The surveillance program PRISM by the US secret service NSA has reminded us that all of our activities online may be monitored without giving us the chance to understand whether we really are targeted or what the purpose of this monitoring is. Information is being collected about us all but we have little understanding about how it is being used.
We do though have some means of learning what information we are giving away and this can allow us to make conscious decisions about how we want to continue to use the internet. Some traces are difficult to avoid, but there are also many things we can do to reduce our digital shadows.
Trace My Shadow
"Trace My Shadow" is an interactive visualisation designed to help you learn in detail about the effects of using online services and devices.
Select what device you are using - a computer that has a Microsoft operating system, an Android mobile phone - and then what you are using it for: Google services, Facebook, or online banking. You will then be able to see how each device and each activity leaves its traces. For example, let's say you are using a mobile phone with a prepaid SIM card to create and use a Facebook account. Trace My Shadow will list 26 separate traces about yourself that are stored on different servers - that you don't have access to. This tool allows us to know what the traces are, and also whether we can do anything to minimise the digital shadow they cast.
Why are there so many? Buying a mobile phone even with a prepaid card in usually requires you to give contact information about yourself: your name name, address, date of birth, sometimes more. If you pay with a credit card, your banking information will be tied to the profile that emerges about yourself in the databases of the phone company. The phone itself has a built-in number - the IMEI - and the SIM card does, too, called IMSI. Both are tied to your name just like the phone number is. Another traces about yourself are given when you set the language and time zone.
Nearly all online services ask you to give an email address and some also ask for your name, address and profession. If they offer two stage identity authentication (which is designed to protect you from being hacked) you will be asked to enter a phone number or other self-identifying information. Using Facebook adds even more traces as it serves its purpose better, the more information you add. You will be prompted again and again to fill in details about your life, your work, where you were born and many more. You might also share pictures, videos, join groups or events. Facebook logs when you click the 'like' button or when you mention Facebook posts in your Facebook messages. 12 or the 26 traces in our example are related to Facebook.
You can request that all the information in your Facebook account is sent to you. But it's not possible to know whether you receive all information that is being kept about you. You can find the option to request this information in the 'General Settings' page. Make sure to ask for the expanded archive by clicking the link further down in the text. Find more information in the Facebook Security Guide in Security in-a-box.
Trace My Shadow helps you to discover what your digital shadow is made up of and it also helps you to find ways to reduce it. Once you have checked the boxes indicating what you do when you are surfing the web, you will be able to find context information, tips how to reduce your shadow, and much more.
Here are some tools to help you understand about Facebook in more detail:
Europe vs. Facebook
The campaign Europe vs. Facebook was started when Max Schrems asked Facebook to send what Facebook stored about him. After he had received many pages he started disputing in court that Facebook complies with the EU data protection regulation, accusing the company of not telling the truth about what data is being kept about its users.
The campaign currently lists almost 60 types of data to be found in Facebook profiles and it also gives information about data breaches that do not respect data protection laws.
How grabby are your Facebook apps?
An interactive visualisation that was published by the Wall Street Journal in 2012 How grabby are your Facebook apps has analysed 100 Facebook applications and lists which data they collect from its users' profiles.
With one click you will learn that Foursquare has access to 15 types of personal data. Among them is your birthday, and there is no option to remove this specific permission without removing the app completely. With the next click you will then see that 34 of the 101 apps that were tested request to know your birthday. We tend to quickly click "Yes, I agree" when we want to install a new app. This visualisation demonstrates that it's worth the while to think twice before we check the box. It also shows that there are, in fact, differences between how much of you data they collect. When we take a closer look we can easily see that some apps are asking for more data than others without actually needing them to serve their purpose.
My Permissions is an application that offers a different way of finding out how data-hungry many third party apps are. Third party apps are applications that interact with your social networking profiles like Facebook, but also Flickr, Foursquare or even Dropbox and through them, can access their information. On most browsers, you can install it as a browser app as well as on your iPhone, Android phone or even an Amazon Kindle ebook reader. Once you have installed it, it shows which other apps you have installed and asks you to review the permissions they have, to access your data. Do they know your location? Can they access your information all the time, even when you have logged out of the accounts, or post in your name? Once you know, you are given the option to decide which apps to remove, add to the list of trusted apps or report any abuse of your permissions.
Collusion and Panopticlick
If you want to find out more about how and which third party applications interact with websites that you visit, you can install Collusion, an app that only exists for the Firefox browser. What's interesting to see is how advertising companies follow you across different websites. Either with the help of cookies (little text files you download when you visit websites that store information about your browsing behaviour) or through the unique 'fingerprint' your browser leaves on their server, they know that in the morning you read several news websites (and what articles you're interested in), later that you research specific topics and that you spend quite a bit of time browsing through online shops selling hiking shoes.
There's also a demo which doesn't require installing and that can give you a good impression of how tracking by third parties works and how this is used by companies which, when in the USA, might also be subjected to requests by the NSA or other legal institutions.
But how can someone identify you if you don't log into that news website and you don't fill in any personal information? This is increasingly being done by organisations looking at what is called the browser fingerprint: the combination of special characteristics of your browser, the combination of information that travels from your computer to the server that hosts the website you are looking at. This information is what's most valuable to the advertising companies and possibly also for law enforcement agencies that attempt to collect as much information as possible to be able to detect unusual patterns which look suspicious.
Panopticlick by the Electronic Frontier Foundation (EFF) is a website that offers to analyse your browser fingerprint. The idea behind it is to give you an idea of how unique your fingerprint is even though you might think that you're not using anything that's very different from the software and devices most everybody else seems to be using. What makes your browser unique is the variety of information: the time zone and language you chose in the settings, which browser plugins you have installed, which fonts are installed and whether you accept cookies or not.
Who has your back?
A different service by the EFF is a chart called Who Has Your Back explaining how 18 popular internet companies reacted to government requests for user data. Some of them stand up for their users' right to privacy in courts - but not the majority of them. If you want to find out whether your favourite services publish a transparency report that documents whether they'll go out of their way to protect your privacy, have a look here.
If you like games and want to learn about who is interested in your data and what they it's being used for, have a look at "Data Dealer". The educational game puts you in the role of an unscrupulous "data dealer" who is out to collect your personal data. In the course of the http://datadealer.com/play/ playable demo, you will learn what type of data is being collected and how it information can b used to generate profit.
A health insurance, for example, might be interested in acquiring information about user behaviour related to health such as interest in diets, height and weight, or web searches about chronic illnesses. An online dating site, on the other hand, might want to collect and sell information about things like sexual orientation, location or political attitudes. Reading the detailed information about how user data gained from social networking sites, sweepstakes or loyalty cards is being used, might help you reconsider how much information you want to give away.
What they know
What they know is another interactive data visualisation by the Wall Street Journal that shows you the behaviour of the most popular smartphone apps both for iPhones and Android phones. It tells you which apps give your information to marketing companies and describes what each app told users about the information it gathered. You can find out also about smaller companies that don't usually get so much attention. You will learn about what YouTube and Tweetdeck might know about you, also the New York Times app and Angry Birds. Click a specific app in the chart to find more detailed information.
They Know What Your Shopping For, again by the Wall Street Journal, shows similar information but this time on the 50 most popular websites in the US which ask you to a create user account to log in.
Of course our Digital Shadow doesn't only exist on the servers of ad-selling companies or third party applications. We also add to it by making phone calls or sharing information about ourselves and others. The revelations about the Prism programme and NSA surveillance show clearly how relevant metadata is.
When we call someone with a mobile phone, the phone companies have the ability to keep records of who talked to whom, where each phone was at the time of the call and how long we talked: the metadata. This seems irrelevant at first but if a lot of this information is combined it paints a picture of you: who do you talk to a lot, where are you in the mornings, in the evenings, on the weekend.
If you use an iPhone you can use a tool to tell you what all phone companies know about their customers. The iPhone Tracker is an open source application you can install on a Mac, iPhone or iPad. It will use the information about your movements already stored in your iPhone and display them on a map. A well known example of looking at the metadata of a mobile phone is a visualisation by a German politician in 2010, Tell-all telephone, which shows how much can be seen in such seemingly innocent bits of information.
Another tool that uses maps to demonstrates the importance of location data is Creepy. Many tools and social networking platforms ask you for permission to use your geo-location data: information about where you were when you took a photo or published a Tweet. Creepy presents this information about you or other users in a map. You can see over a specific period of time where you, or others, took pictures that were published later. Unless you actively turn the geo-location feature off, this information is available to anyone who is interested in finding out how, where and when you are spending your time.
TinEye Reverse Image Search
If you are curious whether the pictures you post have been copied and used by others for purposes you never thought of you might want to try out TinEye Reverse Image Search. It is availble like any other search through a website, but you can also install a browser add-on. It is very simple to use: paste the web address of any picture into the search field or upload the original picture. TinEye will then tell you whether this image can be found elsewhere, whether there are modified versions of it or, if you are searching for information about a photo not taken by you, which is the original version and where it was published.
These are just some examples that help you find out how you can increase or decrease the size of your digital shadow. To understand what we can do we need to first find out how the things we do online contribute to that shadow. The Prism surveillance program by the NSA has reminded us how difficult it is to avoid leaving traces but it is also important to know that there are things we can do.
Tactical Tech also produced five A5 cards that are aimed at raising awareness about our 'digital shadows' and providing information about how to protect our privacy. Their topics are What are Digital Shadows?, Nothing to Hide, Assessing the Risks, Endangering Others and Tracking. You can read them online but we also endorse them to be printed and shared.