Photo illustration of binary code and a finger print

Companies are collecting more consumer data than ever before, and there’s “no clear line” between what’s normal and what’s invasive, says computer scientist Ben Zhao. (monsitj/iStock)

A computer science expert on the data privacy crisis

Worried about online privacy? So is Ben Zhao.

Ben Zhao and Heather Zheng are internet good guys. The Neubauer Professors of Computer Science study security, privacy, and artificial intelligence—research interests that led them to discover security vulnerabilities in popular services including Facebook and the navigation app Waze.

When they ran across these slip-ups, in 2009 and 2016, respectively, Zhao and Zheng did what white hats do: they told the companies, and counted on them to make the changes that would keep users safe. Zhao says in his experience, most companies in similar situations were responsible enough to follow through. Crisis averted.

Today, in rough-and-tumble 2019, Zhao isn’t opposed to telling companies when they’ve messed up, but he’s no longer sure that alone is enough. The digital landscape has changed and so has his perspective on privacy.

The number of internet-enabled devices—not just phones and tablets, but also things like smart fridges—has grown from 12.5 billion to 26.7 billion over the past decade. The firms manufacturing these devices can be so small that “there is no hope of ensuring that they’re responsive” to privacy concerns, “because they have no pressure to do so; they have no public reputation,” Zhao says. Another consequence of the new generation of gadgetry is that more firms are collecting (and potentially losing or abusing) your data than ever before.

And collect your data they do. Twenty years ago, believing your phone was monitoring you was strictly tinfoil hat territory. Now we know it’s happening and blithely go about our business. The mechanisms of tracking user behavior have become “ridiculously sophisticated,” Zhao says. In the past five years, “we for sure crossed some line where … data mining went way beyond what normal people might expect.”

Take, for example, ultrasonic tracking. Imagine a seemingly innocuous retail app asking for permission to access your phone’s built-in microphone. Without thinking much about it, you hit “allow.” The simple tap of a button allows the app to listen for inaudible, high-pitched beacons emitted from its partner websites in addition to advertisements and storefronts. That means the company can know where you’ve been and what ads you’ve seen, online and offline.

Putting these two things together—the proliferation of internet-enabled devices and the rise of data mining–fueled marketing—has brought us to a world where the company that makes your toaster knows you’re a lefty who drives a Honda. (How much this worries you may depend on how many times you’ve seen 2001: A Space Odyssey.)

Yet awareness of privacy concerns hasn’t provoked large-scale digital disconnection. Users remain on platforms such as Facebook that have a long history of privacy faux pas. They may wish the company would be more conscientious about protecting their information—just not enough to log off.

But Zhao thinks we may be in the midst of a sea change, due in part to the Cambridge Analytica scandal, in which the political consulting firm improperly gained access to information from up to 87 million Facebook users. The breach provoked more serious and sustained outrage than Facebook had ever seen before. As Lior Strahilevitz, Sidley Austin Professor of Law and a fellow privacy scholar, told Chicago magazine, this scandal was different because “it got tied into bitterness over the presidential election. … They haven’t figured out a way to make this story go away.” And the outrage had a cascade effect, sparking a serious and sustained conversation about online privacy beyond Facebook.

Zhao is asked—more often than almost anything else, he says—how people can protect themselves in this new age. As a first step, he suggests users limit the companies that have access to their real personal information. Most online retailers don’t need to know (for instance) your birthday, so don’t give it to them, or consider providing inaccurate information.

And in the spirit of fighting fire with fire, he’s designing a high-tech workaround for devices such as Amazon Echo and Google Home, which, Zhao says, are rife with possibilities for hacking and abuse—and are listening to more audio than consumers realize. To combat the risk, he and his graduate students are developing a bracelet that, when activated, emits ultrasonic waves that jam nearby microphones.

There’s an early prototype of the bracelet and its components in Zhao’s lab, just down the hall from his office, which looks like a Best Buy after a hurricane. Phones, cables, and batteries are strewn across a large table, and two computer towers are labeled “Groot” and “Baby Groot.” Zhao picks up one of the microphone-disabling components of the bracelet. Around half an inch in diameter, it looks like a tiny round speaker.

Until recently it would have been hard to imagine anyone would want such a device. (Of course, until recently it would have been hard to imagine a smart speaker in your living room accidentally recording a personal conversation and sending it to a colleague.) “I think now it is completely believable for there to be a market, maybe even an industry, for privacy-enhancing products,” Zhao says.

As he exits his office, Zhao discovers a crucial vulnerability in perhaps the world’s oldest security system—his door, which won’t close. The irony isn’t lost on him. “Privacy!” he says, gesturing to the knob in mock frustration. Whether online or off, you can only do so much.