It’s an experience every computer or smart phone user has had. After downloading new software or an app, a window pops up with a legal agreement. At the bottom is an “I agree” button. One click, and it’s gone.
Most users have no clue what they’ve agreed to.
That single action can empower software developers to extract reams of personal information – such as contacts, location, and other private data – from the devices. They can then market the information.
Even as privacy erodes in the digital era, little outcry arises over the digital tracking and profiling of consumers. Only slight murmurs are heard on Capitol Hill.
But a handful of security researchers, lawyers and privacy watchdogs voice increasing concern that consumers might one day wake up in anger at the collection of data by software companies, which win the right to do so through “end user license agreements,” also known as EULAs. One researcher says the data collection potentially poses a national security threat.
For now, news about how companies collect data emerges in bite-sized stories. In late July, articles brought to light that certain models of the Roomba robotic vacuum not only collect dust as they whir across the floor, they also map the homes of users and send the data back to headquarters. The Massachusetts manufacturer, iRobot Corp., may share the data to enable the smart home and the devices within it to work better. It says it will do so only with customer consent.
iRobot chief executive Colin Angle said, “iRobot will never sell your data.” He added that such information “needs to be controlled by the customer and not as a data asset of a corporation to exploit.”
Other companies, empowered by the click-through habits of consumers that allow them to gather and sort through data, exploit the information by selling it to data brokers.
“We need legislation that basically forces these companies to be very, very clear on what information they are taking from us when we install these apps,” said Michael Patterson, chief executive of Plixer International, a Kennebunk, Maine, cybersecurity firm.
“If they change the EULAs, they have to tell us, and they also have to make what they’ve taken from us available at any time,” Patterson said.
“When you buy a box of cereal or crackers, on the side of it it gives you nutrition facts,” Patterson continued. “That’s what I want. I want nutrition facts on every piece of software I install so that I can … click on it and it says all the information they’re taking.”
Gary Reback, a Palo Alto, California, antitrust lawyer who has tangled in legal battles with Google and Microsoft over data privacy issues, said data harvested from consumers has led companies to create individual profiles, often at a level of detail that even family members may not know.
“When an online profile is created of you, which you never really get to see, it’s not just kind of what you buy, it’s who you might vote for,” Reback said in a recent telephone interview.
An old saying goes that when a consumer gets a service or product for free, the consumer becomes the product. His or her profile becomes an item to be marketed.
“You may think your identity is, you look in the mirror and that’s what you see, but it’s really not. Your identity is what they’ve compiled,” Reback said. “That is kind of scary when you think about it. I just don’t think people think about it enough.”
Internet-connected devices proliferate in homes. An estimated 8.4 billion such devices exist in the world today, the Gartner research firm says, and that number is projected to climb to 20.4 billion by 2020. Those devices are often lumped together as the “Internet of Things.”
“It’s getting worse because the Internet of Things is like where your location is, how much your heart rate is going, (and) what you’re saying with these new voice-controlled devices,” said Chris Wysopal, cofounder of Veracode, a Burlington, Massachusetts, app security company.
Wysopal is concerned enough about privacy that he avoids all voice-activated devices in his own home out of concern they may be feeding his private activities back to manufacturers. But he said young people may feel that “we enjoy all this technology so much that we’re willing to give it up.”
As time passes, added Reback, the growth of big players in technology may leave consumers with the sense they have little choice but to accept conditions imposed on them.
“You’ve got no alternative. Back when there was competition, if some people did a better job at protecting privacy, that might have influenced your choice,” Reback said.
Where the issue may head is unclear.
“I don’t have a good answer for where it’s going to go. But I think that things might just change that people really start to think it’s fine to have all this data in the hands of third parties,” Wysopal said.
A corollary to how the personal data of consumers is used is whether companies can keep the data safe, said James Scott, senior fellow at the Institute for Critical Infrastructure Technology, a Washington center that calls itself America’s cybersecurity think tank.
If U.S. adversaries hack databases containing consumer profiles collected and built up by data firms working with software companies, they could use the information to manipulate public opinion to stoke chaos, Scott said.
“What happens then is that nation states are able to fan the flame of alt right, alt left, Bernie Sanders supporters, Trump supporters, Hillary supporters,” Scott said, adding that a potential campaign could “fan the flame of distrust of the population against the government.”
Scott, too, said he stops using some products when he learns that companies are marketing his usage data, and did so after a lawsuit filed in April charged that Bose, the audio manufacturer of wireless headphones, “was monitoring your music and selling that data.”
“I’m a privacy rights kind of guy, so I tossed my Bose and will never buy Bose again,” he said.
Bose, on its webpage, says it “respects the privacy of our users.”
Patterson, the Plixer chief, said he is particularly wary of smart phone navigation apps.
“Maybe they keep track if I’m speeding a lot,” he said. “Maybe they sell it to insurance companies.”
Scott said that on a trip to one of the main U.S. intelligence agencies, which he would only identify as a three-letter agency, he was stuck at security with an unrelated large delegation and asked a colleague who they were.
“‘Oh, that’s Google,’” he said he was told. “‘They are always here begging us to buy their data.’”