
If you were one of the visitors wandering around MicroMarché ‒ a creative platform in the centre of Brussels ‒ with your smartphone on 3rd October, then you probably received weird and unwanted text messages. “Welcome to Candygram. Reply with your personal e-mail address to start”. Depending on how paranoid you are, you may have deleted this spam message immediately, wondering how the company could have got their hands on your phone number.
However, if you were feeling particularly adventurous and curious, you may also have replied to the suspicious invitation. What would have followed is a second text message to reward you for your choice and then other slightly more worrying ones. “Would you like to be more than just a number to us? Reply with the word GOPHERSET to find out how”. “Thank you! Did you know that GOPHERSET is the name of a GSM software which uses the API of a phone’s SIM card to control it remotely? Answer with the word CROSSBEAM if you would like to register for a free personal data review”.
When you get to this stage, going back is difficult. “Great. Visit our pop-up booth at MicroMarché to find out what we know about you … Oh, by the way: CROSSBEAM is a GSM module capable of collecting voice data …”.

In the mean time, the booth of the unknown phone operator MicroMarché is alive and kicking. Designed in the colours of the company, it includes a banner, a logo, brochures and sellers calling out to customers outside. To begin with, it may look like any other phone operator booth. But going back to the second option (if you had been curious and adventurous), soon enough you would be sitting face-to-face with a Candygram representative wearing a white coat. The representative would introduce himself to you as “Personal Data Consultant” ‒ something in between a therapist and a fortune-teller ‒ and would ask you to follow him behind a white curtain and sit in a private area in front of a computer screen.
Then a slide show would be shown revealing everything the company knows about you by carefully analysing your digital traces and online profiles which are publicly accessible. Every slide presents an aspect of this digital double: name, age, gender, work experience, interests, as well as keywords and associated images.
“When participants sign up to get a personal data review, we ask them for their e-mail address”, explains Mark Shepard, who is one of the three artists behind this artistic project called False Positive (together with Moritz Stefaner and Julian Oliver) and also the beardy Personal Data Consultant of the fictitious phone operator Candygram. “This address reaches our server, where the code written by Moritz Stefaner searches the web, collecting data on the individual through several tools and APIs. With this data, a personality profile is created”.

The last slide gives you a score on the basis of five criteria: willingness to try new experiences, awareness, outgoing behaviour, pleasantness and emotional weakness. These five main aspects describing personalities are those used in the famous
Big Five. Although this widespread empirical analysis model is criticised by many, it is becoming common and nowadays it can be found in most profile analysis constructions. By showing us how we are fitted into moulds and standardised through algorithms, the artists hope to involve their visitors in conversations on the digital doubles they generate.
The slides function as basis of a series of questions asked by the consultant. “What does this portrait mean to you? It seems you have been associated with these keywords. Could you tell us more about each of them and what they mean to you? Does this digital double correspond to the perception you have of yourself?”. However, although we are subjected to more and more sophisticated profiling forms, both online and off-line, the “data-bodies” which are algorithmically generated could nevertheless contain errors. Shepard has explained that the distortion between an individual and his digital portrait depends on the individual, how much he connects with other people online, his activity on social media and his privacy settings. He added that “usually people panic when shown this data, as often they are not aware that an unknown person could know so much about them”.
At the end of the meeting, participants are asked to confirm (or not) that they are the person described in the profile and whether they accept that this information is used to promote the project. Then the visitor is given a Candygram brochure which includes some online resources to improve the protection of digital data, links to learn about e-mailing, voicemail and secure browsing, cryptographic tools, etc.

In English the term ‘Candygram’ refers to a box of candy which is delivered with a greeting or message. But it is also the name of one of the special tools which are part of NSA’s “implants catalogue” (of spying technologies). Through this tool, mobile phones and computers can be surveilled and their data can be hijacked or even modified.
This is what we can read on the
leaked Candygram description sheet: “Imitates a GSM relay tower on a targeted network. Capable of operations at 900, 1800 or 1900 MHz …”.
The Candygram operator probably used this type of stealth infrastructure to send text messages to devices within its influence area. This project by Mark Shepard, Moritz Stefaner and Julian Oliver, which was commissioned by
Imal as part of Connecting Cities, explores both the insecurity of mobile networks and the unreliability of online profiling by making (partly) visible the mechanisms behind our new generation smartphones. By doing this, the artists pinpoint the imbalance of knowledge and power underlying the relationships between governments, companies and the ordinary citizen ‒ who is eager to exchange some personal data to access online services.
Resources presented in the brochure:
Security in-a-box
Security-in-a-box is a guide to digital security for activists and human rights defenders around the world. The Tactics Guides cover basic principles, such as some advice on how to use social media platforms and mobile phones more securely.
PRISM Break
This tool puts forward alternatives to proprietary software to stop reporting your online activities to the American government (some global data surveillance programmes are PPRISM, XKeyscore and Tempora). PRISM-break.org presents open source alternatives to the most popular applications.
The CryptoParty Handbook
The CryptoParty Handbook provides an easy guide to all fields of IT security and Internet. CryptoParty is a global and decentralised project with the aim of making basic encryption software easily accessible to anyone. It is important to bear in mind that digital security is a “practice” and not just an application that you can download and install on your mobile or phone.
https://www.schneier.com/