Uri Gal* says the recent questioning of the heads of Amazon, Facebook, Google and Apple in the US Congress has highlighted the threat their practices pose to our privacy and democracy.
However these big four companies are only part of a vast, sophisticated system of mass surveillance.
In this network are thousands of data brokers, ad agencies and technology companies – some of them Australian.
They harvest data from millions of people, often without their explicit consent or knowledge.
Currently, this includes data related to the COVID-19 pandemic.
For instance, data giant Palantir has provided lab test results and emergency department statuses to the US Centres for Disease Control and Prevention.
How much do they know?
Data companies gather data about our online activity, location, DNA, health and even how we use our mouse.
They use a range of techniques, such as:
- web-trackers planted on almost every page on the internet, which follow our browsing activity
- “smart” home devices leaking details of our usage habits and location
- millions of mobile apps sending our data to unknown third parties, including sensitive information such as when we last had sex
- millions of retailers tracking our purchasing habits and in-store movements.
This expansive tracking generates billions of data points that can reveal every facet of our lives including our family status, income, political affiliation, interests, friendships and sexual orientation.
Data companies use this information to compile detailed individual consumer profiles.
These are used for purposes such as targeting us with ads, determining our eligibility for loans and assessing the riskiness of our lives.
The data industry in Australia
Some of the world’s largest data companies operate in Australia.
Quantium is an Australian data analytics firm that acquires data from various companies. In the past few years these have included NAB, CoreLogic, Woolworths (which owns 50 per cent of the company) and Foxtel, according to Quantium itself.
Such associations allow Quantium to “tap into the consumer data ecosystem with an unrivalled picture of the behaviours of more than 80 per cent of Australian households, spanning banking, household and retail transactions”.
A Quantium spokesperson told The Conversation most of its work is “data science and AI (artificial intelligence) work with first-party de-identified data supplied by the client”.
From this, Quantium delivers “insights and AI/decision support tools” for clients.
Anonymised or “de-identified” data still carries risks of being accurately re-identified, as explained in an ACCC report on customer loyalty schemes, published last year.
Generally speaking, even if a person’s details are de-identified by being converted to an alphanumeric code, the conversion method is identical across most companies.
Therefore, each code is unique to an individual and can be used to identify them within the digital data ecosystem.
A lack of transparency
With a revenue of more than US$110 million last year, the insights from Quantium’s data seem to be proving valuable.
From this revenue, more than A$61 million between 2012 and 2020 came from projects commissioned by the Australian government.
This includes two 2020 engagements:
- a “COVID-19 Data Analytics” project worth more than A$10 million with a contract period from March 17, 2020 to December 31, 2020
- a “Quantium Health Data Analytics” project valued at more than A$7.4 million with a contract period from July 1, 2020 to June 30, 2021.
Quantium’s spokesperson said they could not discuss the details of the contracts without government approval.
In the past decade, the Australian government has commissioned dozens of projects to other data analytics firms worth more than A$200 million.
These include a A$13.8 million Debt Recovery Service project with Dun & Bradstreet and a A$3.3 million National Police Checks project with Equifax – both started in 2016.
It’s unclear what and how much data has been shared for these projects.
Last year, the ACCC named Quantium as one of the companies that participate in the exchange of loyalty schemes data, often without consumers’ explicit consent.
Quantium’s spokesperson told The Conversation the company “does not deal with personally identifiable information and does not share data with any third party whether identified or de-identified”.
How do they work?
Data companies largely operate in the shadows.
We rarely know who has collected information about us, how they use it, who they give it to, whether it’s correct, or how much money is being made from it.
LiveRamp (formerly Acxiom) is a US-based company partnered with Australia’s Nine Entertainment Co.
This partnership allows the Nine Network to give marketers access to online and offline data to target consumers across Nine’s digital network.
This data may include the Australian electoral roll, to which LiveRamp gained access last year.
Similarly, Optum is a US-based health data company that collects information from hospital records, electronic health records and insurance claims.
It has data on more than 216 million people and used this to develop a predictive algorithm that was shown to discriminate against black patients.
Compromising our democracy
The prevalence, scope and stealth of the abovementioned data practices are not congruent with the basic principles of a liberal democracy.
According to philosopher Isaiah Berlin, liberal democracies can only thrive if they have autonomous citizens with two types of freedoms:
- freedom to freely speak, choose and protest
- freedom from undue inspection and intervention.
Our data-driven world signals an extreme diminishing of both these freedoms.
Our freedom of choice is harmed when our informational environments are doctored to nudge us towards behaviours that benefit other parties.
Our private space is all but gone in a digital environment where everything we do is recorded, processed and used by commercial and governmental entities.
How can we protect ourselves?
Although our ability to disconnect from the digital world and control our data is eroding rapidly, there are still steps we can take to protect our privacy.
We should focus on implementing legislation to protect our civil liberties.
The Australian Consumer Data Right and Privacy Act stop short of ensuring the appropriate data protections.
The Australian Competition and Consumer Commission highlighted this in its 2019 report.
In 2014, the US Federal Trade Commission recommended legislation to allow consumers to identify which brokers have data about them – and that they be able to access it.
It also recommended:
- brokers be required to reveal their data sources
- retailers disclose to consumers that they share their data with brokers
- consumers be allowed to opt out.
If we care about our freedoms, we should try to ensure similar legislation is introduced in Australia.
*Uri Gal is an Associate Professor in Business Information Systems, University of Sydney.
This article first appeared at theconvresation.com