Data Rape

Date rapists drug their victims for two reasons. First, to make the act of rape as easy as possible. Second, to make it all but impossible for victims to remember or dispute what happened. Unless a victim is willing to act on what may only be dim suspicions, subjecting themselves to the rigors and indecencies of a dubiously predisposed legal process, including invasive testing, there’s no possibility that the perpetrator will be prosecuted, let alone convicted. Date rapists can always claim sex was consensual and point to the victim’s willingness (if not eagerness) to be in the perpetrator’s company. Because the victim’s memory will be impaired due to the date-rape drug, they will be incapable of contradicting the assertions of the rapist absent any forensic proof to the contrary. Worse, if the victim doesn’t know what happened, how can they themselves be sure they said no?

Not surprisingly, the people most at risk for date rape are innocents who have no idea of the existence of date-rape drugs. If you’ve been around the block a few times, or gone to college, you know to keep an eye on your drink at the parties you attend. But if you’ve led a fairly sheltered life and genuinely believe that mommy, daddy, god and law enforcement are watching out for you when you venture into the world, you may not know that some of the people who seem most excited to meet you are flashing practiced smiles and reciting well-honed sales pitches designed to victimize you in ways you might object to if their intent was fully disclosed.

That charming person picking you up at the door and complimenting you on your appearance and buying you flowers or a nice dinner or taking you to their home in the country may be thinking the entire time about how they are going to put drugs in your drink and have sex with you without your consent, but they’re not going to disclose that fact. Because if they did you might reasonably object to that kind of treatment and opt out of the date, thereby denying the rapist what they want most.

Innocence Lost — Again
Hailing originally from the Midwest as I do, I have more than once been accused of being a country bumpkin. Having gone on to live in Los Angeles for a few years, and in the bustling Northeast for a few years after that, I flatter myself that those stops instilled in me the kind of street savvy and deep cynicism that allows people in those media centers to simultaneously dismiss and lampoon everyone else in the country. Unfortunately, a few weeks ago I was reminded once again that you can never really leave the turnip truck when I read a Wall Street Journal article detailing the degree to which e-readers mine personal data from those devices. Even as I know one of the main goals of any internet-connected business is the procurement and exploitation of user data, including the selling of customer information to third parties, it still never occurred to me that e-readers were mining information about the private reading habits of users.  

Yes, I figured out that Facebook was a predatory psychopath masquerading as a family friendly community, but how hard was that? Even their recent unilateral and unnanounced decision to replace user email addresses with proprietary accounts was greeted with a yawn because Facebook was simply being Facebook. After you’ve watched a serial killer dismember five people in the first hour of a movie, do you really expect the same bloodthirsty murderer to develop a conscience in the second hour?

Unfortunately, the blatant obviousness of Facebook’s abusive practices only makes it all the more embarrassing that I didn’t realize Amazon, Barnes & Noble, and everyone else making e-readers or providing related services are mining personal data from their customers:

The major new players in e-book publishing—Amazon, Apple and Google—can easily track how far readers are getting in books, how long they spend reading them and which search terms they use to find books. Book apps for tablets like the iPad, Kindle Fire and Nook record how many times readers open the app and how much time they spend reading. Retailers and some publishers are beginning to sift through the data, gaining unprecedented insight into how people engage with books.

But wait, there’s more:

Barnes & Noble, which accounts for 25% to 30% of the e-book market through its Nook e-reader, has recently started studying customers’ digital reading behavior. Data collected from Nooks reveals, for example, how far readers get in particular books, how quickly they read and how readers of particular genres engage with books. Jim Hilt, the company’s vice president of e-books, says the company is starting to share their insights with publishers to help them create books that better hold people’s attention.

Believe me, I understand that almost every aspect of the internet these days is a long slinky leg designed to get me to cough up personal information that can be used against me by both advertisers and content creators alike. Really, I do understand this. But the idea that the act of reading a book has become the equivalent of putting on a data-driven peep show for faceless drones lurking in dimly lit, heavily air-conditioned bunkers full of server stacks leaves me aghast. Where I normally loathe marketing weasels for their profit-above-all amorality, I find myself tipping toward actual hatred of anyone who would siphon off information about my reading habits — if, you know, I actually owned an e-reader. (As regular readers know I have yet to take the plunge. The new Glowlight Nook managed to turn my head, but the revelation that e-readers would be eavesdropping on my reading habits has snapped it back.)

All the usual legal dodges and corporate excuses apply to this invasive practice, of course, including the idea that much of what’s collected isn’t personally identifiable. Users take this to mean that the information being sent back to the company can’t be tied to their name, address or the credit card they used to purchase the device or service, but what companies actually mean is that they can easily do all of that but they’re currently probably not as far as you know. As past disclosures about browser cookies have demonstrated, plenty of what’s being collected these days actually is personally identifiable, yet even at that the stealthy pilfering of e-reader information feels like data mining has broken new ground, and not in a good way.

Consenting Adults (and Kids)
To be fair, according to the Wall Street Journal everybody but hayseed me already knew this was happening:

It’s no secret that Amazon and other digital book retailers track and store consumer information detailing what books are purchased and read. Kindle users sign an agreement granting the company permission to store information from the device—including the last page you’ve read, plus your bookmarks, highlights, notes and annotations—in its data servers.

I have no doubt that Kindle users (and users of other e-readers) “sign an agreement,” but in the real world that means “check a box at the end of a massive and confusing license or terms-of-service contract that no one ever reads, which has in any case been written to be both as reassuring and deceptive as possible.” These compulsory agreements provide legal cover to companies in the same way that a date rapist can argue you “signed an agreement” by voluntarily going out with them, yet in neither case is the predatory party being up front. No matter what questions you ask, a date rapist is not going to tell you that you will be drugged and raped, and no matter how closely you read the data rapist’s legalese you are never going to learn how your personal data will be mined, collected, aggregated (either by that company or a third party) and exploited.

As savvy as I am about such things I’m still obviously quite naive. But I’m also willing to bet that the great majority of people using e-readers or tech of any kind have no idea how abusive, invasive, evasive, duplicitous and outright fraudulent many of these legally binding agreements are. Mainstream users — meaning your parents, your grandparents, even your kids — cannot comprehend how completely outgunned they are against companies that intimately understand how to gather and analyze data that otherwise never sees the light of day. Throw in routine industry claims that methods and practices are proprietary and thus cannot be disclosed, and there is no possibility of full disclosure even if you want to know what you’re getting into before you check the little box that legally allows companies to do whatever they want. Like date rapists, data rapists offer a simple choice: trust me or miss out on all the fun, because I’m never going to tell you what I’m thinking or what I really intend to do to you.

Asking For It
To be clear, I’m not outraged by the idea that book sellers and even book creators want all the marketing information they can get in order to better hit whatever target they’re aiming at. If the book business is hell bent on becoming as widely respected and culturally invigorating as television or talk radio I’m all for it. You can never have enough pablum I say, and the only way to make sure you’re getting really good pablum is to focus-test your products on the specific lowest-common-denominator audience your marketing department or editor wants you to write for. And that obviously requires collecting objective data, even as that data will inevitably be subjectively analyzed by people with conflicting motives and personal agendas, who may or may not have any idea what they’re talking about.

Reassuringly, some of the information the book industry and its tech henchmen have so far gleaned strikes me as a tad underwhelming:

But the data—which focuses on groups of readers, not individuals—has already yielded some useful insights into how people read particular genres. Some of the findings confirm what retailers already know by glancing at the best-seller lists. For example, Nook users who buy the first book in a popular series like “Fifty Shades of Grey” or “Divergent,” a young-adult series by Veronica Roth, tend to tear through all the books in the series, almost as if they were reading a single novel.

Shocker. How did I not notice this myself when I first ran across Raymond Chandler and Dashiell Hammett and buzzsawed through everything they’d ever written in one long, delirious, glorious bender? Honestly, if there really are writers out there who think the data they get back from e-readers (or more importantly, from the people who build and code those e-readers, who have their own commercial agendas) will be helpful to their authorial goals, then I hope they drown in data about who stopped on what page for how long. One of the things I’m left wondering, however, is just who owns that data, and how often authors actually get to see it. Is such information being passed along as part of the normal business relationship between the writer/publisher and the e-reader manufacturer? Do you have to ask for it? If you’re a self-publishing writer do you have to pay for it? Is there an option for individual authors to recover that info, or does data about content they created belong to the device manufacturer by default?

At least with Facebook the transaction is clear. You get to use the site for free, and in return they get the right to serially abuse you like a battered spouse, taking what they want when they want, going back on their word, changing the terms of the relationship without notice, and generally behaving like a biker gang in hooded Harvard sweatshirts. (And who can blame them? After what happened to MySpace the insiders at Facebook must be crapping their pants about maintaining the appearance of profitability long enough to sell their shares to the suckers who will eventually go down with the ship.) With e-readers, however, not only do you pay for the device, but you often pay for the content. Then on top of that the people who just took your money in both of those transactions take your personal information in perpetuity and profit from that as well.

I know it’s my job to protect myself from data rape. I get it. My default browser currently uses Ghostery and NoScript to speed the loading of content I actually want while crippling advertisements and popups, which in the case of JavaScript can also be triggers for malicious code and other exploits. And I don’t allow third-party cookies on my machine, ever.

Spying on what I read, however, and how I read it, and accessing my notes and highlighted passages seems more like an invasion of consciousness than anything else I can think of. And it’s all the more insulting because the premise of legality is based on purportedly-specific but intentionally-vague licensing and terms-of-service agreements, which, when carefully linked to equally impenetrable privacy policies make any exploitation of user information fair game. Even if something illegal is being done, who’s going to expose those crimes or abusive practices? And if they’re exposed, who’s going to prosecute the people involved? And if they’re actually convicted, how many four-dollar class-action coupons that require notarized copies of the original receipt in triplicate will end up constituting the bulk of the settlement?

Assuming the Worst
If nothing else, this e-reader, e-spionage business has helped clarify something that’s been rattling around in my head for a while, and that’s the fundamental difference between providing an honest product or service for a fee on the one hand and the weaselly, cowardly, deceptive business of data mining on the other. It’s become an industry if not cultural norm that you have to submit to the risk (if not certainty) of data rape and sign away any legal recourse in order to use almost any data-driven device, yet these capitulations quite often have nothing to do with the product or service being used. It’s simply a practice people have gotten comfortable exposing themselves to, often as de facto compensation for the equally absurd expectation that everything on the web will be free. Unfortunately, like a three-drink minimum or other voluntary business commitment, this acceptance makes it all the more likely you’ll blow money on drink number four because your defenses are down, which in turn makes it more likely you won’t notice someone slipping something into your drink.

To my mind there’s a fundamental difference between businesses that can survive by providing a product or service and businesses that can only survive by mining data. I also think it’s interesting how Kickstarter and other crowd-funding sites upend the conventional wisdom that nobody will pay for anything on the web. You don’t get anything free on Kickstarter, but you also don’t have to drop your drawers, or put yourself in the ugly position of hoping that the people who are going to probe your inner data recesses are so good at their job you won’t have to confront the horrible, awful things they did to you. (That’s how twisted data rape has become. We’re subconsciously rooting for the data rapists to get away with it so we won’t feel stupid and dirty when we’re taken advantage of — like Facebook users routinely do.)

The idea that people won’t pay for something they want on the web is false. What people won’t pay for is stuff they won’t pay for. Give the same product to them for free, however, and you might be able to induce consumers to act like obsessive rats pressing a pill-dispensing button, while you set about mining those same rats for all kinds of data that can be sold under cover of darkness down by the docks. That’s the dubious basis for a whole swath of products and services that are tied to the internet, including, lately, all kinds of online games that are free-to-play because nobody would ever pay for them. The actual business model driving these ventures has nothing to do with consumers purchasing and using a product or service, and everything to do with making the consumer the engine of profitability by making them feel all warm and fuzzy and dreamy, then charming them into exposures of data that they may or may not remember in the morning.

And I guess I’m at a point where that’s simply not something I want to support or expose myself to any more. If you’re not able to give me a straightforward business proposition in which I understand what I’m paying for and what I’m getting, and what I’m exposing myself to, then I think I’m morally and historically justified in assuming you’re planning to do things to me that I don’t want you to do.

Hostile Intent
If you happen to be a fine upstanding person who works for Amazon or Barnes & Noble, or Apple or Microsoft or Google, or any other company that shuttles data from user devices to corporate monkeys, you’re probably a little put off by the notion that you’re raping your customers. I mean, who wants to think of themselves as constantly violating other human beings without their consent? (Other than rapists, obviously.) It’s super-creepy, and makes me feel sick just thinking about it, so I do recognize that it’s an ugly accusation to make.

The problem I have is that I see no evidence that data rapists fully disclose what they’re doing, or are intent on doing, any more than date rapists do. A date rapist is someone who ingratiates themselves, who seduces you and entertains you and professes interest in you, and who for all appearances is a normal human being with a soul. Until you get to the point in the date where you’re actually drugged and taken advantage of there’s no apparent difference between a normal date and a date rapist, and yet a difference exists. Normal dates aren’t hiding hostile intent that you would call the cops about if it were disclosed, which means long before a date-rape is actually committed it’s the lack of disclosure that differentiates between the two types of dates.

Similarly, data rapists do everything they can to make you feel special and loved and wanted through branding, advertising, peer pressure, features, pricing, and on and on, but a big part of what they’re really interested in doing is getting their hands on your data. Yes, you may “sign” an “agreement,” but that doesn’t exonerate data rapists of their deceptive conduct any more than voluntarily going out with a date rapist makes you responsible for your own rape. Even if you voluntarily go out with someone and drink yourself stupid and venture into what used to be called heavy petting, and you get overwhelmed with hormones and passion and lust and backed-up sexual tension that has been dogging you for weeks if not months, you still reserve the right to say no at any point. But you can only say no if you know something’s happening that you disapprove of.

The reason this is important is because just as date rapists render their victims unconscious with drugs, data rapists are masters at rendering their victims unable to consciously monitor what’s happening to them. Over time data rapists have not only created an entire culture which encourages people (and particularly naive young people) to post a greater amount of personal information about themselves than any previous generation would have imagined possible, but they’ve figured out how to completely segregate the permission process from the data-rape process so no accountability is possible. And they’ve done all that on purpose, with the same ruthless premeditation of a date rapist, because they know without a doubt that if they were up front about what they wanted the vast majority of people would object and say no. So they make sure, above all else, that you never get a chance to say no to the specific things they are doing when those things are actually happening to you.

Anyone who’s used computers and software for any length of time can clearly see the omission of full disclosure in data-mining simply by noting what’s missing. If you’ve ever used a browser you’ve had security warnings pop up repeatedly, letting you know a connection was not secure and asking whether you wanted that same warning to be displayed next time. Or maybe you’ve had a new app open a window or dialogue box with a hint about what to do at that point, or a tip on how to make better use of the program. What you’ve almost never seen, however, is an application ask permission to send data about what you just looked at, clicked on, wrote or otherwise did with a device, even though there’s absolutely nothing preventing companies from providing this informative and timely functionality.

Data rapists don’t tell you what they’re doing when they’re doing it because they don’t want you to know. Data rapists don’t ask if what they’re doing is okay because they know most people will say it’s not okay. Data rapists don’t want you to have the right to say no, so they do everything possible to deny you any opportunity to object, including making you sign away your right to object before they actually do anything objectionable. There’s no full disclosure, there’s no contextual disclosure, and there’s no chance to opt out except to not use the product at all.

If you work for Google or Amazon or Microsoft or Barnes & Noble or Apple or any other company and you’re not willing to fully disclose your data collection practices and let your customers know what data you’re collecting, when it’s being collected, and why it’s being collected, then you’re a data rapist. Like a date rapist you have an agenda you’re not willing to disclose, which your customers would prefer to be informed about, or at least prefer to have the option of being informed about. But you intentionally do not provide that disclosure because you don’t want to give the customer the opportunity to make a fully informed decision. Like a date rapist, you prefer that your victims be completely unable to defend themselves, and you do everything you can to make sure they never know what’s happening and never have the chance to say no.

The Morning After
I’m not sure it’s possible to completely avoid this almost omnipresent threat, but I think it’s worth trying. I encourage you to read the WSJ article and think these issues through, because it really is possible to move the market by making reasoned choices about where your time and money goes. It’s not inevitable that we simply have to put up with this kind of abuse, and the best way to prevent it is to make it unprofitable.

Companies have always wanted to know more about what customers think, but they used to access that information the old-fashioned way, with surveys, focus groups, and product testing in Columbus, Ohio. Whether e-readers really do cross a line, or I’m simply burned out after a lifetime of being played for a sucker, I have come to the conclusion that I’m sick of applications and websites and hardware sidling up to me with a sultry smile when I know that what they really want is blanket access to my clicks and taps.

When you buy a car you know you have to be on guard because most of the people who sell cars (and particularly used cars) are former SERE instructors. When the nightmare of negotiations is over, however, you get to take the car home from the dealership without the salesperson hiding in the trunk. (Yes, I know about the little back boxes. No, I’m not thrilled about those either, but if they can reliably prove who caused an accident I can’t ignore the importance of that functionality.)

With Facebook and Google and Microsoft and Amazon and now the whole e-reader industry that’s not the case. The minute you start doing business with them they’re collecting data that they won’t talk about, including the degree to which you really can be personally identified, and they’re never going to stop. They don’t have the guts to tell you to your face what they’re up to, or ask for specific contextual permission, because they know you’d be disinclined to comply. So instead they give you a warm, welcoming smile, then hold the product you just paid for or downloaded hostage until you click the little box that legally signs away your right to object to anything they do to you in the future. (Imagine if you had to do that to buy a pair of shoes or get a meal at a restaurant. You’d never do it, ever.)

You use your new product for a week or a month or a year, then one morning you wake up in a daze with your underwear around your ankles and an uneasy feeling that you’ve been taken advantage of. But because the people who made that product are world-class experts at covering their tracks both legally and technologically, you have no proof that you’ve been wronged. You suspect something happened that you wouldn’t have agreed to if it had been spelled out beforehand, but you don’t know what it is, you don’t know how to prove it, you don’t know how to keep it from happening again, and there’s no one you can appeal to for help.

Until there’s a legal requirement that personal data collected or transmitted be fully disclosed in context — preferably with an opt-in/opt-out pop-up that explains what’s about to happen in language that can be understood by children and the elderly — users will never have the chance to say no when they’re actually being victimized. Most people wouldn’t sign an agreement at the beginning of a date that obligated them to accept whatever subsequently happened, including being rendered unconscious or otherwise unable to object to or resist being raped, but that’s the way data rapists work. Without disclosing their intent data rapists get you to agree up front that whatever they are going to do is okay, then they render you effectively unconscious by refusing to disclose what they’re doing when they’re actually doing it.

— Mark Barrett