There is already hidden surveillance inside some flagship retailers. Eye-tracking technology, which targets advertising at you depending on what you're looking at in-store, is yesterday's news. Target famously figured out that a teenage girl was pregnant before her dad did – years ago.
But unless you've been living under a rock or, like me, have opted to wait another 30 years for nature to download your floppier face, you've likely been bombarded by privacy panic about FaceApp in the last week.
Why? In the words of one cyber security expert, "We have all the elements for a good story… We have a Russian company [and security concerns]. But nothing changed over the last two years. There is no real story."
This is, and isn't true. Maybe FaceApp itself isn't the story. "Russia" appears to be the magic word sparking a reaction that's somewhat overdue. It's two years late for FaceApp, which has been around since 2017, and I'm not even going to bother counting how late it is for privacy in general.
The devil, as Washington Post writer Geoffrey Fowler puts it, is in the defaults.
You happily e-hail rides, giving Uber permission to find accounts on your device, add or remove accounts, read your own contact card, find your precise location at any time, send and receive messages on your behalf, make phone calls, read the contents of your USB storage, modify or delete the contents of your USB storage, access your microphone, take pictures, read your identity, modify system settings, prevent the device from sleeping and other permissions.
That's just Uber. The company argues it has reasons for asking all these permissions. But what about the permissions you give other apps and games? Ask yourself, does an alarm clock, for example, really need access to all your media, files, and contacts? (The answer is no. Many similar apps don't.)
Words with Friends came under fire for wanting not only your general location for finding game partners, but your precise location to sell to advertisers.
Kid's favourite My Talking Tom, for its part, has eight targeted ad libraries and, apart from gathering your phone's identifying information, also sends advertisers audio from the microphone. Spinoff games Talking Angela and Talking Ben also access the camera and microphone (for internal use, apparently) which, given that we're dealing with children here, doesn't make me feel much better.
How about Angry Birds? Angry Birds went viral, being downloaded several billion times, with several spinoffs. Several of these were poorly rated in the privacy department, criticised grabbing user phone ID information including call logs, device ID and number, and carrier information.
Angry Birds was also one of the "leaky" apps targeted by the NSA and GCHQ to snatch user information. As The Guardian reported at the time, "Depending on what profile information a user had supplied, the agency would be able to collect almost every key detail of a user's life: including home country, current location, age, gender, zip code, marital status – options included 'single', 'married', 'divorced', 'swinger' and more – income, ethnicity, sexual orientation, education level, and number of children."
Podcast Reply All aired an episode exploring Facebook's privacy policies late in 2017. Among the interviewees were former interview Facebook engineer, Antonio Garcia Martinez, infamously created Facebook Pixel, code that can be placed on a website, allowing companies to track, in detail, what users do there. They also interviewed ProPublica investigative journalist Julia Angwin, who shared in spine-chilling detail exactly how much information Facebook has about its users already but, worse, how easily it can supplement this information offline.
The good news was, your audio isn't necessarily being recorded*. The bad news: Facebook doesn't have to record your audio. It has access to vast swathes of purchasable data about its users, including from consumer credit reporting agencies – which have records of income, marital status, legal history, home details, and more. (This is why, when agency Equifax was hacked in 2017 and the hosting partner of three major agencies including Equifax and TransUnion was hacked again this year, so much user data was exposed.)
But that's not all. According to Angwin, the same data brokers typically manage loyalty programmes for many retailers, which means they don't need access to credit card records.
Possibly the creepiest part, in my opinion, is that Facebook has the ability to both track users and figure out if two people know each other by analysing the dust and scratches on the camera lens.
Between that and the Cambridge Analytica scandal, I don't think Russia is your biggest problem, frankly.
And I'm not even going to get started on Google, except to say that if you try to download all the data they have on you, it will take around a week and likely amount to hundreds of gigs. There's your location history. Data you deleted. Data you didn't know you stored in the first place. Comments you never knew you left on some random cat video in 2000-and-voetsek. You'll probably be happier not knowing.
As for that xenophobia-tinged fear that the Russians are coming? Local investigative journalist Heidi Swart wrote in an investigation of social media software MediaSonar in 2018 that in South Africa, social media surveillance is concerningly unregulated, leaving the door open for social media accounts to be used for surveillance purposes, even if only the public account details are known.
"Social media companies assure you that your information is protected, even if your data is sold to marketing companies, since marketers shouldn’t be able to identify you," Swart wrote. "Generally, advertisers tell the social media company what demographic they want to target... This is how specific adverts land on your Facebook page. Bottom line: a salesman or stalker won’t visit your house.
"But that doesn’t mean the state won’t. And that includes the South African government. To find you, intelligence services needn’t hack your social media account, or get a court order to force a social media company to release your private data. What they need [is] the right social media surveillance software." Just as data is sold to marketers, Swart explained, it is also sold to surveillance software companies, who in turn sell it to intelligence and law enforcement agencies. Indirectly, this means in an unregulated environment, public social media posts alone can lead to identification and even location.
"The state," Swart wrote, "can use your public social media posts to identify you and walk right up to your door."
So by all means, steer clear of FaceApp. But do it because you don't want to feel compelled to go for Botox, not because you’ve woken up, too late, to the fact that your every move can be watched.
* Update: In August 2019, Bloomberg reported Facebook had, in fact, paid external contractors to transcribe audio data from some users of its Messenger service. Facebook said users had opted in and that it had since paused the practice, though critics said users had likely not known their conversations would be accessed and transcribed by humans.