“I’m shocked, shocked to find that tech companies are selling users’ data.”
“Your sales proceeds, sir.”
“Oh, thank you very much.”
As I’m writing this, Mark Zuckerberg is making some interesting stops on his apology tour. Zuckerberg, the beleaguered head of Facebook, has been invited to explain to legislators in the US, Britain, and other jurisdictions just what exactly Facebook has been doing with its users’ personal data. My expectation is that the current congressional hearings will achieve little more than providing an opportunity for representatives to do a little grandstanding, and getting Zuckerberg to wear a suit and tie. Those representatives are not prepared to take the steps necessary to guard individuals’ privacy when dealing with not just Facebook, but thousands of companies. Much of the digital economy is driven by business models that owe their existence, let alone their success, to capturing as much data as possible from as many people as possible – people who provide it sometimes willingly, but often not. Data that we never would have shared with private corporations in the past (i.e., before the internet and smartphones) is now offered up through ignorance, benign negligence, or hopeful naivety. That data is monetized by those companies in all sorts of weird and wonderful ways. Everyone, it seems, benefits from the use of personal data – least of all, however, the person supplying it.
Mr. Zuckerberg goes to Washington
Let’s recap why Mr. Zuckerberg is having some lively discussions with US legislators:
- Facebook provided access to extensive data relating to its users’ personal profiles and their use of the ubiquitous social media platform, to outside parties;
- One of those parties shared the data with Cambridge Analytica;
- Cambridge Analytica used the data to conduct psychographic profiling of millions of unwitting Facebook users, in order to target political messages and manipulate political attitudes;
- Whistle-blower Christopher Wylie brought the somewhat less-than-honourable practices of Cambridge Analytica in manipulating voters, including during the Trump campaign, to public attention;
- Suddenly, people are concerned about privacy.
The biggest surprise of the Facebook revelations is that people are surprised. After all, Facebook’s business model is based on the collection, analysis and exploitation of personal data. That’s how it makes money, and that’s why Facebook is worth $500 billion. That the company was a tad nonchalant as to how its users’ data was protected from misuse is also not news. The Facebook app that gathered details of users and their Facebook friends was developed back in 2014. The use of improperly obtained Facebook data by Cambridge Analytica in supporting Ted Cruz’s presidential campaign was reported by The Guardian in 2015. Facebook said at the time that the company was “carefully investigating this situation.” It also said that “[M]isleading people or misusing their information is a direct violation of our policies and we will take swift action against companies that do.” But nobody (including Facebook, it seems) paid much attention to the questionable ethics of the situation until now.
So, Facebook is in the hot seat, but the issue goes far beyond Facebook and social media. In a world lived increasingly online, personal data is being collected, analysed and exploited by thousands of companies. They are likely keeping a low profile, hoping that Mark will take one for the team, or that the whole issue will blow over, leaving them to go back to business as usual – scooping up data on everything you do, write, read, browse, buy, and even think.
The Surveillance Economy; you’re being watched
Over a year ago, I wrote a little piece on LinkedIn about cyberstalking – the notion that the prevailing business model in the digital economy is predicated on spying on people, and that we seem to tolerate corporate behaviour that would never have been acceptable before the internet and smartphones: reading your mail, eavesdropping on personal communications, rifling through your address book, tracking your movements, analyzing your personal interests, scrutinizing your purchases, etc. All to provide companies with an endless stream of data points for them to analyze and use – in selling us more stuff.
This type of commerce has also been dubbed “surveillance capitalism” by Harvard professor and writer Shoshana Zuboff. She describes it as “a logic of accumulation.” Virtually everything in the connected world is a potential source of data, including tablets, phones, connected appliances, digital assistants – everything flowing through our devices is a data point ripe for collection and exploitation. As John Danaher explains, “people simply do not realise how often, or how easy it is, for their personal data to be collected by the institutions of surveillance capitalism.” Franklin Foer, in his book World Without Mind: The Existential World of Big Tech, notes that these technology companies “have created devices and code that enable omnipresent surveillance; their pack-rat servers hoard personal data.” This continuous tracking and hoarding presents a far greater threat to individual privacy than just a sharing of someone’s Facebook “likes”. But it continues unabated, while Zuckerberg squirms in his seat at the congressional hearings.
Hey, Google – Butt out!
Zuboff points the finger at surveillance capitalism’s primary practitioner, Google. If you spend time online, or use a smartphone, Google knows everything about you. No data is too trivial to escape Google’s attention – it even gathers data for which there is no immediate use, expecting to monetize the information at a later date. Nor are legal or ethical constraints a hindrance. Google has established a modus operandi of gaining as much personal data as possible, whenever possible, with or without permission, only relenting when discovered and when the shouts of opposition grow too loud. The company has been caught with its hand in the cookie jar multiple times, including when it was discovered scooping up data from private WiFi networks while its cars captured images for Street View, or scanning private emails, or bypassing privacy settings. Judging from its behaviour, Google doesn’t give a shit about privacy.
And it’s getting worse. Amid concerns that home digital “assistants” are listening in when they shouldn’t be, both Amazon and Google have filed patent applications for technology that would allow their digital assistants to monitor even more of the conversations going on around them. For example, Amazon’s “voice sniffer algorithm” could identify likes and dislikes expressed during a private phone call, and send commercial pitches based on that data. Google is working on similar capabilities, described as spyware by Consumer Watchdog. Both companies plead that they take privacy very seriously. Huh!
Time for regulation
The challenge of managing privacy in the era of surveillance capitalism is twofold:
- There’s a hell of a lot of data being collected.
- The companies collecting and using the personal data treat it as their own property.
Think of the oft-repeated phrase “If you are not paying for it, you’re not the customer, you’re the product.” Facebook gets 98% of its revenue from advertising. The services it provides at no financial cost to the user – platforms for chatting with friends, sharing photos, posting videos of animals doing funny things, insulting strangers whose political views differ from one’s own, etc. – are just means of extracting personal data and providing a targeted audience to an advertiser. Google’s search engine and email platform are similarly free to use, but provide the company with comprehensive data that present a detailed understanding of the user’s life, as well as an entrance point to other applications that add to the profile – all to drive targeted revenue-producing advertising.
The first step toward ensuring privacy is to re-establish the individual user as the owner of his or her own data. Here, for example, is a basic concept of control:
“It’s a basic, intuitive right, worthy of enshrinement: citizens, not the corporations that stealthily track them, should own their own data. The law should demand that these companies treat this data with the greatest care, because it doesn’t belong to them. Possessing our data is a heavy responsibility that must come with ethical obligations.”
– Franklin Foer, in World Without Mind: The Existential World of Big Tech
If the Cambridge Analytica/Facebook mess has taught us anything, it’s that users have little control over their private, personal information gathered and used by companies such as Facebook, and that the tech companies cannot be trusted to oversee the use of that information properly and ethically. Time and again, tech companies with broad access to personal data have demonstrated that they are incapable of self-regulation.
Therefore, any restrictions on data collection and/or use have to come via government regulation. Let’s look to Europe for how to do it.
GDPR for Everyone
While legislators in North America have paid lip service to personal data security, Europe is taking the issue seriously. The European Union is set to apply, starting in May, the General Data Protection Regulation (GDPR), whereby European citizens will regain control of their own information. All companies handling personal data about any EU citizen must comply. Under the GDPR, personal data can only be collected and processed for “specified, explicit and legitimate purposes”. As Cennydd Bowles explains, features of the GDPR include:
- Vague or general purposes (e.g. “improving users’ experience”, “marketing purposes”) are prohibited
- Data cannot be gathered for unplanned analytics, future experimentation, or unspecified research
- Opt-out boxes are banned
- Consent must be separate from Terms and Conditions and must use clear, plain language
- Silence does not constitute consent
- Separate uses require separate consent
- Consent can be withdrawn simply
- There is a right to explanation – companies must explain to individuals, on demand, decisions made using the personal data
Take that, Google and Facebook! And the thousands of other companies that misuse personal data.
A simple legislative response to the Facebook fiasco would be global adoption of the GDPR. Simple and effective. As an added benefit, we wouldn’t be subjected to the image of Mark Zuckerberg in a suit and tie again.