Cloud providers, like Google, Facebook, Amazon, and Apple wield an incredible amount of control on their user's personal data. Most times they behave as though they actually do own their user's data, and they engage in practices to track them even using anonymous settings. They do this so they can run the most amount of user data in an algorithm that gives them behavioral results. After they have these analytics, they sell this knowledge in the form of advertising.
Their goal is to make targeted advertising cheaper, and this means making it easy to access user data. I've written about the control cloud providers have over access to essential services. Now, we'll explore the dangers they create under the advertising business model.
All cloud providers use bulk data from their collective of users on their platform for a lot of reasons. One lucrative case is showing targeted advertising to individuals. Sometimes, this business model works so well, there is no charge for access to the service.
The ad model is so effective because it relies on a lot of details from your personal life and habits. Cloud providers are able to get this information from users on their apps giving it to them. They need to have a lot of data from enough users. Once they do, they process the data into behavioral analytics.
The analytics shows which topics, products, and messages someone would most likely respond to. A common example of this at work is grocery stores buying this kind of advertising from an ad network to target pregnant women[1].
First, a grocery store customer uses a search engine to look up diapers. The search engine keeps track of everything the user searches for, and what they click on. Since this hypothetical person also uses the search engine's email service, it knows enough about them to fit them into several categories. As the ad algorithm processes the users, it assumes the grocery store customer fits in the parental category.
Second, the grocery store buys advertising from the cloud provider. The grocery store tells the provider what their customer's demographics are.
Last, the provider uses their analytics and the store's demographics to decide which users to show ads to. The issue is that this example is simplistic, and a traditional view of advertising. It does not show the risks of what is happening behind the scenes. Targeted advertising is highly effective at its goal. But, there are very few guidelines for using it, and no user protections.
Digital ad networks have already had a severe impact on a large population of people. In 2016, Facebook Ads had a heavy influence on the US Presidential election[2]. Google puts a unique and permanent tracking code on all computers and phones on the installation of Google Chrome. Google uses the tracking code to record all Chrome browsing history[3]. Because people use Facebook and Google for so many different things, providers have high fidelity data about people. This is data about people's real lives, business, and their internet habits. It is the core data that powers their behavioral analytics. Facebook has even gone so far to create "shadow" or "dark profiles" for people who do not, or have ever, used their apps. The goal behind their shadow profiles initiative is to optimize the way the ad algorithm shows ads[4].
Cloud providers combine their user's data together. Using this set they create new data and analytics about groups of people. Advertisers pay for access to various categories from some of the groups. Cloud providers and advertisers then work together to figure out which messages are most effective to create a reaction from a person[5]. There are few protections from bad actors spreading harmful messages on an ad. This makes it difficult to say what any ad is trying to draw someone toward.
None of this may be surprising to some people. The advertising industry has worked to better understand its audience since it began running ads. These days, the way they do that is by using a huge data set that includes people's personal details. This data includes sensitive information that in other contexts receive special privacy protections. HIPAA gives companies that work with sensitive information clear guidelines about what they can do with health data. Bad actors are already using ad technology to undermine democratic proceedings. It's difficult to say where other attacks have happened, or how to gauge their success. What is clear is that the tools to create misinformation is in the cloud provider's hands. The power of those tools comes from people's personal data. and nothing is being done to protect people from misinformation.
[1] How Companies Learn Your Secrets http://archive.is/Wibtv
[2] Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html
[3] Is Chrome really secretly stalking you across Google sites using per-install ID numbers? We reveal the truth https://www.theregister.co.uk/2020/02/05/google_chrome_id_numbers/
[4] Shadow profiles: Facebook has information you didn't hand over https://www.cnet.com/news/shadow-profiles-facebook-has-information-you-didnt-hand-over/
[5] This is how Facebook uses your data for ad targeting(https://www.vox.com/2018/4/11/17177842/facebook-advertising-ads-explained-mark-zuckerberg)