How Tech Companies Track Your Every Move And Put Your Data Up For Sale

Jul 31, 2019
Copyright 2019 Fresh Air.

TERRY GROSS, HOST:

This is FRESH AIR. I'm Terry Gross. If you ever get the creepy feeling you're being monitored when you use your computer, smartphone or smart speaker, our guest Geoffrey Fowler is here to tell you you are. Fowler writes a consumer-oriented technology column for The Washington Post. He's been investigating the ways our browsers and phone apps harvest personal information about us even while we're sleeping. And he discovered that Amazon had kept four years' worth of recorded audio from his home, captured by his Alexa smart speaker, including family conversations about medications and a friend doing a business transaction.

Geoffrey Fowler joined the Post in 2017 after 16 years with the Wall Street Journal, writing about consumer technology, Silicon Valley, national affairs and China. He writes his technology column from San Francisco. He spoke with FRESH AIR's Dave Davies.

DAVE DAVIES, BYLINE: Well, Geoffrey Fowler, welcome to FRESH AIR. You have a recent column. The headline is "I Found Your Data. It's For Sale." What kind of personal data did you find available for sale on the Internet?

GEOFFREY FOWLER: I found all kinds of things that normal people would consider secrets and that corporations spend a lot of money - millions and millions of dollars - to try to keep out of the hands of their competitors and criminals. I found people's flight records. I found people's records from their doctors prescribing them medications. I found people's tax documents that they were - thought they were only sharing with their tax preparer. And they were available with one click. I could have opened them up and downloaded them.

DAVIES: Right. And where did this data come from?

FOWLER: It came from their Web browsers. And what we discovered along the way is that there is a giant hole in people's Web browsers that we're installing ourselves, and they're called extensions. These are these little apps, these little programs that you add into Chrome or into Firefox that are supposed to help you do things on the Web more easily, like keep track of your passwords or, you know, maybe get discounts on certain websites.

A lot of them do that, but it turns out a surprisingly large number of them have a side hustle in your data. And they were in the business of watching everything you did on the Web, sending it out somewhere else and then that site was sending it on to someone else, who then made it available for sale.

DAVIES: So when we click on the I agree box after not reading all - the long thing, what does that allow the add-on to harvest from us?

FOWLER: It allows the add-on to look at every webpage you go to. They can read the contents of the page. They can also look at the exact address at the top of the page. That's all the letters that appear after - through the HTTP that you see. And that actually contains a lot more secrets than you might realize. For example, it might contain your username or your password or, in the case of some pages that we saw in this system for sale from doctor's offices, contain the name of the doctor and even medication that was being renewed.

I have to say - I, as a technology journalist, knew that extensions were a risk, but I had no idea how much of a risk they were until I heard from an independent researcher - a guy named Sam Jadali, who runs his own Web hosting service and found some of his customers' data for sale and kind of became a half-a-year-long investigation for him to figure out how this happened. What he showed me, actually, was data coming from the Washington Post's own newsroom for sale on the Internet.

DAVIES: Wow. Before we get to how this ends up for sale, let's get to the mechanism of how it gets into the wrong hands. So we install an extension on our browser. It's by some company, whatever. They then harvest the data. Then what do they do with it?

FOWLER: They either use it for themselves - there's actually a lot of companies that are in the business of - like, sometimes they call it marketing analytics - of trying to figure out what people are doing on the Internet. Amazon has a very large business doing this with a company called Alexa. In Amazon's case, though, they only keep it for themselves. They don't sell that and share it to other people. And they anonymize that data so that people who might tap into it can't see the exact page that you, Dave, were - was looking at.

But not everybody in this sort of shadowy business is so ethical. And so we found this data through the research of that independent researcher I mentioned, Sam Jadali. We found it for sale on a site called Nacho Analytics. It was buying it from perhaps some other party who perhaps was getting it from some other party. It's really hard to connect these dots because the companies won't talk about who they are getting their data from - and then, you know, putting it all for sale, down to the individual pages that people were clicking on, on a site called Nacho Analytics.

DAVIES: Right. So you went on to Nacho Analytics. And what did you find?

FOWLER: On Nacho Analytics, you could pay, starting at about 40 bucks per month, to look at the webpages that people were surfing on individual domains - so places like NPR.org or even onedrive.com, which is Microsoft's cloud storage service. And when you pulled up those pages, you could see the exact URLs of pages. So - and then search through them and search through the metadata. So that's things like the titles and the address of the computer that they were using to surf there. You could see all of this information and search through it.

DAVIES: And in some cases, things that appeared to be tax returns or medical records, right?

FOWLER: Yeah. For example - so we went to onedrive.com and typed in tax, and that pulled up a bunch of documents based on the title of the page that appeared to be tax returns. Now, I did not want to further dig into anybody's privacy, so we did not actually click on those links, but we could have to see them.

DAVIES: So if you wanted to look for a specific person on Nacho Analytics, you could find them.

FOWLER: Well, I'll take the case of what we found from the Post newsroom. So I asked this researcher, Sam Jadali, to see if he could find any data from the Post's internal network. That's washpost.com. So he pulled up the pages he could see being surfed there. And there we saw someone logging into our internal networks - so not even something that's public to the world. And it turned out to be one of my colleagues, Nick. And we saw his username.

So then I quickly called up Nick, and I said, hey, Nick, did you know that your data is for sale on the Internet? And he was like, what? And I said, well, I think the problem is an extension that you've got running on your computer. And we looked through them together. And sure enough, there was an extension there that looked really innocent but was sending out every page that he was visiting.

DAVIES: Now, Nacho Analytics that provided all this information for a fee - you talked to them, I assume. What did they say?

FOWLER: They said that they didn't do anything wrong. And they may have a point - that their business is not necessarily illegal. And I think it's really telling about sort of the state of the economy - of the Internet economy that what they're doing is actually considered pretty common. So they said that before they put data up for sale on Nacho Analytics, they would scrub it for personally identifiable information. But as we saw when we looked through the data together, clearly, they were not doing a very good job at doing that 'cause we found lots and lots and lots of secrets that were still available in the data.

When I also - as well as this researcher, Sam Jadali - contacted Google and Firefox, they immediately shut down some of the extensions that were doing this leaking. So that, I believe, cut off some of the data supply for Nacho Analytics because a few days later, Nacho said it was essentially pausing its business. It would no longer take new customers, and it had suffered a data outage. And so it couldn't even provide data for people who'd already paid for it.

DAVIES: Right. But again, I'm just a little puzzled by what kinds of extensions - like, for example, when I checked - after I read your story - on my Google Chrome browser, I had several extensions that allowed me to access Google Documents. Those are OK?

FOWLER: Those are made by Google itself. So you know, I think with each of these cases, you have to ask, do I trust this company? We should have a conversation about whether you should trust Google. That's a whole other topic. But with a lot of other people, there are many other kinds of extensions in there. I'll take the example of the one that my colleague at the Post was using. It was called Hover Zoom. He had read about it on the website Reddit. And it's for people who use Reddit a lot and want to quickly be able to enlarge the photos on the Reddit website. He installed it, didn't think twice about it, and it was just sitting there running. And when you press certain keys, it would automatically enlarge the photos on any page. Turns out, they had a side business in taking every webpage he was going to and selling it on the Internet.

DAVIES: Are ad-blocking extensions a good idea? Do they track you?

FOWLER: They can be good or they can be bad. And this is one of the problems with these extension and add-on stores. It's really hard to know what these guys are up to. I have seen evidence of some that are really, really good and some that are just collecting your data.

And, you know, you can't really tell just from the reviews or from sort of the presence in those stores what they're up to. You know what other kinds of software is frequently in the business of tracking you is actually VPN and other kinds of security software; sometimes antivirus software even. You'll think these are the companies that I trust to protect my privacy and security, but they may be paying for it by taking data about what you're doing on your computer and selling it.

DAVIES: Including the big, well-known names in security?

FOWLER: Yes. Some very big names in the antivirus and VPN world may be providing the services that they offer but may also be in the business of collecting data about what you're doing on your computer.

DAVIES: Geoffrey Fowler writes a consumer-oriented technology column for The Washington Post. We'll continue our conversation after a short break. This is FRESH AIR.

(SOUNDBITE OF ALEXANDRE DESPLAT'S "SPY MEETING")

DAVIES: This is FRESH AIR, and we're speaking with Washington Post columnist Geoffrey Fowler. He writes consumer-oriented columns about navigating the confusing world of personal technology, including computers, smartphones, smart speakers and so on.

So you wrote in June that you looked under the hood of the Chrome web browser, which is commonly used, and found it had brought along a few thousand friends. Who were the friends?

FOWLER: They were lots and lots of companies that are in the business of tracking everything that you do on the Internet. Some of them are advertising companies. Some of them are analytics companies that help, you know, figure out how to make websites run better. Some of them were tech giants - Google and Facebook. Others were data brokers that are just in the business of trying to connect the dots in your digital life to build out a profile of you so that they can sell it.

DAVIES: Right. Now, these are not the browser extensions - right? - that are specifically - you download. These are cookies, right? What exactly are cookies?

FOWLER: Yeah. Cookies are baked in - pardon the pun - baked into the way that the Web works these days. So they're tiny little files that basically tag your browser and say, yep, Geoff was here. And then when you pull up another site, they'll check, oh, I see this cookie from before. So now we can - they can connect the dots. Think of them as little breadcrumbs that follow you around on the Internet.

Turns out, the biggest maker of cookies on the Internet is Google itself. That's one of the ways that they help track you down and build out a profile and help advertisers target you with advertising. So Google also makes the most popular web browser, Chrome. So Chrome does not do very much to stop this cookie behavior from happening. In fact, they quite actively encourage it.

DAVIES: Now, you've written about how these browser extensions that we get on, we at least agree to download them. Do we agree to accept cookies in some way? How does that happen? Are we informed? Or is our consent sought however passively?

FOWLER: This is a really good question, and this goes right to the heart of a big conversation we're having about technology right now. What is consent? What is being informed? Yes, lots of websites now, because of a European data law, put up a little notice on the bottom that says, oh, by the way, we use cookies. Are you cool with that? And you either ignore it or you click OK, and you don't really think about it. But does that mean that we really understand that, you know, in the course of a week that over 11,000 times - at least for me - that companies are going to be able to be pushing out these requests to track and follow you around? I don't really think it does.

I think, in fact, that we rely on the company that makes the web browser software, Chrome or Firefox, to have our interests at heart, right? And our interests would be to not be tracked. And yet Chrome is not doing that for us. That's in pretty big contrast to its much smaller rival, Firefox, which is made by a nonprofit called Mozilla.

Now, as of a couple of weeks ago, it changed its default settings so that when you install it, it blocks those cookies by default, the ones that are involved in tracking. So in the case of my week of web surfing, the 11,000 cookies that Chrome would've let through, Mozilla let through none.

DAVIES: Wow. And is there an option to opt out of cookies on Google Chrome?

FOWLER: There are options to say block all cookies in Google Chrome, but that would then break some things about the way websites work. Not all cookies are bad. Some help remember, for example, your login to the Washington Post website. So if you turn those on, it really kind of tends to sort of break your web experience. One of the things that Mozilla figured out how to do was block just the ones that are sort of naughty, that are in the business of tracking you for advertising or for marketing, and allow through the ones that you want. So it's about sort of seeking that balance.

Now, for me, this experience made me realize that Chrome has essentially become surveillance software. It's surveillance software for the advertising industry and for Google itself. So I made a switch to Mozilla, and I'm very happy I did.

DAVIES: You recently did a report on what your iPhone was doing while you were sleeping. What did you find?

FOWLER: I found that my iPhone is very busy while I'm sleeping, talking to lots of companies that I've never heard of and sharing with it lots of personal details, things like my exact address and my email address and my name. And that really, really surprised me.

DAVIES: So what's happening here?

FOWLER: We fill up our phones with apps. And when we do that, we presume that because they came from Apple's app store that they've been vetted and they're not - you know, they're respecting all of the privacy practices that we have come to expect from Apple because of its marketing. But it turns out, apps use something that are called trackers. They're a little bit like cookies that you get on the Web, but they're just embedded inside the apps themselves. And these trackers do lots of different things. Some of them help app-makers just figure out how people are using the apps so that they can make them work better.

Others belong to data companies and advertising companies. Google makes trackers. Facebook makes trackers. Some are in there to gather data about people that are using apps so that they can sell it. And that's one way app-makers can make money. And these trackers inside the apps, as long as they're on your phone, they have the ability to essentially run whenever they want to, including while you're sleeping at night and not even using your phone.

DAVIES: Wow. Can you shut them down at night? Should you - if you power your phone off, does it inhibit this?

FOWLER: If you power off your phone, nothing will be coming out of your phone, either from trackers or from calls that might come in or go out of your phone. But that doesn't really stop the problem. Because as soon as you power your phone back up, the apps will wake back up, and they'll get back in touch with their trackers. The problem is really at the core of how apps are made and the kinds of requirements that Apple and Google and other phone, you know, store, app store-makers place on them.

DAVIES: What kinds of requirements they place or fail to place - what do you mean?

FOWLER: Indeed. Right now, you know, to get into the Apple app store or the Google Play store, you have to have your app reviewed by one of those companies. They do look to make sure that, you know, they are - that they have a privacy policy, that they are generally abiding by, you know, the rules that they set out in their app store guidelines. But they don't really look under the hood to understand, who are these other companies that they might be talking to, these tracker companies? And what sorts of data are they sending to them?

They don't do that vetting for us. And unfortunately, we as consumers can't really see that, either. To figure out what my phone was doing while I slept at night and also during the day, I had to hack my phone. I went to a guy who used to work for the NSA. His name is Patrick Jackson. He now works for a technology company called Disconnect. And he showed me how to do something called a man-in-the-middle attack on my iPhone that basically, you know, kept a copy of all of the data going in and out of my phone while I slept at night so that we could look through it together.

That's the level I had to go through to figure out what kind of data was flowing out of my phone and what trackers were running. I couldn't learn any of that from - either from Apple's software or from reading the privacy policies of these companies.

DAVIES: So I understand this - so when an app is permitted to be sold in the iPhone store, does Apple require them not to use trackers and some people just aren't honest about it, or do Apple's rules permit them to include trackers in the apps that you download?

FOWLER: Until very recently, Apple's rules permitted them to use whatever trackers they wanted. If you had given an app permission to collect your location - and it does pop up a thing saying, can we collect your location? - if you'd given it that then it could share that with whatever trackers it wanted. About two weeks after my story came out in The Washington Post about what my iPhone did while I was sleeping, Apple announced that it was going to now ban trackers in children's apps. So ones that were, you know, targeting, you know, people under the age of 13, they said they would no longer allow them to use third-party trackers. That is an admirable move in many ways. But then my question is, why is it OK in adult apps but not in kids' apps?

DAVIES: And what kinds of information is the tracker transmitting about us?

FOWLER: It could really be a wide range of things. You know, when I looked, you know, underneath the hood, just while I was sleeping, apps that I saw were using trackers included things like weather.com or - The Washington Post website had trackers. There was another one that's a popular app for kind of, like, checking with the police scanners, called Citizen. It was sending its trackers a lot of information, including my exact GPS coordinates and my email. And in that case, that violated its own privacy policy, and it later changed that after I called them. But still, it was happening.

GROSS: We're listening to the interview FRESH AIR's Dave Davies recorded with Geoffrey Fowler, who writes a consumer-oriented technology column for The Washington Post. They'll pick up where they left off after a break, and critic Soraya Nadia McDonald will review the final season of the Netflix series "Orange Is The New Black." I'm Terry Gross, and this is FRESH AIR.

(SOUNDBITE OF MUSIC)

GROSS: This is FRESH AIR. I'm Terry Gross. Let's get back to the interview FRESH AIR's Dave Davies recorded with Washington Post technology columnist Geoffrey Fowler. Fowler has been investigating ways our computers, smartphones and smart speakers collect our personal information and what they do with it. Fowler has covered digital technology and Silicon Valley for years.

When we left off, Fowler was describing how some phone apps have trackers that collect our data, which is often then sold to marketing and advertising companies. One example Fowler found was food delivery apps like Grubhub, Caviar and DoorDash.

DAVIES: You found one food delivery app called DoorDash sends data to nine different trackers.

FOWLER: Yeah, this one was pretty shocking to me. Again, think about this from the perspective of all of us. You know, you put an app on your phone like DoorDash. And you think, OK, DoorDash is here. When I open DoorDash, I have a relationship with DoorDash, with this company that's going to have someone bring food to my house. You don't think that you're going to have a relationship with nine other companies, including Facebook and Google, who get to know now and keep a log of every time you're hungry (laughter) and open this app and, you know, want to order some pizza. None of that is disclosed to us. This is all lost in this murky world of data.

And that's sort of been the impetus behind a whole series of stories I've been doing for the Post. I kind of call it the secret life of your data, just kind of looking under the hood at all the things, all the data about us that's being passed around and traded and sold that we don't normally have a way to understand or see. Because if we don't know where our data is going, how can we even begin to hope to protect our privacy?

DAVIES: And just so I understand the relationships, a food delivery app would give data to nine trackers because each of them pays them a couple of fractions of pennies for it, or - why?

FOWLER: There might be a variety of reasons. So for example, one tracker might be in the business of just giving data back to DoorDash to say, like, this is how your app functions. This is the areas of the app that people spend the most time on. These are the areas where people swipe around the most.

It might also help them combat fraud. I guess there's a problem with people setting up fake phones to put in fake orders. So they say they want to be able to tell whether your phone is literally physically moving using the gyroscope in it to see if it's a real human on the other end of it. That's another kind of tracker.

There's also trackers in there for advertising companies. So Google and Facebook are in there. And DoorDash says, oh, well, they put them in there just so that they could see whether their advertising was working because DoorDash does a lot of advertising with Google and Facebook. But the cost of all of this is that all of these different kinds of companies get to know every time you're opening DoorDash.

And any time a company has data about you, who's really making sure that they're using it appropriately? Who's making sure that they're going to delete it soon enough? Who's making sure that they're - they have good security, and it's not going to get stolen and sold off somewhere?

DAVIES: And do these trackers slow the apps down or cause further battery drain, or do they impose data charges on us?

FOWLER: That's the other piece of app trackers, is that they do a whole bunch of bad things for our phone. Over the course of a week, I found 5,400 different trackers activated on my iPhone. Yours might be different. I may have more apps than you. But that's still quite a lot. If you multiplied that out by an entire month, it would have taken up 1.5 gigabytes of data just going to trackers from my phone. To put that in some context, the basic data plan from AT&T is only 3 gigabytes.

So imagine (laughter), half of your data plan is just eaten up by tracker companies who you don't want running anyway. So it's not only eating up your data. But then, every time it pings the network, that's another hit on your battery life too. So it's - this stuff really isn't in our interest, either from our privacy or from just keeping our phones running.

DAVIES: You know, and sometimes when we're browsing, and we want to go to a site or fire up an application, we get a screen that says, do you want to sign in using Facebook? What happens?

FOWLER: No, you don't.

DAVIES: OK.

(LAUGHTER)

DAVIES: Why?

FOWLER: Because you're giving Facebook the ability to then track every time you're using that website or every time you're using that app. And I'm sure that that website and app then have lots of other tracker pixels or cookies or software baked into them that send other information to Facebook about what you're up to. Google does the same thing. You'll sometimes get a button - do you want to sign in with Google? Same problem.

These companies are in the business of data. They might tell everybody that they don't sell our data, but it is certainly very valuable to them. Actually, that's why they don't sell it because they want to keep it for themselves because they then use all this information about what apps you're using, what you're doing in them, what websites you go to, where you are physically with your phone - like, where you are in the world according to your GPS coordinates. They put all of that into their dossiers on each of us to - so that companies can target us with advertising.

DAVIES: So if I'm going to sign into a music service like Spotify, and I sign in with Facebook, does that mean Spotify then has access to all of my Facebook data and my friends' data?

FOWLER: Not necessarily. It used to be that Facebook was a lot more open about sharing your Facebook data and your friends' data with apps. They shut down a lot of that a couple of years ago. And that's the problem they got into with Cambridge Analytica as well, that they were allowing apps to collect data about your friends and then pass that along. So Facebook has gotten a lot more controlling with its data. Again, they'll say that's for privacy, but it's really because they realize that data is too valuable. They want to keep it for themselves so they can charge companies to market to you through them.

DAVIES: You know, you have some columns that are on very specific topics that are really interesting. And one of them - you write about how to handle robocallers on your cellphones, and you mention getting the Do Not Call list. But there are some fight-back apps that people pay for that really get aggressive on this. You want to explain this?

FOWLER: Yeah. There are some apps out there that - beyond just blocking bad calls, that they actually will try to torture robocallers. So they intercept the calls, and they listen briefly to see if they detect it as being a robocaller. And if they do, instead of passing the phone call on to you, they'll stay on the line. And they use artificial intelligence to try to keep the - either the person or the robot on the other end on the line by sort of teasing them. Sometimes they'll have, like, a Donald Trump impersonator voice that talks to them or somebody snoring or somebody just talking a lot. And then, for kicks, they will send you - they'll send you a recording of what happened afterwards.

DAVIES: All right. So if you're really into it (laughter).

FOWLER: If you're really into it.

DAVIES: You write about smart speakers like Alexa and their potential to be conducting surveillance. And I guess it's worth noting that Alexa's owned by Amazon, whose chair, Jeff Bezos, is the owner of the paper that you work for, the Washington Post. How much is - are Alexa smart speakers recording of our lives?

FOWLER: First, I'll note, yes, the Post is owned by Jeff Bezos, but I'm happy to report that I am at liberty to criticize Amazon as much as I'd like, including by digging into what Alexa is really getting up to.

So I think one thing that a lot of folks do not realize about smart speakers with Alexa or with Google's Assistant or Siri is that, by default, they're keeping the recordings of everything that you say. So that means that you sort of think like, OK, well, but it only records when you call out the name, when you call out Alexa or call out Siri. Well, actually that's not the case. It records whenever it thinks it hears one of those calls to action.

So I did an experiment where I went back to four years of recordings that Alexa has made of me and my family at home because, again, they're all kept there by default. And I spent a couple of days listening to all of them. And when I did that, I found, you know, all of these strange fragments of my life. So things you would expect, like setting the spaghetti timer or, you know, asking to hear a song, that was in there. But there were also lots of times, dozens of occasions, where Alexa was recording snippets of conversation or television just kind of randomly on its own. For example, it seemed to kind of go off a lot on its own whenever I was watching "Downton Abbey."

DAVIES: (Laughter).

FOWLER: I had a lot of people with that particular posh British accent in the collection. It also went off when my family members were talking about medication. It went off when a friend was doing a business transaction. And listening to this archive, which any of the listeners can do themselves - if you go to amazon.com/alexaprivacy, you'll be able to dig into your collection as well - listening to this really made me think differently about what Alexa has become in our lives.

It's - it is, yes, an assistant, but it is also an eavesdropper. And it is collecting this information and not giving us the power to tell it to stop. Now, Amazon does give you an option that you can go in and delete past recordings. But you can't tell it just don't keep the recording in the first place.

DAVIES: And they keep everything forever?

FOWLER: They keep everything forever. What's interesting is we were talking before about how these tech companies sometimes give us false choices. And this is, again, one of these false choices. Amazon says it needs all of this data to make Alexa smarter, to improve its artificial intelligence. And yet, archrival Google actually now by default does not do this. It does not keep the recordings from Google Assistant or its smart speakers or its phone-based assistant. It does not keep those by default. It deletes. You have - you'd have to go in and tell it that you want it to keep those.

So here, you know, who's right? Do you really have to keep it, Amazon? I think not. And the reason they're doing it is because they can get away with it because most of us haven't noticed and haven't sort of spent the time to kind of dig into the details.

DAVIES: We're speaking with Geoffrey Fowler. He writes a consumer-oriented technology column for the Washington Post. We will take a short break here, then we will talk some more. This is FRESH AIR.

(SOUNDBITE OF MUSIC)

DAVIES: This is FRESH AIR. And we're speaking with Washington Post columnist Geoffrey Fowler. He writes consumer-oriented columns about navigating the confusing world of personal technology, including computers, smartphones and smart speakers. Alexa seems to listen to an awful lot. Does Siri do the same thing on our iPhones?

FOWLER: Siri does do the same thing on our iPhones and on the HomePod, which is their home speaker. So I have a corner of my living room where all of the virtual assistants live together. I have all of the connected speakers. I'm sure someday they'll start talking to each other. But I watch to see which ones go off at random times.

I have to say, the Apple one goes off quite frequently, maybe even more than the others. Apple's policy is it keeps the recordings of everything that it hears, and it does not give you the option to tell it not to keep the recordings. But they anonymize it, so they don't associate it with your individual account in your name. Amazon still associates it with who you are.

DAVIES: So you - when you say that the Apple device goes off more frequently, it starts recording more frequently, or seems to.

FOWLER: That's right. Last night, I was watching a TV show. And in the middle of it, Siri, on the HomePod, perked up and said, sorry, I can't answer that question. And no one had asked Siri a question.

DAVIES: (Laughter) Does this make you want to disconnect Alexa?

FOWLER: I have to say, after doing this reporting, I now keep my Alexa speaker on permanent mute. There is a button on the top, that physical button you can press, that says, don't record and don't activate when you hear the name Alexa. But that, of course, sort of defeats the purpose of the device. So again, I just think this is really bad product design on the part of Amazon. They shouldn't put us in a situation where, again, the choice is don't use the technology or give in to this kind of surveillance.

Thing I would add is that this project of listening to my Alexa recordings made me wonder - I wonder what all the other ways are that Amazon is eavesdropping on my home because anybody with one of these smart speakers probably knows that, like, oh, you can hook them up to connected devices in your home, right? You can connect it up to light bulbs and thermostats and doorbells and all sorts of things. And I had certainly done that. I'm a technology journalist, and I review all this stuff. And my house is filled with gadgets.

And so I went down the path of trying to figure out, OK, well, what other data from my home other than just me and my family's voices is it keeping? And I found, I mean, enough that would make the - you know, the East German police blush to see this kind of data. For example, my Nest thermostat was collecting in 15-minute increments over the last six or seven years not only the temperature in my home, but also whether there had been a person that passed in front of it. So there was this perfect record of every time there had been someone in my hallway for years and years and years that was being sent both to Google and to Amazon - because Amazon's requirement is if your gadget connects in with Alexa that they get to keep a copy of all this data, too.

And then it started multiplying. So yeah, there was the thermostat, but there's also my garage door. It was doing the same thing. Then there was my connected lights. Literally, Amazon was getting a record of every time a light switched on and off in my house.

DAVIES: And how did you discover that Amazon had these records of your thermostat changes and when people were walking down the hallway?

FOWLER: I started asking. So I went to the companies that make these devices, and I said, hey, can you tell me what data you're collecting and who you're sharing it with? Some of them would not answer that question. And that - my frustration with that really animated what's become a yearlong project by me to sort of see if I can look under the hood and figure out what data is being collected and who it's being shared with. I've been looking at that and all sorts of things - connected devices in our home, our Web browser. And I've got even more - more and more projects coming down the pike.

But some companies did answer. Some just pointed me to their privacy policies, which didn't really specify what they were up to. So it's really quite difficult for us as consumers to understand the secret life of these devices and the data they're collecting and who they're sharing it with. And I think that's a big problem.

DAVIES: There's a lot of talk of congressional regulation of digital media. Are you seeing things that encourage you?

FOWLER: There's a lot of talk in Congress, but not a lot of action when it comes to data and privacy. You know, we see a lot of individual members of Congress, you know, writing letters or holding hearings. But there's been little effort to really turn that into legislation that could even get to the point of being voted on.

Right now, we see Congress also interested in these big questions about whether these tech companies are too big - right? - and that they need to be broken up for antitrust reasons, which, at the end of the day, is also about data because the reason why they're so big and so powerful and have made billions of dollars is because they have control over so much data about our lives.

The thing that actually gives me the most hope is what I see happening in the states. So California passed the California Consumer Privacy Act, which is going to take effect in January. And it is, I think, going to become the closest thing that we have to an American privacy law. Of course, it only applies to the residents of California, but there are so many residents of California that a lot of companies are going to have to sort of essentially comply with it for everyone.

And it really - it's about disclosure, which is, I think, where this all needs to start - you know, when this law takes effect, that these companies - even if they're not tech companies - any company that collects data about you is going to have to be able to say - you know, answer the question that I - some of the questions I posed before. What's being collected? Who is it being shared with? Tell me if it's being sold. Give me the chance to say, no, you're not allowed to sell it.

I'm actually super excited when this law kicks in. I already have plans for January 1, 2020, to send out lots of request letters to companies as a California resident to tell me what data they're collecting and what they're doing with it.

DAVIES: Well, Geoffrey Fowler, thanks so much for speaking with us.

FOWLER: My pleasure.

GROSS: Geoffrey Fowler writes a consumer-oriented technology column for The Washington Post. He spoke to FRESH AIR's Dave Davies.

Coming up, Soraya Nadia McDonald reviews the final season of "Orange Is The New Black." This is FRESH AIR.

(SOUNDBITE OF GILAD HEKSELMAN'S "DO RE MI FA SOL")

Transcript provided by NPR, Copyright NPR.