I work in an industry supported by advertisements. We give you something for “free,” and in exchange, you agree to view ads from companies and organizations that want something from you. Connecting you to an advertiser is called “targeting.” The better we do at matching you to an advertiser, the more money we make. If I know you are in the market for a car, I can make a lot of money putting GM ads in front of you. If I know you’re looking for a minivan, I can make even more money connecting you with ads from GM, Pampers, and Fidelity 529 college savings plans. Better targeting equals more revenue for us, and presumably for our advertisers too.
Before the Web
Up until about a generation ago, targeting was pretty coarse, and therefore the cost to reach a potential consumer was high. Twenty-five years ago personal data meant buying bulk credit reports and using public census data to “target” physical junk mail to your house, or putting an ad in a newspaper or on TV and hoping the right people would see it. Much of the impact of those ads were lost on people who were outside the target market. Then the web and the browser “cookie” were born, and the age of the “profile” was upon us.
The Web 1.0
The web began to both reduce the cost and improve the targeting of advertisements. “Ad Tech” business began assembling databases of “profiles” – somewhat anonymous collections of information roughly corresponding to individual people. Advertisers could spend less on TV, and more on digital ads that they knew would only be displayed to targeted profiles. For example, Budweiser could target their beer ads at profiles who have been on both nfl.com and espn.com in the last 7 days. These more specific profile targets meant less wasted ad dollars, and more ability to tune a message – and so more profit.
The Web 2.0
With the rise of mobile devices and social networks, these profiles have become more and more detailed, and less and less anonymous. Somewhere around the year 2013 we reached the era of the individual target, and in the last few years with the commoditization of “big data” and machine learning, the profile has essentially become a complete record of every aspect an individual’s life. Pause for a moment to consider that: an advertiser can now target you, individually, based on almost any material detail of your life. You are now a profile.
An advertiser can target 25-30 year old Hispanic males who are currently in a Starbucks and who recently visited a Wendy’s, have more than $5K in debt and are probably looking for a new phone. If an advertiser has a specific message that they want to use only for Robert Jones, email rjones@example.com, tel #408-555-1212 in that exact same Starbucks, that is possible too. Moreover, that message is computer controlled and tested on-the-fly to ensure it has the greatest possible impact on Robert.
Facebook and the Profile
Much of this targeting power comes from Facebook. We have been willingly putting volumes of personal information into their systems for more than a decade. Facebook and tens of thousands of affiliated companies are using that information to put ever more specific ads in front of you. To be sure, Facebook is not the only player here. There are perhaps a dozen very large companies that can and have assembled very rich profiles on nearly everyone in the online world. However Facebook stands out for its combination of breadth and depth of information on us.
Until recently, essentially all of our “personal” information Facebook hosted was available to anyone with the skills to write a Facebook affiliated app (full disclosure – including my company). Each application developer was bound by a Terms of Service on how that data could be used, and most of these developers carefully accepted that responsibility and followed these terms closely. But not all. As I showed earlier, that personal information is very valuable, to legitimate advertisers and others too. Once the data is out, it cannot be put back. By poorly policing their partners, Facebook contributed mightily to the proliferation of personal information.
Is this a Facebook specific problem? Yes and no – there are many companies that are careful, conscientious, and trustworthy with personal data. However once a company makes personal data available to partner companies (even in a limited way), all bets are off. Keeping careful track of users' personal data is a pure cost - there are no monetary rewards, and in much of the world the penalties for failing to do this are effectively non-existent. Only the EU’s GDPR regulation, which comes into force this year, comes close. I’m not an expert in this law, but I don’t believe it would have prevented Cambridge Analytica from misusing Facebook’s data. At least, to me it seems likely Facebook could claim they were largely in compliance, and their 3rd party application partners were the ones that misused the data, and hence should be subject to any penalties.
You might be bothered that an advertiser, political entity, or government can find out so much about you, and then quickly and cheaply craft a message desgined to influence your behavior. I know I am. So what can we do about it?
Your Options
If you completely disconnect from online life – no email, no mobile phone, no web browser, no cable tv, always pay with cash, don’t drive a car or travel on a commercial flight, never apply for any credit, don’t register for a political party or to vote, never apply for insurance, and refuse to have your face photographed, you stand a reasonable chance of mostly staying out of all personal analytics databases.
Alternatively, you can ignore the whole issue. In that case you should not be concerned if companies, governments, political parties, non-profits, anyone who works at a data analytics firm, or any moderately determined hacker know essentially every single important detail of your life. This includes health details by the way, despite regulations like HIPAA. Why do you have $10 charges on our credit card from Walgreens once a month? Could that be a prescription? That data can be cross referenced with medical office location data, online search activity, and personal email scans (all available for purchase). I don’t need your medical records to know with very high probability you have diabetes. That’s valuable information to a life insurance company.
You’re not a person – you’re just a profile. Your information – from your birthday to your bank balance to your blood type – is bought, sold, rented, and targeted every day. There’s not a damn thing you can do about it.
References
Some example from the industry, without implying any bad acting on the part of any of these companies: