FACEBOOK AND GOOGLE ARE RAPING YOU!
Is NOTHING private any more? Shocking extent of how big firms harvest
your data – from children's voice recordings, passport info and even
pregnant mothers' due dates
- Health details and copies of passports can be at
risk when customers tick an online consent box
- Analysis by the Mail found a number of companies
involved in hidden data harvesting and sharing
- Giant firms can use personal data to build a
profile of customers for targeted adverts or to pass to other
organisations
By Sian Boyle For The Daily Mail Investigations Unit
The disturbing scale of the personal data
harvested and traded by multinationals can be revealed today.
Health details, children's voice recordings
and copies of passports can be at risk when customers tick an online
consent box.
Analysis by the Mail found that Marriott
International, Facebook, Asda,
Paypal, BT and Tesco engaged in
hidden data harvesting and sharing.
Giant firms can use personal data to build a
profile of customers for targeted adverts or to pass to other
organisations.
Examples include:
- Pregnant women's due dates being farmed out by Asda to
mystery third-party companies for marketing;
- Children's voices recorded on the YouTube Kids app
being used by Google to promote other apps;
- Passport copies given to PayPal for account
verification purposes being shared with Microsoft for facial
recognition products;
- Health details, ethnic origin and political views of
Facebook users being used by the social network for targeted
advertising;
- Viewers of BT television being profiled for
advertisers according to profiles of their television watching and
telephone call records.
Emails detailing how Facebook accepted cash
in exchange for access to its users' data were published by Parliament
last night.
The firm's staff discuss whitelisting
companies including AirBnB, Tinder and Netflix – allowing them to retain
access to Facebook user data if they placed enough advertising.
Mark Zuckerberg, Facebook's chief executive,
wrote in a private email that access to user data could be licensed to
advertising buyers.
But he adds: 'If the revenue we get from
those doesn't add up to more than the fees you owe us, then you just pay
us the fee directly.'
Last week Marriott International announced
that hackers had breached its database of 500million guests, with the
attackers having 'some combination' of passport numbers, names, addresses
and bank card details.
The hotel group also routinely stores the
names and ages of its guests' children, room service orders, social media
accounts and employer details and shares this across its operations in 150
countries including Venezuela, Gabon and Libya.
By ticking an online 'accept' box, Marriott
guests consented to giving up this data and to acknowledge having read the
5,600-word privacy policy which said that 'no storage system is 100%
secure'.
The hotel chain faces investigations from the
Information Commissioner's Office in the UK, as well as the FBI and five
separate American states.
Marriott International is one of a dozen
companies investigated by the Mail to assess the full scope of the data
taken from customers – details of which are buried within thousands of
words of legal jargon.
Last night a spokesman from the ICO said its
enforcement team was examining the material we provided. It has the power
to fine companies up to £17.7m or 4 per cent of a company's global revenue
for data breaches.
Tory MP Damian Collins, who chairs the Commons
digital committee, which published the Facebook emails, said: 'This
investigation clearly demonstrates that there is a complete data
free-for-all where big companies are building up huge banks of data on
their customers who, on the whole, are largely unaware of what they are
giving away and what happens to it.'
All companies analysed by the Mail state that
they keep customer details secure, according to new European Union GDPR
rules, and that the information is encrypted.
But the Marriott hackers were able to access
encrypted data, suggesting a new layer of security was needed.
There are also concerns over the companies
hoarding profiles on their customers to target them with advertising and
sell them more products.
The 'tick to accept' box is presented when
purchasing or signing up for a service online, for example booking a
flight, creating an email account or registering for a grocery
delivery.
Richard Lloyd, director of consumer action
group Resolver and former director of Which?, said: 'No one understands
the extent of what happens to their data.
'A firm will say you have to opt in, tick this
box, but what sits behind that is massively opaque or hidden. Individuals
are being ripped off, scammed, hacked and having their data used and
misused by firms that we all know are making mega profits.
The terms and conditions are enormous and
unintelligible – but you're forced to tick.
And forced to lie, effectively by saying
you've read it all.'
What the companies said in response
A Marriott spokesman said: 'We make our
guests aware that we collect personal data. Because Marriott is a
global organisation ... some sharing of data across borders is
essential.'
An Asda spokesman said: 'We take data
protection very seriously and always handle personal data carefully
and in line with data protection law.'
A Google spokesman said: 'We're
continually improving our privacy and security information. We want it
to be easy for people to understand and control their data and make
the privacy choices that are right for them.'
A Morrisons spokesman said: 'We do record
what customers buy from us and their marketing preferences so that we
can provide them with offers and coupons that are useful to them.'
Facebook declined to formally comment, but
denied using sensitive data to target adverts at users.
A PayPal UK spokesman said: 'We share very
limited amounts of information with trusted companies to help us
provide our services, reduce and protect against fraud and other
crimes, and keep our customers informed about our services.'
A Tesco spokesman said: 'We never sell our
individual customers' personal data, or share it with organisations so
that they can use it for their own marketing purposes.'
A BT spokesman said it used customer
information to provide services but credit reports did not form part
of their profiles.
Facebook's privacy policy details how it uses
highly sensitive information people share on its network to target them
with adverts even when they are logged out.
It states: 'We use the information that we
have to deliver… ads and make suggestions for you…on and off our product'
– and that this includes data 'with special protections'.
Facebook specifies elsewhere that
special-protection data includes 'life events about your religious views,
political views or your health' and 'racial or ethnic origin,
philosophical beliefs or trade union membership'.
Facebook refused to comment on the record.
Children's voice searches and watch history are stored by Google via the
YouTube Kids platform, a version of YouTube with child-appropriate
content.
Tesco gives its customers' data to Sky so the
TV giant can target them with tailored advertising. It also links its
Clubcard shopping data to insurance offers from its financial services
arm.
Sky, meanwhile, cross-references the data of
its own customers with Experian, Royal Mail and 'public sources' to create
profiles of them and their households.
These profiles form the basis of its
ultra-targeted advertising Sky Adsmart product. Sean Humber, who is head
of data protection at law firm Leigh Day, reviewed the Mail's findings and
said some company practices were 'unlawful'.
Arne Sorenson, the chief executive of Marriott
International, said of the data hack: 'We are doing everything we can to
support our guests, and using lessons learnt to be better moving
forward.'
Sky said no 'personally identifiable'
information is shared between the companies it works with and that it does
not target individual households. Microsoft declined to comment.
80-year-old writer who took on Google
Judith Vidal-Hall was alarmed at the number of
online adverts that seemed specifically targeted at her.
So in 2015, aged 77, she became the main
complainant in a landmark case brought by more than 100 British Safari
browser users.
They claimed Google illegally invaded their
privacy by tracking their Apple Safari browsing habits to target
advertising at them.
Mrs Vidal-Hall, a writer who lives in West
London, said before her court battle: 'Google is able to determine private
information such as age, health issues, gender, sexual interests and
preferences, and sell this information to advertisers who can target the
users.
'This is no different from what is commonly
called 'stalking', only on a global scale.'
The Court of Appeal decided Google had a case
to answer but the internet giant settled out of court.
Mrs Vidal-Hall, 80, is unable to discuss the
case with the Press because of a non-disclosure agreement.
But in the US, Google paid £17.4million to the
Federal Trade Commission and £13.1million in civil claims to settle the
same charges as those brought by her.
The cause was taken up by Richard Lloyd,
former executive director of Which?
On Tuesday affected web users started an
appeal against a High Court judgement, which said they could not
collectively seek action. Google denies all the allegations.