/ Technology

Are you worried about your data being shared and sold online?

Do you feel you have a complete understanding of how your data is being collected, shared and sold online? If you’re unsure, you may not be alone, writes Caroline Normand…

How many members of the Cabinet, Whitehall mandarins or senior figures at regulators and FTSE 100 companies truly understand the extent of data being collected and bought and sold online? My wager is very few.

Of course, there are some people who understand all too well – most likely to be found flitting between the boardrooms, juice bars and ping-pong tables of sprawling Silicon Valley campuses.

Facebook, Google and other tech giants have been able to take advantage of this knowledge gap to rake in data – and profits – on an unprecedented scale. But at what cost?

Data breaches

Facebook’s CEO has been touring the globe to say sorry for sharing data of millions of users, which was then allegedly used to influence democratic elections.

Meanwhile Google is being sued in the high court for alleged “clandestine tracking and collation” of personal information from 4.4 million iPhone users in the UK.

Both cases raise serious questions about whether these companies can be trusted as responsible custodians of our data.

What we uncovered

Today we released a major new piece of research, giving a very detailed analysis of consumer attitudes and behaviour when it comes to data.

We found people had little understanding of how their data is used – and many were shocked when they learned the truth.

Two-thirds of people told us they are not comfortable with organisations using information they post publicly – such as Facebook photos.

A similar number were not happy with information garnered from methods like browsing history tracking being used, while eight in 10 people told us they are concerned about their data being sold on to third parties.

Do you consent?

Most of us understand that when we sign up to a social media website we will be sharing some data. But how can we really be deemed to be giving meaningful consent when we have no idea of the consequences – good or bad – of the agreement?

We generally have no idea who might use that data later to target us – perhaps to advertisers, political lobbyists or other third parties we would not approve of.

And away from social media, companies such as “data brokers” make money from selling individual profiles of almost all of us, which might feature information including income, home ownership and relationship status. This data might be spliced up with “inferred” information – sophisticated guesswork – to produce a more complete profile.

But when Deloitte asked more than 100 staff in the US to review the data held on them by a leading data broker, more than two-thirds found less than 50% of the information was accurate.

We are concerned about the possibility of such – possibly inaccurate – information affecting access to vital services like credit and insurance.

What we’re demanding

It is time to strike a new deal on data that restores the power balance between consumers and tech companies.

Thus far, transparency and responsibility have largely been optional for the companies that deal in our data and in that laissez-faire climate, ethics and profits have been balanced in an entirely predictable way.

We believe the Competition and Markets Authority should urgently carry out a market study of the digital advertising industry to ensure it has a firmer grip on the prevalence and impact of micro-targeting – and to check whether Facebook and Google’s substantial market power could raise prices for advertisers, which would lead to a risk of goods and services becoming more expensive as a result.

It is also time for a thorough review by the new Centre for Data Ethics and Innovation at DCMS (TBC) of how our data is collected, shared and sold in cyberspace – which should focus on finding a way to promote innovation while also improving oversight and enforcement.

These first steps should help restore consumer trust, which has been so severely dented by recent scandals – and set us on a path to securing a deal on data that works for all of us.

Are you concerned about your online data ‘profile’? Do you take steps to protect yourself online, such as changing your privacy settings or avoiding services that collect a lot of data?


It is a shame that the Which.net ISP was closed last month as Which? Ltd could have promoted a paid for ethical email service which did not read emails or extract information for adverts. But then Which.net was closed to new subscribers in 2004 which in retrospect looks a very poor decision given the obvious way we are being used.

Linkedin seems amazingly well-informed of the people I email and suggesting that I make friends of them on LinkedIn. I can only make the assumption that Google has been busy passing on information to them – for a price.

I believe Linkedin is now actually a Microsoft enterprise. In the past, I believe Linkedin has been guilty of generating automatic membership invitations from data such as the email contacts lists of its members. At one stage I witnessesed this myself, when I regularly received such requests, allegedly on behalf of an HSE Inspector that I know. I thought it was odd that he had never mentioned this at any of our actual meetings.

There’s a number of undefined terms and “techno-babble” in the lead article above. This makes scaremongering quite easy.

Before we get too deeply in the specifics of “data capture” it would be useful to see if we can reach any consensus on our expectations for internet privacy, within the context of our current surveillance society.

I think we should also differentiate between consensual sharing – e.g. as in the example of agreeing to let W?C run its cookies on our browsers and less consensual means, including ultimately the theft of data by industrial espionage or by hackers.

I think it also must be said that there can never be any such thing as absolute safety online. Any data that we upload or create by means of online activity will always be subject to some degree of risk.

Also, even if we ourselves post nothing online, we’ll still become “data subjects” through the actions of others. Hence we need to look at the risks and benefits of our on-line activities and then take a balanced view.

There has been plenty of warning that information that we put online can be shared and that information is collected without our consent. I doubt that Which? can do much to help, other than to raise awareness of the problem. Caroline mentions the possibility that the CMA could intervene and I would certainly support this approach.

We are beginning to learn how low the business world is prepared to sink to exploit the public. Sooner or later society must develop proper ethical standards for data use. In the meantime I’m not going to worry. As Derek says, we need to adopt a balanced approach regarding the risks and benefits.

This comment was removed at the request of the user

This whole issue has become so complex and convoluted, that it is safe to assume that anything put on line can be harvested by those who see a financial interest in gathering it. Thus, from a non-technical, lay point of view (I don’t pretend to understand the mechanisms of the various octopi and their tentacles) I must accept that my data will always be subject to scrutiny. The obvious conclusion from that is that I only put out information that I need not bother about in terms of harm if it is taken and analysed. However, that is easier said than done, since I do purchase things on line, do send e. mails to many people on diverse subjects, and occasionally put a word or two on here. I have become more suspicious and I do now question what comes up on my monitor screen more than I used to do, but there is a limit to the amount of safety checks that can be done, and, in the end life’s too short to get paranoid about this. As I’ve said before, I try and keep it simple and back it up. By doing this, I can limit the damage and, hopefully, have a few tools in the locker to defend against the crooks who roam out there. It is a very sad fact that the extremely useful internet with its many connections, wide knowledge base and consumer convenience is also a rouges playground. Typically, the wonderful net has been polluted by a few and that ruins it for the rest of us. What is even worse, is that the crooks can hide so effectively, that their crime succeeds more often that it fails. Until that balance is redressed the web will always be a mine field and one must tread carefully.

As a post script I would ponder on the definition of crook and crime here. How far in criminality is it for companies and organisations to deal in my data without my permission? Do they actually have the right to use it to target products and advertisement in my direction? Do the government and the credit agencies have the right to store my information without telling me and asking if it is correct? There are a lot of places that keep stuff about me, without telling me. I don’t know where everything is or who has got it. Is this right?

This comment was removed at the request of the user

Michael P says:
5 June 2018

What worries me is that most of the data gathering is driven by American giant companies. Some of these companies effectively have monopolies of computer operating system software through which data is gathered (Microsoft + Apple). Other American giant companies provide valuable information and “free” services, e.g. Google and social media. They have made us frighteningly dependent on them. To top it all now, the USA can no longer be relied on as friendly.

This comment was removed at the request of the user

As for domination … this from Connexion explains why France was pretty much untouched:

“This week, millions of people – especially in Ireland, the UK and Germany – were forced to use cash only to complete their payments, or abandon their transactions altogether, as Visa cards failed to work for around six hours.

Yet, although 40 million people in France have a Visa card of some kind, the country was spared most of the problems. This is due to the Carte Bancaire (CB) system put in place in 1984 by then-Minister for the Economy, Pierre Bérégovoy.

This system means that the vast majority of card transactions in France pass through a secure intermediary, the CB group, so French shoppers – even if their cards show the Visa logo – were not reliant on Visa’s operating system to pay. In France, over 90% of cards – some 65 million – bear the CB badge, meaning they use the CB system, and would have been spared the problems with Visa.”

I had hoped that the new GDPR regime would usher in a relief from the 60/80 new emails I receive each day. Transfering them to Deleted/junk mail is one thing (and time consuming) but UNSUBSCRIBE is not only a chore but is evaded or ignored by ingenious devices e.g you are not a member; address not recognized.
If the sender had our address to send the message it does not need us to type it into an unsubscribe panel
and should provide a fully effective tickbox
What to DO?

This comment was removed at the request of the user

Crofter – even if you use a simple email program like gmail you should still be able to:

Select mutliple emails and then delete them all together;

Report emails as spam;

Block the sender – so that any further emails from the same sender won’t appear in your main inbox.

I think some spam sources use varying senders’ addresses to try and twart blocking rules. One ultimate response to that is to use an email program with a “whitelist” option, so that only the senders named in your whitelist can reach your main inbox.

I never needlessly give out my main email address, so I get hardly ever get any spam.

I run a website for a charity and since a grant from the Heritage Lottery Fund was announced our enquiries email address has been been used by many companies selling products and services for charities – everything from collecting boxes and Telegraph banner ads to advice on our e-learning strategy, funding bid-writing workshops, and accounts management software. Although the Lottery funding is indirectly helping the aims of our charity and saved us over £200k by paying for work we had planned to do, we have not received a penny from the Lottery.

I just delete all the marketing emails and all their efforts have achieved is for me to put a note on our website contacts page that marketing will be ignored.

This comment was removed at the request of the user

Password hashing is generally supposed to be a one-way process, so you can’r recover the passwords from the hashes.

That said, if I’d just hacked someones email database and had secured 92 million password hashes, I could probably use statistical analysis techniques to find the most common hashes. For example multiple instances of 286755fad04869ca523320acce0dc6a4 and
7576f3a00f6de47b0c72c5baf2d505b0 would show that the passwords “password” and “password123” were being hashed with the md5sum code and crucially, without any form of “saltling” being used. Any secure site ought to be using a much more secure hashing method, so that different users would have different hashes from the same password (that’s one possible use of salting).

But, really, users should not use simple, easily guessed passwords, because that might end up compromising security for everyone on a given site.

Hackers will also be hoping that anyone who is reckless enough to use something like “password” on one site (e.g where their email address is their login id), will also use those same credentials on other sites too. So even though those latter sites won’t have been “hacked”, the hackers will still be able to access some users accounts on them.

This comment was removed at the request of the user

Duncan – thanks for the virus info.

Does this only affect Windows users who open spam emails containing suspicious office documents (i.e. with macros to install the malware)?

If so, the root cause of any “backdoor” in Windows isn’t really new news. Giving ordinary home users easy access to system administrator rights without any need for the user input of a root password has always been a known flaw. (Though I’m sure Windows champions don’t call it that.)

More challenging malware can be written so that only normal user permissions are required. If one were only setting out to steal user data (as opposed to maliciously damaging the OS on the PC), that should be all this were needed…

As ever, users should simply delete unexpected emails – without reading them or opening any attachments.

And, of course, it’s best not to keep sensitive data on any PC that can access the internet.

This comment was removed at the request of the user

Duncan – I think spam emails are easy to send out and even if 99.99% of folk correctly ignore them, some will fall prey to them in moments of weakness.

In safety cases, even the best trained humans are seldom claimed as being more than 99.99% effective (as regards doing the right thing) and software based systems (like ordinary PCs) would not usually be claimed at anything like that standard of reliability.

“The systematic data collection by intel agencies has been facilitated by the business models of companies like Facebook and Google. The internet habits of hundreds of millions are collected by these firms in the interests of targeting ads and this data also provides a high source of intelligence for governments as well as presenting a privacy risk in its own right.

“Tesco probably knows more about me than GCHQ,” as one delegate put it.

Full story here

In today’s news: Facebook confirms data-sharing agreements with Chinese firms https://www.bbc.co.uk/news/business-44379593

This comment was removed at the request of the user

Serious question, Duncan: why does it worry you?

This comment was removed at the request of the user

But why does it worry you? I can see you don’t like it, but it seems more than that.

Maybe we should have a Convo on tracking, covering the advantages (targeted advertising is a benefit according to a friend who provides tracking services to various clients) and disadvantages. I would like to know to what extent business is aggregating information about us and what it might be used for in the future. In view of the fact that many large companies have failed to keep data secure, perhaps it is time to put an end to tracking.

I’ve never seen the problem with being “tracked”, whatever that includes, but if someone gives me a good reason I’ll think again. The same with “targeted advertising”. I am quite capable of making up my mind about what to buy. Those who have particular interests and hobbies for example will have had targeted advertising for decades through their magazines.

So perhaps Which? could find an impartial expert to explain just why tracking is a clear and present danger.

The fact that you don’t see a problem might be where the problem lies. It is well established that marketing works and we are all affected to a greater or lesser extent.

I agree that we could benefit from input from Which? as you suggest, but what I want to know is where this is going and what threats could exist in future. At present my main concern is security of data.

The fact that you don’t see a problem“. Apart from the undoubted influence of advertising, which we all respond to to some extent, my question was about tracking, and to have someone explain why I should be concerned. There is plenty of tracking around through CCTV, phone records, sat nav presumably, credit and debit card transactions, for those who want to know where I have been. Being “tracked” gives rise to scare stories from some quarters, but why should we be bothered? Perhaps someone will tell us.

This comment was removed at the request of the user

I think it is the enormous extent of tracking and analytics that have been highlighted with GDPR.

We were under the illusion that tracking was a bit of harmless advertisement targeting. When we agreed to passing our info to 3rd parties, we assumed it was so they could also target us with their products probably through emails.

GDPR has highlighted there is a lot more to it than that.

Do I mind being analysed to the nth degree? When I see the minefield of opt-in/outs that nearly every website now presents you with, YES I do mind, it is too much, and we have no way of knowing what is behind many of those opt-ins.

I received an email from a store I have an account with but didn’t log into. It noted I had been looking at certain things and asked if I wanted to buy them and offered me alternatives. My internet cache would have been cleared many times since the last time I went on that website. If they can do that which is relatively harmless, what else are they doing with our data?

GDPR was supposed to give us control over our personal data. As far as I can see, it has granted companies the control, as unless you spend hours going through those minefields, you just accept their terms and conditions if you want to use their websites.

Some years ago, Flash Cookies were thought to be bad for privacy and security. Macromedia provided a useful utility for removing them and permanently blocking them if you wanted to.

GDPR should have insisted on operating systems installing a utility whereby companies could only leave data on your computer in certain files, and we had the control to list, delete or block them as we saw fit.

Then we might have control over our personal data and how it is used.

It is GDPR that has focused my mind on tracking. To use many sites the easiest way is simply to click on the button whereby you agree to whatever terms and conditions the organisation chooses. I can see the benefits of GDPR and it was very easy for the charities I’m involved in to comply with the legislation but I fear that overall the legislation may soon be seen as a mistake.

“Not liking it” and it causing you a real problem are two different things. Despite scares about tracking most people still go online. My request was to ask an expert where the real personal harm lay in being tracked.

I think it did not go nearly far enough. I don’t think many of us imagined the furtive and underhanded way our data was being mined.

You go on a website and get asked to agree to their T&Cs that will invariably include all their partners. If you go into any of those partners, they can present you with a whole new list of their partners. There could be hundreds just for one website, far too many to look at. We have no idea if we are giving one of them permission to sell our personal data and where it will end up.

So you either agree or leave. If I can still see the page, I usually ignore them, if I can’t, I probably leave and find my info elsewhere.

I seem to remember we called for it to be illegal to buy and sell our personal data. Now we can just give our permission without knowing.

Now that GDPR is in place I might issue unique and previously unused email addresses to organisations that I deal with and that might provide evidence of misuse of my information. I’m almost certain that a well known manufacturer has passed on the email address that I used to register two kettles.

It should certainly be illegal to buy personal data as well as to sell it.

This comment was removed at the request of the user

This comment was removed at the request of the user

“Finding that setting isn’t easy. At all.”

Actually, it’s fairly easy to find. They do make it harder to turn it off, however.

This comment was removed at the request of the user

There’s no argument from me that Google is the tool of the devil. It’s one reason I’m a Mac user and happy that the EU is fairly anti-Google.

I think George Orwell pretty much predicted all of this in “1984”.

I enjoyed the scene in BBC’s “Bodyguard” where someone gets interrogated by special branch for the heinous crime of having switched their mobile off, thus allowing them a few hours of surveillance free movement…

I loved the pitch that only subjects involved in unlawful activities would ever choose to switch off their personal trackers (“mobiles”), to evade surveillance by nanny state.

I picked up on that point too, Derek. It was laid on a bit heavy-handedly so I wondered whether it was a dig at modern life or pointing out a disciplinary issue and human rights question whether a police force personal protection officer had to remain connected even when off-duty. Since our hero cannot tell who are the enemy, and he knows he has to survive in case a second series is commissioned, it seemed to me that his action in switching off his mobile was fully justified.

This comment was removed at the request of the user

This comment was removed at the request of the user

Duncan – W10 users can use built-in commands to monitor internet activity.

…Task Manager …Resource Monitor …TCP Connections

will show all the programs in use and the external addresses involved.

This comment was removed at the request of the user

Duncan – my point was simply that, right out of the box, W10 comes with traffic monitoring built in, so its users don’t need to be installing extra stuff just to do that.

Traffic control is another matter entirely. In XP days, 3rd part fire walls did a nice job for that.

The Linux app your mentioned looks quite good, but isn’t provided by MX, so I cannot download it from their normal “app store”. That said, there are many others that I have been trying out, so getting the info isn’t a problem.

One related thing I notice recently was how resource hungry the latest Firefox versions seem to be – it seems to want oodles of CPU time – what can it be doing?

Another really bad potential source of spyware seems to be Which? Conversation itself. What on earth are all its trackers trying to do and why are they should they be allowed by default? (I block most or all of them.)

This comment was removed at the request of the user