U.S. vs. Britain: A Test of Getting Your Personal Data

Posted May 20, 2018 7:53 p.m. EDT

The European Union will put in place one of the toughest data privacy laws in the world this week. The law, among other things, gives people in Europe the right to obtain the personal data companies have on them.

That is a sweeping right to data access that Americans don’t have.

So we decided to conduct a privacy experiment: Request our data in both Britain and the United States, to get a sense of how easy it will be for people in Europe to access their personal information compared with people in the United States.

We conducted our experiment using a 20-year-old law in Britain that entitles individuals to see the personal data held about them by companies in that country. The British law provides data access rights similar to those in the coming European rules, known as the General Data Protection Regulation — offering a sense of how the new law might play out.

Prashant, an editor in London, and Natasha, a technology reporter in New York, requested their records in their respective countries from Amazon, Facebook, Google, LinkedIn, Twitter, their mobile providers and marketing analytics companies that profile users.

The results were not what we expected.

What We Got When We Asked Marketers for Our Data

Prashant: Quantcast, an analytics service that categorizes and targets online users for marketing purposes, sent me a spreadsheet with about 200 entries tracking my activities. They contained an astonishing degree of detail about my life.

It showed that I had used OpenTable to make a dinner reservation in March at a “casual” Indian restaurant in London, that I had read a CNN article on President Donald Trump’s steel and aluminum tariffs, that I was looking to buy a new cellphone and was considering a trip to Stellenbosch, South Africa.

Then there were the 343 marketing classifications Quantcast had obtained about me from data brokers, companies that sell consumers’ details for marketing purposes.

The categorizations had me pegged as a “heavy spender” on pet food (I have a cat), an owner of a flat-screen TV, and part of a “likely nonsmoking household.” My colleagues in London will be unsurprised to learn that among my “interests” are biscuits and chocolate.

But the report also suggested there was a 3 percent likelihood that I am a woman above the age of 65, and that I own a car. (I am, to be clear, a man in my 30s. I got my first driver’s license a few months ago and do not own a car.)

Natasha: My spreadsheet from Quantcast contained just one single line of data: It showed that on Jan. 19 at 7:01 p.m., I read an article on about how Google was eliminating certain features for parents to control their children’s web-browsing. The spreadsheet even listed the author of the article: Kevin Murnane.

As with all these companies, Prashant and I acted as much as possible like regular consumers when we initially requested our information. But after our requests, we followed up with the companies as reporters. When I contacted Quantcast to ask why I had received only one line of data, a spokesman said users’ privacy settings could influence what details Quantcast collected. (I use various software tools to monitor tracking.)

The Quantcast spokesman added that the company responded to data access requests under European law. So sending me any data at all had been an error — because consumers in the United States do not have a comprehensive right to obtain copies of the data held by U.S. companies.

When We Asked Amazon

Prashant: A Kindle reader, a square cake pan, a carbon monoxide alarm.

Amazon sent lists of the items my wife and I had bought through the site, the credit cards we used to buy them, the addresses the items were shipped to and the devices we had used to access Amazon services.

But we had expected to receive a more substantial data trove from Amazon. So I wrote back to Amazon asking again for all of the details the company had on me, including our household’s video-viewing data.

The company said it was “investigating” and would send the missing data when it was ready. There is still no sign of it. An Amazon spokesman added that the company was committed to complying with the new European privacy law.

Natasha: I used Amazon’s self-service tool to download a copy of my purchase orders — including batteries for the outmoded BlackBerry phone that I was having trouble giving up in 2015. (I now own two iPhones.)

But I wanted the complete history of my account, such as my Amazon searches.

Amazon responded to my email request by telling me to call the company — because it was “not safe to get account details via email due to security reasons.” Then I called Amazon customer service and was put on hold for 15 minutes while an agent scrambled to figure out a response.

Finally, the agent came back on the line only to tell me that Amazon was keeping records on me for business purposes — but would not share them with me. “It’s all private,” the agent said. “I don’t have access to that information to provide you unfortunately.”

When We Asked Facebook, Twitter and LinkedIn

Prashant and Natasha: LinkedIn, Twitter and Facebook provide self-service tools for users to download certain information — such as their posts and messages. Google offers a tool where users can download files of the Google searches they have made, as well as the sites Google has tracked them to, their YouTube history and Calendar data. We used these systems and obtained some of our information.

Mark Zuckerberg, Facebook’s chief executive, recently told a Senate hearing that his company’s download tool contains “all of the information” that users have “put into Facebook or that Facebook knows about them.”

But Facebook actually collects much more data about its users. In addition to the updates and photos you submit to the site, for instance, Facebook collects data about users’ activities on millions of non-Facebook sites that use tools like the service’s Like button. And those tools allow the company to amass detailed information about users’ web-browsing.

We were unable to obtain that kind of information, however.

We each asked Facebook for copies of our web-browsing data, as well as any data the company acquired about us from data brokers or other services. We made similar requests of Twitter and LinkedIn, which can also collect details about users’ activities on other sites as well as personal details from third parties like employers or advertisers.

None provided us with copies of that raw information.

Instead, from LinkedIn, we each received emails directing us to use the company’s self-service tool. Among other things, our LinkedIn downloads included the email addresses of our connections.

From Twitter, we received emails saying the company required copies of our government-issued ID cards before it would provide user details beyond those available from the company’s self-service tool. Natasha, who regularly covers privacy, was hesitant to entrust Twitter with a copy of her ID card. Prashant sent his ID to Twitter and received data about a week later, soon after we contacted Twitter’s press department. The new set of information included IP address logs, direct messages and every GIF he has ever posted (there were a lot).

Facebook told Natasha that its self-service data download tool “has been reviewed by our data protection regulator” and would allow her “to access all of your Facebook data.” The company told Prashant that the self-service tool would allow him to access only “the Facebook information available to you” and that the company “isn’t able to provide additional information.”

Matt Steinfeld, a Facebook spokesman, said the social network’s ad preferences tool reflected information it received about users from data brokers and advertisers. The company recently said it was building a tool to show users a list of the apps and websites that Facebook receives data from when users visit them.

After we contacted LinkedIn’s press department, we received emails the next day saying that the company was working on our requests. A LinkedIn spokeswoman said that users could automatically download “the most commonly requested data” and that the company did not currently plan to change its data request process.

Incomplete Responses

Prashant and Natasha: We were not just seeking our data for data’s sake.

As we all become more aware of fraudulent news and online voter manipulation, researchers, journalists and consumers have been seeking their personal details from companies to try to understand how we might be manipulated. The incomplete responses from tech companies do not bode well for such research efforts.

Nor does it seem to bode well for the companies, which will soon be facing the new European privacy regulations.

After we wrote to our cellphone carriers to ask for our records, for instance, Natasha at least heard back from T-Mobile, who told her that it would release her phone records only if the company received a subpoena compelling it to do so.

Prashant did not hear back at all from Three, his mobile phone service. When he contacted the company as a reporter, Three said it could not give details on the particular case for privacy reasons, but added that it would typically send a letter asking for proof of identity before proceeding with a data request. Prashant and his wife, whose name the phone contract is in, never received such a letter.

A spokeswoman for the Information Commissioner’s Office in Britain told us that companies that failed to respond to data subject access requests could be in breach of the country’s data protection law.

Under that law, penalties for noncompliance can reach 500,000 pounds (more than $670,000). And noncompliance with the new European law could come with higher penalties: up to 4 percent of a company’s global annual revenues, or 20 million euros, whichever is greater.

Even for a tech giant, that could get expensive.