Who’s seeing your data and why?

  • Themes: Innovation and Espionage

While many social media users shrug their shoulders at the thought of tech companies selling their data, the transmission is unlikely to stop there. With China's new data protection laws, Beijing could have access to the sensitive information of billions of smartphone owners.

Thousands of citizens and many public advocacy organisations gather to rally on Capitol Hill in protest, resulting from recent reports of domestic and international surveillance. Credit: B Christopher / Alamy Stock Photo.
Thousands of citizens and many public advocacy organisations gather to rally on Capitol Hill in protest, resulting from recent reports of domestic and international surveillance. Credit: B Christopher / Alamy Stock Photo.

Four years ago, a nifty Chinese video-sharing app named TikTok had 55 million monthly users. By January 2022, it had more than one billion. Few people can resist TikTok’s viral fun; indeed, people don’t even seem to care that recording videos can be incredibly time-consuming and brings little reward except attention. They’re hooked. Almost everyone, in fact, gets dopamine highs when using social media and other apps. That addiction makes many disregard the fact that by using apps they are giving away personal data, and that data is extraordinarily useful to others. A culture of consumerism is clashing with a trend towards more government surveillance, especially by regimes that are up to no good.

One of the subjects I focus on is East Germany. People often wonder why I would devote so much time to a country that no longer exists and that was despised even during its brief life. But it is only 32 years since East Germany’s demise. Many of today’s Germans grew up there, spent their formative years there, and had short or long careers there before their country was inserted into the West German system and they had to begin anew. Like many other citizens of countries behind the Iron Curtain, they had experiences the rest of us will never have.

My focus on East Germany has, however, turned out to be surprisingly relevant in other ways too. In my book God’s Spies, I chronicle the Stasi’s phenomenally successful recruitment of pastors as spies — spies with a mission to keep a constant eye on their friends, acquaintances, parishioners and fellow clergy. Like many other unofficial Stasi collaborators, pastors delivered huge amounts of information and thus helped the Stasi establish an all-encompassing picture of their countrymen. East Germans, unsurprisingly, hated this constant snooping, just like Soviet citizens hated the KGB’s snooping and Poles hated that of the SB Ministry of Public Security. Around the world, the Stasi has come to symbolise surveillance. And around the world, people are relieved that this infamous secret police force is safely confined to the dustbin of history.

But surveillance is returning. It has sneaked up on modern society not through a sinister plan, but because modern society is so digitised. Facebook (now known as Meta) makes its fortune by monitoring its users’ every post, like, comment and movement, and selling ads based on this information. Facebook Messenger and Instagram, which Facebook also owns, join Facebook as the world’s top three data-collecting apps. Thanks to this data collection, users get adverts miraculously targeted to their interests and their location. Because this information is valuable to advertisers, Facebook makes staggering amounts of money: last year, $118 billion, up from $86 billion in 2020.

I boycott Facebook because I believe its algorithms promote division within our societies. But I do use WhatsApp, which is owned by Facebook (now known as Meta), and I use other apps. All of them collect data about me. WhatsApp, for example, collects information about my purchases, my finances, my location, my contacts, and much else. In fact, almost every app collects troves of information about its users. (Signal Messenger, which collects no personal data, is a rare exception.) These days, any user can find out which information each app collects about them by checking the app’s details on Apple’s App Store; and yet internet use keeps growing.

Already in 2018, researchers at the University of Oxford’s Reuters Institute for the Study of Journalism found that apps sold users’ details to an average of ten other companies. Users, though, seem fine with this arrangement, because the resulting ads don’t bother them and because they like their apps’ convenience (and the mostly non-existing fee). Besides, they may say, what’s the harm in a company knowing every detail about their lives? At a recent conference, I raised the issue of companies’ collection of consumer data in a discussion with a senior politician from a digitally sophisticated European country. He had no concerns about being a gläserner Mensch (transparent individual). ‘I don’t care if the Financial Times can find out, based on my data, where I am and reports on its front page tomorrow that I’m at this conference,’ he said. He would not be important enough to merit a scoop on the FT’s front page, but you get the idea. People aren’t too bothered about companies knowing everything about them because, unlike the Stasi, companies are seen as having benign motives. And even though they know that the companies they use share their data with other companies, they’re still fine with it, because companies simply want to make money.

Sometimes, users’ constant connectedness becomes a national security risk. ‘Our phones know basically everything about us,’ Staffan Truvé, CTO and co-founder of the cyber threat intelligence firm Recorded Future, told me. ‘When Russia was getting ready to invade Ukraine, observers in the rest of the world could figure it out because the soldiers had their phones with them and all of a sudden there was immense phone activity in the areas where they were being posted.’ Russian law forbids soldiers from uploading sensitive information on social media, but the troops could still be spotted thanks to their phones. But even when internet users aren’t part of a massive troop movement to encircle a smaller neighbour, their connectedness and digital trail raise red flags.

Why are we comfortable with Facebook and sundry other companies knowing every detail about our lives when the Stasi’s less extensive knowledge still fills the world with dread and outrage? Primarily because it’s a convenience. What’s more, most companies promise users a better experience if they leave their cookies on; users get ads targeted to their interests rather than generic ones. If having to view ads is part of the deal, why not view ones that are at least relevant to one’s interests? They are, of course, relevant because they are based on the user’s data. Apps, in turn, are said to need to capture a certain amount of personal information in order to function.

The internet-fuelled convenience of daily life has already made most of us less sensitive to surveillance. Oddly, even Western politicians who are passionately opposed to anything resembling ‘Big Brother government’ are happy to allow companies to know about their lives in detail. I know this because said politicians use social media.

But what happens if that data lake — or, more accurately, data ocean — doesn’t stay with the companies to which consumers give their data, or even with their commercial partners? What if, say, government decided to get access to it? The Stasi’s enormous files and wall charts mapping people’s connections would look like child’s play.

That’s already happening. For years now, law enforcement agencies have trawled through suspects’ internet activity as part of investigations into crimes ranging from murders to terrorist atrocities. In 2012, two thirds of law enforcement officers believed that social media helped solve crimes more quickly, and 80% accessed social media as part of their investigations. The police can, for example, ask Facebook for access to a specific user’s activity. Between January and June of 2021, UK law enforcement agencies made 10,678 such requests to Facebook, 88% of which the company complied with. Indeed, companies are obliged to comply with most information requests made by Western governments, as the requests can only be made with the aid of a subpoena or another court authorisation. It’s the rule of law in action.

But other governments are keen on internet users’ data too, and not just for criminal investigations. One such government is already delivering a masterclass in how the state can tap into its country’s tech sector — and thus into the personal data of any internet user. In November 2021, China enacted legislation called the Personal Identification Protection Law (PIPL), a Chinese version of the EU’s GDPR. Like GDPR, PIPL has extraterritorial reach; that is, it applies around the world. As PWC notes in a November 2021 advisory, ‘If your company processes any personal data from China to provide a product or service to Chinese residents or to analyse their behaviour, you will likely have to comply with PIPL’s rules — even if you have no business presence in China.’ Also, like GDPR, PIPL obliges companies to keep a safe inventory of consumer data to make sure it’s not accessed by people and groups who have no business viewing it; say, hackers. But unlike the EU’s institutions, the Chinese government can also demand access to consumer data. In 2017, China implemented its National Intelligence Law, which obliges citizens, organisations and companies to support the government’s intelligence-gathering.

The significance of these two laws for the internet age is obvious: companies have an obligation to provide Chinese authorities with the massive amounts of user data they collect. Chinese companies are under particular pressure. In countries including the United States, legislators have woken up to the fact that companies that were until recently considered simply another part of the commercial sector — social media platforms focused on teenagers, say — may now pose national security challenges. In late 2021, the US Senate Commerce Committee questioned executives at popular app companies including TikTok, which is owned by Beijing-based ByteDance. The TikTok executive, head of public policy Michael Beckerman, chose his words carefully. ‘We do not share information with the Chinese government,’ he said. He didn’t promise, though, that the company would never share such information, and indeed he could make no such promise. A recent study found that TikTok, Facebook’s successor as the world’s social media darling, is extraordinarily active in sharing user data with third parties, and that there is no way for the user to know where their data ends up. Should Chinese authorities request the data, TikTok would not be in a position to refuse.

For Chinese authorities, the trail left by users young and old, famous and non-famous, from all walks of life, would be a treasure trove in its surveillance of people, including exiled Chinese citizens and foreigners. What Beijing is willing and able to do when it comes to surveillance of individuals and entire population groups is already on display in Xinjiang province, where Uighurs are constantly watched by tools including government cameras and a commonly used Koran prayer app.

Even if TikTok executives are personally eager to safeguard users’ data, they need only look at what has happened in recent months to Chinese tech executives who have demonstrated independence from Beijing. In November 2021 and July 2022, the Chinese government imposed massive fines on tech giants Alibaba and Tencent for alleged monopoly practices. Last autumn, it also emerged that Beijing plans to break up Alibaba’s payment system, Alipay, a low-cost alternative to credit cards that can now be used in shops around the world, including the US nationwide chain CVS.

Indeed, Alibaba and Tencent are unlikely to now refuse Chinese government requests for user data. The same goes for DiDi, a Beijing-based ride-share company that has been expanding internationally at a rapid pace and narrowing the gap with industry leader Uber. By 2016 DiDi had become so successful that Uber withdrew from China and sold its operations to DiDi in exchange for a stake in the firm. But as was the case with Alibaba and Tencent, DiDi’s success made Beijing think the company was becoming too powerful — and therefore too independent. In December 2021, less than half a year after its triumphant entry on the New York Stock Exchange, DiDi withdrew following a Chinese government announcement that the firm would be banned from app stores in China for ‘privacy violations’. It is undoubtedly clear to DiDi, too, that it would be unadvisable to defy the Chinese government. And now that Beijing has set the tone, sundry authoritarian governments of smaller countries are likely to follow its example.

This should concern every internet user. You might say, I’m not an important person, so it doesn’t matter if the Chinese government or any other government gets my user data. True. But many so-called un-important people work for companies or government agencies that a foreign government might be interested in. A junior intelligence analyst or nuclear engineer, for example, might take DiDi for various errands, perhaps including visits to gambling shops or red light districts. A government official’s daily life can be tracked using his or her Alipay transactions. And TikTok, of course, knows virtually every detail of more than one billion people’s lives. Such information is a gold mine for intelligence agencies, which in past years deployed intelligence officers to painstakingly map out a potential agent’s life before approaching them, as did the Stasi with its informants.

The realisation that Beijing could tap into internet user data for intelligence purposes prompted, in 2019, a rare intervention by CFIUS, the US overseer of investments and acquisitions by foreign companies. The year before, the Chinese firm Kunlun had completed a takeover of Grindr, a dating app popular with gay men. CFIUS, which focuses on foreign takeovers’ national security risks, hadn’t paid any attention to the acquisition. Soon afterwards, though, CFIUS realised the potential for Chinese government snooping on Grindr users’ data — including HIV status and sexual preferences. If Chinese authorities requested access to Grindr data — which the takeover made possible — such users, who might be government officials or hold private-sector posts where they have access to important information, would be vulnerable to blackmail by Beijing. CFIUS forced a reversal of the acquisition. As for those many people who don’t work with anything remotely sensitive, it is also useful for a government such as China’s to have a complete picture of how individuals, population groups and entire societies lead their lives.

China isn’t the only country that has discovered how consumer technology can be used for surveillance. Pegasus powerfully demonstrates another way in which governments can keep track of any person on the planet or, to be precise, anyone with a smartphone. The Israeli company that made and sells Pegasus insists that it’s used only for worthy reasons, such as fighting terrorism. But the Pegasus spyware can be remotely installed by any buyer on any smartphone owner’s phone, without the targeted person needing to do anything or even noticing that anything is being done. Then the installer — Pegasus’s customers are thought to include the governments of Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates — can follow the targeted person’s every activity via the smartphone. Journalists, human rights activists and business executives have all unknowingly been kept under surveillance by Pegasus-using governments. Another recent victim was Princess Haya, whose own ex-husband — Dubai’s ruler, Sheikh Mohammed bin Rashid Al Maktoum — monitored her using Pegasus.

The future offers plenty of other opportunities for companies and authoritarian governments to keep an all-seeing eye on groups and individuals alike. A taste of that future arrived in 2022 when the upscale supermarket chain Whole Foods (owned by Amazon) premiered a fully digital supermarket. Shoppers simply enter the shop, where overhead computer-vision cameras, weight sensors and deep-learning technology watch their every move and register which items they put in their shopping basket. They can even exit the store without using a payment device, because upon arrival they scan their fingerprints. It’s an extremely convenient way of shopping that involves no interaction with another human being but does involve a massive data trail. And the more IoT — the internet of things — expands, the more personal data ends up with a company, possibly other companies, and possibly sundry governments. Consider, for example, the ‘smart toys’ that parents increasingly like to buy their children in the hope that they will make them smarter. The jury is still out on whether such products aid cognitive development, but what is certain is that they capture massive amounts of data. And so do voice assistants, led by Alexa. Where does the data go? The user has no control.

East Germans developed clever methods to avoid being overheard by the Stasi. If they needed to discuss something sensitive with a friend, they took a walk outside. If the discussion needed to happen indoors, they turned on loud music to make sure any microphones would be unable to pick up the conversation. Indeed, people living under authoritarian regimes have always managed to at least partly outwit the secret police. But how to outwit the internet? The first step is, of course, to want to out- wit it. Many twenty-first century citizens of Western countries will continue to tolerate their data being used, because they want to keep enjoying the pleasures of the internet. Others, though, may conclude that giving data away to be used in unknown ways is highly unsettling — and that they should reduce their data donation. In 2020, people spent a daily average of 145 minutes on social media alone, up from 90 minutes ten years earlier. Reducing the time spent interacting with digital devices would improve their mental health and reduce the risk of surveillance by corporates and governments. That’s surely a win-win.


Elisabeth Braw