Snoopers' charter? That's the least of your worries

Theresa May's plan to record details of all our calls and internet use has provoked outrage. But our online activity is being monitored all the time - and you probably didn't even know it. Kevin Rawlinson reports
  • @kevinJrawlinson

Max Schrems is no Luddite. The law student was savvy enough to know that, if he requested it, Facebook would have to release all of the data it has collected on him since he joined. Even he, though, was taken aback by the amount of information Mark Zuckerberg's social network had on him.

When his report came back - all 1,200 pages of data - he saw details of friend requests he had ignored; people he had "defriended" and even items he had deleted from his account.

"The scary thing was, with a simple 'Ctrl+F' search function on the computer, I could search for terms and key words. I found it was possible to build up a picture of who I am, what I like, who I might vote for," he said last year, after launching a campaign to highlight the issue.

Yet everything in the file was information Mr Schrems, 24, voluntarily gave Facebook, which - like most other internet giants - is a free service. His experience mirrors not only those of Facebook's estimated 900 million users, but those of everyone who has ever "Googled" something, entered their personal information into a website or - to some extent - even loaded a web page, whether they know it or not.

Today's headlines are about new powers for the police. But people and companies - both legitimate and illegitimate - have been using internet users' data for good and bad for years. Google and Facebook are probably the most notable examples of sites which feed off the data their users give them. Both have targeted advertising. For those adverts to be worth the pixels they are printed on, they need users' information.

The latest online data controversy has been over the use of cookies: the pins in an online map of where internet users have been. These allow sites to track where people go. Internet protocol (IP) addresses, which every user has, give a rough indication of location.

Those examples of pieces of information users routinely hand over, put alongside all of the data they volunteer while using a site, allow people to build up online profiles and to extrapolate what users might be into.

"One of the things, if you look at any social networking site, is that there are ways to slice and dice the information which is disclosed and what is done with it. But, in many cases, you have to look very deep to work out how to configure it in that way," said David Enn, the of Russian online security company Kaspersky Lab.

Google, one of the highest-profile sites when it comes to data collection, is also one of the most transparent about how it uses that information. It has a section on its site where users can go to learn about how to manage which information they hand over and, by not signing in, they can remain anonymous.

The company says that its products work much better when users let them learn their characteristics. Google's former chief executive, Eric Schmidt, spoke last year of building a "serendipity engine", which could go beyond simply returning bland results to searches but actually inspire users to visit sites they had not even thought of. But that requires personal data - and a lot of it.

"Services like Facebook or Google already have an astonishing amount of information about most people. Users are simply used to providing their contact details and sharing a great deal about their lives," said James Lyne, director of technology strategy at Sophos, another Web security specialist. "Many treat these services like they are speaking to a closed group of privileged friends, but it has been shown how widespread such information is actually exposed."

It can, of course, go wrong. In 2010, Google admitted it had inadvertently collected sensitive personal data using software installed in the cars it sent to photograph Britain's streets for its Street View application. And earlier this month, members of the professional social networking site LinkedIn became the latest to have their passwords leaked when about 6.5 million of them found their way on to a hackers' forum.

The inevitable discussion, as the new Data Communication Bill goes to Parliament, will be whether data should be collected about people who have not been arrested on suspicion of any crime - and the cost of the whole plan.

Vicente Diaz, an online security expert at Kaspersky Lab, said: "There are firms already working on building your public online profile. Once it gets this far, you have already lost control of your data."