Consumer Tracking and Surveillance: Who is Watching You?

October 3, 2016

         

Consumer tracking is a complex issue. New technologies have many enticing features, and that privacy risks can seem remote compared to immediate benefits like customized directions, or a friend request. We know that often, using services that monitor your behavior seems like your only choice – it might feel like you will miss out on an important part of life if you decide not to use popular services like Google or Instagram.

However, CCLA is concerned about how corporations collect and use your personal information. Organisations are required by Canadian privacy law to collect and use your data responsibly, but unfortunately, Canadians’ privacy rights are not always respected.  

For this reason, we want to make sure that you are informed about how corporations collect and use your data. This guide will give you information about when you are being tracked, how you are being tracked, the risks that come from being tracked, and some steps you can take to protect your privacy. We hope you can use this guide to make more informed decisions about whether you want to give companies access to your personal information.

 When and How Am I Being Tracked?

You might be aware that private companies collect data about you – you’ve probably experienced targeted advertising while browsing the web, or when using social media services like Facebook. Maybe you’ve even explicitly consented to data collection when filling out a survey, or entering a sweepstakes contest. 

However, though some forms of consumer tracking may seem like common knowledge, companies also use a number of tracking methods that are subtler, and less well-known. We have set out below what we think are some of the ways that companies monitor people.

 

Location Tracking: Wifi

You might be aware that it is possible to track the location of your cellphone through GPS technology – you have probably noticed apps like Google Maps or Waze ask for this information. However, location tracking involves more than just GPS signals – your phone’s Wifi capabilities can also be used to determine its location. In fact, locating your phone using Wifi signals is much more precise than GPS, and works even in places where GPS cannot, like in the subway. 

Locating your phone using Wifi is somewhat technical, (for more information check out this article)  and there are several different ways to do it. However, broadly, it is possible to determine your phone’s location using Wifi signals because as you move through the world with your phone, it is constantly emitting signals searching for Wifi networks to connect to. It is possible to determine your phone’s location by measuring how long it takes those signals to reach a Wifi router. The distance indicates how far you are from the router, and thus, your location.

This method can also be used by third parties to figure out your location. When your phone is in range of a Wifi network and emitting signals, the person running the network will be able to see your phone’s Media Access Control Address (MAC). The MAC is a unique number associated with your mobile device. So, when your phone is in range of a Wifi network, the person operating the network can identify your device and determine its precise location.

This information is really valuable to retail establishments, who want detailed information about their customers and their habits. As a result, when you are in range of a retail establishment with a Wifi network, they may be tracking your movements. Retail establishments can use your phone’s Wifi signals to find out when you go into a store, and when you pass them by. Within the store, they can figure out what displays you stop in front of, or what aisles you linger in. They may use this information to inform how they organize their stores, or even to strategically send you advertising based on your location in the store. The data they collect could also be combined with information collected by other retailers. For example, a number of stores in a mall could develop a detailed profile of where you went on a shopping trip by combining together the information each collected about you individually (for an example of how this works, look at this).

 

Video Surveillance and Facial Recognition Software

Another trend in consumer tracking is the widespread use of surveillance cameras by shopping centers, office buildings, and other public areas. For example, there are roughly 500 cameras in or around the Eaton Centre, and close to 13,000 cameras in the TTC network. We are very used to seeing these cameras, and we often assume they are part of a security system. However, there are many possible uses for the data captured by these cameras.

We at the CCLA are concerned about this trend, especially because  the surveillance cameras organizations use are frequently not strictly obeying privacy law. Those who use surveillance cameras are supposed to let you know you are being recorded, as well as telling you: 1) who is operating the camera, 2) who you can contact about questions, and 3) the purpose of the surveillance.

Despite these requirements, research suggests that 70% of privately owned Canadian video surveillance networks do not inform citizens they are being filmed. If businesses do put up a sign to let people know about the surveillance, they normally still neglect some of the required information, like giving you contact information or telling you who is operating the camera.

Video surveillance is especially concerning because facial recognition software is becoming more and more sophisticated. Facial recognition software is able to identify people using only an image of their face. Once a person has been identified, organizations can then link their identity to other information they have collected about them. For example, in the retail environment, facial recognition software could be used to scan customer’s faces and identify them. If a customer’s face is scanned and identified each time they enter a store, the retailer could track their purchasing history and their shopping preferences over time, and connect the individual to that history each time they entered the retail space. As a result, the customers would lose their ability to go in and out of stores anonymously. This could all happen without the consumer even knowing that they had been identified, or that there was any information associated with them.

While facial recognition software is still in development, it has already been used in some Canadian contexts. For example, Saks Fifth Avenue, which recently opened a new location at the Eaton Centre, uses facial recognition in its stores to identify potential shoplifters and thieves, as well as to track and identify customers.  Other corporations, like Facebook, are actively working to expand their facial recognition technology. Facebook has featured some of these abilities through their Moments app, which scans photos to identify the people within them, though these features were not all included in the Canadian version of the product. It is likely that as facial recognition software continues to develop, more and more retail actors will adopt it for use in their stores.

 

Loyalty Cards

Retailers also track you using loyalty cards and programs. Loyalty programs are initiatives that offer consumers benefits if they download an app to their phone, or carry a card. Consumers sign up for the program, typically providing their name, age, gender, address and email address, and collect points by swiping or scanning the card or app each time they make an in-store purchase. For example, Shoppers Drugmart gives users points that lead to discounts each time they swipe a Shoppers Optimum Card, and the Starbucks Rewards program gives members free coffees if they make purchases through an app on their phone. There are hundreds of examples, and most of us have at least one or two loyalty cards in our wallets.

Often, businesses don’t tell you that the objective of these programs is not to give you rewards, but rather to collect detailed information about you. Using loyalty programs, businesses will track information like how often you visit the store, the brands and products you buy, and when you buy them. They may use this information to guess what products you will want in the future, and to better target their advertising to get you into the store more often. The information these programs collect can also give stores incredibly intimate insight into your life . For example, the information you provide to a retailer could be used to figure out when you are going on vacation, if you are coming down with a cold, or your personal hygiene habits, based on your purchases.

 

Online Shopping and Consent

Online retailers also invest considerable effort into tracking your behavior. Tracking cookies are one of the most common ways that online stores track your behavior. Cookies are bits of text that websites download onto your browser while you are online. The cookie identifies you to websites when you go back to them more than once, keeping track of your preferences, like your password and user name. Tracking cookies are a type of cookie that do more than remember your preferences – they also remember information about everything you do online, then send that information to whoever installed the cookie. They record things like what websites you visit, where you are in the world, and what you click on when surfing the web (for more information this is a good article). By tracking this information, retailers are better able to target advertising to you – they will know at what point you abandon an online shopping cart, or if you choose not to shop with them after looking at a competitor’s website.

Typically, companies inform consumers about tracking cookies either through a pop up that tells a user that if they keep using the site they are consenting to the use of cookies,  or simply by including a link to a privacy policy at the bottom of their website. Retailers will often claim that either of these practices count as obtaining consent for installing tracking cookies. However, the CCLA has several concerns about this practice. Technically, consent is supposed to be “informed,” that is, you’re supposed to know what you’re saying ‘yes’ to. But consumers often are not aware of what tracking cookies do, how they are different from other cookies, or what the implications are of allowing them to be installed on their browser. Most people don’t read privacy policies, partly because they are often long, and written in a really complex way that is hard to understand.

 

 How are companies using my information?

 

Often, we provide information to entities on the basis of couple of assumptions – we may assume that companies will keep our information to themselves, that it is anonymous and can’t be linked back to us, or that it will only be used to improve the services we use from day to day. However, we at the CCLA are concerned that often, these assumptions are not in line with the reality of how companies use your data. We want consumers to understand how the Big Data industry works, so that you understand the implications of giving companies your personal information.

 

Data Aggregation

When you give companies access to your personal information, they often do not keep it to themselves. Commonly, data sets are sold to data aggregators. Data aggregators are businesses that gather information about people, and sell it to other organizations. They combine together data sets they have purchased, as well as publicaly available information they have scraped from the internet from sources like public records, newspapers, and social media accounts. For example, in Canada, the Cornerstone Group of Companies offers organizations “mailing lists or other data to prospect for new customers,” and offers a range of services to assist organizations to find new customers, enhance their data, and monetize their customer lists (here is an example). The data aggregators are able to develop very intimate profiles of consumers, and may have much more information about you than you realize.

As a result, the data you provide in any given context does not function in isolation – instead, it is combined with all the other data points you have made available about yourself over time. This is important to consider when you are asked to provide what seems like only a small amount of information about yourself – like your email address, postal code, or shopping habits. You should remember that this data is being used to complement what is likely already a detailed portrait of you and your habits.

 

Deidentification

Another common misconception about data collection and aggregation is that consumers provide information anonymously, and that it cannot be linked back to the person who provided it. However, this conception is often inaccurate.

It is true that it is possible to remove clearly identifying information like names or SIN numbers from data sets. This process is called deidentification. Deidentification varies from simple methods, like removing names from a data set, to more complex methods that remove even more information.

However, deidentification does not always keep data anonymous. Even when companies deidentify data, they collect so much incredibly detailed information that it often remains distinctive even after clearly identifiable information has been removed. For example, think of your web searches. Even if your name were not clearly associated with them, you have likely googled your address, events happening in your neighborhood, health services you access, information about your school, people you know, movies and TV shows you have seen, and other things related to your own unique set of circumstances and life experiences. If someone had even a small amount of information about you, they could potentially use it to link those searches to you.

For this reason, some data scientists have suggested that no data can truly be anonymized (read the abstract of one study here). Because the data our modern devices collect is so unique and detailed, with the right technical skills and resources, it is likely possible to reidentify any data set. Data scientists have demonstrated this possibility a number of times. For example, in 2006, AOL released deidentified information about the search histories of its customers to the public. Data scientists were able to use this information to identify the searches of a specific 66-year-old woman.

 

Predictive Analytics

The personal information that you provide to companies can also impact you down the line in ways you may not anticipate. Companies use the data you give them in predictive analytics, a statistical method for analyzing large data sets. Predictive analytics tries to find connections between different factors in a data set, and uses those connections to predict consumer behavior. A very simple example of this type of prediction might be a finding that when it is rainy, umbrella sales go up, or that women are more likely to buy fruit scented shampoo. Predictive analytics, of course, are now capable of much more advanced conclusions – in fact, they can often find connections between data points that are unexpected. For example, in the US, Target used predictive analytics to find out that buying unscented hand soap is a potential predictor that a woman is in the second trimester of a pregnancy (want to read more? see this story).

As a result, when you give companies information, you should know that they may use it for this type of analysis. Further, you should keep in mind that the results of the predictive analytics may impact you in ways you don’t expect. For example, consider the connection between unscented hand soap and pregnancy. The people who contributed information that helped establish that indicator were Target shoppers who had no idea their behaviour was being tracked and analysed. In general, few if any women who subsequently became pregnant and receive discount coupons for soap would ever know that their behaviour had contributed to the kind of offers that were popping up in their inbox.

Predictive analytics can also be used to draw conclusions about big societal groups. These conclusions will also impact how organizations interact with you. Organizations may tailor their interactions with you based on assumptions they have made about how people in your age, gender, or socio-economic bracket act. For example, a retailer might make conclusions about what coupons to offer you based on whether you are a man or woman, or what neighborhood you live in. This type of analysis can reinforce some of the differences between social groups and lead to social sorting (for more information about this, the FTC in the US did a great report). For example, lower income individuals may be put on lists identifying them as credit risks. Financial institutions may choose not to show people on those lists advertisements for competitive mortgage or lending rates. As a result, the low income individuals would not know about the same borrowing options as higher income individuals. In this way, predictive analytics and targeted advertising can reinforce inequalities, and lead to different groups having different experiences and opportunities. When you give organizations your information, you are helping them draw these conclusions, and letting them know what assumptions to make about you.

The information you provide also impacts you in other contexts. For example, insurance providers use Big Data to draw conclusions about factors that predict life expectancy or injury, including lifestyle choices, your neighborhood, or the type of car you drive (see for example, this article). As a result, your personal information could impact your insurance rates.  Big Data is even used by law enforcement. For example, some police forces in the U.S. use the Beware Software, a statistical analysis software that reviews data sets, including commercial data bases and deep Web searches, to tell police forces what your risk assessment is when they are responding to emergency calls (for more information see this story).

Given these trends, we at the CCLA think that it is important to think about how your data will be used when you provide it to commercial entities. When you consent to tracking online, or in an app, you probably don’t expect it to impact your insurance rates, or your interactions with police. You should consider whether and how organizations will use your information when you provide it to commercial actors.

 

What are my rights?

 

Canadians’ privacy rights are not stated explicitly in the Charter of Rights and Freedoms or any of our other constitutional documents. However, courts have long recognized that privacy rights are important to democracy, and that legislation protecting privacy has a quasi-constitutional status.

There are two key pieces of legislation that protect your privacy rights and regulate what the government and private corporations can do with your data: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act governs what data the government can collect, and how they can use it. PIPEDA sets out requirements for how private companies may collect, use and process your data. In some provinces, like Ontario, Alberta and BC, there is also provincial legislation governing data collection and use. Often, the provincial legislation is substantially similar to the provisions in PIPEDA, though there are small differences from province to province. The companies who collect your data in the ways we discuss above are governed by PIPEDA, and are required to comply with its provisions.

Under PIPEDA, organizations are only permitted to collect, use or disclose your data “for purposes that a reasonable person would consider appropriate in the circumstances.” You should be informed of this purpose when your data is being collected, and organizations are not to use your information for another purpose unless they gain your consent.  The collection must also be limited to what is necessary to satisfy the stated purpose – they should not be collecting extraneous information.

Organizations also need your consent to collect your information, and are not to collect it without your knowledge, unless the circumstances fall under one of a number of exceptions, such as if an organization is collecting the data for a journalistic purpose. Private companies are also prohibited from disclosing your personal information to others without your consent, again with several exceptions, like when information disclosure is necessary in an emergency to save a life.

You might notice that it seems like a number of organizations do not follow these provisions, or that when they follow them, it is only in a cursory way – for example, by telling you the purpose of the collection in a long, complicated privacy policy that is difficult to read and understand. We agree – we recently provided policy submissions to the Office of the Privacy Commissioner that recommended, among other things, that Canadians’ privacy would be better protected if the privacy protections in PIPEDA were better enforced.

 

So, what can I do?  

           

 If you are concerned about the privacy issues we have talked about above, there are a couple of things you can do to protect privacy or to get involved politically.

 Protect Your Privacy

The first thing that you can do is make choices that will protect your privacy. For example, you can choose the most privacy protective settings on social media, and turn off location tracking on your phone. When downloading new apps, signing up for new services like loyalty cards, or creating a profile on a website, it is important to think critically about what information an organization is requesting from you, and what they might do with it. Weigh the risks we have identified for you with the benefits you might get from a given service. If you don’t think an organization will use your information in a responsible way, don’t give it to them!

You can also actively seek out products and services that protect your privacy. There are a number of services that provide you a degree of privacy online, such as search engines that allow you to conduct encrypted web services, Chrome plugins that hinder third party tracking, and anonymous email providers. You can find great list of privacy protective resources put out by the Electronic Privacy Information Center, a list of things to use for mobile privacy from the Library Freedom Project, and a website called “Right to Hide” from one of the members of the international civil liberties organisation that CCLA belongs to, which provides all kinds of information about using privacy protective tools.

 
Stay Informed

Another important thing you can do is to stay informed about privacy issues, noting new trends and critiques that emerge as technologies change. Keeping informed will help you make more privacy protective choices by helping you to identify risks.

First, you can simply follow the news, keeping an eye out for stories investigating privacy issues, like new types of tracking or cybersecurity breaches. For more tailored information, there are a number of legal blogs that track developments in technology and privacy law. The Canadian Privacy Law Blog is run by a Canadian privacy lawyer, and tracks notable legal developments related to privacy. The Canadian Internet Policy and Public Interest Clinic tracks news and legal developments in internet law, and Michael Geist, a law professor at the University of Ottawa, also runs a blog dedicated to legal developments in privacy and technology law. And, you can learn more about CCLA’s privacy related work on our website, ccla.org. Our Talk Rights website has a growing set of information resources about privacy. 

 
Get Involved

If the issues we have written about concern you, you can also try to get involved politically. You can write letters to your member of parliament, expressing concern about privacy generally, or about a particular practice. 

You can also make your voice heard to industry by choosing privacy protective products, and avoiding ones you think violate your privacy. If consumers let organizations know privacy is a priority, it may encourage companies to develop products that better protect your privacy. You can also write to companies directly to let them know about concerns you may have about their privacy practices, and your preferences as a consumer.

Finally, if you think that a company is acting inappropriately, or think that your privacy rights have been violated, you can made a complaint to a privacy commissioner, who can independently investigate your complaint. If the complaint is substantiated or well-founded, the Privacy Commissioner will normally make a report summarizing their findings and recommendations. They may also request an offending organization to take a particular action.

There is both a federal privacy commissioner, as well as several provincial privacy commissioners. Who you complain to depends on both where you are located, and what type of organization you think violated your privacy. 

The Office of the Privacy Commissioner of Canada deals with all complaints related to data that flows across provincial or national borders. The Office of the Privacy Commissioner of Canada also deals with all complaints related to federal works, undertakings and businesses (FWUBS). This includes:

  • Telecommunications;
  •  Broadcasting;
  •  interprovincial or international trucking, shipping, railways or other transportation;
  • Aviation
  • Banking
  • Nuclear Energy
  • Activities related to marigime navigation and shipping
  • Local businesses in the Yukon, Nunuvut and territories.

If your complaint relates to any of the above types of organizations, you can make a complaint to the Office of the Privacy Commissioner of Canada.

However, if your complaint is about an organization that does not fall into the categories we mentioned above (it is not a federal work, undertaking or business, and does not handle data that crosses federal or provincial lines), who you complain to depends on where you are located and what the complaint is about:

If you are located in Alberta, British Columbia or Quebec, there is provincial legislation in your province that has been declared to be substantially similar to PIPEDA. As a result, if you have a complaint about an organization that collects, uses and discloses data entirely within the province, you should complain to your respective privacy commissioner. The links to the complaint process for each province are below:

  • Alberta
  • British Columbia
  • Quebec
  • Ontario, New Brunswick, and Newfoundland and Labrador have privacy legislation that is substantially similar to PIPEDA with respect to health information only. So, if your complaint relates to how a health information custodian dealt with your information in one of these provinces, you should complain within these provinces.

If your complaint is about a provincial government body, you should complain to the privacy agency within that province. A list of the applicable legislation, and individuals with oversight in each Canadian province is available.