The experts we spoke to agree on this point: the businesses that use our personal data have not put a high enough priority on preventing its misuse or giving us control of it.
As Lauren Solomon, CEO of the Melbourne-based Consumer Policy Research Centre (CPRC), puts it, "data science and coding experts are typically not provided with training in ethics or the fields that might relate to the way their data is being used".
"Data that might be shared with one party for a perceived particular purpose can very quickly end up being used in another sector for an entirely different purpose." Which is precisely what happened in the recent Cambridge Analytica scandal.
Professor Longbing Cao of the Advanced Analytics Institute at University of Technology Sydney, echoes that point. "The companies that own our data can make use of it as they want, even though their privacy policies may tell us something different.
"There is no third party, government regulations or other mechanisms to check compliance. And if we do not allow access to our data, we may not be able to use these services well."
Emeritus Professor Margaret Jackson of RMIT University, who has researched both Facebook and Google extensively, is also unimpressed with the platforms' commitment to consumer protection.
"Generally, neither Facebook nor Google protect users' privacy, as their main business model is to collect as much personal data as they can without really offering users the right to give informed consent. Neither of the two organisations offer an easy way to control the data you surrender to them."
These criticisms are echoed in the results of our survey of 2698 CHOICE members – who are generally more conscious of their consumer rights than other people – on the issue of data privacy.
Only three percent trust Facebook to protect our privacy, and only 10% trust Google.
Cambridge Analytica: legal data collection?
Companies can use our data in ways we might not approve of. Recently large amounts of Facebook data were used in attempts to influence the US election and the vote on whether the UK would remain part of the EU (Brexit).
While it's not clear how much of an impact the Facebook data actually played in either of these events, the firm caught up in the scandal – UK-based Cambridge Analytica – did get its hands on around 87 million Facebook profiles and was hired by the Trump campaign to create targeted pro-Trump messages.
Was Facebook complicit in the misuse of all this personal data? Our in-house digital expert and head of CHOICE's in-house innovation unit, Viveka Weiley, thinks they are
The social media leviathan, which has 2.2 billion active users and counting, had known about the Cambridge Analytica problem since 2015 but blindly trusted the firm to delete data in line with Facebook's policy (apps were allowed to harvest Facebook data but not share it with – or sell it to – third parties).
"Facebook desperately claimed that it didn't count as a 'breach' as no technical protection measures were bypassed," Weiley says. "Instead, they just had no serious protection measures in place."
The data that Cambridge Analytica deployed actually came from a personality quiz application called "thisisyourdigitallife". Using the app, 270,000 Facebook users gave it permission to access their profile information, including likes, birthdays and locations.
But Facebook's policy at the time also allowed the app to grab data from the profiles of the 270,000 users' friends, extending the total data grab to 87 million profiles. (It changed its policy to limit such permissions in 2014.)
Most of the profiles accessed belonged to US Facebook users, though about 311,000 were reportedly Australia-based and only 53 of those users apparently used the app in question.
How often do you use Facebook and Google
More than once a day:
- Faceboook: 33%
- Google: 76%
A few times a week:
- Faceboook: 11%
- Google: 8%
I don't have an account:
- Faceboook: 26%
- Google: 2%
How Facebook reacted
Facebook's initial response was slow, but in early April this year the company took the following actions:
- imposed new restrictions on the data apps could access
- added security updates
- committed to contacting all 87 million users whose profiles were obtained by Cambridge Analytica with a 'protecting your information' notice
- provided a link so users could check to see if Cambridge Analytica has their data issued a statement that made its terms of service slightly clearer (at least for non-lawyers) and reiterated its data policy.
Facebook CEO Mark Zuckerberg then apologised to the US Congress, where he admitted that perhaps a bit of data privacy regulation wouldn't be a bad thing.
The CPRC's Lauren Solomon agrees that there's a need for more regulation, especially in the Australian context.
"Adjusting privacy settings on phones and browsers are some good first steps, but in reality this only goes a very small way towards providing Australian consumers with greater control over what data is being collected and how it is being used," Solomon says.
"Part of this issue is the lack of transparency and vague terminology currently allowed in Australia by our privacy laws. While the EU has introduced significantly greater protections through their General Data Protection Regulation (GDPR), Australia is currently lagging behind. There needs to be a quantum leap in the transparency and control of consumer data in Australia."
Global shifts in data regulation
The GDPR will take effect in the EU on 25 May 2018, a development that CHOICE welcomes.
"The GDPR makes some great changes to the way privacy policies have to be presented," says CHOICE head of campaigns and policy Sarah Agar.
"Policies need to be user-friendly and informative, and can be coupled with short 'privacy notices' that state in clear language exactly why certain personal information is being collected. Any steps to make terms and conditions clearer, shorter and more useful for people is positive."
CHOICE has long supported the principle that consumers should be able to access their own data, including data around credit card use and how data affects insurance premiums.
Knowing how businesses use this data would be even better.
"While the GDPR establishes some new rules that will benefit consumers, it overlooks some things that are important in today's data-driven marketplaces," Agar says.
"Enabling consumers to know what data companies hold about them and why they have collected it is important, but more important than this is knowing what they are doing with the data, and how that affects you."
Data regulation in Australia
There have been some recent moves towards regulation of digital data collection in Australia, especially in the wake of reports that Google has been secretly harvesting the personal data of about 10 million Australian Android mobile device users and selling it to advertisers. The downloads are the equivalent to a gigabyte of data a month, costing the users a combined $580 million or so in year in data costs.
According to the US software giant Oracle, Google has been collecting location and other personal data from Australian devices even when location services were deactivated and no SIM cards or apps were in use.
In addition to this latest development, the ACCC is looking into whether Google, Facebook and Apple News are unlawfully undermining competition in the Australian media market.
In 2014 Google accounted for 40% and Facebook for 12% of referrals to major news and entertainment sites. In 2016 they accounted for a combined 75% of referrals (Facebook 40%, Google 35%).
With this kind of market dominance, less than a quarter of internet users in Australia go directly to a website or app.
In addition, Australia's privacy commissioner is looking into whether Facebook violated the Privacy Act by making Australian Facebook user data available to Cambridge Analytica, inadvertently or otherwise.
Solomon acknowledges that big data can have benefits, but argues its collection and use needs to be better regulated to protect consumers.
"Data can be used to improve consumer experience, reduce complexity and drive better service delivery," she says. "However, what is also clear is that where these data amalgamation and profiling practices result in consumers potentially being excluded from certain products or targeted with inappropriate products for their needs, this can come with significant consumer backlash."
"There are great benefits to be derived from data sharing, but it needs to happen with the right protections and with consumers ultimately in the driver's seat."
People want privacy to be easier
Our research suggests many Facebook and Google users (including Google Search, Chrome, Gmail, Maps and YouTube) don't know about, let alone use, privacy settings that let them limit what they share on the platforms.
In a recent survey of CHOICE members, about 90% of both Facebook and Google users were aware that the platforms collect their personal data. The number of respondents who are worried about this was almost as high (79% for Facebook and 71% for Google).
But only 51% of respondents said they had changed their Facebook privacy settings to limit access to personal information; for Google the figure was 35%.
That's probably because privacy settings can be so hard to find. An overwhelming majority of our survey takers (98% for Facebook, 96% for Google) believe the platforms should make it easier for consumers to understand how their data is being collected and used.
Ninety-five percent of the Australians surveyed said they wanted platforms to allow them to opt out of data collection, and 85% objected to personal information such as phone contacts and messages being shared.
Getting around local privacy laws
Professor Jackson of RMIT says neither Facebook nor Google makes much of an effort to help users control what they're sharing.
"Facebook does allow you to restrict the number of people who can read your posts by using a privacy setting, but that doesn't stop Facebook from collecting this data," says Jackson.
"Google doesn't offer a private setting, though it does allow you to delete your browsing history, as well as clear cookies and site data."
And while both Google and Facebook have features that let users see the data that's been collected about them, the features only go so far.
"What is still difficult, if not impossible, is to access this information to correct it or to have it deleted," Jackson says.
"Generally, requests to amend data and to obtain further information about what data is held are denied."
Jackson also says that Google and Facebook claim that privacy laws in individual countries do not apply to their operations.
For instance, the New Zealand Privacy Commissioner recently determined that Facebook is non-compliant with its Privacy Act, "but Facebook denies the Act applies to it, although it collects data from NZ users," Jackson says.
"Both claim that they have obtained users' consent to collect, store, use and disclose their data. They also rely on the argument that the personal data has been 'shared' with them which implies consent. Consent means that the privacy principles do not apply."
Jackson says Facebook can expect increasing scrutiny from regulators around the world following the Cambridge Analytica breach and previous transgressions.
"Facebook was aware of the unauthorised access to its users' and users' friends' data in 2015 but failed to comply with the obligations to notify government representatives and individuals of a data breach. This will be an area of future litigation."
How to find out what information you're sharing
You can get better acquainted with your digital self by having a look at the "my activity" function in your Google account or similar functions on Facebook (see below).
One avid Facebook user who recently unearthed her data and shared it with CHOICE was stunned at the size of the file. "They know everything," she says. The list of her ad engagement history alone reads like a point-by-point profile of her enduring interests and concerns.
- Things you search for
- Websites you visit
- Videos you watch
- Ads you click on or tap
- Your location
- The type of device you're using
- Your IP address and cookie data
- Emails you send and receive on Gmail
- Contacts you add
- Calendar events
- Photos and videos you upload
- All of your Docs, Sheets, and Slides on Google Drive
- Your name
- Your email address and password
- Your birthday
- Your gender
- Your phone number
- The country you live in
And here's what Google says they use it for:
- Customised Google maps experience
- Auto-complete search and tailored results based on previous searches
- Auto-filled forms
- YouTube suggestions
- Content and information you create and share
- Location and date of photos you post
- The type of content you view or engage with, and the frequency and duration of such engagement
- Information other Facebook users provide about you or send to you, including photos, messages and contact information
- The people and groups you're connected to and how you interact with them, including address books you upload, sync or import
- Information about Facebook-based financial transactions, including credit or debit card numbers and security identifications and billing, shipping and contact details
- The types of devices you use and their locations, the types of browsers you use, the name of your mobile operator or ISP, your mobile phone number and email address
- Information on the websites and apps you visit that use Facebook services (such as "like" buttons or Facebook logins)
- Information about how you respond to ads on Facebook
- Information from other companies that are owned and operated by Facebook (such as Instagram and WhatsApp)
And here's what Facebook says they use it for:
- Personalised features and content, including news and Instagram feeds and ads
- Suggestions on who to connect with
- Auto-filling registration details on different Facebook products
- Location information (if enabled) for geographically targeted ads and other content
- Research to develop and improve products
- Face recognition (if enabled) in photos and videos
- Helping advertisers measure the effectiveness of ads
- "To conduct and support research and innovation on topics of general social welfare, technological advancement, public interest and health and well-being"
Giving it away for free
It's no secret that Google and Facebook's business model is selling your data to advertisers. The question is whether we're giving away more than we get in return.
According to one prominent US Big Data expert, Nathan Newman, the answer is a resounding yes.
"Users undervalue the personal data they provide and most users don't even know their data is being shared with third parties" Newman wrote in a 2014 research paper, adding that the "economic value of content and data flows largely for free to the big data platforms" and users "are largely disempowered from demanding protection for their privacy".
Text version of infographic:
Facebook: $US 6.08 per user (over 4th quarter 2017 worldwide. Source: Facebook earnings report)
Data gone bad: behaviour profiling
One of the primary ways data is being used by third-party advertisers to the detriment of consumers is through behaviour profiling, Newman argues. A couple of examples:
- Price discrimination: Advertisers offer goods at different prices depending on your data profile (where you live, what kind of car you drive, who your friends are, whether you have a university degree, the online content you consume, etc.), in an effort to extract maximum revenue from each customer.
- Targeted scams and dodgy products: Unethical companies use data to identify people who may be vulnerable to financial scams and dodgy financial offerings like payday loans or debt consolidation.
Protecting your privacy on Facebook and Google
If you want to be as private as possible on Facebook or Google, or learn which data is stored about you, here's a guide to some of the platforms' key privacy features along with a few tips.
- To limit what Facebook collects about you, you can choose not to log onto other sites and providers with your Facebook password and consider whether you want the information you are about to post to be collected by Facebook.
- Facebook lets you access information about your activity on the site, but it will only show the data you've provided rather than exactly what's been collected, how it's used, and who it's been shared with.
- You can also request a file that will show more of the data Facebook has on you, including a list of ad topics that have been based on your likes and behaviours, a list of Ads History showing every ad you've clicked on, and a list of advertisers with contact information.
- You can edit the privacy settings for Facebook-based apps and games, though this may affect whether you can still use the app or game.
- But be forewarned: if you delete your Facebook data you won't be able to log in services that you have previously accessed with you Facebook login.
- If you're not a Facebook user, you may be surprised to know that Facebook also collects data on you. The company claims people who don't have a Facebook account can access the data it holds about you by downloading and submitting a data access form.
- Google Chrome privacy controls let you delete your browsing history and clear cookies and site data, and Google account settings let you see which apps have access to your account and check your privacy status (such as location services).
- You can delete your Google activity history by going to myactivity.google.com when you're logged in.
- You can also reject Google's offer to store your passwords on other sites and decline to provide your location when asked.
- You can decline to allow Google to access the photos you take on your smartphone and alter settings on apps to reduce what Google can access.
- But if your employer uses Gmail, all of your sent and received emails, including attachments, as well as your calendar and contacts, are accessible by Google whether or not you've given consent.
- Google Dashboard and Google Takeout let you view and manage the information Google has collected on you.
Some experts argue that Australia is behind the times when it comes to data privacy and protection.
Meanwhile, protections for consumers in the EU will include the following from 25 May 2018:
- Companies are required to improve transparency around consent to data collection and use so that the policy is easy to understand, specific to purpose, easily accessible, and allows for consent to be easily withdrawn.
- Consumers have expanded rights to access their data, have their data deleted, and to transmit their data.
- Consumers have the right to be notified of any data breaches.
- Projects and products must have privacy compliance built in from the start (privacy by design).
- Companies can be fined up to 4% of annual turnover or €20 million (whichever is greater) for contravening the GDPR.
- Jurisdiction applies to all companies (including overseas companies) processing the personal data of people in the EU.
CHOICE members weigh in
We received comments across the spectrum in our survey of 2698 CHOICE members, ranging from very worried to 'what's the big deal?' Many respondents have taken steps to protect their privacy.
"How can anyone be certain of the trustworthiness of any site? I am deeply concerned over the astounding power held by these companies."
"Both Google and Facebook are very arrogant companies, and they are so big and powerful and greedy for money to satisfy shareholders that they will stop at nothing and continue data mining."
"I'm very worried about them tracking me."
"I'm feeling quite pleased that I decided many years ago that Facebook was way too scary to use."
"My friends and family laughed at me when I set up an alias account with a fake birthday, etc. Now they understand!"
Not so worried
"I don't care about privacy at all. Happy to be public about almost everything."
"Let's get government sorted out first. They are far worse than Google or Facebook because you can opt not to use them or use VPN, blocking and security tools to stop them."
"People are obsessed with their boring personal data. How important do they seriously think they are in a world of eight billion?"
"Really I am not too worried about the data Google has on me. I have nothing to hide."
"I think Facebook does a good job at giving you tools to protect your privacy from other users, and I am confident in Google to protect my data from being hacked."
Have taken steps
"I always use a VPN with maximum anonymity when browsing. Google apps on your phone can also track your movements. The only way to stop tracking of any nature on your phone is to remove the battery."
"I have felt uncomfortable for some time using Google Chrome. I no longer use Chrome for banking, Facebook or any shopping including eBay/Amazon/Gumtree, etc."
"It is essential that consumers learn how to play Facebook at their own game. The best way to do this is to create multiple accounts for different purposes. I use one Facebook account, created using my main pen name (I have many), for logging easily into websites and commenting."
"I have modified my Google account to remove collected data and prevent further collection. I assume that Google has actually complied with the setting changes."
"I use various pieces of software to limit Facebook and Google's power such as adblocks, script blocks, etc."
What have consumers done to protect their personal data?
5 out of 10 Facebook users and 3 out of 10 Google users have Updated privacy settings in their account to limit access to personal information
4 out of 10 survey respondents didn't provide or have removed personal information such as birthday or gender on their account profile
3 out of 10 survey respondents disabled Facebook or Google sign-in on other platforms
1 out of 10 survey respondents provided fake information on their account profile
Source: n= 2698, Voice Your Choice survey conducted March 27 to April 9, 2018, unweighted.