Privacy attacked: behavioral marketing taken to the limit
4th January 2017 by Marie-Claire Péroux
Learn about the practices in big data processing and the direct implications on your privacy and digital identity management.
What are the effects on the cyber-security of your personal data and what is at risk in the future?
Solutions should be found in ethics in the policies and design implemented by all stakeholders in the big data and machine learning field.
Today I want to talk about an idea I recently read about.[1]
I Was Shell-Shocked by This New Folly in Behavioral Marketing.
A company, Clear Channel Outdoor America (CCOA), has developed a new way to track consumers.
Their chief marketing officer, Mr. Levi, describes a new product, RADAR: “data that analyzes people’s movements and uses an algorithm to determine when is the best time to target the right audience.
Levi said it reviews the mobile data to gain understanding of how people move and share behaviors in the real world.“[2]
The interview further explains:
“For example, the system can analyze a device’s GPS location to determine if a user visited a Starbucks and infer that the device owner is a Starbucks patron. Based on this movement, the system can determine what other devices exhibit similar behavior and aggregate the data into an audience of consumers with shared behaviors. From there, it can analyze the group’s daily movement patterns and determine the likelihood of these users passing a Clear Channel billboard.”[3]
To further describe the wonderful system, the consumer is also tracked after the exposure to the connected billboard:
“RADAR traces the behaviors of consumers after they have been exposed to the ads. According to Levi, further analysis by CCOA revealed how consumer behaviors changed after exposure to RADAR’s targeted advertising.“[4]
It arrives at this frightening conclusion:
“Levi anticipates datasets will expand and connectivity will improve, which will ultimately offer greater insights into consumer behavior and improve their mobile device experience. This model is based on data that relies on his behavior and preferences, instead of pushing a random ad.
“If I can eventually get to the point where Starbucks knows that I buy my drink every morning at 7:30 a.m. and it’s typically an iced coffee with almond milk, and I’m walking by my typical Starbucks, and they can push me a message that says, ‘Today it’s free’ or ‘Today it’s $1 off,’ that’s kind of cool for me,” said Levi. “That’s where I’d like to see things get to.”[5]
You do not see anything wrong with this picture? Well, please read further.
To understand my concern, you have to be aware of the purpose and functioning of the Internet of Things (IoT).[6]
➡ FIRST A SMALL RECAP ON WHAT IS DIGITAL TRACKING AND THE COLLECTION OF PRIVATE DATA. You might discover something ...
People suggest that we could be tracked inside our house, in the street and when we enter a shop. All this in a seamless process.
The term IoT covers any means used to record and analyse data through the will of the person (you bought a health tracking device[7]), any connected object that we buy, bring to our home, wear on or in our body or carry in our pocket (smartphones[8]).
It also concerns connected objects recording our every movement in public areas without our express consent, in the street for example; think of the cameras present everywhere we go.
The ever-increasing mass of the Internet of Things (IoT) family, which is just blooming, is predicted to reach 34 billion connected things by 2020. It will collect a staggering amount of personal data crossing every aspect of our life.[9]
Basically, any product can be changed into a connected thing,[10] meaning that there is hardly any part of our life which will not be recorded, analysed, scrutinised.
Even our level of happiness is checked, yes, I am not kidding:
Vinaya is a wearable developer with a special focus on the design process. The company also develops Zenta[11], a bracelet that allows users to track their habits and actions and their effect on stress, happiness and productivity.
Everything we do in our house[12], our behavior at work[13], all these activities produce a huge amount of data stored and analysed constantly.
We are tracked during our travels and daily moves; we might not realise that many of the connected things we carry go on recording our movements nonstop.[14]
What we eat[15], how we entertain ourselves during our travel time[16], how we are doing at sport and where we are practicing it.[17]
Companies even know everything about our pets at home[18].
I could go on describing more tracking of our daily life; it is mind-boggling to discover the commercial rush to the IoT goldmine.
Of course, all these connected “things” will sooner or later be able to communicate between themselves, creating a giant physical web of communication around our body.
This is the difference: the next revolution of the Internet[19] is to bring computers and data communications closer to our behavior and our body, and it is never turned off.[20]
The problem of cybersecurity of this huge web of personal data transfer and storage will soon enough become acute.
The coming General Data Protection Regulation (GDPR[21]) in Europe addresses the protection of personal data of Europeans by imposing “privacy by design” rules. However, it remains to be seen how this set of rules will be implemented by the stakeholders and how effectively the supervising authorities will impose the new, very stringent fines applied to misconduct.
➡ Is this Orwellian world of constant snooping, tracking and controlling of our real life, not only our digital activities behind a computer, worrying anyone out there?
I wonder how many people realise how far the constant tracking has evolved in the last 5 years alone.
The “fun” bracelet bought to check on one’s daily fitness is much more than a gadget.
The connected digital personal assistant sitting on our coffee table can snoop much more than consumers might have agreed upon when buying it.
➡ The question of informed consent of the person subject to the collection of personal data
When we give express consent to the collection of data for a specific purpose of analysis, do we really understand the meaning of data analysis and the power behind big data machine learning?
Our data is constantly crossed with whatever exists on the Internet; since nothing dies there, it could be anything you did years ago and forgot about.
Look at what credit card companies have in mind to improve identification.
When someone says that “companies build digital user identities that are far better than their physical/analogue equivalent.
These identities are built from information that they enter via their profiles, transaction information and current usage information and are further expanded by how their digital attributes behave in applications outside the company, such as via social media, the deep/dark web, banking, remittance and many others.“[22]
I shudder...
Of course, securing the identification of the user is a defensible purpose, but they go to extremes.
They protect themselves first when they plan to collect every possible piece of information available on the card holder to map a digital portrait of the client. More than just digital, by the way, since it includes biological measures that we unsafely give.
I come back to the wonderful world of CCOA (they are surely not the only ones going in that direction).
When the company tries to reassure the reader by saying that only data collection approved by the consumer will be concerned, who are they kidding?
How will an average consumer, not versed in the arcana of complex algorithms, understand or even check that the machine will collect only a limited set of data forever?
How could anyone check the evolution of the algorithms over time?
This is not a little problem; it is the core of informed consent.
Consent should be given in complete transparency and after clear information.
Personal data on our behavior is not mundane; it is what separates us from others. Our way of living and reacting to information should never be the object of manipulation by companies (or governments, for that matter...).
It has to stop, to be tamed once and for all.
A line has to be drawn somewhere!
The consumer cannot always be pressured to give more and more in order to access a service. If the service is incapable of ensuring controls without impeding the privacy of its users, then the service is badly constructed and has to change.
Why go down the road of clear attacks on privacy, always under the cover of security?
Security for whom?
The end user, the consumer, the client is not there to serve the concerns of companies.
I strongly believe that consumer education, made easier through the Internet, is the best answer to the question of informed consent.
Company social responsibility
Respect for privacy is part of companies' social responsibility.
Of course, it is tempting for marketers to sell more and more personalised and targeted advertising, and since technology, coupled with enhanced machine learning capabilities, allows more and more analysis of an ever-increasing pool of data, why not invent the perfect tracking of the unsuspecting consumer?
The problem lies in the question: whom is the technology serving?
The company collecting more and more data to sell more and more quickly to targeted audiences, or the end consumer, falling prey to tactics and powerful behavioral techniques, who thinks he got a great deal from an ad that arrived just after he had been looking into that specific subject? How convenient.
The argument of better service to the end client is often raised when talking about extreme tracking of individuals.
Is it?
Is the client better served when presented a pre-selected array of things or services to buy?
Are these services really based on the person’s interest or on the company’s?
Whom do these platforms serve? Their masters, the developers and the companies buying them, certainly not the end users.
An extremely large amount of details is gathered on your digital and physical life.
Taken individually you might think that it is not so serious if you have given data about your daily physical training routine to a service but it is the extreme pooling and cross-referencing of your data which becomes dangerous.
Everywhere your behavior is recorded; sometimes you have willingly given your consent to the use of cryptic algorithms.
➡ Are you sure you are giving informed consent?
Do you really know where your personal information is kept, in which country?
Are you really sure that the algorithm you consented to has not evolved to gather more than it did the first time?
Do you have any idea how long this information is kept? A month, a year, more? What if your personal information, your very habits, your physical personal information (biometric values like your heart beat, your iris...) is hacked?
You only have one type of iris, one type of fingerprints. Biometric identification seems like a good idea to prevent the stealing of your identity on the Internet, but think twice.
Nothing is 100 % safe, one can only mitigate the risks.
While it is easy to change a password, phone number or any code after a cyberattack, there is no way to alter your biometric identification if and when it is hacked by malevolent people or even countries.
Imagine the power these sorts of files give.
Look at the discussions in France about the TES (Titres électroniques sécurisés) file.[23]
In a country prone to defend human rights worldwide, one sees a government, under the cover of protection against terrorism, gather biometric data of an entire population, without any suspicion of illegal behavior, “just in case...”
The outrage in France is not proportional to the affront to French civil liberties. The collection of the TES file is amended, but the discussions are not over.
No one can ensure 100% cybersecurity, 24/7. It is a fact that many consumers and end users of IoT are not aware of.
One could argue: after all, is it so serious to have my personal information hacked and sold to the highest bidder?[24]
Yes it is.
For one thing, these techniques of influence and tracking can be used by malevolent states to better track an unsuspecting population and restrict its civil liberties.
It is our very freedom of choice which is impaired by having machines always show us the same array of products and services based on our past behavior.
What about exploring completely new themes, trying new things, completely out of the box this Orwellian system is trapping us in?
I do not want machines learning from my past and assuming a digital identity which might not reflect what I dream to be even though some algorithms predict our exposure to certain sicknesses or our political beliefs.
➡ The machines must remain at the service of the humans, not the reverse.[25]
Marketers, sellers, companies and the like have to take the turn of ethics in the use of big data, machine learning and artificial intelligence.
It is the only way out of an insane approach to the consumer’s behavior tracking.
Privacy is not dead as long as there is a political will to impose rules on the race to big data.
Europe is at the forefront of privacy protection and might become the generator of ethical rules to the use of private data for commercial or political purpose.[26] Nowadays, several rules are being imposed. They are not perfect but they will be adapted through time.
Are you forward thinking? Will you take the competitive advantage of ethics in data collection?
It is in the interest of the users of big data to take the ethical turn very fast: their business will not survive a massive cyberattack when the end users, the consumers, discover that their extremely private data like the veins in their palm, their heart beat, their iris... have been stolen and that any other individual can impersonate them on the Internet and in real life.
It would be disastrous for any business to be associated with such a scandal.
What would be ethical rules in the collection and analysis of personal data? Some directions.
- The ones that benefit the person and the company equally.
- Transparency, for one: education of the users about techniques most have no idea about.
Present detailed rules and abide by them through a single label accessible to all stakeholders to check.
What is collected, for how long, where?
Who else will see or use the personal information?
- This should be accessible anytime, anywhere by the users. Their data has great value to them first.
It is time to put humans first on the Internet and to limit the hunger of companies for ever more private information about the consumer.
If you have questions or comments on these issues, please feel free to contact me.
References:
[1] “NEW REPORT: Forget Letters To Santa — Smart Billboards Know What You Want”, PYMNTS, Dec. 22, 2016, http://www.pymnts.com/internet-of-things/2016/smart-billboards-iot/
[2] idem, emphasis added.
[3] idem
[4] idem
[5] idem
[6] I will not talk about the industrial connected machines used in supply chain structures.
[7] For example (there are many others): Lumo develops body tracking technology, including running shorts or capris that measure cadence and speed, giving the runner instant feedback through earphones. Lumo also offers clip-on devices that monitor posture. A Fitbit bracelet “motivates you to reach your health and fitness goals by tracking your activity, exercise, sleep, weight and more” (from their website). Jawbone tracks users’ lifestyles: how they sleep, move and eat.
[8] https://www.engadget.com/2016/12/16/2016s-biggest-privacy-threat-your-phone/
[9] The big family of IoT:
-devices like wearables, machines, appliances (connected lightbulbs...) cars, medical implants...
-services like payment software (think contactless payments)
-data storage and analysis,
-security architectures for the IoT.
[10] Arrayent offers an IoT platform that enables manufacturers to transform traditional products into connected devices. It also offers an end-to-end solution that offers secure access to customer and product data. From http://www.pymnts.com/internet-of-things/2016/smart-billboards-iot/
[11] https://www.vinaya.com/blog/introducing-zenta-indiegogo
[12] Nest: a technology company focused on smart home tools. Nest products include a thermostat that learns from user preferences, a smart smoke-CO2 alarm and a camera that tracks the user’s phone location to know when to turn on.
Lutron offers a family of IoT devices including lights, shades and temperature controls for a room or a whole house.
From http://www.pymnts.com/internet-of-things/2016/smart-billboards-iot/
[13] HotSchedules develops employee scheduling and labor management solutions for the restaurant industry. (...) a restaurant can connect things like kitchen appliances, payment devices and drive-thru displays into the same platform, gathering data in a single place and allowing for more complete information.
Fujitsu is an information and communication technology company offering IoT platforms ranging from enterprise wearable devices. (...)
[14] Skyhook is a global location network that, by georeferencing mobile users, allows companies to deliver more personalized content. The company’s location engine is based on Wi-Fi data that is combined with information from GPS, cell towers, IP addresses and device sensors, and its services are suitable for different industries, including app development, advertising, device manufacturing and wearable design
[15] Tovala has designed a Smart Oven that can steam, bake, broil and heat prepackaged meals that the device, after scanning the code they come with, will know how to cook. The oven can also connect to the user’s phone using its own app, which allows for tracking of the cooking time.
[16] Vinli is a small device that can be connected to a car to provide services including connectivity and apps. Using a 4G LTE network, Vinli can also be used as a Wi-Fi hotspot to allow passengers to stream movies or download games.
[17] The Ruckus Wireless Wi-Fi platform offers various capabilities, including location analytics and engagement technology.
Lumo develops body tracking technology, including running shorts or capris that measure cadence and speed, giving the runner instant feedback through earphones. Lumo also offers clip-on devices that monitor posture.
[18] Petnet offers the SmartFeeder, an automatic feeder for cats and dogs that enables users to manage feeding times, portion sizes and food supply. The SmartFeeder uses sensors to measure portions based on a pet’s age, weight and level of activity. Users can control their pet’s feeding from their smartphones
[19] “How the Intersect of the Internet of Things (IoT), AI and Cloud Computing will Disrupt Everything”, Cami ROSSO, March 25, 2016. https://www.linkedin.com/pulse/how-intersect-internet-things-iot-ai-cloud-computing-disrupt-cami-r-
[20] IBM develops an array of solutions among industries such as analytics, commerce, security, cloud and mobile. IBM’s Watson IoT platform extends the power of cognitive computing to the Internet of Things. The platform enables the connection of devices and the application of cloud-based services like device management, predictive and real-time data analytics or information management. All above references from http://www.pymnts.com/internet-of-things/2016/smart-billboards-iot/
[21] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
[22] Remark by Mr. Jose CALDERA, VP of marketing and products, IdentityMind, in “Payments 2016: The Year Of The ‘Ecosystem,’ Redefined”, PYMNTS.COM, Dec. 30, 2016, page 24. http://www.pymnts.com/news/payments-innovation/2016/payments-2016-the-year-of-the-ecosystem-redefined/
[23] Décret n° 2016-1460 du 28 octobre 2016 autorisant la création d'un traitement de données à caractère personnel relatif aux passeports et aux cartes nationales d'identité https://www.legifrance.gouv.fr/eli/decret/2016/10/28/INTD1619701D/jo
[24] http://rue89.nouvelobs.com/2016/09/24/franchement-faire-pirater-mail-cest-vraiment-grave-265249
[25] See my blog post https://www.swiss-cybersecurity.ch/blog-161213
[26] GDPR, cf. note 21.