The companies in control of our secret identities

Your personal data can be collected by companies from many different sources and shaped into a "secret identity". This is when companies use information about you to assume your personality traits and predict your behaviour, and sell this profile onto others. But who are the companies behind this practice?

Long Read
Puzzle of the Girl with a Pearl Earring painting by Johannes Vermeer

Now more than ever with a global pandemic happening, our lives are being shaped by our interaction with the digital world. Work meetings on Zoom followed by Skype with family before a quick run with your favourite running app and a Google search for your next meal: technologies and services offer us a lot and greatly improve our daily lives. But what's the real cost of these tools we rely on so much?

A lot of these companies, especially those offering free services, collect data about you. It might be data you knowingly and willingly share to enjoy the benefits of the service (name, age, email address...) or data that you might not realise you are sharing, like your approximate location through your IP address or your social network identifier or through apps accessing your contacts. Sometimes, companies collect very sensitive information from websites you have visited and interacted with, for example websites about mental health, revealing your state of mind or your diagnosed illness. To make things more complicated, the companies receiving this data aren't always the ones providing the service, as is the case with third party trackers on websites.

While some of this data, and its collection, may appear harmless to some, what happens behind the scenes is a real source of concern as the data collection is only the first step in a long and opaque process. Ad tech companies combine this information together and create an assumed picture of you, akin to a "secret identity". Your personal information can indeed be gathered, cross-referenced and processed to profile you by companies you've never heard of. Using the data they collect about you, these companies can infer even more information about your interests, habits, goals, and fears, with variable accuracy.

These profiles are like secret identities that reveal parts of your that even your most intimate friends might not be aware of. Doubtful? Through submitting data subject access requests (DSARs), we obtained some of our own profiles and the results were frightening. The data we received was the equivalent of our entire browsing history and contained detailed characteristics both inferred from this browsing history and obtained from other tracking companies.

Pieced together from incomplete data and using marketing algorithms, this data forms an uncanny picture of your, one that you have may not have voluntarily revealed, a digital shadow over which you have very little practical control.

Why should I care? Do they really use this data for anything?

In theory, this data is collected for a single purpose: to better target you with ads. The targeted advertising ecosystem, by using trackers included in the sites you visit and Software Development Kits (SDKs) in the apps you use, aims to get a better picture of you in order to present you with more relevant ads. So yes, this data is being used to target you with adverts, despite the benefits over non targeted advertising being debated.

But it doesn't stop there. The adtech ecosystem has one main feature: it connects companies to you through an opaque and technically complex infrastructure, allowing almost anyone to enter the data collection and exchange market. This means any companies can participate in processes such as Real-Time Bidding only to collect data and never display ads. What this also means is that companies participating in this process (say for example two AdTech companies that track your activities on a different set of sites) can grab data from each other to consolidate the data and profiles they have on people.

Long Read
It’s 15:10 pm on April 18, 2018. I’m in the Privacy International office, reading a news story on the use of facial recognition in Thailand. On April 20, at 21:10, I clicked on a CNN Money Exclusive on my phone. At 11:45 on May 11, 2018, I read a story on USA Today about Facebook knowing when teen

As a consequence, companies participating in this ecosystem (or sometimes on their own) are able to sell your data to clients that may not be using it to try and sell you stuff. There are reports of location data sold to federal agencies in the US for border control purposes as well as to the military.

Your data can also feed into machine learning /AI that is being used in the criminal justice system to make decisions on your behalf, whether it is to assess re-offending potential, and consequently what type of rehabilitation services, or your ability to enter a country. Far from the expectation people might have about their data, this reveals how seemingly harmless information can be leveraged against us, without our knowledge or consent.

Given these examples, it isn't hard to imagine that your personal data can be used to influence the price of your insurance (based on how much you exercise), your ability to secure a mortgage (based on your favourite news site) or your ability to get a job (based on your mental health).

Alright now I'm angry, who are these companies?

The challenge when talking about the companies that own your secret identities is their diversity and multiplicity. Unlike household names Facebook or Google, most of the companies tracking you online are largely unknown to the public.

Through our previous research and campaigns, PI has revealed some of these companies and their activities. They include AdTech companies, Credit Rating Agencies and Data Brokers, fundamental actors in the adtech ecosystem whose core business model is to collect, process and exchange your personal data. These companies are at the heart of many legal actions in Europe, including our complaints against 7 companies which we submitted to three Data Protection Authorities.

You can take PI's quiz to check if the seven companies we complained about in 2018 might know you!

The ICO in the UK recently served an enforcement notice on Experian as a result, in part of our complaints.

But other type of companies demonstrate similar practice and build secret identities of people. This includes companies offering tracking SDKs, which bits of code included into apps to add features. Offering a way for developers to monetise their apps, some of these companies have been collecting and selling location data to federal agencies without users knowledge or consent. While offering a service for their customers, these companies act as data brokers in disguise, enriching their dataset of profiles. Similarly, Bounty UK Ltd, a sales and marketing company allowed access to maternity wards, was fined £400,000 by the ICO in 2019 for unlawfully selling the details of 14 million mothers and babies to 39 companies when they operated as a data broker.

Many other business models disguise these invasive company practices. Free addons adding features to your site while collecting information about your users; insurance or mortgage aggregators and comparators collecting your information, fidelity cards...

Other companies have been put under the spotlight, such as Securus Technologies which developed mobile phone tracking technologies meant for inmates but which was eventually used by law enforcement without a warrant to track anyone.

PI has built two use cases to illustrate what the types of companiew that might be harvesting your secret identities. You find out more here:

I really don't like that. What can I do?

It is easy to feel helpless in face of the multitude and secrecy of this corporate activity, especially when the names of the companies are unfamiliar and their business activities are complex and confusing.

PI is chipping away at the secrecy and complexity of this industry. Our work started in earnest the day the GDPR came into force in 2018. And you can take action too. Take a look at the legal tools you can use to exercise your rights, and the guides PI has produced to help limit the intrusions into your online activity.

REQUEST AND DELETE:

Under data protection law, there are tools you can use to exercise control over your personal information. Under the GDPR, you can submit a "data subject access request" (DSAR) to a company you believe holds data or a profile on you. This can be followed by a deletion request to ensure that the company doesn't keep any of your data if you don't want them to. PI's guides can take you through this process. Have a read at our FAQ about right to access to understand how it works, then check our 7+1 tips to make the most out of your DSAR. And if you want to know a LOT more about data protection, PI has a complete guide for that too.

Frequently Asked Questions

LIMIT ONLINE TRACKING

Show your discontent with these practices by building barriers against invasive tracking! PI has produced guides to prevent and limit tracking online and on your devices. You'll be surprised how easy it is to apply a few changes and as a nice bonus, the number of ads you see will fall drastically - everytime you don't see an ad, it's one less ad that these companies profit from. This is an act of resistance that will make your user experience smoother - a clear win-win situation! Head over to these guides by cliking the image below and find the ones for your device.

Guide

Online tracking is a widespread practice with questionnable ethics and legal backing. Learn how to limit your data from being collected unwillingly and disrupt the tracking industry!