- Center for the Digital Future - http://www.digitalcenter.org -

Why using cash won’t protect your privacy

Many Americans are worried that in a cash-free future, we won’t be able to keep some purchases private.  But does cash really preserve anonymity?

_______________________________________________________________________________________

By Brad Berens

We need to upgrade our nightmares, thank and excuse the monsters under our beds, and tell our bogeymen that it’s time to make room for a new generation of things that make us go “eek!”

Some of our fears are analog antiques in a digital world.

Here’s an example of what I mean: in our recent Future of Money and Banking survey, we asked how Americans would feel about a cash-free society [1] and provided different responses:

Our respondents indicated how much they agreed or disagreed with each response.

The option that generated the most agreement was that people would like to keep some purchases private by using cash: 72 percent of our respondents either somewhat or strongly agreed with this statement.

This shows that nearly three-quarters of Americans are at least somewhat concerned about their privacy and aware that anytime they use a credit card, debit card, check, or mobile payment service a variety of businesses record the purchase in laundry pen. (And this is far from the only indication from our work at the Center [2] that Americans are worried about privacy.)

These worries are appropriate. The stores and services we frequent (in real life and online) track and store everything we do with them and also acquire other data in order to build profiles of us and of customers a lot like us. If you’re an optimist, then the profiles exist so that the companies can do better jobs of getting us the things we want at the best prices. If you’re a pessimist, then the profiles exist so that the companies can dupe us into spending money we don’t have on things we don’t need.

Both conditions are probably true.

_________________________________________________________________________________________________

As Simson Garfinkel observed, “the future we’re rushing towards isn’t one where our every move is watched and recording by some all-knowing ‘Big Brother.’ It is instead a future of a hundred kid brothers that constantly watch and interrupt our daily lives.”  Those kid brothers are corporations.

_________________________________________________________________________________________________

What most people don’t realize is how freakishly comprehensive the data profiles of us are, and the extent to which algorithms can identify patterns that human beings simply cannot see.

For example, in a famous 2012 New York Times article [3], Charles Duhigg told the story of a father who discovered that his 17-year-old daughter was pregnant when Target sent her coupons for baby clothes and cribs. The data-mining team at Target had figured out that changes in shopping patterns — for example, buying more unscented skin lotion than usual — could indicate that a woman was entering the second trimester of a pregnancy. (Read the article if you have a high threshold for being creeped out.)

Algorithms and artificial intelligences are our new digital bogeymen.

Cash is no protection

Since companies track and profile us 24/7/365, our respondents’ desire to keep the pay-with-cash option available makes perfect sense. However, what’s antiquated and analog about this desire is the belief that using cash provides any kind of protection against tracking purchases.

It does not.

Either today or in the near future, technology can track what we buy, where we buy it, how much we paid, and how that purchase connects to all our other purchases as well as those of our family and friends — even if you use cash.

Let’s dispense with the obvious scenarios. If you type your phone number into a little keyboard when you make a purchase, then it doesn’t matter if you pay with cash: the business adds that purchase to the profile it has built up for you over the time you’ve frequented that store, combo-plattered with data about you that it has purchased from credit bureaus, other information brokers, as well as digital services like Facebook, Google, Pinterest, Twitter, Amazon, and more.

Less obvious: you walk into a store to make a purchase that you’d like to keep private (an early pregnancy test, an STD test, a magazine supporting a point of view that your spouse rejects), so you pay with cash. However, your smart phone is still in your pocket or bag; your phone logs back into the store’s wifi, whereupon the store knows that it’s you. Even if you don’t use the store’s wifi, the store might use beacon technology to record when you arrive at and leave the store because you’ve signed up for a mobile points and promotions service like Shopkick at some point. You pay with cash, but because you have your smartphone the store still knows you were there and can infer from the data that you made an embarrassing purchase.

At this point, you might be thinking that all you have to do is leave your smart phone at home in order to make a private purchase.

Not so fast.

Biometrics, like fingerprints, voiceprints (how Siri or Alexa know it’s you talking), and facial recognition allow people to unlock technology in order to get access to different accounts. Companies can use the same biometric technologies to identify you even when you’re not deliberately logging in. There’s also “gait analysis” that can identify you by the way you walk. Even if you leave your gadgets at home and pay with cash, you still have no guarantee of anonymity.

_________________________________________________________________________________________________

Since companies track and profile us 24/7/365, our respondents’ desire to keep the pay-with-cash option available makes perfect sense. However, what’s antiquated and analog about this desire is the belief that using cash provides any kind of protection against tracking purchases. It does not.

_________________________________________________________________________________________________

(If you follow privacy issues at all, then you’ll often hear about Personally Identifiable Information or PII. Corporations’ privacy rules often prevent them from selling or leasing your data to other companies, but there’s no guarantee that the corporations will be acting in their customers’ best interests. Ordinarily, chief privacy officers are lawyers, and it’s the lawyers who write the End User License Agreements or EULAs that you have to agree with in order to use a service. Those agreements are neither short nor easy to understand [4], so most people don’t read them.)

In order to make a private purchase, you’d not only have to pay with cash but you’d also have to cover your face (don’t forget the ears), do something to change your voice (or don’t speak), and put a rock in one shoe in order to change your gait.*

How likely is it that people will do this?

Is there a right not to be tracked?

“The Right to Privacy,” an 1890 Harvard Law Review article by Samuel Warren and Louis Brandeis, articulated that Americans have a right to be left alone, but Warren and Brandeis were thinking about preventing the press from violating the rights of private citizens, particularly when there was nothing that the public would gain from knowing about people’s private lives beyond voyeurism.

Mostly, when we think about privacy, we think about it being violated by the press or by governments.  But as Simson Garfinkel observed in his 2000 book, Database Nation: the Death of Privacy in the 21st Century [5], “the future we’re rushing towards isn’t one where our every move is watched and recording by some all-knowing ‘Big Brother.’ It is instead a future of a hundred kid brothers that constantly watch and interrupt our daily lives.”

Those kid brothers are corporations.

At the present moment it is difficult for Americans to protect their private lives, but there is some hope that this won’t always be the case. The European Union has enacted the General Data Protection Regulation or GDPR [6], which aggressively protects the privacy of EU citizens. Many of the GDPR rules will extend to corporations outside the EU with shockingly stiff fines, so companies around the world are scrambling to comply with the new regulations before the rules take effect in May of this year.

Compliance with the new EU rules might have some spillover benefit for Americans, and perhaps the EU’s example will inspire the United States to protect the privacy of its citizens.

Someday.
__________

* If you are interested in more detailed explorations of these scenarios, please see my 2011 book, Redcrosse [7].

 

Brad Berens [8] is the Center’s Chief Strategy Officer.

 

 

See all columns [9] from the Center.

January 4, 2018