As enormous data breaches become the new normal, we are being forced to confront how much we truly value our privacy. Major incidents like the Cambridge Analytica scandal, which harvested information from 50 million Facebook profiles, and a security breach at British Airways, which affected 500,000 customers and led to a record £183m fine, are just the tip of the iceberg. A study in February found that British firms saw around 10,000 data breaches in the past year. Last year, the EU brought in the General Data Protection Regulation (GDPR), and research shows that the new regulations are helping to drive European data breaches into the open.
But should we have fewer expectations that our personal details will remain private in the age of social media and overt surveillance?
Not according to Matthew Rice, the Scotland director of Open Rights Group, which works to preserve digital rights and freedoms. “Privacy is a fundamental right,” he says. “One that at times can be tested and strained, but individuals should not lower their expectations of fundamental rights. It is governments and private actors that have to change their expectations of access and they need to show greater responsibility.”
Access was at the heart of the row over FaceApp, the photo-editing software that launched in 2017 but experienced a sudden surge in popularity due to a viral “old-age” meme a few weeks ago. Rumours spread that users were unwittingly granting the Russian company permanent access to all photos on their phones, which would then be uploaded to a server in the country for nefarious purposes.
The FaceApp furore died down after evidence proved that the mass photo theft claims were inaccurate. The incident led to many questions, however, about the ways our personal information is being used by tech firms. Over the past year, consumers have become more compelled to seek answers, as Rice explains: “The UK’s data protection authority saw almost double the number of complaints from the public in 2018-19 compared to 2017-18. This indicates a growing concern from the public but also a growing awareness that individuals can make complaints about practices that they are concerned about, or they feel are in violation of their rights.”
Still, governments could be doing much more to engage with the public on the issue. Rice points out that although most people had heard of GDPR, few fully understood their rights and what it meant for their personal data. “It is in the interests of private companies who profit from our data to make privacy policies long, complex and buried. Open Rights Group created the Data Rights Finder to make privacy policies more accessible and understandable,” he said. The service helps customers learn how their data is being used by companies and make requests to change these uses.
Consumers groups say deceptive behaviour by companies is rife. In its report released last November, the European Consumer Organisation (BEUC) accused Google of deceiving customers into being tracked by bundling services and withholding information.
Even when a company’s policies are transparent, their sheer length is often so off-putting that many of us skim over or ignore key clauses.
According to Rice, it is common for companies to sell our data to third parties, but he says the scale of it is “astonishing.” He points to online advertising as an example. “When a person arrives on a given website, their arrival is broadcast to thousands of different advertisers.
Within that broadcast could be data relating to an individual’s politics, mental health, physical health or religion. Those advertisers, having been able to see sensitive personal information, then bid to serve an ad to that individual. Users don’t know this is happening, are unable to restrict it [from] occurring if they want to access a website, and all of it happens in a matter of nano-seconds.”
Advertising is not the only area where highly sensitive details about our lives are being exposed to strangers. Virtual assistants are fast becoming the new privacy battleground, due to their ability to eavesdrop. Facebook recently joined Google and Amazon in admitting workers listened to some users’ private conversations. All three firms say they have paused this practice while a review takes place.
Facial recognition technology, which is increasingly being installed in public and private places, has also attracted much attention. The software has been installed in a Kings Cross development, leading the London mayor Sadiq Khan to contact the owner and demand to know whether the company believes its use in CCTV systems is legal.
Shady practices and intrusive tech are not likely to disappear any time soon but the negative responses they provoke, combined with the growing number of complaints to data protection authorities, shows the public still cares deeply about privacy rights. In the UK, a Welsh office mounted the country’s first police facial recognition legal action in May.
Rice suggests consumers protect themselves by contacting the data manager of relevant organisations to ask what information it holds about them and who it has shared it with. “They have a duty to respond to that request,” he says. “If you aren’t happy with their response, then you have the opportunity to make a complaint to the Information Commissioner’s Office, who have a duty to make an assessment of your concern.”
“This is a difficult area, one that in the past has had costly lawyer’s fees attached to it. However, Open Rights Group are committed to assisting members of the public and welcome the opportunity to stand up for your rights.”