How Tech Companies Control Your Personal Data

Once digital traces are created and transmitted, they leave our immediate control and generally land up in the hands of others, stored on servers that don’t easily forget.

A new report from Engadget attempts to shed light on this issue, sending 150 subject access requests — requests for personal data — to more than 30 popular tech companies, ranging from social networks to dating apps to streaming services.

How the companies responded says a lot of the issue of personal data and its importance to various tech companies. “Data requests are a window into the soul of an organization,” said Hadi Asghari, an assistant professor at Delft University of Technology in the Netherlands, whose research has shown how little EU access laws have been adhered to in recent years.

Netflix, in response to one of the reporter’s data requests, provided full glossaries for its table of data in a single PDF file. Spotify, in contrast, provided its data through an online-download function, providing a number of JSOL files to the reporter, as did Instagram. “While admirably comprehensive, these are dumps from databases normally read by computers: There’s no way to reasonably make sense of the file names, let alone their plain-text contents,” reads the report.

Dating app Bumble sent a UK-based reporter nothing more than basic personal info (name, age, language), as well as the photos he’d uploaded and the last year of IP addresses and login times.

The important thing to keep in mind is how exactly our data is used. “The GDPR provides for full explanations as well as the ability to opt out of automated decision-making and profiling when it involves ‘legal’ or ‘similarly significant’ effects,” reads the report.

Thus, in reply to our access requests, Netflix said nothing more about why we were recommended certain films other than that those recommendations were “driven by members’ viewing activity and service interactions.” The posts we see on Instagram are ranked, according to the company, on “timeliness of the post, your connection to the person posting, and the likelihood you’ll be interested in the content.” Tinder claimed to have moved away from the desirability rating named an Elo score that it assigned to every user but said that “we cannot provide any information that reveals or otherwise compromises all or any part of our proprietary trade secrets or know how, which risks potential infringement of such intellectual property.” […]

There are three types of data, said Frederike Kaltheuner, a data privacy and security expert at London-based nonprofit Privacy International. The first is data that you consciously give companies: your name, email, date of birth. The second is automatically monitored: where you log in from, what time you do it, where else you visit on the web. The third and most difficult to obtain is data that’s modeled or predicted from other data, such as your quantified attractiveness or trustworthiness.

“A lot of organizations don’t consider modeled data to be personal data,” said Kaltheuner. “The main misunderstanding is people only ever think about the data that they actively share. And also companies love to talk about the data that we share.”

Read Engadget’s comprehensive report on data collection here.