It’s no secret that companies like Facebook and Google scoop up personal information to serve users ads. But if anything became clear this year, it’s that consumers have a lot more to learn about what happens to their data online—how it’s gathered, who gets to look at it, and what it’s worth.
American corporations are expected to have spent over $19 billion this year acquiring and analyzing consumer data, according to the Interactive Advertising Bureau, from names and emails to the unique way we fumble with our smartphones. That info is used by marketers, advertisers, analysts, and investors for a host of purposes that remain largely opaque to the average person. In some places, seemingly irrelevant factors like the type of device you have, your email address, or the time of day you make a purchase may be used determine whether you qualify for a loan. Despite all the power and value this data can have, there are few laws in the US regulating the collection and sale of it.
Want more? Read all of WIRED’s year-end coverage
This year’s revelations about Facebook served as a wake-up call, starting with the Cambridge Analytica scandal. In March, news broke that the political firm improperly obtained the info of some 87 Facebook million users via a personality quiz app. It quickly became apparent that the social network had allowed a plethora of third-party applications to hose up the information of its users. (Facebook said it implemented new restrictions around user info, although a recent Times investigation revealed more than 150 companies still had access to data.) A backlash erupted among lawmakers, advocacy groups, and everyday users, and nascent movements like #DeleteFacebook were born.
Facebook, for its part, began emphasizing the word “control.” The company stressed that users have the power to see and adjust what information it can collect about them, but a series of reports this year suggest that’s not always the case. After Cambridge Analytica, people began downloading and examining their Facebook data and were surprised to discover the company had gathered things like private text message and call logs. (Facebook insisted that users have always had to opt in to provide this information.) That was creepy in itself, but the downloadable file Facebook provides is far from the only information it has on users. Gizmodo reported in September that Facebook uses information you never shared with it—but that might have been shared by someone else—to target ads to you. Even if you don’t have a Facebook account, the company may collect your information, it admitted in April, and there’s few ways to control it.
The problem goes beyond Facebook, of course. An AP investigation from August, for instance, revealed that Google continued to track users’ location even if they had selected a privacy setting that said it would prevent Google from doing that. (The search giant later revised how it describes the privacy setting.) Even when location settings are spelled out clearly, adjusting them may amount to very little in increased privacy. In May, The New York Times revealed how the prison technology company Securus could allow law enforcement to track people’s location, nearly in real time, without a court order. Don’t care if the cops know where you’re going? Well, it turned out that all four major US carriers sold your location data to companies you’ve probably never heard of, without your permission. (All four stopped the practice within weeks of the investigations.)
And of course, this is a privacy disaster in the making if any of these companies have security breaches—which they do.
Reports like these have attracted attention from lawmakers, too. This year, several governments took action to reign in the data economy. In the EU, the General Data Protection Regulation (GDPR) went into effect, greatly strengthening the rights of Europeans to control how companies collect and use their data. In the US, California passed a historic privacy law, while Vermont began regulating data brokers. The Supreme Court, meanwhile, ruled that law enforcement does indeed need a warrant to access long-term cell phone location records. But despite spending hours grilling leaders like Facebook CEO Mark Zuckerberg and Google’s Sundar Pichai, Congress didn’t do anything to change how their companies do business—at least not this year. The general consensus is that lawmakers will try to pass some sort of federal privacy law in 2019.
There are no easy answers for what to do about the vast data collection apparatus that powers the modern internet. Some pundits have argued we should push to gain ownership of our data, while others say that’s framing the problem the wrong way. Should we pay for Facebook instead of letting it surveil us for free? Might it be possible to shift) Google’s business model away from targeted advertising? Some writers have argued that these questions don’t even represent the whole dilemma; the real issue is that Facebook and Google have grown too large and need to be broken up. Most of these questions also don’t even begin to address things like data brokers, which collect and sell your information whether you use the internet at all.
Our personal data is being sold, traded, and shared in ways that we’re only beginning to fully unravel. In just the past year, we’ve learned how these troves of information can be used to influence elections, enrich hedge funds, and even catch a murderer. The next step in 2019 will be deciding what should be done about it.