It is of course absolutely simple to register whether a participant in a clinical study is physiologically male or female. If you then get to test a newly developed vaccine on a pandemic scale, the numbers also become statistically significant fairly quickly. How logical would it then be to also include an m/f column in your database of reported side effects? I thought medical researchers all had a copy of Invisible Women lying on their nightstand. What a naive thought of mine.
[…] the vaccine makers largely ignored the element of ‘sex’ in the vaccine research and the treatment methods for Covid-19. For example, none of the published clinical trials of five coronavirus vaccines had broken down the side effects that occurred by sex.
How women were forgotten in Covid-19 research (source: Trouw)
I discovered a disturbing thing yesterday when exporting my Mailchimp e-mail contacts for IFF. Mailchimp has more personal data than I asked for. When signing up for my weekly digest, all I want to know is an e-mail address. It’s the only thing I need to know for sending an e-mail to a person. I deliberately do not ask for names or other details. The less I know, the better, considering the chances of data breaches and GDPR legislation. After exporting my contact list from Mailchimp I found out the service has more data on record than I asked for. For instance, for one person who registered for my e-mail subscription list I have a first name, a last name and birthday on record. I’ve never had input fields for that information in my subscription form, so how do those personal details end up in my contact list on Mailchimp?
The only explanation I can think of is that Mailchimp keeps unique IDs based on an e-mail address. The data that person discloses to a Mailchimp mailing list then ends up in all other mailing lists that person subscribes to using the same mail address. A hint for that explanation is the ID numbers that I also received in my data export from Mailchimp. All users are assigned two ID numbers, a LEID and an EUID. This is Mailchimp’s explanation about these IDs:
LEID is the unique identifier for a contact, specific to an audience. EUID is the unique identifier for a contact on the account level, across all audiences.
Whatever the reason and mechanics behind Mailchimp’s user IDs, I’m really shocked to find out I own personal data I never asked for. Even worse, the person subscribing to my mailing list never agreed for me to have that data. A serious breach of trust (and the law).
There is more data in the export file. IP address is logged at opt-in and again when confirming one’s subscription. Latitude and longitude. And based on that information country and province are logged. I was under the assumption I only asked for an e-mail address and that would be the only thing on record. I was wrong.
My conclusion is that I should never have used Mailchimp in the first place for sending my automated blog digest. I exposed my readers to a data collector. I deeply apologize for that.
I am now switching to a WordPress plugin called MailPoet. The sign-up data is stored in the database belonging to this blog. The only data I transferred from Mailchimp to my blog are e-mail addresses, as subscribers agreed to when signing up. The only extra information that is logged are IP addresses when signing up and confirming. With that data I can prove consent for signing up to anyone asking (or a subscriber to prove an e-mail address was misused for signing up). I will delete my account for IFF with Mailchimp and remove the export files on my computer.
This case clearly shows how easy it is to collect excess data. Lesson learned.
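A check like the one described in this post can be scripted: list every export column that holds data the sign-up form never asked for, then write a copy reduced to the e-mail address before importing it elsewhere. This is an added example, not code from the post or from Mailchimp; the column names and all values in the sample are assumptions modelled on the fields the post mentions.

```python
import csv
import io

# Constructed sample export: column names are assumed, every value is invented.
SAMPLE_EXPORT = """Email Address,First Name,Last Name,Birthday,OPTIN_IP,CONFIRM_IP,LATITUDE,LONGITUDE,REGION,CC,LEID,EUID
reader1@example.org,,,,192.0.2.10,192.0.2.10,52.37,4.89,NH,NL,1001,a1b2c3
reader2@example.org,Alex,Example,04/17,198.51.100.7,198.51.100.7,,,,,1002,d4e5f6
"""

# The only field the sign-up form asked for.
COLLECTED_ON_PURPOSE = {"Email Address"}


def audit_export(csv_text, allowed=COLLECTED_ON_PURPOSE):
    """Return {column: rows holding a value} for each column outside `allowed`."""
    excess = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, value in row.items():
            if column is None or column in allowed:
                continue
            excess.setdefault(column, 0)
            if isinstance(value, str) and value.strip():
                excess[column] += 1
    return excess


def minimise(csv_text, keep=("Email Address",)):
    """Return the export reduced to `keep`, skipping rows without an address."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in keep if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export lacks expected column(s): {missing}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(keep), lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if (row.get("Email Address") or "").strip():
            writer.writerow({c: (row[c] or "").strip() for c in keep})
    return out.getvalue()


if __name__ == "__main__":
    for column, filled in audit_export(SAMPLE_EXPORT).items():
        print(f"{column}: {filled} row(s) with data")
    print(minimise(SAMPLE_EXPORT))
```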
I downloaded my fb data and started digging in the data. The folder ads_and_businesses was my biggest interest. Not very surprising, but there is little data to go through. Five brands under ‘Who Uploaded a Contact List With Your Information’. Seven brands under ‘Your Off-Facebook Activity’. One brand on this list surprised me. Headspace. Headspace is a wonderful service to help me meditate. I’ve been a subscriber to Headspace for six years. It has been a big help to get me through rough patches in life. I pay good money for this service on a yearly basis (just under €45) so I was surprised to see Headspace participating in surveillance capitalism. Also, how could they make a match between my Headspace account and my Facebook account? Time to dive deeper into privacy policies and data collected by Headspace.
Headspace proactively shares data with Facebook, including paying customers
This is what fb logged on my Headspace behavior in the past few months. It does not seem to be a complete list.
1. DATA WE MAY COLLECT
Facebook profile information, such as name, email address, and Facebook ID, if you choose to log in to the Products through Facebook
9. USES MADE OF THE DATA
To serve our advertisements to you through third party platforms, such as Facebook or Google, on other sites and apps or across your devices, to the extent that you have provided consent for such uses under applicable law.
11. DISCLOSURE OF YOUR DATA
With third parties, such as Facebook, in order to serve Headspace advertisements on such third party platforms, to the extent that you have consented to such practices under applicable law.
I’m already a customer, so Headspace doesn’t have to show me ads on fb. If they want to communicate with me, they have a valid email address to connect with me. The only reason I can think of they want a connection to fb through me is to reach my friends. Well, guess what. I already recommend the service to my friends, by telling them in person. Way more convincing than an ad on fb. But knowing what I know now, they make me think twice about recommending Headspace to my friends. They even make me re-evaluate whether I’ll want to renew my subscription.
In a week or two I will file a new data request with fb to see if new data on Headspace logins showed up or not. I’ll report back on that in a few weeks, when I have a better answer to the more disturbing question:
How does Headspace know who I am on Facebook?
The curious thing about this case is that I have absolutely no idea how Headspace was able to match my Headspace id with that of my fb account. In this article fb explains how businesses can match their clients with fb users. By uploading phone numbers, which will then be encoded, businesses can serve ads to their clients using fb. Fb implies this is done using email addresses, phone numbers or other personal information. Now here’s the thing. I can’t think of a single piece of information Headspace has on me to match me with fb. I use unique email addresses for both Headspace and Facebook. That can’t provide a match. And as far as I know I never provided my telephone number to Headspace. I use a nickname for my Headspace account, and payment for the service is done through PayPal, again using a unique email address. So how does Headspace know what my Facebook account is? In order to find this out I sent a data request to Headspace for my full record. Perhaps they know more of me than they show me in my account information. This story will be continued.
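How matching on encoded identifiers works in general, and why a separate address per service leaves nothing to match on while a shared phone number does, shown as an added example that is not code from the post, Facebook or Headspace. It assumes the encoding is a SHA-256 digest over a normalised value and a default country code of 31; all records are constructed.

```python
import hashlib
import re


def normalise_email(value):
    """Case and surrounding whitespace must not change the digest."""
    return value.strip().lower()


def normalise_phone(value, country_code="31"):
    """Reduce a number to digits with country code (assumed default: 31)."""
    digits = re.sub(r"\D", "", value)
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return country_code + digits[1:]
    return digits


def encoded_keys(record):
    """Return {(field, sha256 hex)} for the identifiers a record carries."""
    keys = set()
    for field, normalise in (("email", normalise_email), ("phone", normalise_phone)):
        if record.get(field):
            digest = hashlib.sha256(normalise(record[field]).encode()).hexdigest()
            keys.add((field, digest))
    return keys


def match(uploaded_list, platform_accounts):
    """Return {account id: fields that matched}; only digests are compared."""
    hits = {}
    for customer in uploaded_list:
        customer_keys = encoded_keys(customer)
        for account in platform_accounts:
            common = customer_keys & encoded_keys(account)
            if common:
                hits.setdefault(account["id"], set()).update(f for f, _ in common)
    return hits


# Constructed records: every address, number and id below is invented.
BUSINESS_LIST = [
    {"email": "alias-for-app@example.org"},                    # per-service alias
    {"email": " Shared@Example.org "},                         # reused address
    {"email": "billing@example.net", "phone": "06-12345678"},  # phone on file
]
PLATFORM_ACCOUNTS = [
    {"id": "acct-1", "email": "alias-for-social@example.org"},
    {"id": "acct-2", "email": "shared@example.org"},
    {"id": "acct-3", "email": "private@example.com", "phone": "+31 6 1234 5678"},
]
```

Encoding the values does not prevent linkage: two parties holding the same normalised identifier compute the same digest, so any one shared identifier is enough to join the records.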
One of the topics I’m currently working on is how to tackle data obesity. Or rather I’m working on helping small companies and individuals stop feeding the very hungry caterpillars in this world. That is not an easy task, but I strongly believe the world will be a bit better when our personal data is treated with the utmost respect. Most people are sort of aware of this notion, but have no idea where to start. That’s the void I’m aiming to fill.
There are two main themes that I need to address: data ownership and social connection. The data ownership part is pretty straightforward. There are good services available to store your data in a self-hosted cloud, including open source tools to collaborate online. Generally speaking these services are very affordable for even the smallest businesses.
But then the social connection part. Connecting to others online without using the hungriest caterpillar of them all is the tricky part. I want to encourage people to stop using Facebook. There. I said it. I’m going to climb Mount Everest wearing shorts and sandals. On the one hand impossible. On the other hand, absolutely necessary.
Over the years there have been so many twists and turns of this company that it’s hard to begin to explain why I feel the need to show others the non-Facebook road. To unravel my thinking I started a map. I wrote down arguments, patterns, concerns and everything else that came to mind when I think about Facebook. I also started working on a path towards the other world. The world where we take ownership of our social connections and the data that comes with it. That world exists, but the journey there will be through rough terrain. We will lose some weight along the way and even though for some that will feel like losing themselves a little, as a group we will become healthier.
The map I show you here is far from a finished document. There are many things that I need to research before I can write about it. But writing about it I will. A lot. If you want to chip in with ideas or (re)sources, feel free to connect with me. Leave a comment below, or send me an e-mail.