Your Digital Trail: Private Company Access
This is the second story in our four-part series examining your digital trail and who potentially has access to it. It was co-reported by G.W. Schultz from the Center for Investigative Reporting. Yesterday, we examined how data can be collected as you go through your everyday life. Today we look at how data-tracking companies are monitoring your online behavior.
While news reports have focused on the National Security Administration and its efforts to monitor people's phone calls and online activities, private companies you have probably never heard of are also tracking what you are doing, just about everywhere you leave a digital footprint.
So, who has access to the personal information you put on online? To begin to answer that question, we examined what happens to the intimate information that millions of people share with online dating sites.
"I use Match.com and OKCupid," says Jithu Ramesh, as she joins a throng of 20- and 30-somethings at Busboys and Poets, a Washington, D.C., café. Their tables and the bar counter are covered with glasses of beer and wine and platters of humus squeezed next to their laptop computers.
Ramesh says she does not hesitate to fill out the websites' questionnaires, such as on OKCupid, because she says it's the best way to find a match.
"It asks you about your drug use, it asks you about how many sexual partners you've had, sexual habits," says Ramesh. OKCupid's computers pair people who seem to fit each other's answers. The users can then message each other anonymously until they decide if they want to reveal more.
"Usually I don't share my name until we've exchanged a few messages and I feel comfortable," says Ramesh.
But when we sit down at a computer with Ashkan Soltani, a digital privacy specialist, he reveals how un-private this information can be.
He sets up a fake account at OKCupid.com to demonstrate how private companies are tracking what you're doing online.
Soltani used to work at the Federal Trade Commission, where he helped investigate how Google and Facebook handle consumers' privacy. Now a private consultant, Soltani has testified before Congress and written widely about Internet privacy issues.
OKCupid's questionnaire asks Soltani for a wide range of information, including his gender, age, income, religion, ethnicity, whether he's "left wing" or "right wing," and whether he supports abortion. It also asks if he drinks alcohol and uses drugs. "And I'm going to pretend that I drink very often," Soltani says, clicking on that answer. "For drugs, I select 'often,' just for the purposes of this interview."
Then, Soltani launches two software program — Collusion and MITM Proxy — that, in effect, pull the curtain aside and show the inner workings of the Internet. The Collusion program reveals that almost 50 companies are tracking Soltani's computer as he visits the dating site. The program depicts each company as a white circle against a black background, labeled with its name. Some of those companies are advertising firms, while others collect information and then sell it to ad firms or industry research companies.
There's nothing unusual about OKCupid — websites commonly allow other companies to monitor what users are doing on their sites.
MITM Proxy, the other program Soltani uses, shows information that those companies are receiving from OKCupid as Soltani visits the website. Some receive basic information such as his age, gender and body type. Others get more personal details. "They know that we're Middle Eastern, drinking very often, smoking, yes," Soltani reads.
And the software shows that at least one company, Lotame, learned that Soltani uses drugs "often." Executives at Lotame didn't return our emails and phone calls, and a spokesman at OKCupid declined an interview. However, Lotame's website states, "Lotame does not buy, sell, or otherwise use information related to drug use frequency." But Soltani's software shows us in black and white: Even if Lotame doesn't use that information, Lotame receives it from OKCupid.
"So by me being naive and disclosing to OKCupid that I do drugs," Soltani says about his made-up answers, "this company that I've never heard of gets to know that I commit a crime."
A Not-So 'Creepy' Explanation For Data Collecting
The head of a national group financed by the Internet industry shakes his head when he hears that executives at OKCupid, Lotame and other companies would not give us interviews about how they track people's computers on the Web.
"I think companies haven't figured out how to talk to people about data or privacy," says Jules Polonetsky, executive director of the Future of Privacy Forum. "And we think that's a big part of why the industry has such a bad rap. They're worried that [consumers'] reaction will be, 'That's creepy, I don't like it.'"
But Polonetsky says most companies that track users have an innocent explanation: They are helping other companies advertise their products directly to you, or personalizing their service to buy your loyalty. Have you ever wondered: Weird, I keep getting ads for running shoes, how do they know I jog?
"The other day I downloaded a prayer book app," Polonetsky says." The first thing it did when I opened it up, it asked me for location, and I'm like what?"
He says he couldn't figure out why a prayer book app would ever need to know his GPS coordinates. But then the app sent him information on the closest synagogues, including their scheduled prayers.
"So it was actually trying to help me," he says.
Polonetsky says that most of the companies that track users don't know their personal identities. But he acknowledges that the companies can identify their computers. Every time you browse the Internet, companies can put invisible markers on your computer called cookies.
In theory, nobody else's computer has the same cookie. In addition, your Internet service provider tags your computer with another marker known as an IP address. So, as you browse the Internet, companies can recognize your computer as it moves from site to site — knowing, for example, that the same computer or mobile device that downloaded Jewish prayers last week also checked out new cars a month ago, researched asthma and heart disease a few months ago, and scouted for hotels in Hawaii last night.
To reassure users who think this kind of tracking is "creepy," as Polonetsky puts it, some Internet providers let you click on a feature now labeled "Do Not Track," or similar language. But researchers such as Jonathan Mayer, of Stanford University's Center for Internet and Society, say the feature usually doesn't prevent companies from tracking you — it's merely a supplication. Many companies ignore it.
Most companies "go to some great length" to keep your name, email and any personal information from being linked with your searches, Polonetsky says.
Leaks In Personal Data
But some computer researchers say their studies contradict that. "One of the greatest myths about Web privacy is, 'Don't worry, it's all anonymous,'" says Mayer. "There are in fact many ways that what you do online is not anonymous."
Mayer and his Stanford colleagues studied almost 200 companies on the Internet, from Home Depot to Facebook. The results showed that more than 60 percent of those websites leaked personal information, such as usernames or email addresses, to other companies that track you.
Researchers use the term leak to suggest that the tracking companies may have received the personal information inadvertently. Mayer says inadvertent or not, that information would make it easy for law enforcement or private companies to figure out a computer user's actual identity.
"I at least take many of these companies at face value," says Mayer, "when they say, 'We don't want to know who the users are, we just want to show them a more relevant ad.'" But Mayer says "there's a world of difference as far as privacy goes between, 'We know who you are, we just at present don't act on that information,' and, 'We have no way of knowing who you are.' "
Mayer also says that as a handful of companies take over more and more of the digital world, it's becoming even easier to profile Internet users. To give one example, Mayer logs onto Google with the username and password of a willing NPR producer, Emma Anderson.
"And I don't mean to really single out Google," Mayer says, as he logs onto her account. In fact, he says Google is more open than many companies are about some of the personal information it collects.
He clicks through Google's menu until he comes to a section that reveals details about Anderson's life – including appointments and Internet searches that she forgot. For example, the name of the man with whom Anderson had scheduled a meeting on her calendar, her idle Web search one day for the latest gossip about TV reality star Kim Kardashian and her new baby, the Youtube videos Anderson has watched, and the confidential NPR projects she is researching, which she stores in Google's cloud.
Google also knows Anderson went to a pizza bar on M Street NW in Washington, D.C., because she used Google Maps to get there.
A Google spokesperson declined an interview, but sent a written statement: "We are committed to keeping people's information safe and helping them control their personal data."
Google has reported in the past that law enforcement demanded information from its users' accounts more than 21,000 times last year. Google has sometimes resisted, but a company report says it turned over information for roughly two-thirds of the requests. Other big companies like Yahoo, Facebook and Microsoft say they get tens of thousands of requests from law enforcement, too. But none of the companies has revealed exactly what kinds of information they surrender.
Meanwhile, back at Busboys and Poets, we told Ramesh that the intimate details she puts on OKCupid might not be as private as she would like.
"It doesn't bother me," she says about big companies or corporations getting access to her personal information. "I feel like I'm just a statistic, or data for them. Will my mom have access to it?" Ramesh asked. "Probably not."
Research for this story by NPR's Emma Anderson.