The term “invasion of privacy” is distracting us from understanding important issues.
Invasion of privacy is frequently thrown around as a core issue where consumers need protection against tech companies. Apple has made it the cornerstone of its marketing.
The European Union has enacted strict privacy laws for websites that obtain any kind of identifiable information about users. There are increasingly insistent calls for legislation in the US to control data collection by tech companies and social networking sites – particularly Google and Facebook. Congress has held hearings with executives from Apple, Twitter, Facebook, Amazon, and Google, which have mostly served to demonstrate how spectacularly uninformed our legislators are about big data and technology. Tim Cook recently delivered a widely reported speech devoted to the need for privacy legislation: “Our own information is being weaponized against us with military efficiency.”
Bad laws would likely make things worse. When it’s time to wrestle with these issues seriously, let’s at least bring a little nuance to the conversation. Here are three points that might help you think about privacy issues and legislation as we launch into a national debate over the next couple of years.
• Companies collect information about you when you use their services. You may be surprised how much information the tech companies keep track of, but this is nothing new – companies have been tracking data about you for a long time.
• You will likely be surprised to discover the conclusions companies can draw from what they know about you. Why, they’re so good at drawing inferences that at times you’ll find it creepy. And there’s a lot more creepiness to come.
• As long as a big company like Google keeps your information to itself, only sharing it with you, that’s not an invasion of privacy. It only becomes an invasion of privacy if they share your personally identifiable information with others. Facebook has done that far too often. So far, Google has been trustworthy.
Companies collect information about you when you use their services
Banks track where you use your credit cards and how you spend your money.
Grocery stores track your purchases when you use your loyalty card to get discounts.
Department stores track the clothing you buy.
They use that information to decide what catalog to send you, what ad to enclose in your monthly statement, what coupons to print when you check out.
This is nothing new. It’s part of the definition of commerce and advertising. Since the beginning of civilization, face to face sales have been built on what the seller knows about the buyer. “She bought a goat last time and her mother is living with them now – I’ll bet she’ll buy two goats this time.”
Tech companies remember things about you too. The only change is the scope of what they track and the length of their memory.
Facebook remembers what you post, of course. But it also tracks how long you spend looking at other posts, how much you watch of a video, which ads make you pause, and quite a lot about your interactions with others – who they are, what your relationship is, who gets private messages.
And Google, my goodness, Google! It sucks up information like an industrial vacuum cleaner. Log into Chrome with your Google account and Google is taking detailed notes about everything you do online – every website you visit, how you got there (a link from another site? a search?), how long you spent, what ads you looked at, what you clicked on to leave the page.
Turn Location History on with an Android phone and Google is tracking your movements 24×7. Some of the same information is collected every time you use Google Maps. You can look at maps of your walks and drives and travel whenever you want, because Google stores the information forever.
Upload your pictures to Google Photos and Google will analyze all of the characteristics of the photos in exhaustive detail. Photos taken on a phone record the time and the location using GPS and encode them with each picture, so Google knows exactly when and where you have been every time you’ve taken a picture. Everything in each picture is analyzed by Google’s increasingly accurate AI, so Google knows what clothes you wear, what your kids look like, what car you drive, where you live, what furniture is in your house, when your birthday is (those pictures of you blowing out the candles, right?), what you like to eat, and oh my goodness so much more. Imagine that someone took your photos and obsessively studied them for years, trying to tease out every bit of information about you. Google is smarter than that person – its servers are smarter than the human being studying you and they have better memories.
Imagine that Google knows all that information about you – and it doesn’t tell anybody. The only person it tells is you. You do a search for all the pictures with your mother and Google says, Oh, yeah! I got this, and it shows you all the pictures of mom because it knows which ones they are. You go to Google’s page about your movements and ask for a map of where you were on June 22 and Google says, I know that!, and it shows you the map.
That’s not an invasion of privacy. It’s just you and Google in the room, chatting together with no one listening, about things that you and Google did together.
Google is more open than most other companies about the data it collects. It tries sincerely and openly to explain what it’s doing. One of the frequent demands is for tech companies to “disclose” the information they’re collecting. Google practically visits each person’s home individually for counseling about the data it collects. It seems genuinely interested in improving its communication and not overstepping its bounds, even when it stumbles, as it did recently when it was found to be collecting some location information even after the feature appeared to be turned off on Android phones.
Disclosure and controls over data collection are valuable for the people who care. Well-written legislation (emphasis on “well-written”) would be a step forward. The reality, though, is that almost no one will read a disclosure or look at options for changing settings for data collection, regardless of how it’s presented – dense legalese or a nicely formatted web page with lots of white space written at an 8th grade reading level.
You will likely be surprised to discover the conclusions tech companies can draw from what they know about you
Tech companies know you better than you think. Advances in AI and machine learning mean the companies can draw inferences about you that are creepy.
Imagine that you’re pregnant but you haven’t told anybody yet. Out of nowhere, you start to see ads for pregnancy products and items for new babies. OMG how do they know! Creepy creepy creepy!
Well, in March you bought cocoa-butter lotion, a purse large enough to double as a diaper bag, zinc and magnesium supplements and a bright blue rug. And you know what? A company that has studied purchases closely enough can figure out that there’s a very high probability that you’re pregnant and your delivery date is sometime in late August.
But that turns out to be a trivial example of what companies can figure out by studying data about you. See, if you have a long memory, you’ll remember that story. It was in a New York Times report about what Target was doing to analyze its customers’ purchases – and that article appeared six long years ago, in early 2012.
Since then, tech companies and retailers have been advancing by leaps and bounds in their ability to study data and draw unexpected conclusions. Google, in particular, is on the verge of being able to predict things about you that will seem magical or creepy or both – perhaps turning up driving directions to a place it shouldn’t know you intended to visit, or showing you ads for products you would swear you had only thought about, or who knows what else.
So there are two very different ways to think about your private information. On the one hand, there is the information you have given to the tech companies by using their services; and on the other hand, there is the information they know about you, which is far deeper than you realize.
A frequent demand is for a law that requires the tech companies to disclose all the information they have about you. Google is already quite open about allowing you to see all of the information it has obtained from you; Facebook lets you download a big blob of your data. But there is no way to display what one of these companies knows about you. There is no database that says, “likely pregnant and due in August, may have undiagnosed sleep apnea, pre-diabetic, will probably book a trip to Hanalei next October,” or whatever applies to you that would leave you breathless because how do they know that?
Instead, for example, an advertiser places an ad request with Google that targets women living in urban areas in California aged 30-40 who are pregnant and whose family incomes are likely above $75,000. Google’s algorithms run through the data and if you fit, those ads begin appearing on the websites you visit. No human being at Google or at the advertising company knows any of those facts about you individually. None of that is explicitly written down anywhere so you can see it. All of that can be inferred from your posts, your photos, your purchases, your movements, your web browsing, and everything else in the digital trail we leave behind. Google, Facebook and the others have algorithms that draw conclusions about each of us every day, partially for advertising and partially to improve their services to us.
Creepy? We’re only at the beginning. We will be confronted by creepy every day, and a lot of it will come from companies that are far less careful than Google.
But an invasion of privacy? I don’t think so. Again, it’s only you and Google in the room for what I’ve described so far. You may find yourself thinking, “I wish the companies would stop studying what they know about me and be less good about analyzing data.” The genie is out of the bottle. That’s not going to happen. Legislation won’t change that.
As long as a big company like Google keeps your information to itself, only sharing it with you, that’s not an invasion of privacy
There are three ways that tech companies can invade our privacy in ways that deserve legislation.
(1) The tech companies might share information with others in which we are individually identifiable. Google does not do this – full stop, period. Facebook has done it over and over. Its whole business has been built on allowing advertisers and apps to obtain personal information from Facebook. A bad thing about the Cambridge Analytica scandal was that personally identifiable information was given to bad actors – but the far more egregious thing was that this was standard practice for Facebook, which had more or less freely allowed “researchers” to obtain personal data as long as they promised good behavior.
(2) They might share other people’s private information with us. We haven’t seen any gross examples of this yet but it is the primal fear of what could go wrong if Google or Facebook abandons any sense of privacy or morality. If Facebook identifies someone in a photo by name, and you didn’t supply that name, it’s an invasion of that person’s privacy. If Google turns evil and tells us that our spouse visited the office of a divorce attorney or our coworkers are having affairs, we will descend into a hellish nightmare that rivals any SF dystopia about AI run amok. (If you’re an SF fan, by the way, don’t miss Rob Reid’s wonderful novel After On. The first hundred pages show exactly what it might be like if we all used a social network service that combines aspects of Facebook and Google but without any moral constraints. And it’s funny.)
(3) And last, of course, the tech companies might be hacked and lose control of our private information.
Legislation is called for to establish protection against leakage of our private information in any of those cases. Companies could be required to provide disclosures and guarantees to users, security for your data, and liability for preventable breaches. Each of those things deserves to be called “invasion of privacy.”
Let’s have our legislators work on protecting our privacy, but let’s make sure we protect the right things. We can’t stop companies from collecting data about us and we don’t want to deny ourselves the rich services that will become available as those companies analyze that data. We should know what data they are collecting and we should have the opportunity to stop them from collecting it if we choose, but a legislative requirement that they stop collecting data would stifle innovation and prove ineffective.
And the big companies should have clearly defined limits on what they can do to share your information and on what the consequences are if they invade your privacy by giving your data away inappropriately or losing control of it.
In the meantime, don’t be surprised or shocked by the creepy stuff. There’s lots more to come.