Show me my data, and I’ll tell you who I am

“Stop manipulating us, and give us real choices,” says Katarzyna Szymielewicz, a technology and human rights expert, lawyer and activist who advocates for people to have more control over how their data is processed and used.

Companies are building digital profiles of us, made up of data collected by thousands of trackers in mobile apps or on the web. They gather information about us practically whenever we are connected to the internet. Data brokers sell this data to whoever is willing to pay the price. It changes hands between countless companies without our knowledge.

Data about us is sorted into categories we often can’t see and analyzed by algorithms we often don’t know about – and then used to make decisions that could impact our lives, for better or worse.

But what if we could take guessing out of the equation, and just tell companies who we are? Would they respect our answers?

Katarzyna Szymielewicz is the co-founder and president of Panoptykon Foundation, a digital rights organization in Poland. In January 2019, Panoptykon filed a complaint against Google under the new European General Data Protection Regulation, alleging the company had violated the regulation’s  requirements to provide users with access to data held about them.

To help a broader audience visualize how little we’re currently able to control our digital profiles, Szymielewicz has developed a metaphor of “three layers” of data: providing examples of what is collected about us, what is observed and what is generated by machines.

Three layers of our digital profile

Three layers of our digital profile by Katarzyna Szymielewicz, Marcin Antas, Kamil Śliwowski,  2019. Data used in this visualization is based on Panoptykon’s research and it is meant as data samples that aren’t exhaustive or applicable to every person.

Q: Are our data profiles inaccurate?

A: Who knows? Without transparency and access to the full profiles that are generated for us by tech companies we cannot really tell. I am sure users themselves would be the best auditors of these datasets because they have real (often economic) incentives not to be judged on the basis of incorrect or incomplete information. But they are not given the chance to do so.

I came up with this layered metaphor to explain the complexity (and dangers) of how online data profiles work after hearing for the hundredth time: ‘What’s the problem if we choose to share and publish our data ourselves?’ The thing is that we do not make these choices ourselves. We are lured into sharing more data than we would accept, observed and qualified by machines in ways we can hardly imagine. Not surprisingly, they detect sensitive characteristics we may prefer to keep private.

Q: Why should we want to see our data?

The only way to regain full control over our profiles is to convince the companies who do the profiling to change their approach. Instead of hiding our data from us, they should become more transparent. We need to open these opaque systems to the scrutiny of users.

On the other hand – instead of guessing our location, relationships, or hidden desires behind our backs, I think companies could simply start asking us questions, and respecting our answers. I even see this as a real opportunity for marketing companies to build trust and make targeted ads more relevant and fair.

In the European Union, we have a legal framework that facilitates greater openness and access. The General Data Protection Regulation (GDPR) now gives Europeans the right to verify data held by individual companies, including marketing and advertising profiles. Companies can still protect their code and algorithms as business secrets, but in theory they can no longer hide personal data they generate about their users. I say in theory – because in practice companies don’t reveal the full picture when confronted with this legal obligation. In particular, they hide behavioural observation data and data generated with proprietary algorithms. This must change, and I am sure it will, once we begin to see the first legal complaints result in fines.

Q: How could we make radical transparency a reality?

Well, no doubt we have to be prepared for a long march. We need to work together as a movement and test different approaches. Some of us will continue to test legal tools and fight opponents in courts or in front of Data Protection Authorities. Others will advocate for (still) better legal safeguards, for example in the upcoming European ePrivacy Regulation. Others will build or crowdfund alternative services or push big tech to test new business models, and so on. I am sure it will be a long run, but as a movement, we are at least heading in the right direction. The main challenge for us now is to convince or compel commercial actors to come along.

How much of your data could you imagine being in control of?

  1. Digital Literacy Step 3 – Mirnan Meligy

    […] how we are always being tracked. The 3 articles that I have read are “Understand the Issue”, “Show me my data, and I’ll tell you who I am”, and “Your mobile apps are tracking […]

  2. Mozilla Webthings 로 사용자 프라이버시 보호와 탈중앙화 IoT 실현하기 ★ Mozilla 웹 기술 블로그

    […] Mozilla 는 당신이 스마트홈 장치 그리고 그 장치가 만드는 데이터에 대한 제어권을 가져야 한다고 믿습니다.  당신이 데이터를 소유해야 하고, 당신이 그 데이터를 다른 사람과 공유할지 결정해야 하고, 당신이 잘못된 당신의 신상 정보를 바로잡을 수 있어야 합니다. […]

  3. Mozilla Webthings 로 사용자 프라이버시 보호와 탈중앙화 IoT 실현하기 ★ Mozilla 웹 기술 블로그

    […] Mozilla 는 당신이 스마트홈 장치 그리고 그 장치가 만드는 데이터에 대한 제어권을 가져야 한다고 믿습니다.  당신이 데이터를 소유해야 하고, 당신이 그 데이터를 다른 사람과 공유할지 결정해야 하고, 당신이 잘못된 당신의 신상 정보를 바로잡을 수 있어야 합니다. […]

  4. Empowering User Privacy and Decentralizing IoT with Mozilla WebThings - Mozilla Hacks - the Web developer blog

    […] At Mozilla, we believe that you should have control over your devices and the data that smart home devices create about you. You should own your data, you should have control over how it’s shared with others, and you should be able to contest when a data profile about you is inaccurate. […]

  5. Samuel

    Data currency project...

    For all personal data being collected (mined/harvested) and profited from, there needs to be some kind of conversion into compensation for the user.

  6. JohnT

    I usually just tell them a pack of lies about age date of birth etc when registering with a site unless I'm actually buying something from them
    sadly Mr Michael Mouse no longer works but there are plenty of other candidates also get a proton mail free email account and just use it for registering with sites you only have a vague interest in

  7. Anonymous

    Everyone should use private browsers, social tools, and everything else decentralized. Tor Browser, Signal messaging, etc... These need to be publicized more. These need to be known.

  8. Connor

    A great example of this is when you click a video on youtube, not because you're interested in that topic, but because the thumbnail was interesting or it was by someone you respect. Suddenly youtube spends the next fifteen years shoving the same content in your face despite repeatedly telling the algorithm that you don't like this content. It's sometimes hard to see what's wrong when companies take data on you and don't tell you the results. The problem becomes obvious when they do it WRONG and try to target DISLIKED content towards you.

  9. Jamshed

    The best way is to impart as little personal info. as you can. Not open up web sites out of curiosity, unknown ones, and essentially do not give much info about yourself or family till such time as the country you live in comes up with a centralized protection law which can allow you to take the offending party to court.

  10. Anonymous

    Pigeon-holing people stifles their growth; it should be made known and be overt what and how people and corporations infringe our freedoms and rights and those who do so should be indicted/punished. (in an ideal world). At least a code of practice by which the corporations who breach that trust are then judged and abandonned.