Make no mistake, your personal data isn't your own. When you update your Facebook page, "Like" something on a website, apply for a credit card, click on an ad, listen to an MP3, or comment on a YouTube video, you are feeding a huge and growing beast with an insatiable appetite for your personal data, a beast that always craves more. Virtually every piece of personal information that you provide online (and much that you provide offline) will end up being bought and sold, segmented, packaged, analyzed, repackaged, and sold again.
The "personal data economy" comprises a menagerie of advertisers, marketers, ad networks, data brokers, website publishers, social networks, and online tracking and targeting companies, for all of which the main currency--what they buy, sell, and trade--is personal data.
[ FREE DOWNLOAD: 68 great ideas for running a security department ]
Their databases pull user information from a long list of sources--everything from birth certificates to browsing history to Facebook "Likes"--and they're becoming better at finding patterns in the data that predict what you might do or buy in the future. A child born in 2012 will leave a data footprint detailed enough to assemble a day-by-day, even a minute-by-minute, account of his or her entire life, online and offline, from birth until death.
And the databases that collect this information are increasingly hyperconnected--they can trade data about you in milliseconds.
Facebook, to many, is the face of the personal data economy. Its entire business is aggregating the personal data that its users give at the site. Today, Facebook uses that mountain of personal data to help advertisers target ads on the Facebook site. However, as many observers have said, Facebook's investors are likely to pressure the now-public company to look for new ways to "monetize" its personal data.
"We're accepting more privacy intrusions each day, sometimes because we don't realize what we're giving out, other times because we don't feel we have a choice, other times because the harm of this isolated transaction seems so remote," says privacy attorney Sarah Downey, who works for personal data security products company Abine.
She adds, "Once collected, our data ends up in unexpected--and unwanted--places, and spam emails, inclusion in harmful information databases, and even identity theft can follow."
In the following pages I'll try to add to the personal data economy story by describing some of the latest trends in personal data collection and analysis--the combination of online and offline data, hyperconnectivity and real-time ad targeting, browser fingerprinting and tracking, and finally the new methods of analyzing huge databases of consumer information.
Combining Online and Offline Data
Personal data has become far easier to access and aggregate than it used to be. Long before we started cataloging our lives on the Internet, much of the information about us lived in hard-copy public records documents at the city hall or the county courthouse. Those public records, which include birth data, real estate records, criminal records, political affiliation and voting records, and more, have in recent years been scanned, digitized, and otherwise fed into databases. That data is now being combined with our online personal data.
A whole industry of public records data companies has sprung up to aggregate public records data from every city, county, and state in the union, and to make the data easily available online (for a price). Some of these firms, like Intelius.com and Spokeo, are combining public records data (originally created offline, in the physical world) with online data (information that we give out via the Internet), such as personal data from social networks.
Spokeo aggregates data taken from social media and networking sites, and it augments user profiles with public records data, the company's chief strategy officer, Emanuel Pleitez, tells me.
Intelius Inc., which owns Intelius.com and other "people search" sites, has begun augmenting its core public records data product by adding social network data to its user profiles. "It's an area we're moving in now," says Jim Adler, chief privacy officer and general manager of data systems at Intelius.
He adds, "Our job is to pull data together from whatever sources are available. If it's publicly available, we'll use it."
Today Intelius is capturing only the most basic information from Facebook, Twitter, and other social networks--names, ages, and where a person has lived. But many aggregators are just beginning to explore the uses of social networking data.
Data Combination Could Pose New Privacy Threats
What may be a dark side to this mashup of public records and social networking data is this: Public records sites such as Intelius, Spokeo, and PeopleFinders.com distribute the kind of data that landlords, insurers, employers, or creditors could easily use to screen applicants--but the sites insist that their content is not intended for such uses.
"The use of our service to screen potential employees, tenants, or for any other purpose that's restricted by the Fair Credit Reporting Act is in violation of our Terms & Conditions," Intelius's Adler wrote in an email to PCWorld.
But many people suspect that personal data offered at public records sites is being used for exactly such purposes. As FTC Commissioner Julie Brill has commented: "I have long been concerned about data that [is] used in place of traditional credit reports to make predictions that become a part of the basis for making determinations regarding a consumer's credit [and] his or her ability to secure housing, gainful employment, or various types of insurance."
And in truth, the public records sites would have no way of knowing if this happened--and may not want to know.
Add social networking info, and an employer or landlord could get a more nuanced (but potentially misleading) picture of a person. Here, data from two parts of a person's life is being accessed--public records, formal and open, and social networking data, informal and intended for "friends." An applicant for a job, a housing rental, or insurance would probably have no inkling of his or her social network data being accessed.
Combining Data for Political Targeting
High-tech targeting isn't just for selling products anymore. It's now being used to sell candidates and ideas.
Political campaigns are combining online and offline data to form a detailed picture of prospective voters, and looking for clues that a voter might be swung by a well-targeted ad. Campaigns from both major political parties are hiring political advertising and consulting firms like Aristotle, CampaignGrid, RapLeaf, and TargetedVictory, all of which have amassed personal and political data on millions of people.
This data is gleaned from voting information in the public record--party affiliation, and how often the person has voted over the years.
Firms can combine that offline political data with other offline data such as real estate records, and then combine that with a subject's online activities, such as social network profiles, online shopping histories, contributions to charities and political causes, and articles read (the types of articles you read say a lot about your political leanings--whether you're pro-guns or pro-choice, say).
Political campaigns will spend more than ever before on advertising in the 2012 elections, according to a report from Borrell Associates, and they will spend far more on online advertising than in the past. Campaigns will spend a total of $9.8 billion (much of it Super PAC money) in 2012, up from $7 billion in 2008, and online advertising spending will rise to $160 million in 2012 from $22 million in 2008.
Still, online political advertising remains in its infancy. While TV will get 57 cents of each advertising dollar spent on 2012 campaigns, online advertising will get only 1.4 cents, the Borrell Associates report says.
Online Advertising 3.0
The online advertising business is powered by personal information. In fact, the industry is being defined by an arms race to develop both new ways to collect more (and more accurate) personal data and better methods to track and analyze people's online choices and behaviors.
Virtually every player in the Web advertising business is sitting on a big database of personal data. Those databases contain the demographic, preference, and social data of millions and millions of Web consumers, and those databases are growing larger and larger all the time. Those databases have also become hyperconnected; that is, various players in the ad delivery chain can share the personal data in those databases in just milliseconds.
In the Web's early days, advertisers were content to place ads in front of people they knew little about in hopes that two or three in 100 would click on them. That "blind" ad-serving model is giving way to "smart" ad serving, where advertisers and their agencies work with intermediaries, and a lot of targeting data, to place ads in front of users likely to click on them.
They judge that likelihood by identifying a person visiting a website, and then evaluating the person's profile in a database, which might contain the person's browsing history, online buying habits, demographics, and even the likes and dislikes of their Facebook friends. After the target prospect has been identified, advertisers want to use the data in an effort to serve up a highly personalized ad to the target.
In short, advertisers are moving away from buying clicks, and toward buying "audiences," instead. The audiences are defined by commonalities in their personal data, gathered from many different sources, both online and off.
"[A]n arms race [is] going on in the data economy right now," says Shane Green, CEO of Personal.com, which offers a personal data management tool for consumers. "Everybody is working hard to find differentiated data, and differentiated analytics."
The quality and variety of what's in those databases makes all the difference in the success of an advertising campaign. "The companies that are able to use their data to best identify and serve ads to site visitors in real time will win," one advertising executive who chose to remain anonymous told me.
Real-Time Ad Targeting
Here is a radically simplified explanation of how an advertiser would place an advertisement on a website today:
When someone visits a website, that site has an opportunity to deliver a targeted ad on behalf of one or more of its advertisers. To do this in real time, the website posts the availability of an advertising opportunity on an "exchange"--a Web-based open market where advertisers can bid to deliver targeted ads.
But before the advertiser buys the opportunity to show its ad, it wants to know a lot more about the person who will view it. So it looks for a small bit of identifying code (an HTML cookie) that it has installed on the visitor's computer in the past. The advertiser then determines whether the cookie ID matches an audience profile in either its own database or that of one of its technology partners.
The profile databases within which the advertiser looks can contain information from hundreds of sources of offline and online data, and can be augmented with information bought from large data brokers such as Acxiom or Experian, or from specialty data brokers like 33Across and Media6Degrees, which sell profiles based on people's social networking data.
If the advertiser finds a match, it then determines how much to pay for the impression based on factors that may include demographics, time of day, or even how recently the visitor last saw one of its ads.
The advertiser might then work with another technology partner to adjust the content of the ad (anything from the messaging to the color of the product) to match the likely interests and tastes of the site visitor.
All of this happens in milliseconds.
Fingerprinting Tech: Data Aggregators' BFF