Did you know that you are sitting on a goldmine? Data has become the world’s most valuable resource. As we all use technology to power our daily lives, the data about ourselves spills out across the web and, sometimes, into the databases of marketers and other information-hungry organizations. Wharton Global Youth connected with Kevin Werbach, a Wharton School professor of legal studies and business ethics, to begin our exploration of personal data and privacy. How much are you willing to share?
Wharton Global Youth Program: What is personal data and how is it generated?
Kevin Werbach: Personal data is information that is somehow connected to a person. It’s something that can be used to identify that individual. So, I happen to be wearing a blue-checked shirt right now. That’s a fact about me. That doesn’t let you identify me simply because I’m wearing a blue-checked shirt. On the other hand, if I told you my Social Security number, then you would be able to use that to figure out what individual I am and to cross-reference that with other information about me, like the fact that I’m a professor at Wharton. And you could make other kinds of judgments about me. Information about us is generated as we go through the world and as we interact with government systems and private organizations. For example, anytime we buy something or interact with a business.
Wharton Global Youth: What is data privacy and why is it important?
Werbach: Privacy is about you controlling who you are and how you represent that in the world. We all have a sense of ourselves that we, as autonomous individuals, want to construct. I may not want to tell you some fact about me. To some degree, I should have the ability to define who I am. Now, privacy has limits. We live in public. If I’m walking down a street and you happen to take a picture of people walking down the street and you see me in that picture, I don’t have a right to say, ‘No, you can’t use a camera on a public street because I might be in your photograph.’ On the other hand, if you want to use facial recognition technology to scan billions of photographs and then identify the fact that I was on this street corner at this time, and then use that to also connect it in with other sorts of photos you have about me, then we start to get to the issue of privacy. Should private organizations and governments be able to know everything about us at all times? That’s the issue of privacy. It has limits. I can’t rob a bank and then say my identity should be private and therefore I can’t be arrested. But if I’m not robbing a bank, then we really don’t want to live in a world where someone knows everything about you and can use that in ways that may benefit them and not benefit you.
Wharton Global Youth: How do you balance the motivation to share lots of information on social media, for example, with data privacy demands?
Werbach: There’s this notion that young people today don’t care about privacy, which is a complete misnomer. Researchers have studied this, and most high schoolers understand privacy. The fact that you have a public persona and are on social media doesn’t mean that you don’t care how people think of you. In fact, high school students I’ve encountered are the most conscientious about considering what they share and who they share it with. Should they have multiple accounts like a Finsta, so they can construct different personas with different communities; do they have a private story that’s different than a public story? Privacy does not mean you hide in a hole and don’t let anyone know you exist. Privacy means that you want to have some control, rather than other people, the government or some platform getting to decide what information about you is available.
Wharton Global Youth: We’ve all heard about high-profile breaches, often involving the theft of financial information or personal data of hundreds of thousands of users that is sold on the dark web. Can you help us understand the landscape for cybercrime? How has it given rise to data-protection technologies and efforts across industries?
Werbach: The first thing to understand is that there is value in personal data. The value is generally collective. The fact that I like Ethiopian food is not worth a lot of money. It’s not worth any money to me and it’s not worth any money to someone else just to know that piece in the abstract. On the other hand, if I’ve got a hundred million users of a service and I want to market to advertisers and an Ethiopian restaurant wants to advertise to people who like that kind of food and not to people who don’t, then it’s valuable to know that about me. Personal data has become a massive, multi-hundred-billion-dollar global industry. We have such great tools now for aggregating it and for building markets around that personal data.
Because personal data is valuable, it’s a target. Just like money in the bank is valuable and therefore people try to break into the bank, data that companies have aggregated about their users becomes valuable for criminals. We have such massive assemblages of data that it’s incredibly hard to keep them secure. Many organizations are not particularly good at keeping them secure. So, we have this challenge. We need to create the right set of legal restrictions and the right set of incentives, and support the right set of technologies to protect against these breaches of integrity of personal information.
“Just by walking around the world carrying a smartphone, it’s keeping track of where you are at every moment…what applications you’re using, what you’re looking at and what you’re buying.” -Kevin Werbach, Wharton Professor of Legal Studies and Business Ethics
Wharton Global Youth: Data scandals don’t just involve cybercriminals and hackers. Companies look to get their hands on personal data as a way to analyze people’s patterns and habits. How do companies use our data for commercial activities, like targeted advertising?
Werbach: Targeted advertising is nothing new. For many decades, companies have spent large amounts of money trying to sell things to people who want to buy them. What’s changed in the last 20 years or so is that now everything is digital. The volumes of information you can get digitally is orders of magnitude greater than what you can get any other way. Just by walking around the world carrying a smartphone, it’s keeping track of where you are at every moment. It’s keeping track of what applications you’re using, what you’re looking at, what you’re buying, and all sorts of other information, which is combined with other kinds of databases. Then we have increasingly sophisticated analytics to be able to slice and dice that information. And we have a whole ecosystem of data brokers who buy and sell that information and make it available to companies. Most people have no idea how much information is available about them in so many places. That’s what raises a lot of these concerns. Even though the basic idea of advertising is not new, there’s something now that’s happening that’s different and in a lot of ways scarier. One of the ways that it’s scarier is that you can be incentivized to give up personal information under false pretenses.
Wharton Global Youth: Cambridge Analytica [a British political consulting firm that harvested Facebook users’ data without their consent] is one example of this. Why was this scandal so astonishing?
Werbach: It was shocking for a lot of reasons. One reason was that they used a cute little quiz as a way of extracting personal information about people that they were using for really problematic purposes, like influencing elections. A second element that was shocking about Cambridge Analytica was that they were able to get information not just about the people who took the quiz, but about their friends, people who never volunteered to participate in anything. The third thing that was shocking was that when Facebook said you can’t do that because it violates our users’ privacy, they did it anyway. They ignored those restrictions and then made the data available for use in manipulative political activity. There’s this gap. It’s fine to say that I understand if I go on a social media site, I’m uploading pictures and therefore other people can see them. But at some point, there needs to be a negotiation where you understand what you’re giving up and what’s being done with your personal information. Cambridge Analytica was by no means the only example of this, but it was so shocking to people that it illustrated how that whole paradigm is broken: the ways the data was being used in no way connected with the ways that individuals consented to have their data used.
Wharton Global Youth: What should youth know and do about data protection as they increasingly use apps and technology to power their lives, everything from TikTok to Venmo? How can they safeguard themselves?
Werbach: My guess is that the average 16-year-old is savvier about this than the average 52-year-old, like me. They’ve grown up in a world where this sharing of information digitally has always been there. I would say you should think about what your limits are. Assume that everything is going to be shared. And that every entity you deal with online may be interacting with other entities in ways that you don’t know about. Decide for yourself what limits you want to put on the ways you generate your online persona. It’s not an option typically to drop out. But be very cognizant about which information you’re comfortable sharing and which information you’re not comfortable sharing. And think about where there are choices that you have. If all of your friends are on Instagram or Snapchat, you may not feel like you have an option not to be there. But there may be alternatives for other services you use. There are a growing number of privacy-protective tools out there to limit the advertisements you get, or to limit the amount of personal information you share when you browse the web. It’s worth spending some time seeing what is out there, so you can have some degree of control over your personal information.
According to Professor Werbach, “personal data has become a massive, multi-hundred-billion-dollar global industry.” What does he mean by that? What is the commercial value of personal data?
What is Cambridge Analytica and in what three ways were its actions “shocking?”
Do you regularly consider your personal data and privacy when you are on social media or using a financial app? In what ways do you think about it and intentionally exert control over your personal information?
Every day, no matter where I am or what I’m doing, I always find that I have the time to look through social media and Google random things. I use technology almost every minute of the day, from doing homework on the laptop to binging TV shows at 12 in the morning. However, while I’m on the internet, security and privacy are two of the many things that I am concerned about. And yet, I can do little to nothing about it. While people are using technology, personal data is being created as they browse the web, and that personal data is being shared and stolen right beneath our noses.
The first time I learned of the stealing of private information was when I was 8 years old and was desperately searching for a way to get free robux in a game called Roblox. Robux was an in-game currency used to buy in-game purchases and accessories. I spent days upon days playing the many games that Roblox offered and there was this cool cosmetic that I desperately wanted. Even after begging my parents, they wouldn’t allow me to use their credit card so I started searching the internet for a way to get free robux and happened upon this website. All I needed to do to get the free robux was to enter my account information. Since I was the person that believed that Santa Claus went down chimmies and the tooth fairy was real, I was like, what was the harm in giving them a password? Ultimately, I lost my roblox account and lost months of progress on games I loved. But that moment taught me a pivotal lesson about the need to keep your data safe.
Learning that personal data was a multi-billion dollar industry was shocking. After all, how could a person’s personal data be worth a lot? The article mentions selling the data to companies, and after I thought about it, it made much more sense. After all, all the ads I was getting while browsing for free robux was about Roblox, so someone must’ve paid money to put that ad there. Do this for every person on the web, and there’s gonna be a lot of money being paid to these websites.
Of course, I’m not saying that selling my personal data is horrible. After all, websites need money to keep their servers up after all, and a lot of these social media apps make their money from selling advertisements. However, in order to pay the workers, keep the light running, and make profit, these social media companies also make their money selling the data collected to companies dealing with data collection. And the problem is that there is no filter for the information sent. It’s the fact that I don’t know what information they are sending that makes me hesitant about it.
This limit of control is something I despise. Of course, you can control not giving your bank information to anyone, or declining a scam call. But the problem is that when you do anything on the internet, the U.S requires that the internet service provider keeps the information stored for at least 90 days. Search engines like Google and social media like Instagram can simply sell this stored information to companies and you won’t ever be informed. Smart Home products such as Google Home and Alexa listen to our every word, making privacy practically non-existent, and these companies could potentially know everything, down to which type of socks you prefer. Even if you don’t have these devices, “Just by walking around the world carrying a smartphone, [phones are] keeping track of where you are at every moment”. Truly, none of us are safe.
All of this attacks the nature of personal data, making it hard to say that our data is truly “personal”. However, there are a few ways we can try to defend ourselves. One of the many examples is the use of a VPN, which stands for a Virtual Private Network. VPN’s help mask your IP address, which is a unique code for every single computer, like your own DNA. By masking your IP address, your internet service provider doesn’t know who the information is from, so you become more anonymous on the internet. Another way to defend ourselves is to not use any personal data on public Wi-Fi Networks. These Wi-Fi networks have very weak security measures, so hackers can easily see any data you enter. Although data privacy is almost non-existent, by knowing the proper ways to protect our personal data, we can have more control and feel safe while on the Internet.
Sorry to hear about your loss in Roblox, Adrian. You are not alone in the personal data loss on the Internet. I’ve also learned some hard lessons myself about online information leaking.
In the age of the digital economy, we have been used to giving out information about ourselves online, from an email and a phone number to a home address and a credit card number, for different purposes like joining a mailing list or purchasing a jersey online. Many other times, we give out our personal data without even being aware of it, like when websites or social media track our online activities and collect our information to package and sell the data to interested parties.
While user data, to some extent, can provide information for studying online behavior and providing personalized services, the main reason why a company collects personal data is money, operated with minimal scrutiny. As you stated, companies sell data for profit. When personal data is so valuable, companies treat it like merchandise and sell or swap it with other companies or organizations. It is particularly worrisome when they collect data with private details that we are not willing to share or to be used unscrupulously. As Dr. Kevin Werbach noted in the interview, “Most people have no idea how much information is available about them in so many places.” Rarely are we informed on how our data will be used, nor are we asked whether we agree to let our data be shared with a third party.
Data breaches are also a big concern that can put our personal information at risk and result in financial losses, identity theft, and many other crises. Companies keep screwing up with the data they’ve collected, and even well-known companies are not effective in protecting their users’ data. In 2013, Target lost 40 million credit card and debit card records and 70 million customer records. In 2017, Equifax announced a breach that impacted the personal information of 147 million consumers, including birth dates, addresses, and Social Security numbers. Although these companies paid a settlement for the breach, the notifications of the breach to their users were delayed and lacked transparency.
As users, we should be more cautious in giving out our personal information. Dr. Werbach gave insightful advice on being “very cognizant about which information you’re comfortable sharing and which information you’re not comfortable sharing.” I like the methods you suggested, including using a VPN to mask the IP address and not using any personal data on public Wi-Fi Networks. In addition, protecting our computers by using security software and regularly backing up data on our devices are also helpful in protecting our personal information.
Meanwhile, just as you mentioned in your comment, we have limited control over the traces we leave on the Internet. Therefore, I’m hoping companies and organizations are more responsible and sensible in collecting data from their users and can be transparent in communicating the risks of data sharing. While a data breach may not be totally avoidable, a well-laid response plan is imperative in reducing threats and losses.
As the Internet has been so intertwined with our daily lives, personal data is a critical issue that everyone is facing and deserves more open discussion. Adrian, I enjoyed reading your comment and am glad to share my own thoughts on this important topic.