We are in a digital era where every aspect of our lives is interacting with a digital service. The data and metadata of these interactions reflect our personality. Personality-based models help advertisers predict consumer response to an advertisement. Therefore, users’ data and metadata have garnered immense monetary potential. Privacy policies and service agreements govern the transactional data, whereas the metadata is the data collected by ISPs, DNSs, and payment providers. The observers of a transaction may not be privy to the transactional data, but they witness a portion of the digital service, which allows them to make inferences.
Furthermore, with the advent of AI, one of the most significant concerns users have in the current era is how their data is analyzed and used. The limited explanation users get about what inferences and predictions are made about their online activities makes them anxious. With the privacy settings they need to configure on each service they use, keeping track of their data trails is burdensome, time-consuming, complicated, and sometimes impossible. Users are often unaware of where their data is being collected, stored, shared, and processed; thus, a large amount of user data remains ungoverned by the privacy settings they employ.
Online Social Networks are the data platforms where users voluntarily share information in exchange for a unique online social experience. All the user actions on the forum are recorded by the platform with users’ consent and partially by the secondary observers (like ISPs, DNS, PKIs, trackers) to whom the user might not have given explicit consent.
As the business model of Facebook revolves around monetizing user profiles through advertisements, it has built an extensive data collection apparatus called the social graph through a symbiotic app ecosystem (authorized/consented co-observer). This ecosystem partners with the underlying platform in collecting and contextually labeling user actions on or off the forum. For example, an app of type health will allow the platform to record user actions in the context of health. Similarly, for other categories of the app, contextual labeling is done.
From A User’s Point-Of-View
Every online service is composed of entities that play a role in the delivery of that service. The entities vary from hardware devices, like the computers/mobiles through which end users access those services, to software components like browsers/apps doing data representation, ISPs providing connectivity, a DNS helping in endpoint discovery, a PKI authenticating endpoints, and API services supporting payments. The service provider providing services to the end-user is called the primary observer. Other interchangeable entities that enable a service are called secondary observers, who mostly have separate service agreements with the service providers. Accessing a service from different locations like home, office, and cafe will reveal those locations to primary and secondary observers, who monetize their observations.
Assume the service agreement with Social Media Platforms does not cover location information. Assume the bank the user uses is known for providing its services to customers with specific financial strategies. Imagine the logs at the service provider end receiving user device information like iPhone X vs. Android 4.1. Apart from online services, even users’ offline activities are recorded and traded at data exchanges legally, without the end-user being a party to the trade.
Depending on the secondary observer’s position in service composition, users’ information makes its way into different classes. A primary observer has access to all the classes, even the Directly Private Data. By definition, only the user should have control over the Directly Private Data. However, with the advent of AI/ML, it is possible to determine sexual orientation with a very high probability just from a photograph. The accuracy of prediction from observing the data determines user engagement and advertisement revenue.
Google has been venturing into several free services that keep its users as close to its platform as possible: Chrome browser, Android OS, Google Public DNS, Google Trust Services, Public WiFi. It thus reduces the exposure of its users’ data to secondary observers and becomes an omniscient observer itself.
Social Networking Platforms Control Of PII & Its Limitations
Social Networking platforms like Facebook are at the forefront of user engagement through social interaction services like Messenger, WhatsApp, and Instagram. They each have their own services with end-users but funnel the users’ data to the same data center. The platform acts as a primary observer for core services, and the collaborators act as secondary observers. In the context of Facebook apps, as per GDPR, the apps are data controllers, and the platform is the data processor. However, through the analytical service that apps/websites use for audience measurement, a stream of user behavioral data makes its way to the platform. Facebook links this data to the individuals, as it introduced the concept of Local ID such that its collaborators do not link their users’ actions.
The privacy settings of Facebook and its collaborators are disjoint and are set independently. Thus, a personal attribute that a user does not want to share with Facebook but shares with the app makes its way to Facebook’s platform, which is not liable for its protection as a data processor. Another peculiar characteristic of social interactions is that the users share data with other users, which can be observed by other users and apps based on the access control on Facebook on that interaction.
The private data from users’ on-platform and off-platform interactions is used to generate actionable intent markers so that advertisers can identify prospective buyers/consumers. The advertisers can submit several well-crafted campaign requests and later perform intersections on the audiences returned by those requests. This convoluted data flow helps the platform and continuously improves its knowledge base about users, apps, and advertisers.
The perception of an observer is essential because, for any given service, the data and the metadata about users are being observed not only by the entities that compose that particular social networking service but also by the third-party applications about whom the user may not have complete knowledge. The user consents to sharing their data with the primary observers, about whom the user may not have thorough knowledge, most of the time without even reading the Terms and Conditions. After the consent, the user adjusts their privacy settings, deriving a false sense of Privacy Control. The user overlooks the potential of any third-party app that participates in user transactions, either by the user’s choice or by the service provider’s will, to collect, infer, and monetize user data. Despite being provided with legal rights to protect themselves from online tracking and profiling by services, users do not have a comprehensive view of their data scattered across the data ecosystem and thus fail to exercise their rights.
With the security holes on Social Media Platforms, users’ security on these platforms has become a myth. On 25th September 2018, hackers compromised nearly 50 million accounts on Facebook. According to the latest news, the upcoming WhatsApp update will allow Facebook to observe users’ data on WhatsApp and share it with third-party advertisers for customized ad targeting.