Data privacy and power

We need to rein-in data harvesting with more user control and simply less data collection

Dr Vanessa Teague and Dr Chris Culnane, University of Melbourne

Dr Chris Culnane

Published 28 March 2018

If you don’t like the thought of how much Facebook knows about you, take a look at your Google data download. If you have an Android device, you might be particularly interested in the number of times your device incorrectly thought you said “OK Google”, and duly uploaded an audio recording of everything that was being said.

Governments can do more to stop companies from easily harvesting our personal data. Picture: Pexels

Many people who have downloaded their Facebook data have been unpleasantly surprised to find that it included phone call and text metadata they didn’t know Facebook was collecting.

In the wake of the furore over Facebook’s data sharing and its exploitation by data analytics firm Cambridge Analytica, the Australian Prime Minister’s special advisor on cyber security, Alistair MacGibbon, has deftly called out the real issue. “These companies that hold up privacy, and the sanctity of the individual, to us as governments – western, liberal, democratic governments – are the same ones that are then allowing data at the back end to go off out of their control.”

Clearly, if we’re relying on Facebook to uphold our privacy and the sanctity of the individual against our democratically elected government then we’re in deep strife. What should be done? We argue that the best solution is more user control and less data collection.

Why liberal democracies are vulnerable

Detailed knowledge about a person can be exploited for political purposes. One of the allegations against Cambridge Analytica (which it denies) is that it used Facebook data to promote Donald Trump’s US presidential campaign. Targeted advertising is, after all, exactly what Facebook actually sells.

There are two important implications for elections. The first is the opportunity for using data to micro-target inconsistent messages, so that different parts of the electorate vote for the same person, expecting completely different policies. This was always possible, but it’s worse online, and harder to detect.

A second concern is that narrowly-targeted online ads might help the advertiser evade electoral advertising laws in their country.

Cambridge Analytica’s now suspended CEO, Alexander Nix. Picture: Getty Images

But it’s very unclear how well it works, or what the data is exactly. The best we know is from some data on US voters accidentally left on an unprotected server by the Republican National Committee in 2017. It contained detailed information on over 198 million (i.e. almost all) US voters, including demographic data and political inclinations.

Note, however, manipulation like this may not always work – Cambridge Analytica tried but failed in Nigeria.

Governments that tolerate a lot less political freedom also use this data to keep tabs on their own citizens. The Chinese Communist Party monitors its citizens as part of its social credit system. Apple was justly criticised for its recent decision to store decryption keys for iCloud storage in China. This would allow Chinese officials who could access those keys to decrypt Apple users’ cloud storage, though their end-to-end encrypted messaging.

What you can do

There are of course steps that we can all take to better safeguard our data. It may be a little late to delete Facebook, but you could at least stop giving Facebook new information about yourself – run an ad blocker, browse in private browsing mode, and turn off third-party cookies.

You can buy a cover (or just use some tape) for every device camera you take into the bedroom or bathroom, and get them for your kids too. And if you’ve found a good microphone cover, email us!

Be wary of always-on recording devices providing services like digital assistants. If you buy an always-on recording device for your home, it will be… always-on, recording, in your home.

Use end-to-end encrypted communications, like Signal, Wickr, WhatsApp, iMessage and FaceTime. If it’s properly implemented, this means that the decryption key is held only by the person you’re talking to - even the company that sells the software can’t read it. Try to find an end-to-end encrypted cloud storage provider, so that you are the only person with the decryption key to your cloud storage.

But all this data is useful for catching terrorists and paedophiles isn’t it? Perhaps, but according to Apple’s transparency report Australia is third in terms of number of requests for access to devices, behind Germany and the US, which both have much larger populations.

Some targeted surveillance is, of course, a necessary part of keeping everyone safe – the question is how much, and to what extent companies should be obliged to gather extra data just in case. A recent report from the US Department of Justice suggests that the FBI may have not exhausted all its options for accessing the iPhone data of San Bernadino terrorist Syed Farook, but that some in the FBI wanted it to seem hard, so as to pursue an “agenda of obtaining a favorable court ruling against Apple.”

What governments could do

But what should liberal democratic governments do? Even Facebook founder and CEO Mark Zuckerberg is “not sure we shouldn’t be regulated.” The best government response to this controversy would be to work to decrease data acquisition and sharing.

It could mandate easy, ubiquitous opt-outs. When the “OK Google” button comes up on your phone, you should get an obvious and easy option that says “disable this feature and never upload my audio.”

Zuckerberg says “there are things like ad transparency regulation that I would love to see.” So would we.

Even if it didn’t introduce new security vulnerabilities, the Australian government’s move to force social media companies to grant it access to encrypted messages would increase the information available to the companies themselves. We agree with the recent Senate motion which, on the contrary, encourages end-to-end encryption and secure, user-controlled devices.

There’s nothing wrong with government asking companies for data that they have, given an appropriate warrant. But it’s in the best interests of Australia’s security to disincentivise massive data gathering and encourage end-to-end encrypted communications and secure, user-controlled devices. Then companies like Facebook, Google and Cambridge Analytica and their (real) customers will have less data about Australians to share and exploit.

Banner Image: Getty Images

Find out more about research in this faculty

Engineering & Technology

Content Card Slider

Content Card Slider

Subscribe for your weekly email digest

By subscribing, you agree to our

Acknowledgement of country

We acknowledge Aboriginal and Torres Strait Islander people as the Traditional Owners of the unceded lands on which we work, learn and live. We pay respect to Elders past, present and future, and acknowledge the importance of Indigenous knowledge in the Academy.

Read about our Indigenous priorities
Phone: 13 MELB (13 6352) | International: +61 3 9035 5511The University of Melbourne ABN: 84 002 705 224CRICOS Provider Code: 00116K (visa information)