This makes me wonder did we just find a way to hack the Constitution," Dmitri Zhdanov, director of the Center for Cybersecurity Research and Education at Illinois State University.
The same kind of thing is true for medical data. The ACLU's Stephen Ragan said medical providers are governed by strict federal privacy laws. But things like fitness apps aren't. And they can collect some medical information and sell it onward, providing companies with a far more detailed picture of your health and habits than you might want them to have.
Information is important. Before and during World War II, for instance, Ragan said information about individuals lead to state-sponsored violence. Only 14 states now have information privacy laws, and Ragan said those tend not to be comprehensive.
"This is a really common theme that technology always outpaces the law and the law is struggling to keep up," said Ragan.
And Ragan and Zhdanov said there's not a lot that individual consumers can do. Disallowing cookies can make some websites non-functional. You might not want to use certain apps that sell your information if you know about it. Notices about vending information collected typically are tucked away into those end user and licensing agreements no one reads. It's hard to avoid.
Zhdanov said government has even backed off some things. Around 2018 Congress rolled back consumer protection and companies sent out a blizzard of notices they changed their terms of use agreements. Zhdanov said the resolution of complaints is no longer in the courts, it’s in arbitration. To use a service or app, you give up your right to sue.
"And the thing that bugs me personally about arbitration as opposed to open court — arbitration records are sealed. A big company might have 50,000 clients and be abusing them in the same way. If you had a class action (option) that might be a countermeasure, but they cannot find out about each other because — arbitration," said Zhdanov.
Again, just 14 states protect personal data privacy in some fashion. Illinois doesn't have a comprehensive privacy law, but Ragan said the Biometric Information Privacy Act of 2008 does cover your fingerprints, your voice, your facial geometry, and your hand geometry, unless you give your prior consent in ticking the box on one of those user agreements.
Illinois does allow "right of private action" — a lawsuit — if companies misuse personal data or collect it without authorization. But Ragan said that doesn't cover everywhere.
"If there are lax privacy laws in another state and you travel there, those protections don't travel with you," said Ragan.
And information scavenger companies are already moving to do a workaround. California has perhaps the most robust privacy law in the nation, said Ragan. Now some companies are including a provision in their user agreements that you agree to waive "California" protections if you use their app or service.
Ragan said the ACLU is working on a broader health privacy act for Illinois this year. Whether it will pass is not certain.
Zhdanov said Europe and the U.S. tend to look at things very differently. Not only does Europe do an opt in and the U.S. an opt out, but the size of the penalties tends to be vastly different.
"If American courts impose a $50,000 fine on a massive company like the big five in tech, it's nothing for them, a cost of doing business. But in Europe they impose a fine of up to a quarter of annual overall revenue. If that is the fine, the company will think twice whether they want to exploit information," said Zhdanov.
Even if there someday is an overarching federal privacy law, Ragan said it may just words on paper.
"We can have all the privacy laws in the world and if we don't have effective enforcement, if we don't speak in those terms of capital, then companies are going to continue to violate our privacy and kind of operate unimpeded," said Ragan.
Zhdanov and Ragan said there is a consequence to the loss of personal information that can be broader even than a danger of tyranny, personal manipulation, or commercial exploitation. For humans to be truly creative and to express themselves, they need to be able to avoid embarrassment or fear. If you don't control your own identity, you can't do that.