Full text of journalist Madhumita Murgia’s talk titled “How data brokers sold my identity” at TEDxExeter conference.
Listen to the MP3 Audio here:
Madhumita Murgia – Journalist
I’m a 26-year-old British Asian woman working in media and living in a South West postcode in London. I have previously lived at two addresses in Sussex, and two others in North East London.
While growing up, my family lived in a detached house in Kent and took holidays to India every year. They mostly did their shopping online at Ocado, gave money to charities and read the Financial Times.
Now, I live in a recently converted flat with a private landlord, and I have a housemate. I’m interested in movies and startups, and I have taken five holidays in the past 12 months, mostly to visit friends abroad. I’m about to buy flights within 14 days.
My annual salary is between 30,000 and 40,000 pounds a year. I don’t own a TV or watch any scheduled programming, but I do enjoy on-demand services such as Netflix or Now TV.
Last week, I passed through Upper Street in North London on Monday and Wednesday evenings at 7 p.m. I cook a little, but I tend to eat out or get takeaways often. My favorite cuisines are Thai and Mexican food.
I don’t own any furniture, and I don’t have any children. On weeknights, I tend to spend the evenings with my university friends having dinner. I usually buy my groceries at Sainsbury’s but only because it’s on my way home.
I don’t care for cars or own one. I don’t like any form of housework, and I have a cleaner who lets herself in while I’m at work.
On Fridays, you’ll find me at the pub after work. At home, I’m far more likely to be browsing restaurant reviews rather than managing my finances or looking at property prices online.
I like the idea of living abroad someday. I prefer to work as a team than on my own. I’m ambitious, and it’s important to me that my family thinks I’m doing well. I’m rarely swayed by others’ views.
This motley set of characteristics, attitudes, thoughts, and desires come very close to defining me as a person. It is also a precise and accurate description of what a group of companies I had never heard of, personal data trackers, had learned about me.
My journey to uncover what data companies knew began in 2014, when I became curious about the murky world of data brokers, a multi-billion-pound industry of companies that collect, package, and sell detailed profiles of individuals based on their online and offline behaviors.
I decided to write about it for Wired Magazine. What I found out shocked me, and reinforced my anxieties about a profit-led system designed to log behaviors every time we interact with the connected world.
I already knew about my daily records being collected by services such as Google Maps, Search, Facebook, or contactless credit card transactions.
But you combine that with public information such as land registry, council tax, or voter records, along with my shopping habits and real-time health and location information, and these benign data sets begin to reveal a lot, such as whether you’re optimistic, political, ambitious, or a risk-taker.
Even as you’re listening to me, you may be sedentary, but your smartphone can reveal your exact location, and even your posture. Your life is being converted into such a data package to be sold on. Ultimately, you are the product.
Ostensibly, we’re all protected by data protection laws. In the UK, the law states that any personal data set has to be stripped of identifiers such as your name or your National Insurance number.
Personal data is considered anything that can be traced directly back to you without the need for additional information. This doesn’t mean it can’t be sold on. It only means that they need your permission.
Simple examples of personal data include your full credit card number, your bank statement, or a criminal record.
However, I discovered that online anonymity is a complete myth. Particulars such as your postcode, your date of birth, and your gender can be traded freely and without your permission because they’re not considered personal but pseudonymous. In other words, they can’t be traced back to you without the need for additional information.
So why does it matter if a bunch of companies you’ve never heard of know your age or your postcode, you may think?
Well, it matters quite a lot. About a decade ago, Latanya Sweeney, a professor of privacy at Harvard University proved that about 87% of U.S. citizens could be uniquely identified by just three facts about them: their zip code, their date of birth, and their gender.
In the UK, where we have far fewer citizens serviced by much longer postcodes, that probability is far higher. Professor Sweeney proved this in a rather cheeky way when William Weld, a former governor of Cambridge, Massachusetts, in the US decided to support the commercial release of 135,000 state employee health records along with their families, including his own.
These records did not contain a name or a social security number, but did contain hundreds of fields of sensitive medical information including drugs prescribed, hospitalizations, and procedures performed on these employees.
For $20, Professor Sweeney purchased the voter records for Cambridge, Massachusetts, containing the names, zip codes, dates of birth, and gender for every voter in the area, and then cross-referenced this with their health records.
Within minutes, she had pinpointed Governor Welds’ own health records. Only six people in Cambridge shared his date of birth. Three of them were men. And he was the only one living in his zip code. Professor Sweeney sent the governor his health records in the post.
Every day, we hear about new examples of companies digging ever deeper into our personal lives. In the November US presidential election, a little-known British company known as Cambridge Analytica was tasked with winning the election for a certain candidate: Donald Trump, using data analytics.
The company employed cookies online to track people around the web, logging every website visited, every search term typed, and every video watched. They also created a viral Facebook quiz to dig into people’s personalities, which was taken by over six million people.
In total, they managed to amass data on 220 million voting Americans with an average of about 5,000 pieces of data on each person. They then used this data to understand people’s inner feelings and then targeted adverts to them on Facebook. Researchers have called them a propaganda machine.
And it’s not just large companies digging into your life; it’s free apps and small startups as well. I realized on my phone that every time I logged fitness data into the app Endomondo, it was sharing my details including my location and gender with third-party advertisers.
WebMD, a symptom checkers app, was sharing even more sensitive information including the symptoms, procedures, and drugs viewed by users within its app with its third parties.
Fitbit was sharing data with Yahoo. A pregnancy tracking app was selling on information about its users’ ovulation cycles and fertility cycles with people or advertisers like InMobi.
As long as my phone is turned on, my location can be tracked, not just by the obvious apps like Google Maps, but a whole host of unrelated services from Uber to Twitter, Photos, Snapchat, TripAdvisor, and others.
You’re not even safe in your own home. In 2015, Samsung was found to be recording people in the homes in which their TVs had been sold using their voice recognition systems. They have now adapted this so they only record when the voice recognition is activated. But the creepy factor remains.