Pandora’s Checkbox

The Information Age brought with it a cliché—that unread agreement you dismiss to get to the software you need to use. There’s no way you’re going to read it. For example, macOS High Sierra comes with a software license agreement totaling 535 pages in PDF form, which contain (by my count) 280,599 words of intensely detailed yet maddeningly vague legal language. On that operating system, Apple Music has another license, and the App Store has yet another, and so on.

It would take thousands of dollars in consulting fees with a lawyer to make a fully informed decision, or you can proceed regardless. So you proceed. You always have. Each little app, website, or gizmo peppers you with a new set of terms and conditions. Each upgrade gets a few extra clauses thrown in, and you agree again.

You’re not a fool. You assume you’re signing away rights and control you want. It comes in the bargain. You try to skim the terms and conditions, and this deal feels a bit more Faustian all the time—mandatory binding arbitration, data collection, disclaimers of liability, and so on.

None of this is really news to you if you’ve dug into it. You’re not really in possession of your software; you’ve merely licensed the use of it. You can’t really hold them responsible for flaws; you agreed to accept the software as is. You can’t really control what information they collect about you; you hand that over and get a free or discounted product in return.

However, where things get slippery is that a company with whom you’ve entered into a transaction has also signed agreements with yet other companies. Worked into those overwrought terms and conditions you clicked through, with their vague-yet-precise language, are ways of ensuring that you’ve already agreed to these subsequent proxy agreements as well.

What the T&C often allow is for your data to commingle at some broker whose name you’ve never heard of. A common situation in which this happens is when any entity responsible for handling money is involved.

Say that you learn about a subscription service called Company A. You find them in your web browser or your mobile app, and you sign up, agreeing to their T&C. Then you ask to subscribe to a new e-mail about scarves every day, or whatever Company A does. They in turn ask for your credit card info, your billing address, and maybe a few other demographic details about you.

Company A turns to Company B to determine how risky you are. To do this, they ship off some information about you. If you used a mobile app, they’re possibly reading off what Wi-Fi networks are nearby, what Bluetooth devices are nearby, what apps are installed on your phone, what IP addresses you’re using, what fonts you have installed, and a wealth of other information. If you’ve used a browser, the information is similar but more limited. You’re being geographically located in either case. The headers from your browser are sent. The last website you were at before visiting Company A is probably sent.

Company B collects this information and compares it to all the other data it has on millions of other requests it’s collected from other companies. It has no real duty to sequester Company A’s data from Company Z (neither of which knows anything about the other), and by putting it all together, it can detect patterns better. For example, it may have the ability to know where you are, even if you are behind a proxy. It may be able to track your traffic across the Internet as you move from Company A to Company Z and so on—because the number of details it gets is usually enough to uniquely identify you. It needs no cookies or other storage on your end for this.
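To see how little it takes, the sketch below measures how quickly a visitor's "anonymity set" shrinks as attributes are combined, and how the same combination links one visitor across two unrelated clients with no cookie involved. It is an added example, not code from the original essay; the attribute names and all sample requests are constructed assumptions.

```python
import hashlib

# Constructed sample: requests forwarded to one broker by two unrelated clients.
# No cookie or account id is present; attribute names are assumptions.
REQUESTS = [
    {"client": "Company A", "ua": "Firefox/115 Linux", "lang": "en-US", "tz": "UTC-5", "screen": "1920x1080", "fonts": ("DejaVu", "Noto")},
    {"client": "Company A", "ua": "Firefox/115 Linux", "lang": "en-US", "tz": "UTC-5", "screen": "2560x1440", "fonts": ("DejaVu",)},
    {"client": "Company Z", "ua": "Firefox/115 Linux", "lang": "en-US", "tz": "UTC-5", "screen": "1920x1080", "fonts": ("DejaVu", "Noto")},
    {"client": "Company Z", "ua": "Chrome/120 Windows", "lang": "de-DE", "tz": "UTC+1", "screen": "1920x1080", "fonts": ("Arial", "Calibri")},
    {"client": "Company Z", "ua": "Firefox/115 Linux", "lang": "fr-FR", "tz": "UTC+1", "screen": "1920x1080", "fonts": ("DejaVu", "Noto")},
]
ATTRS = ("ua", "lang", "tz", "screen", "fonts")


def fingerprint(req, attrs=ATTRS):
    """Hash the chosen attributes into a stable, storage-free identifier."""
    canonical = "|".join(f"{a}={req[a]!r}" for a in attrs)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def anonymity_set(requests, target, attrs):
    """Requests indistinguishable from `target` when only `attrs` are compared."""
    fp = fingerprint(target, attrs)
    return [r for r in requests if fingerprint(r, attrs) == fp]


def linked_across_clients(requests, attrs=ATTRS):
    """Fingerprints observed at more than one client (cross-site linkage)."""
    seen = {}
    for r in requests:
        seen.setdefault(fingerprint(r, attrs), set()).add(r["client"])
    return {fp: clients for fp, clients in seen.items() if len(clients) > 1}


if __name__ == "__main__":
    target = REQUESTS[0]
    # Each added attribute narrows the crowd the visitor can hide in.
    for n in range(1, len(ATTRS) + 1):
        print(ATTRS[:n], len(anonymity_set(REQUESTS, target, ATTRS[:n])))
    print(linked_across_clients(REQUESTS))
```

With all five attributes, the only request left matching the first visitor is that same visitor's request at Company Z, which is the cross-client linkage the broker relies on.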

This means that Company B has the role of an invisible data broker whose job it is to assess fraud risk on behalf of companies. The more clients it has feeding it data, the stronger its signals become, so Company B is incentivized to gather as many sources of data as possible, and it wants those data to be as rich and as frequently updated as possible.

Company A gets back something like a score from Company B indicating how much risk you pose—whether or not you’re likely to try to scam them out of free services (or if you’re even a human or not). Assuming you’re fine, then Company A sends your info off to Company C, a credit card processor who is the one actually responsible for charging you money and giving it back to Company A.

Company C is collecting data as well because they stand the greatest risk during this transaction. They collect data themselves, and they’re almost certainly using a data broker of some kind as well—either Company B or more likely something else, a Company D.

These interactions happen quite quickly and, usually, smoothly. In a few seconds, enough info about you to identify your browsing patterns and correlate you with your purchase of Scarf Facts has now been aggregated by one or two data brokers.

These brokers sell their services to companies hoping to prevent fraud, and they make money because they are able to draw from ever larger sources of traffic and gain a clearer picture of the Internet. You agreed to this, but I doubt it was clear to you that entities other than you and Company A were involved.

If you’re wondering whether or not this is really happening, this sort of collection has become increasingly common as businesses have tried to compete with one another by reducing friction around their sign-up processes. Simple CAPTCHAs have not been enough to hold back the tide of automated and human attempts to overwhelm large and small businesses attempting to sell services and goods online, and they have turned to data-based solutions to fight back. We can’t wind back the clock to a simpler time.

Unfortunately, most people are uninvolved and have become bycatch in the vast nets we’ve spun. It is likely, as time goes on, that the brokers who collect and analyze the data collected this way will try to sell them, or analyses of them, to profit in other ways. The value of these data increases as they become more representative of the traffic of the Internet as a whole.

I’m not asking you to stop and read the T&C on the next website you sign up for. That’s never going to be practical. But now you know about another piece of your soul you’re possibly chipping off in return for clicking “Accept.”