The NSA has a bit of a problem with people poking their noses into data they shouldn’t be poking their noses into. Sometimes, it’s their lovers—or their ex-lovers. It’s common enough that the intelligence service employees have a term for it: LOVEINT. Think about it: if you had access to the communications data for every American, wouldn’t you see what you could dredge up? Especially if you’re a jilted ex. LOVEINT, fortunately, carries consequences if it’s caught—well, sometimes.
Of course, the NSA isn’t the only people collecting data on our every move. The data stockpiles owned by Google and Facebook, as well as older-school data brokers like Axiom, are massive enough to rival the NSA in size. The key difference between the NSA and the data we fed to tech companies however, is that we give our data up to technology companies willingly. Perhaps unwittingly, but there’s a key sense of apathy every time Facebook and Google sink their claws deeper into our data. Though it looks like that might be changing.
But another aspect of all that data collection is whether we trust who has access to it. I’m not talking about malicious hackers getting access into the Facebook database and finding out everything it knows about everyone. I’m more concerned about the stereotypical jilted ex who uses their access to do a deep dive into what their company knows about their former partner. No matter how well you lock down what other people can see on Facebook, someone—likely multiple someones—at the company have access into the database.
Data Facebook and Google sell to advertisers is anonymized, but we don’t know where that anonyimization happens. Someone buying targeted advertising through DoubleClick might not know they’re targeting 32-year-old male, Richard J. Anderson of Briarwood, New York—just a male between the ages of 18–35 who lives in the Northeast, and likes Apple products and 80’s music. The full profile that connects to me has to exists somewhere, though—as does the full profile that connects to you.
I would not be surprised if Facebook, Google, et. al. have procedures, plans, and security audits in place to prevent unauthorized access. I would also not be surprised if they didn’t, or if those plans existed only on paper. The truth is that we don’t know. There have been data leaks from Facebook, but only their shadow profiles, due to a bug, but that’s a large-scale issue.
LOVEINT is smaller scale: sneaking a peek at data for a few people, often just one. A leak that small could fall through the cracks of any sort of protection system. Without transparency into the data collection and protection policies of Internet data brokers, however, we don’t know how unsafe we are. We’re not just putting our trust in these companies to use our data responsibly. We’re trusting that every employee with database access will do the same. That’s asking a lot, and if the NSA can’t avoid it, what makes any of us think Facebook and Google can?