Who wants our data?

It’s hap­pened to just about all of us – we’ve gone to a travel web­site and then been bom­barded with an avalanche of ads re­lated to the des­ti­na­tions we looked up. It’s the same with prod­ucts we’ve bought or ser­vices we’ve con­sulted. Our on­line brows­ing his­tory is very valu­able for com­pa­nies that want to offer per­son­alised ad­ver­tis­ing: it al­lows al­go­rithms to be gen­er­ated about what we like or dis­like.

It can also be used for non-com­mer­cial pur­poses, even help­ing to cre­ate states of mind. This is what hap­pened in 2016 in the US elec­tion that gave Don­ald Trump vic­tory. Two years ear­lier, Cam­bridge An­a­lyt­ica had col­lected data from 270,000 Face­book users. This in­for­ma­tion in­cluded data on the friend­ships of these users, so that the con­sul­tancy amassed ma­te­r­ial on 50 mil­lion ac­counts. This in­for­ma­tion was later used in the Re­pub­li­can Party’s elec­tion strat­egy, dis­sem­i­nat­ing ma­nip­u­lated data and con­tent to bol­ster Trump’s vote. The scan­dal over the pri­vacy of this data that fol­lowed was a major blow for Face­book, and in 2019 Mark Zucker­berg had to reach an agree­ment with the US Fed­eral Trade Com­mis­sion to pay a com­pen­satory fine of five bil­lion dol­lars. After apol­o­gis­ing in his own coun­try, Zucker­berg did the same in the Eu­ro­pean Par­lia­ment, as 2.1 mil­lion of the leaked ac­counts be­longed to Eu­ro­pean cit­i­zens.

The data we post on the in­ter­net is not only of in­ter­est to large multi­na­tion­als who want to tar­get us with per­son­alised ads or to sell it to third par­ties. There are also cy­ber­crim­i­nals who want our data to en­gage in il­le­gal ac­tiv­i­ties. One ex­am­ple is the case of im­per­son­at­ing a small craft busi­ness that was taken up by Spain’s In­ter­net Se­cu­rity Of­fice. The owner used so­cial media to pro­mote her prod­ucts and had man­aged to gather a thou­sand fol­low­ers. To re­ward their loy­alty she de­cided to or­gan­ise a raf­fle. The cy­ber­crim­i­nals opened a fake but al­most iden­ti­cal ac­count with all the in­for­ma­tion of the craft busi­ness and began con­tact­ing fol­low­ers, mak­ing them be­lieve that they had won the draw. To claim the prize, how­ever, they were re­ferred to a dif­fer­ent web­site where they were of­fered the chance to watch free movies... but only after reg­is­ter­ing their bank de­tails. For­tu­nately, the busi­ness owner re­ceived a call from a fol­lower and im­me­di­ately re­ported what was hap­pen­ing on so­cial media, blocked her real pro­file and doc­u­mented every­thing she had learned so that she could re­port it to the au­thor­i­ties.

Cyber im­per­son­ation can be big busi­ness: at the end of last year, the courier com­pany MRW suf­fered an SMS phish­ing at­tack: fake mes­sages di­rected cus­tomers to a web page that was very sim­i­lar to the real one, but where a fake ship­ping lo­ca­tor asked them to pay a fee to re­ceive their pack­age.