Seeing Who Shared Your Private Data

Bob Leggitt | Sunday, 5 January 2014 |

Most articles about Internet privacy focus on individual infringements. But what I want to look at here is something much bigger. I want to express how easy it is to see who’s sharing our data on the Web, and look at why, despite being able to see all the obvious indicators, we ignore the issue and allow ourselves to be profiled into one enormous online dossier.

The Real Time function on Google Analytics is live, and gives webmasters a revealing insight into visitor behaviour. This generic image has had its info removed. See the body text for more...

People often imagine information-sharing as something that happens behind our backs, and that’s often the case, of course. But the bulk of the information-sharing we’re subjected to in the online world, is entirely visible. We can see who’s sharing the data, we can see who’s receiving the data, and yet we let it happen. Why do we let it happen? Well, that’s mostly down to a potent and highly manipulative regime in which big Internet powers bait us Web users into giving up our privacy, typically dangling convenience, or free services, as the bait.

Free services are a pretty obvious trade-off. An organisation lets you use its Web facilities without financial charge, in exchange for a valuable insight into your likes, dislikes, hopes and fears, which it can then sell on to those in a position to exploit that insight: the marketers. The people who can see you’re single and desperate for a date, and sell you an introductions service. The people who can see you’re avidly applying for a new job, and sell you a re-training package. And yes, even the people who can see you love pizza, and sell you a thirteen-inch Hawaiian with all the extras.

But one of the less obvious data-sharing tactics is connectivity. “Why not connect your email to Facebook and Twitter? It’ll be so much more convenient for you!”… Great! You just gave your email provider all your social networking details. It’s really none of their business, but what the heck? It makes life easier… Or, “Why not add a Twitter Timeline widget to your WordPress sidebar?”… Great! You just tied your Twitter account to an indelible WordPress account which I imagine will retain that association indefinitely. And it can also work in reverse, with social networks gaining an insight into your email use, and Twitter establishing more about you through the connection with your blog, your website, or anywhere else you place its widgets.

Even things seemingly as inconsequential as activation emails can be a way of inadvertently (but entirely visibly) sharing data. Your email provider had no idea you liked girl-on-girl pillow-fighting, but since you joined that epic girl-on-girl pillow-fighting discussion group and the activation email went out, your secret really hasn’t been quite such a big secret anymore. Think about it; if you subscribe to email alerts for all your new blog followers (or similar functions on other socially-driven sites), your email provider not only ties your identity in with your blog – it also knows who all your followers are. Then there's the information collected by Facebook Like buttons and Thanks buttons on forums. The more deeply you consider it all, the more frightening it becomes.

Twitter Notifications
Twitter's Notifications screen. Tick all these boxes, and you're getting a bit of extra convenience, whilst serving your email provider with a handy dossier on your Twitter activity. It's data-sharing before our very eyes, but do we notice it?


The thing I’ve found perhaps most thought-provoking in my ongoing analysis of Internet privacy has been the amount of info it’s possible to get through Google Analytics – the free webmaster utility for monitoring site visits. If you have your own website or blog, it’s possible using Google Analytics not only to see the approximate locations of your visitors, but also to see their exact behaviour on your site, in real time. You can watch them flitting from page to page, see which links they’re clicking and how quickly, and essentially determine what they’re reading vs what they’re flicking past. GA doesn’t literally tell you who the visitors are, but if you’re curious, and they’re coming in from networking sites, discussing the pages they’ve visited and so on, it’s possible in some cases to get a pretty firm picture of a specific individual’s behaviour.

I'm not saying that Google Analytics is a massive privacy issue in itself. Afterall, webmasters can only monitor people when they’re on their own sites, and even if they think they know someone’s identity, they can never really confirm it. But there’s a much bigger concern. Namely, if Google gives webmasters that level of monitoring capacity and depth of information, as a free ‘throwaway’, just imagine the sophistication of Google’s own monitoring systems. The top secret stuff it would never let the public see. Google probably knows more about many Web users than their own families know about them. And Google obviously isn’t an island.

The overriding message is that the Internet as a unit builds a linked picture of us all, and if anyone really has the determination to investigate, chances are they’ll find pretty much everything you’ve put out there, whatever ‘disguise’ you may have thought you were using. The real problem is the inadvertent way in which we keep leaking our traits, and linking our accounts, often unaware of how everything connects together, and how easy it can be even for members of the general public to find out who’s who. If I, without any insider knowledge, can fairly straightforwardly find multiple accounts people have set up and inadvertently connected, then just imagine what the likes of Google know.

The whole thing is like a slow-acting trap. You start with the intention of compartmentalising your life – ‘need to know’ only for each separate ID. But a few years down the line you find it’s all become one big picture. You’re no longer Dave X, Pete X and Joe X. Suddenly, you realise you’re just you, and the aliases are pointless. Google and/or Facebook has your real name, address, telephone number and ID photo, and everything else you’ve used is in some way connected to that. The drip-drip of data mining has beaten you. You’re not anonymous. Your privacy does not exist.


There are, however, a few things you can do to avoid this inevitable consequence becoming a painful experience. I conclude with a short list…

  • Don’t do anything embarrassing, or troll anyone, or behave in any manner you wouldn’t consider appropriate in the offline world. Just don’t – it’ll inevitably become the most interesting thing you’ve done on the Web, and unless you’re an absolute genius with privacy management, it’ll result in those with a wish to do so finding out much more about you than you’re comfortable with. They may even publish their findings.
  • Don’t provide any information you don’t need to provide. This, combined with the above point is an absolute cornerstone of good practice when it comes to Internet privacy. Realistically, you’re not going to stop your data being shared, or being associated through connectivity, and you can’t trust anyone to delete or keep to themselves the details you give. The only way to maintain the level of privacy you need is to keep your really private data off the Web entirely.
  • Think carefully anytime a site offers to make things more convenient for you. “Finding your friends” on networking sites, “Importing your contacts” to mail or messaging services, “Signing in” to anything you really don’t need to sign into (like Google Chrome), should be treated as red alerts. You’re getting what might be a small amount of added convenience (and sometimes no real benefit at all), but the privacy you’re giving up could have a much bigger, negative impact on you at some stage in the future.

Planet Botch is contactable only via Twitter.