All Tech Considered
Tue October 1, 2013
Your Digital Trail: Private Company Access
Originally published on Wed October 2, 2013 3:21 pm
This is the second story in our four-part series examining your digital trail and who potentially has access to it. It was co-reported by G.W. Schulz from the Center for Investigative Reporting. Yesterday, we examined how data can be collected as you go through your everyday life. Today we look at how data-tracking companies are monitoring your online behavior.
While news reports have focused on the National Security Administration and its efforts to monitor people's phone calls and online activities, private companies you have probably never heard of are also tracking what you are doing, just about everywhere you leave a digital footprint.
So, who has access to the personal information you put online? To begin to answer that question, we examined what happens to the intimate information that millions of people share with online dating sites.
"I use Match.com and OKCupid," says Jithu Ramesh, as she joins a throng of 20- and 30-somethings at Busboys and Poets, a Washington, D.C., cafe. Their tables and the bar counter are covered with glasses of beer and wine and platters of hummus squeezed next to their laptop computers.
Ramesh says she does not hesitate to fill out the websites' questionnaires, such as on OKCupid, because she says it's the best way to find a match.
"It asks you about your drug use, it asks you about how many sexual partners you've had, sexual habits," says Ramesh. OKCupid's computers pair people who seem to fit each other's answers. The users can then message each other anonymously until they decide if they want to reveal more.
"Usually I don't share my name until we've exchanged a few messages and I feel comfortable," says Ramesh.
But when we sit down at a computer with Ashkan Soltani, a digital privacy specialist, he reveals how unprivate this information can be.
He sets up a fake account at OKCupid.com to demonstrate how private companies are tracking what you're doing online.
Soltani used to work at the Federal Trade Commission, where he helped investigate how Google and Facebook handle consumers' privacy. Now a private consultant, Soltani has testified before Congress and written widely about Internet privacy issues.
OKCupid's questionnaire asks Soltani for a wide range of information, including his gender, age, income, religion, ethnicity, whether he's "left wing" or "right wing," and whether he supports abortion. It also asks if he drinks alcohol and uses drugs. "And I'm going to pretend that I drink very often," Soltani says, clicking on that answer. "For drugs, I select 'often,' just for the purposes of this interview."
Then, Soltani launches two software programs — Collusion and MITM Proxy — that, in effect, pull the curtain aside and show the inner workings of the Internet. The Collusion program reveals that almost 50 companies are tracking Soltani's computer as he visits the dating site. The program depicts each company as a white circle against a black background, labeled with its name. Some of those companies are advertising firms, while others collect information and then sell it to ad firms or industry research companies.
There's nothing unusual about OKCupid — websites commonly allow other companies to monitor what users are doing on their sites.
MITM Proxy, the other program Soltani uses, shows information that those companies are receiving from OKCupid as Soltani visits the website. Some receive basic information such as his age, gender and body type. Others get more personal details. "They know that we're Middle Eastern, drinking very often, smoking, yes," Soltani reads.
And the software shows that at least one company, Lotame, learned that Soltani uses drugs "often." Executives at Lotame didn't return our emails and phone calls, and a spokesman at OKCupid declined an interview. However, Lotame's website states, "Lotame does not buy, sell, or otherwise use information related to drug use frequency." But Soltani's software shows us in black and white: Even if Lotame doesn't use that information, Lotame receives it from OKCupid.
"So by me being naive and disclosing to OKCupid that I do drugs," Soltani says about his made-up answers, "this company that I've never heard of gets to know that I commit a crime."
A Not-So 'Creepy' Explanation For Data Collecting
The head of a national group financed by the Internet industry shakes his head when he hears that executives at OKCupid, Lotame and other companies would not give us interviews about how they track people's computers on the Web.
"I think companies haven't figured out how to talk to people about data or privacy," says Jules Polonetsky, executive director of the Future of Privacy Forum. "And we think that's a big part of why the industry has such a bad rap. They're worried that [consumers'] reaction will be, 'That's creepy. I don't like it.' "
But Polonetsky says most companies that track users have an innocent explanation: They are helping other companies advertise their products directly to you, or personalizing their service to buy your loyalty. Have you ever wondered: Weird, I keep getting ads for running shoes; how do they know I jog?
"The other day I downloaded a prayer book app," says Polonetsky. "The first thing it did when I opened it up, it asked me for location, and I'm like, what?"
He says he couldn't figure out why a prayer book app would ever need to know his GPS coordinates. But then the app sent him information on the closest synagogues, including their scheduled prayers.
"So it was actually trying to help me," he says.
Polonetsky says that most of the companies that track users don't know their personal identities. But he acknowledges that the companies can identify their computers. Every time you browse the Internet, companies can put invisible markers on your computer called cookies.
In theory, nobody else's computer has the same cookie. In addition, your Internet service provider tags your computer with another marker known as an IP address. So, as you browse the Web, companies can recognize your computer as it moves from site to site — knowing, for example, that the same computer or mobile device that downloaded Jewish prayers last week also checked out new cars a month ago, researched asthma and heart disease a few months ago, and scouted for hotels in Hawaii last night.
To reassure users who think this kind of tracking is "creepy," as Polonetsky puts it, some Internet providers let you click on a feature now labeled "Do Not Track," or similar language. But researchers such as Jonathan Mayer, of Stanford University's Center for Internet and Society, say the feature usually doesn't prevent companies from tracking you — it's merely a supplication. Many companies ignore it.
Most companies "go to some great length" to keep your name, email and any personal information from being linked with your searches, Polonetsky says.
Leaks In Personal Data
But some computer researchers say their studies contradict that. "One of the greatest myths about Web privacy is, 'Don't worry, it's all anonymous,' " says Mayer. "There are, in fact, many ways that what you do online is not anonymous."
Mayer and his Stanford colleagues studied almost 200 companies on the Internet, from Home Depot to Facebook. The results showed that more than 60 percent of those websites leaked personal information, such as usernames or email addresses, to other companies that track you.
Researchers use the term "leak" to suggest that the tracking companies may have received the personal information inadvertently. Mayer says inadvertent or not, that information would make it easy for law enforcement or private companies to figure out a computer user's actual identity.
"I at least take many of these companies at face value," says Mayer, "when they say, 'We don't want to know who the users are; we just want to show them a more relevant ad.' " But, Mayer says, "there's a world of difference as far as privacy goes between, 'We know who you are — we just at present don't act on that information,' and, 'We have no way of knowing who you are.' "
Mayer also says that as a handful of companies take over more and more of the digital world, it's becoming even easier to profile Internet users. To give one example, Mayer logs onto Google with the username and password of a willing NPR producer, Emma Anderson.
"And I don't mean to really single out Google," says Mayer, as he logs in to her account. In fact, he says Google is more open than many companies are about some of the personal information it collects.
He clicks through Google's menu until he comes to a section that reveals details about Anderson's life — including appointments and Internet searches that she forgot. For example, the name of the man with whom Anderson had scheduled a meeting on her calendar, her idle Web search one day for the latest gossip about TV reality star Kim Kardashian and her new baby, the YouTube videos Anderson has watched, and the confidential NPR projects she is researching, which she stores in Google's cloud.
Google also knows Anderson went to a pizza bar on M Street NW in Washington, D.C., because she used Google Maps to get there.
A Google spokesperson declined an interview, but sent a written statement: "We are committed to keeping people's information safe and helping them control their personal data."
Google has reported in the past that law enforcement demanded information from its users' accounts more than 21,000 times last year. Google has sometimes resisted, but a company report says it turned over information for roughly two-thirds of the requests. Other big companies like Yahoo, Facebook and Microsoft say they get tens of thousands of requests from law enforcement, too. But none of the companies has revealed exactly what kinds of information they surrender.
Meanwhile, back at Busboys and Poets, we told Ramesh that the intimate details she puts on OKCupid might not be as private as she would like.
"It doesn't bother me," she says about big companies or corporations getting access to her personal information. "I feel like I'm just a statistic, or data for them. Will my mom have access to it?" Ramesh asked. "Probably not."
Research for this story by NPR's Emma Anderson.
AUDIE CORNISH, HOST:
It's ALL THINGS CONSIDERED from NPR News. I'm Audie Cornish.
MELISSA BLOCK, HOST:
And I'm Melissa Block.
This week, we're exploring the many ways you share personal information with the digital universe, whether you know it or not. When you search online, when you shop, when you look for love.
And as NPR's Daniel Zwerdling reports, if you leave a digital footprint, private companies you've likely never heard of are keeping track.
DANIEL ZWERDLING, BYLINE: We stopped by a popular cafe one evening here in Washington, D.C. Lots of 20 and 30-somethings, beer and wine, plates of hummus. And the first three we talk to say, yep, they share intimate details about themselves on the Internet.
Hi, guys. Could I ask you a question for a second? Have you ever used one of those dating sites online?
SASHA: Yes, I met my current boyfriend of three years on OKCupid.
ZWERDLING: Can I use your name?
SASHA: Use my first name. It's Sasha.
JITHU RAMESH: My name is Jithu Ramesh. I've tried OKCupid, Match.com.
ZWERDLING: Have you ever used a dating site? Millions of people do. And they spotlight one of the most sensitive questions in the digital world: Who has access to the personal information you put on the Web? Consider OKCupid.
RAMESH: It asks you about your drug use. It asks you about, like, the number of sexual partners you've had, sexual habits.
ZWERDLING: And did you answer those kinds of questions honestly?
RAMESH: I did.
ZWERDLING: Because websites like OKCupid work by automatically matching people who seem to fit each other's answers. Then those people can message each other, anonymously, until they decide if they want to reveal more.
RAMESH: Yeah, usually I don't share my name until we've exchanged a few messages and I feel comfortable. And I feel like, yes, I'm going to meet you.
ZWERDLING: An understandable attempt to protect her privacy. But back at the office, I sit down with a computer privacy specialist and he gives us a striking demonstration...
(SOUNDBITE OF MUSIC)
ZWERDLING: ...to show how un-private the Internet can be. He signs up with OKCupid, as we watch.
(SOUNDBITE OF TYPING)
ASKHAN SOLTANI: It's creating an account now on this site.
ZWERDLING: And now, OKCupid has said Hooray - exclamation mark.
SOLTANI: That's right. So we're now signing in and we have to choose a username.
ZWERDLING: Ashkan Soltani used to work at the Federal Trade Commission. He helped investigate how Google and Facebook handle consumers' privacy. Now he studies the industry as a private consultant.
SOLTANI: And then we have to create a password.
(SOUNDBITE OF TYPING)
ZWERDLING: And first, Soltani shows us what you see when you go to OKCupid.com. Sure enough, the personal questionnaire pops up on the screen. OKCupid wants to know your sex, age, job, your income.
SOLTANI: Your ethnicity, your body type.
ZWERDLING: Your religion.
SOLTANI: Your diet.
ZWERDLING: Do you support the right to abortion? Are you left-wing or right-wing? How much do you drink?
SOLTANI: And I'm going to pretend that I drink very often.
ZWERDLING: And then OKCupid asks this question: How often do you take drugs?
SOLTANI: For drugs I selected "often" just for the purpose of this interview.
ZWERDLING: And now, Soltani is going to show us what you don't see. He launches special software that basically pulls the curtain aside and shows the inner workings of the Internet. Suddenly, we see what looks like lots of white ping-pong balls moving on a black background. Each of those balls is a different company that's monitoring him as he visits OKCupid.com. He starts counting the companies.
SOLTANI: Oh, wow. This is a lot. One, two, three, four, five, six...
ZWERDLING: There's nothing unusual about OKCupid. Websites commonly allow other companies to monitor what you're doing on their site.
SOLTANI: ...31, -2, -3...
ZWERDLING: But unless you know how to reveal those companies, as Soltani does, they're pretty much invisible.
SOLTANI: ...38, 39, 40, 41, 42, 43...
ZWERDLING: It turns out that 50 companies are tracking Soltani's computer on OKCupid.com. Some are advertising firms, others just collect information and then sell it to ad firms. Soltani's software shows that some companies are getting basic information like his age, gender, body type. Others get more personal.
SOLTANI: They know that we're Middle Eastern, drinking very often, smoking, yes.
ZWERDLING: And the software shows that at least one company has learned that Soltani uses drugs often. That company is called Lotame. Lotame's website states, quote, "Lotame does not buy, sell, or otherwise use information related to drug use frequency," unquote. But the software shows it in black and white: Soltani's drug answer has gone to Lotame, even if they're not using it.
So this company most of us have never heard of, Lotame, learned that you do drugs.
SOLTANI: That's right. So by me being naive and disclosing to OKCupid that I do drugs, this company, Lotame, that I've never heard of, gets to know that I commit a crime.
ZWERDLING: Soltani says, please remember, he made up that answer and others for this demonstration. In any case, we got in touch with OKCupid and Lotame, and many of the other companies that were tracking him at OKCupid. None would give us an interview. So we met with the head of a group that's mainly financed by Internet companies. It's called the Future of Privacy Forum.
One company after another, the executives have said they will not talk with us.
JULES POLONETSKY: Clearly, there are folks who haven't figured out how to make the case for what they're doing. And we think that's a big part of why the industry has such a bad rap.
ZWERDLING: Jules Polonetsky is executive director of the forum. Dozens of leading companies support it, including Amazon, Google, Microsoft and Lotame. The group is trying to find common ground between industry and privacy advocates.
POLONETSKY: I think companies haven't figured out how to talk to people about data or privacy. They're worried that their reaction will be: that's creepy, I don't like it.
ZWERDLING: But he says, you know what, most of the companies that track you have an innocent explanation. They're helping other companies advertise their products directly to you. Have you ever wondered: Weird, I keep getting ads for running shoes - how do they know I jog?
POLONETSKY: There's nothing they should be ashamed of if what they're doing is fair and honest. Hey, we're trying to sell you stuff.
ZWERDLING: Polonetsky says it's true, some companies ask for information that seems too personal.
POLONETSKY: The other day I downloaded a prayer book app. And the first thing it did when I opened it up, it asked me for location. And I'm like what, what? Hey, you're some righteous prayer book kind of thing, what are you also doing this? Later on, I learned it was going to also tell me where the closest synagogue was. So it was actually trying to help me, but it didn't say so up front and so I had my guard up right away.
ZWERDLING: In any case, Polonetsky says, most of the companies that track you don't really know who you are. Now, they do know your computer, because every time you browse the Internet, the companies that track you put invisible markers on your computer. They're called cookies, and cookies are like your own ID tag. In theory, nobody else's computer in the world has the same one.
In addition, your Internet company tags your computer in another way; it's called an IP address. So, as you browse the Internet, some companies can recognize, hey, that's the same computer that downloaded Jewish prayers last week and was checking out new cars the other day and was researching asthma and was looking at hotels in Hawaii. But Polonetsky says...
POLONETSKY: Most of these companies go to some great length to keep this non-personal, to keep your name, your email, your explicit information from being linked together with that.
ZWERDLING: To which some computer specialists say...
JONATHAN MAYER: One of the greatest myths about Web privacy is don't worry 'cause it's all anonymous. And there are in fact many ways in which what you do online is not anonymous.
ZWERDLING: Jonathan Mayer researches Web privacy at Stanford University. He's with their Center for Internet and Society. And listen to this. He and his colleagues at Stanford studied almost 200 companies on the Internet, from Home Depot to Facebook. The Stanford researchers found that more than 60 percent of those websites leaked personal information to other companies that track you.
Leak, that's a term Web researchers use. It means the tracking companies might have received personal information inadvertently, or maybe not. The trackers got usernames or email addresses or other information that could make it easy to figure out who you are.
MAYER: I, at least, take many of these companies at face value when they say we don't want to know who the users are, we just want to show them a more relevant ad. But, of course, there's a world of difference - as far as privacy goes - between we know who you are, we just at present don't act on that information, and we have no way of knowing who you are.
ZWERDLING: And as a handful of companies takes over more and more of the digital world, it's becoming even easier to know who you are. Mayer points to Google.
MAYER: And I don't mean to really single out Google. In fact, I actually think Google, on balance, does a lot better than many companies.
ZWERDLING: Mayer means that Google is more open than many companies are about the personal information they collect. If you have an account, you can go to a section on Google that shows some of the details it's gathered about your life. To give us a glimpse, Mayer looked up information that Google has archived about one of our producers. Her name is Emma Anderson. She gave him her password.
MAYER: Google here is indicating that there is a calendar, an event scheduled on that calendar was talking with J.D., not quite sure who J.D. is, on August 15th.
EMMA ANDERSON: Yeah, J.D. is a friend from my university. I didn't realize that I had synched my calendar, I guess, to my Google account.
MAYER: A Web history is kind of interesting. So I guess you were looking into Kim Kardashian's kid just a few days back.
ANDERSON: (Laughing) Apparently I was, yeah, just on my phone, I think.
ZWERDLING: This one company, Google, also knows what YouTube videos our producer has watched. It knows about her NPR projects, which she stores in Google's cloud.
MAYER: The document you worked on most recently is called "Full State by State."
ANDERSON: Another story that I'm working on.
ZWERDLING: Google's computers know where she's gone.
MAYER: You navigated to possibly a bar on M Street in Washington, just a few days back.
ANDERSON: Oh, it's a - yeah, it's a pizza place and I guess there's a bar.
ZWERDLING: We asked Google's spokesperson for a recorded interview and she declined. She sent a written statement, quote, "We are committed to keeping people's information safe and helping them control their personal data," unquote.
MAYER: Okay. Let's see. You were looking to buy a Carl Sagan autograph earlier in the year.
ANDERSON: Yeah, my boyfriend's birthday was coming up. He's into Carl Sagan.
ZWERDLING: So far, Google won't say whether police or, say, the FBI have gotten access to those kinds of personal details. Google has reported that law enforcement demanded information from its user accounts more than 21,000 times last year. Google has sometimes resisted, but a Google report says the company ended up turning over information in response to roughly two-thirds of those requests.
Other big companies like Yahoo and Facebook and Microsoft say they get tens of thousands of requests from law enforcement, too. Meanwhile, back at the cafe bar in Washington, D.C., we told one of the customers, Jithu Ramesh, you know those intimate details you put on the dating site, they might not be as private as you think. Does it bother you?
RAMESH: It doesn't bother me when somebody is - like, something is as removed as like a company, like a big corporation looking at it. It's not personal at all to me. I feel like I'm just a statistic or data for them. Will my mom have access to it? Probably not.
ZWERDLING: But know who can get access to some of your personal digital files? Your neighborhood lawyer. It turns out that some states consider private attorneys to be officers of the court, so lawyers can issue subpoenas for your phone texts, credit card records, even your digital medical files, despite the HIPAA law. Lawyers say that's one of the best ways to dig up dirt these days on people like cheating spouses. Daniel Zwerdling, NPR News.
BLOCK: Our story was co-reported by G.W. Schulz at the Center for Investigative Reporting. Tomorrow, we'll hear how the Bill of Rights has failed to keep up with the digital age. For more on our series, you can go to npr.org. Transcript provided by NPR, Copyright NPR.