Head Belly Root
Notes Privacy Is Hard Creative Commons License
Chapter 2

You Have Zero Privacy Anyway—Get Over It

  1. S. D. Warren and L. D. Brandeis, "The Right to Privacy: The Implicit Made Explicit," Harvard Law Review 4, no. 5 (December 15, 1890): 193–220.
  2. D. Vincent, Privacy: A Short History (Cambridge: Polity, 2016); S. Keulen and R. Kroeze, "Privacy from a Historical Perspective," in The Handbook of Privacy Studies, ed. B. van der Sloot and A. de Groot (Amsterdam: Amsterdam University Press, 2018), 21–56.
  3. P. Sprenger, "Sun on Privacy: 'Get Over It,'" Wired, January 26, 1999.
  4. Economist, "The World's Most Valuable Resource," weekly edition, Economist, May 6, 2017.
  5. M. Weiser, "The Computer for the 21st Century," Scientific American 265, no. 3 (September 1991: 94–104.
  6. B. Schneier, Click Here to Kill Everybody (New York: W. W. Norton & Company, 2018).
  7. B. H. Bratton, The Stack: On Software and Sovereignty (Cambridge, MA: MIT Press, 2016).
  8. B. W. Kernighan, Understanding the Digital World: What You Need to Know about Computers, the Internet, Privacy, and Security (Princeton, NJ: Princeton University Press, 2017).
  9. The Stasi were the secret service of the German Democratic Republic (former East Germany).
  10. See here, accessed October 30, 2018.
  11. See here, accessed July 16, 2019.
  12. G. A. Fowler, "It's the Middle of the Night: Do You Know Who Your iPhone Is Talking To?," Washington Post, May 28, 2019.
  13. IP addresses originally looked like this: 74.125.136.83 (i.e., four short numbers separated by three dots). This is the format of the original IPv4 addresses. As the number of devices that need an IP address currently exceeds the total number of available addresses, an update of the Internet Protocol (IPv6) provides a much larger address space.
  14. We simplify matters considerably here.
  15. As explained further ahead. Recall that all packets that traverse the internet to exchange data between your computer and the websites you visit also contain your own IP address as the sender.
  16. Such a database is easily constructed, for example, with the help of the billions of smartphones that know their location using GPS, and that can help link these locations to each and every IP address of each new network the smartphones connect to.
  17. P. Eckersley, "How Unique Is Your Web Browser?," in Privacy Enhancing Technologies, 10th International Symposium, PETS 2010, ed. M. J. Atallah and N. J. Hopper (Berlin: Springer, 2010), 1–18.
  18. E. Mills, "Device Identification in Online Banking Is Privacy Threat, Expert Says," CNET, April 24, 2009; P. Laperdrix, N. Bielova, B. Baudry, and G. Avoine, "Browser Fingerprinting: A Survey," arXiv:1905.01051 (2019).
  19. On the one hand, cookies are more reliable for tracking than IP addresses as your IP address may change over time when you connect to the internet from different locations, whereas a cookie usually never changes after it is first set. On the other hand, cookies can be deleted (and many browsers do so by default).
  20. J. Martin, T. Mayberry, C. Donahue, L. Foppe, L. Brown, C. Riggins, E. C. Rye, and D. Brown, "A Study of MAC Address Randomization in Mobile Devices and When it Fails," Proceedings on Privacy Enhancing Technologies (PoPETs) 2017, no. 4 (2017): 365–383.
  21. This chapter only scratches the surface of this important topic. Luckily, many excellent books have been written about this— for example: P. E. Agre and M. Rotenberg, Technology and Privacy: The New Landscape (Cambridge, MA: MIT Press, 1998); D. J. Solove, Understanding Privacy (Cambridge, MA: Harvard University Press, 2008); W. Christl and S. Spiekermann, Networks of Control: A Report on Corporate Surveillance, Digital Tracking, Big Data & Privacy (Vienna: Facultas, 2016). Far fewer books discuss approaches to solve the problem instead, which is the main topic of this book. We refer to B. Schneier, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (New York: W. W. Norton & Company, 2015); R. J. Cronk, Strategic Privacy by Design (Portsmouth, NH: IAPP, 2018); W. Herzog, Privacy's Blueprint: The Battle to Control the Design of New Technologies (Cambridge, MA: Harvard University Press, 2018).
  22. We go by many different monikers that subtly change our rights and obligations towards the people using them. It matters whether you are considered a citizen versus a user. Interestingly, the only other "users" beyond those using computers are drug users. See here, accessed September 10, 2019.
  23. S. Boztas, "Look Away: Privacy Watchdog Warns Banks Not to Use Payments for Marketing," DutchNews.nl, July 3, 2019.
  24. Wikipedia, "Global Internet Usage," last modified June 21, 2020.
  25. J. Williams, Stand out of Our Light: Freedom and Resistance in the Attention Economy (Cambridge: Cambridge University Press, 2018); E. Pariser, The Filter Bubble: What the Internet Is Hiding from You (London: Viking /Penguin Books, 2011); V. F. Hendricks and M. Vestergaard, Reality Lost: Markets of Attention, Misinformation and Manipulation (Cham: Springer, 2019). See J. Möller, N. Helberger, and M. Makhortykh, Filter Bubbles in the Netherlands? (Hilversum, Netherlands: Commissariaat voor de Media/UvA Institute for Information Law, 2019) for a critical note, arguing that at least in the Netherlands, few people are captured in a filter bubble as far as their online news consumption is concerned.
  26. Here Technologies is a Netherlands-based mapping data company; see here ;-). See also B. Ferris, "Do I Stay or Do I Go Now? Google Maps Has the Answer in One Tap," Google (blog), January 13, 2016; D. Geere, "Algorithm Predicts Your Location in 24 Hours with 20-Metre Accuracy," Wired, August 14, 2012.
  27. S. A. Thompson and C. Warzel, "Twelve Million Phones, One Dataset, Zero Privacy," New York Times, December 19, 2019.
  28. Such sharing platforms bypass existing laws that regulate public transport or the hospitality business, creating unfair competition with taxis and hotels, while wrecking neighborhoods with the everlasting rumble of wheeled suitcases and soaring housing prices. But the focus in this book is on privacy, so we will for the most part ignore these additional ill effects of recent technological advances.
  29. M. Veale (@mikarv), "When pushed with the GDPR, @spotify gives you a huge amount of telemetry data from their app (for me, 850mb of JSON files). Includes your A/B testing history, anything you've ever drag-dropped, connected, so on. This is how software works today," Twitter, June 28, 2018, 7:26.
  30. C. Doctorow, "Microsoft Is About to Shut Off Its Ebook DRM Servers: 'The Books Will Stop Working,'" Boing Boing, June 28, 2019.
  31. If you don't have access to a computer, or don't know how to operate one: tough luck. For a harrowing illustration of the possible consequences of such a point of view, watch I, Daniel Blake, directed by K. Loach, (BFI 2016).
  32. See Schneier, Data and Goliath for many more.
  33. R. Anderson, "Who Is the Opponent?," in Security Engineering, 3rd ed. (Hoboken, NJ: Wiley, 2020). See also the NSA Files, maintained by the Guardian, accessed July 8, 2019.
  34. G. Greenwald and E. MacAskill, "NSA Prism Program Taps in to User Data of Apple, Google and Others," Guardian, June 7, 2013.
  35. J. Borger, "GCHQ and European Spy Agencies Worked Together on Mass Surveillance," Guardian, November 1, 2013.
  36. 36. B. Schneier, "How the NSA Attacks Tor/Firefox Users with QUANTUM and FOXACID," Schneier on Security (blog), October 7, 2013.
  37. E. Learned-Miller, G. B. Huang, A. RoyChowdhury, H. Li, and G. Hua, "Labeled Faces in the Wild: A Survey," in Advances in Face Detection and Facial Image Analysis, ed. M. Kawulok, M. E. Celebi, and B. Smolka (Cham: Springer, 2016), 189–248.
  38. M. Galič, "Surveillance and Privacy in Smart Cities and Living Labs: Conceptualising Privacy for Public Space" (PhD thesis, Tilburg University, November 19, 2019).
  39. S. Issenberg, "How Obama's Team Used Big Data to Rally Voters," MIT Technology Review, December 19, 2012.
  40. According to Rayid Ghani, chief scientist of the 2012 Obama campaign. See R. Ghani, "Why What Cambridge Analytica Did Was Unacceptable," Medium, March 20, 2018.
  41. M. Mosk, T. Turner, and K. Faulders, "Russian Influence Operation Attempted to Suppress Black Vote: Indictment," ABC News, February 18, 2019. See also here accessed July 10, 2019.
  42. See the Guardian's Cambridge Analytica files, accessed October 16, 2018. See also C. Cadwalladr and E. Graham-Harrison, "How Cambridge Analytica Turned Facebook 'Likes' into a Lucrative Political Tool," Guardian, March 17, 2018.
  43. M. Kosinski, D. Stillwell, and T. Graepel, "Private Traits and Attributes Are Preictable from Digital Records of Human Behavior," Proceedings of the National Academy of Sciences 110, no. 15 (2013): 5802–5805.
  44. C. Cadwalladr and E. Graham-Harrison, "Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data Breach," Guardian, March 17, 2018.
  45. S. Kirchgaessner, "Cambridge Analytica Used Data from Facebook and Politico to Help Trump," Guardian, October 26, 2017.
  46. C. Cadwalladr, "The Great British Brexit Robbery: How Our Democracy Was Hijacked," Guardian, May 7, 2017.
  47. C. Cadwalladr, "Fresh Cambridge Analytica Leak 'Shows Global Manipulation Is out of Control,'" Guardian, January 4, 2020.
  48. The Wall Street Journal What They Know series, https:// www . wsj . com / news / types / what - they - know, accessed December 28, 2019.
  49. P. Kulp, "Ads Will Target Your Emotions and There's Nothing You Can Do about It," Mashable, May 2, 2017; L. Matsakis, "Facebook's Targeted Ads Are More Complex than It Lets On," Wired, April 25, 2018.
  50. See, for example, Facebook for Business, Google Ad Manager, or Google Marketing Platform.
  51. F. Houweling (@freekh), "De VVD wil met deze advertentie mensen op Facebook bereiken die zijn geïnteresseerd in Geert Wilders," Twitter, January 26, 2018, 1:21.
  52. G. Venkatadri, E. Lucherini, and P. S. A. Mislove, "Investigating Sources of PII Used in Facebook's Targeted Advertising," Proceedings on Privacy Enhancing Technologies 2019, no. 1 (January 2019): 227–244.
  53. R. H. Thaler and C. R. Sunstein, Nudge: Improving Decisions about Health, Wealth, and Happiness, revised and expanded edition (London: Penguin Books, 2009).
  54. K. Petrasic, B. Saul, J. Greig, M. Bornfreund, and K. Lamberth, Algorithms and Bias: What Lenders Need to Know, Report (White & Case LLP, January 20, 2017); A. Johnson, "Big Data Recruiting: All You Need to Know to Get Started," Harver (blog), October 18, 2018.
  55. Ovia, a free menstruation-tracking app, is "pitching a paid version of its app to insurers and large employers who want a heads-up on how many of their members or employees want to conceive." N. Kresge, I. Khrennikov, and D. Ramli, "Period-Tracking Apps Are Monetizing Women's Extremely Personal Data," Bloomberg Businessweek, January 24, 2019.
  56. A. Woodie, "How Auto Insurers Detect and Use Your Driving 'Fingerprint,'" datanami, July 26, 2016.
  57. M. Allen, "Health Insurers Are Vacuuming Up Details about You— And It Could Raise Your Rates," ProPublica, July 17, 2018.]
  58. A. Hannak, G. Soeller, D. Lazer, A. Mislove and C. Wilson, "Measuring Price Discrimination and Steering on E-commerce Web Sites," in IMC '14: Proceedings of the 2014 Internet Measurement Conference (New York: ACM, 2014), 305–318.
  59. J. Mikians, L. Gyarmati, V. Erramilli, and N. Laoutaris, "Detecting Price and Search Discrimination on the Internet," in Proceedings of the 11th ACM Workshop on Hot Topics in Networks (New York: ACM, 2012), 79–84.
  60. J. Valentino-DeVries, J. Singer-Vine, and A. Soltani, "Websites Vary Prices, Deals Based on Users' Information," Wall Street Journal, December 24, 2012.
  61. D. Mattioli, "On Orbitz, Mac Users Steered to Pricier Hotels," Wall Street Journal, August 23, 2012.
  62. L. Beckett, "Everything We Know about What Data Brokers Know about You," ProPublica, June 13, 2014; D. C. Schmidt, Google Data Collection (Digital Content Next, August 2018); I. Bogost, "Welcome to the Age of Privacy Nihilism," Atlantic, August 23, 2018; J. Angwin, S. Mattu, and T. Parris Jr., "Facebook Doesn't Tell Users Everything It Really Knows about Them," ProPublica, December 27, 2016; Christl and Spiekermann, Networks of Control; W. Christl, Corporate Surveillance in Everyday Life (Cracked Labs, June 2017).
  63. United States Senate, Committee on Commerce, Science, and Transportation, Office of Oversight and Investigations Majority Staff, A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes, staff report for Chairman Rockefeller, December 18, 2013.
  64. Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability (Washington, DC: FTC, May 2014).
  65. United States Senate, Committee on Commerce, Science, and Transportation, Office of Oversight and Investigations Majority Staff, A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes, staff report for Chairman Rockefeller, December 18, 2013.
  66. Warren and Brandeis already recognized back in 1890 the impact of business methods on our privacy. See Warren and Brandeis, "The Right to Privacy," 195–196.
  67. Regulation (EU) 2016/679 (GDPR).
  68. Judgment of May 13, 2014, Google Spain, C-131/12 EU:C:2014:317.
  69. See here, accessed July 10, 2019.
  70. J. E. Cohen, "What Privacy Is For," Harvard Law Review 126 (May 20, 2013): 1904–1933.
  71. D. Tokmetzis and M. Martijn, "Lees of luister: Alleen als we privacy zien als iets dat ons allen aangaat, kunnen we de techbedrijven temmen," De Correspondent, September 24, 2018.
  72. UK Parliament Committee on Digital, Culture, Media and Sports, Disinformation and "Fake News", interim report, July 29, 2018.
  73. S. Zuboff, "You Are Now Remotely Controlled: Surveillance Capitalists Control the Science and the Scientists, the Secrets and the Truth," New York Times, January 24, 2020.
  74. P. M. Regan, Legislating Privacy: Technology, Social Values, and Public Policy (Chapel Hill: University of North Carolina Press, 1995).
  75. G. Orwell, 1984 (London: Secker & Warburg, 1949).
  76. S. Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (New York: PublicAffairs, 2019).
  77. F. Kafka, Der Process (Berlin: Die Schmiede, 1925).
  78. Other notable creative works that have addressed the issue of privacy in a compelling way are stories and books like E. M. Foster, "The Machine Stops," Oxford and Cambridge Review, November 1909; and A. Huxley, Brave New World (London: Chatto & Windus, 1932)— both of which appeared before the Second World War— as well as movies like S. Spielberg, Minority Report (20th Century Fox, 2002); and L. Wachowski and L. Wachowski, The Matrix (Warner Bros., 1999).
  79. Solove, Understanding Privacy.
  80. Warren and Brandeis, "The Right to Privacy."
  81. A. Westin, Privacy and Freedom (New York: Atheneum, 1976).
  82. E. Goffman, The Presentation of Self in Everyday Life (New York: Doubleday, 1959).
  83. Agre and Rotenberg, Technology and Privacy.
  84. H. Nissenbaum, "Privacy as Contextual Integrity," Washington Law Review 79, no. 1 (February 2004): 119–158; H. Nissenbaum, Privacy in Context: Technology, Policy and the Integrity of Social Life (Palo Alto, CA: Stanford University Press, 2010).
  85. H. Nissenbaum (@HNissenbaum), "A right to privacy is a right to appropriate flow of information, neither secrecy nor control," Twitter, October 5, 2019, 8:19.
  86. B.-J. Koops, B. Clayton Newell, T. Timan, I. Škorvánek, T. Chokrevski, and M. Galič, "A Typology of Privacy," University of Pennsylvania Journal of International Law 38 (2017): 483–575.
  87. D. J. Solove, "A Brief History of Information Privacy Law," in Proskauer on Privacy, ed. R. P. Blaney, chapter 1 (New York: Practising Law Institute, 2006).
  88. United Nations, "Universal Declaration of Human Rights," General Assembly Resolution 217 A(III), December 10, 1948 (see also here); Council of Europe, "European Convention on Human Rights and Fundamental Freedoms," November 4, 1950.
  89. Only within the European Union to be precise, though: European Union, "Charter of Fundamental Rights of the European Union," Official Journal of the European Union C 326 (October 26, 2012): 391–407.
  90. Regulation (EU) 2016/679 (GDPR); Directive 95/46/EC (DPD), "On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data." In other words, all the organizations that suddenly, at the very last moment, were struggling to comply with the GDPR were most probably in violation of its predecessor for ages.
  91. C. J. Hoofnagle, B. van der Sloot, and F. Zuiderveen Borgesius, "The European Union General Data Protection Regulation: What It Is and What It Means," Information & Communications Technology Law 28, no. 1 (2019): 65–98.
  92. The infamous "right to be forgotten."
  93. M. Kiskis, "GDPR Is Eroding Our Privacy, Not Protecting It," TNW, August 5, 2018.
  94. A. Cavoukian, Privacy by Design: The 7 Foundational Principles, report, revised version (Ontario: Information and Privacy Commissioner of Ontario, January 2011).
  95. Taken from R. J. Cronk, Strategic Privacy by Design.
  96. Normally, this is the case. However, in certain circumstances, even group size can be a proxy for identity. If, for example, in a particular restaurant, the only group of eleven ever to visit is always the Johnson family of eleven people, then clearly recording the group size is recording the fact that the Johnsons were visiting. This shows that even in seemingly obvious cases, data may in practice not be so anonymous after all. We return to the difficulty of truly anonymizing data in chapter 4.
  97. Warren and Brandeis, "The Right to Privacy."