My media diary is back! This time, though, we’re going to dig behind the scenes a little bit and find out what tradeoffs I’m making in privacy and security, and examine what data usage may be taking place downstream of my transactions. As before, I’m using a 24-hour clock, and since I’m writing this at 1400, I’ll start at about that time yesterday:
June 3, 2023
1400: I’m taking a trip from City A to CIty B by way of some C-nery. Since I’m only partially familiar with the roads, I’m enter my destinations into Google Maps, along with route preferences. Even though I’ve got my location history turned off, my GPS data about speed and location to a server, and it will be mixed in with other location data to help warn about slow traffic, advise alternate routes, likely tolls, and more. I’m not using the incognito mode, so traces of this data will be available for some time.
1500: Spotify, YouTube Music: While on this short road trip, I’m listening to tunes from either Spotify or YouTube Music at any given moment. While both are available to operate through Google Maps, and they in turn together can be connected to my car via Android Auto, I’ve declined to operate them in this way together, primarily because I don’t want to associate my listening history with my car. I’m missing out on convenience, but I don’t trust auto makers to be well-versed in software security, and I don’t want a bunch of my personal or behavioral data flowing through my infotainment system. Call me paranoid, but since hackers are able to remotely start cars via SiriusXM’s services umbrella, I’m not keen on this. What is still being tracked, though, is what I listen to on these services – and that valuable data is likely funneled into larger models.
1600: It’s time to get some gas, and I’ve got an app that can help called Gas Buddy. While it’s great for locating the cheapest gas in my area (often updated by other users), it’s also apparently sucking up all kinds of other data from me including
personal information and other data, including precise location, trip location, and driving event data such as speed, change in speed and other aspects of how, how much, where and when you drive (collectively “Driving Data”).
1730: A little later, and it’s dinner time. Based on reviews of some restaurants ahead, I choose an Italian chain restaurant. The reviews are part of Google data, surfaced through the Maps app. If I choose, as I have previously, to submit a review, it can be publicly displayed and associated with this place. Similar to other products—remember Four Square?!—the inherent danger is in painting a comprehensive picture of where one’s been over time. It appears Google is learning from regulatory scrutiny and consumer demand, though, and offering more fine-grained privacy controls for its services. Still, as the saying goes, if you’re not paying for the service, then you yourself are the product.
2130: Checking out, I notice and pick up a National Geographic magazine. Perusing it, I wonder how much of my years worth of visits to US National Parks is available to data brokers. While researching that, I instead found out that defense contractor Booz Allen collects fees and data from everyone who uses recreation.gov to make camping or visit reservations.
2300: While working on some assignments for my classes, I’m visiting multiple sites and interacting with their privacy cookies. Many of these were created in response to European regulations. My default stance is to go for necessary cookies only, since I don’t typically want to evaluate other uses. It can be a pain, but I think the tradeoff is worth it. Of course, we’re heading towards a cookieless future, so I’ll be interested to see how privacy regulations adapt.
1000: It’s morning time, and I’m making breakfast. My daughter is watching Mickey Mouse Club or something similar on the Disney app on Smart TV. As I’m buttering toast and cooking eggs, I’m wondering where these watch histories end up beyond Samsung and Disney.
1300: Sitting down to write some of these things, I restart my computer and apply a security update. Coming back from this, I sign into several Google Chrome profiles I maintain. One of them asks for a new type of Multi-Factor Authentication: a passkey. I’ve known this was coming for a while, but this is my first time seeing it. To enable it, I need to allow Chrome to use Bluetooth, and it and my phone to detect nearby devices. So now, Google will know, passively or actively, I’m sitting down at my computer and logging into my email.
Now that I’m down that rabbit hole, I look through my location history, Chrome history, Web & App Activity – all separate, mind you – and see queries and trips I’d long forgotten. It makes me wonder, for another time, what differences I can generate between my ads. Already, what LinkedIn, Facebook, and Google feed me at different times is uncanny, and all of the result of the tradeoffs I’ve made along the way.
As I reflect on the previous 24 hours, I note the last part of this diary was pretty disturbing, and yet it merely confirms that which I’ve known or felt for years: so much of what we do and how we interact is shared far beyond our ability to recall it. The real surprise for me today was Booz Allen. I had no idea, even as someone practiced at privacy and security online, that I was handing data over every time I thought about visiting one of my National Parks.
All of this makes me realize that I would gladly pay for a product that acts as a privacy armor and shield, for the ability to selectively apply preselected filters to how I interact with all of this data, and provide me with some modicum of control. I don’t think that product exists yet at scale, but I’ll be watching for it.