A series of articles about privacy and trust in the era of tech overlords.
• Part 1: Data about you is being gathered by the big tech companies (as well as many other companies) in startling ways. Their ability to analyze that data and predict your behavior is more like magic than technology – and it has the potential to change the world, for better or worse.
• Part 2: It is impossible for us to detach from the big tech companies or prevent that data from being collected.
• Part 3: Although the scale of data-gathering is unprecedented, there is nothing new about big companies observing our behavior and it is not necessarily an invasion of privacy.
• Part 4: Some acts by the tech companies absolutely do invade our privacy. Facebook has abused our trust so often that it is a special case.
• TODAY: Our individual decisions about the big tech companies should be driven by trust and transparency. Well-considered regulation can help protect our privacy.
Privacy is a tradeoff. It’s not a treasure to be protected for itself. We give up information about ourselves in exchange for rich services that require data about us to work. We should keep doing that! Our lives are immeasurably better because of the devices and services brought to us by creative visionaries inspired by new technology.
It’s not very meaningful to say you just want “privacy.” There would be unforeseen and unpleasant consequences if the flow of information suddenly stopped.
Your decisions about what to do in the surveillance era should be guided by trust and transparency. I have some ideas about how to live with the knowledge that tech overlords are tracking your every move. Then we’ll talk about how lawmakers could restore some balance to the world.
What can you do individually?
Everything about your life is being tracked by huge companies, which trade the information freely and use it to target you with weaponized advertisements. Increasingly they’ll try to influence your behavior and opinions in sophisticated ways that we have no defenses against.
Poor you. Poor me.
Go ahead, run through the stages of grief, but don’t take too long – basically just skip to Acceptance. Nothing is going to stop that information flow in the foreseeable future. There’s nothing you can do individually that will make more than a trivial bit of difference. And there are so many other more important things to worry about! Chill out about the privacy stuff.
• Live a good life
Far and away the best way to stay calm in a surveillance state is to be a decent person without any important secrets. I’m being completely serious! If you have nothing to hide, it doesn’t matter as much if the details of your life are known to tech overlords. Don’t post offensive comments online in the belief that you are “anonymous.” Don’t harass people. Don’t send dick pics. Don’t have affairs. Don’t be racist. Don’t do things that would be embarrassing if they became known.
That’s not a complete answer, of course. Many of us, most of us, have parts of our lives that are meant to be private, for good and decent reasons. But, well, the surveillance economy has created some pressure to modify our behavior. There are good reasons that we don’t see as many pictures of drunk people at parties on Facebook. Make an effort not to do stupid stuff.
• Choose services based on trust and transparency
We don’t really have enough information to make an informed decision about who to trust, but you can do worse than consulting your gut instinct. Personally, I trust Google and Microsoft. They are gathering data from all directions but they appear to be genuinely committed to using that data to improve their services (yes, including better targeted ads), and they don’t seem to be sending personally identifiable information out to the shadow surveillance world outside the company walls. The corporate cultures at Google and Microsoft emphasize privacy and they take security seriously. Lapses are infrequent; when they occur, the companies seem genuinely committed to changing the policies that allowed them to happen.
On the other hand, I don’t trust Facebook. It seems to have fully embraced the surveillance information economy, gathering data that is wholly unrelated to improving its user-facing services, and sending personal data out all too freely. Lapses are frequent, the apologies are half-hearted and insincere, and there’s no indication the company intends to change its ways, despite Zuckerberg’s cynical “privacy” statement.
How much can you find out about your data and what a company has done with it? How easy is it to remove data from the stream?
Google’s Privacy Controls are perhaps the best disclosures possible in this complicated world. You can look at your data in many categories on pages that are reasonably clear and concise, and you can remove some types of data. Google collects far more information than is shown there, and of course cannot list all the inferences it may draw from what it knows about you, but its controls are fine-grained and helpful.
Facebook has privacy settings for things posted to the News Feed. There’s also a poorly designed “ad preferences” page where you can remove some of the categories used by Facebook to target your ads. It’s incomplete, frequently inaccurate, and poorly explained, but that’s okay because almost no one knows it exists.
Facebook has nothing that exposes the enormous amounts of information it is slurping up from websites and apps. Trust me, there’s nowhere to go on Facebook and tell it to stop tracking your menstrual cycles. (It’s only fair to give Facebook a chance to respond: “God, we said we were sorry! We didn’t even look! We wish women didn’t even have periods! No, wait, that didn’t come out right.”)
Google is a vast company full of mysteries but it comes out on the good side of the transparency scale. Facebook is on the other side where the scale is black and corroded and drips oozy stuff.
• Become knowledgeable and active
Privacy laws and regulations will be debated in the US and Europe for the next few years; support candidates with nuanced positions devoted to improving your privacy, even if that hampers the efforts of large companies to make money by treating the details of your life as a commodity.
• Choose apps wisely
Be careful of “free” phone apps. If an app asks for permission to read your contacts or track your location, and that doesn’t seem to be necessary for what the app does, then stare at that request as if it’s poison and argue with yourself before you tap “Allow.” Chances are the company is making money by selling that information (or giving it away to get “analytics,” which is the official explanation by many of the apps sending data to Facebook).
• Quit Facebook
Well, maybe, maybe not. Deleting your Facebook account barely slows it down in its collection of information about you. And Facebook is an undeniably important way to stay in touch with extended communities of people. Remember, Facebook has two billion users, many of whom use it for important things that cannot be handled anywhere else. Don’t hurt yourself out of spite.
But wow, Facebook deserves to suffer for its sins. Leaving Facebook would be awfully satisfying! Remember that you haven’t truly left Facebook unless you also disconnect from Instagram, Facebook Messenger, and WhatsApp.
What can lawmakers do?
The Facebook scandals have opened up global debates about privacy. Lawmakers will be arguing vigorously in 2019 and 2020 about laws, regulations and enforcement to rein in the largest companies in the world and to regulate the global surveillance economy that acquires and processes personal data.
There are common elements in all the proposals. As Wired summarizes it:
“Parties on all sides of the privacy argument, for instance, say that people should be able to see what data is collected about them and how it’s being shared. They also agree that companies should be required to get consent before processing user data, and that consumers should be able to request that their data be corrected or deleted. But there are a range of opinions on how those ideas should be implemented. Should companies be required to disclose every single piece of data they’ve collected on someone, or is sharing the categories of data enough? And what constitutes consent? Must consumers opt in to having their data processed, or is it sufficient to let them opt out?”
It is startling to realize just how much is already under way.
The European Union passed the General Data Protection Regulation (GDPR) last year, a sweeping privacy law for protection of European citizens’ data. Key components: requiring consent for data processing; anonymizing collected data to protect privacy; providing data breach notifications; and safely handling the transfer of data across borders. GDPR is imperfect at best; it has been expensive to implement and arguably has empowered big companies that could afford to meet its requirements and discouraged small companies or put them out of business. Every time you impatiently click the X to close a notice about cookies, you are dealing with a poorly considered consequence of GDPR, which quickly brought the same kind of notice fatigue that causes everyone in California to ignore the ubiquitous Prop. 65 notices about cancer-causing chemicals.
In the US, there has been a void that has allowed the big tech companies and data brokers to operate without inhibition. From Privacy Rights Clearinghouse:
“According to the FTC, there are no current federal laws requiring data brokers to maintain the privacy of consumer data unless they use that data for credit, employment, insurance, housing, or other similar purposes. Currently, no federal law provides consumers with the right to learn what information data brokers have compiled about them. Likewise, consumers do not have a right to “opt out”, that is, to prevent data brokers from collecting, sharing, or publishing their personal information. Consumers also do not have the right to require data brokers to correct or delete inaccurate, incomplete, or unverifiable information.”
The situation in the US is going to change quickly. Last year California passed the California Consumer Privacy Act, set to go into effect on January 1, 2020. California’s law follows in the footsteps of GDPR and gives consumers unprecedented control over their data. Individuals will be allowed to sue big companies in the event of a data breach, and businesses must provide an easy, simple and straightforward way for us to opt out of having our personal information sold to a third party. Since the law applies to any business that “does business in California” and meets certain thresholds, it will effectively have the weight of national legislation.
Many of the big tech companies, including Amazon, Apple, Facebook and Google, are pushing for federal digital privacy legislation, knowing that regulations are inevitable and hoping for something more industry-friendly that can preempt California’s privacy law.
Democratic senator Ron Wyden and others, meanwhile, are pushing to expand the powers of the FTC to enforce privacy and cybersecurity standards.
Laws and regulations are not the only remedies; the big tech companies are flush with cash but large fines still have an impact. Facebook and the FTC are in the final stages of hashing out the terms of a multi-billion dollar settlement of an investigation into Facebook’s privacy practices. It’s a step forward that might lead to the FTC taking a more active role in pursuing the big tech companies.
Attorneys general are investigating or filing suits against Facebook in more than a dozen states.
A few days ago, the New York Times reported that federal prosecutors are subpoenaing documents in a criminal investigation of Facebook’s privacy lapses, apparently focusing at least in part on the transmission of personal data to smartphone manufacturers.
And Elizabeth Warren expanded the conversation last week when she called broadly for antitrust actions to break up big tech companies like Amazon, Google, and Facebook. (“And Apple!” she added in an interview the next day.) That proposal attracted immediate reactions from all sides, none of them particularly thoughtful or interesting. Forget the headlines and the tweets and the feigned outrage, and hope that the debate will eventually become less reflexive and more nuanced. One place to start: Ben Thompson of Stratechery wrote a thoughtful criticism of Warren’s proposal that is worth reading.
There is hope.
I’m glad we had this little chat! Next week I’ll try to find something less scary for us to talk about. Sleep well, secure in the knowledge that everyone is watching you all the time.