A series of articles about privacy and trust in the era of tech overlords.
• Part 1: Data about you is being gathered by the big tech companies (as well as many other companies) in startling ways. Their ability to analyze that data and predict your behavior is more like magic than technology – and it has the potential to change the world, for better or worse.
• Part 2: It is impossible for us to detach from the big tech companies or prevent that data from being collected.
• Part 3: Although the scale of data-gathering is unprecedented, there is nothing new about big companies observing our behavior and it is not necessarily an invasion of privacy.
• TODAY: Some acts by the tech companies absolutely do invade our privacy. Facebook has abused our trust so often that it is a special case.
• Our individual decisions about the big tech companies should be driven by trust and transparency. Well-considered regulation can help protect our privacy.
If you were disturbed by the last article describing how much companies know about you, you might want to fix a cup of tea or perhaps go for a nice lie-down instead of reading this one. The obsession with collecting and trading information about us is leading to things that are invasive and offensive by any measure. Later we’ll talk about some of the regulations that could help, but those depend on well-informed legislators working in the public interest, which it appears will happen later in the next geologic era after humans have vanished from the earth.
The last year has brought a series of revelations of unforgivable invasions of your privacy by Facebook. Some of the same points could be made against the other large tech companies that participate in the global flow of your personal data; Facebook happens to be the worst.
Last week Mark Zuckerberg promised that Facebook was going to completely remake itself as a privacy-focused company. He was lying. We’ll take a look at that, too.
What’s the harm?
Things have gone terribly wrong.
Here’s an example.
Twenty-five million women have installed the Flo Period Tracker app and use it to track their menstrual cycles, with a box they can check if they become pregnant. Unbeknownst to anyone, and certainly undisclosed, that information was being immediately transmitted to Facebook. Facebook literally knew where women were in their menstrual cycles, and if they were trying to get pregnant, and if they succeeded, even if they had not told anyone else. And that was happening regardless of whether the individual was a Facebook subscriber or not, because Facebook has profiles of just about everybody on the planet, regardless of whether they have an active Facebook account.
Facebook has been secretly tracking women’s menstrual cycles.
The Wall Street Journal reported that story a few days ago. (The WSJ article is behind a paywall, so here’s a writeup from another source.) In addition to Flo Period Tracker, the article called out eleven other major apps with millions of users that immediately transmit heart rate readings and home buying info and more to Facebook.
After the article appeared, Facebook said, golly, we didn’t ask for that data, we’ve barely looked at it, we are so sorry, we’re going to throw everything away next time the wastebaskets are emptied, we promise.
But a few days later Privacy International released a report that said the previous coverage had only seen the tip of the iceberg; Yelp, Duolingo, and many other phone apps also send personally identifiable data to Facebook immediately upon logging in, even if you’re not logged into Facebook on that device, even if you don’t have an active Facebook account at all, without consent or disclosure. The Facebook app collects contact logs, call histories, SMS data, and real-time location data, but Facebook has gone far beyond that by getting information from third party apps on iPhones and Android phones. Some apps have pulled back now that Facebook is under fire for its bad behavior, but many still feed Facebook’s ravenous appetite for data about you.
Facebook has abused our trust so often that it is a special case.
A few weeks ago a report revealed that Facebook had paid $20 to thousands of users to gain access to all their phone data, vacuuming up data about what apps they used, what sites they visited, and much more. Facebook said it was a swell research program and, hey, what’s the big deal, only 5% of the participants were minors. Only Facebook was lying and eventually admitted that almost 20% were minors and maybe the “parental consent” wasn’t always checked very rigorously, like at all.
But Facebook does not just vacuum up our data. It also sends our data out to other companies.
The New York Times broke the news last year that Facebook had made deals to supply personal data to Apple, Samsung, and dozens of other device manufacturers. Following that report and the Cambridge Analytica debacle, Facebook was forced to reveal to Congress that it also had been sharing information about users and friends with dozens more companies, including a giant Russian Internet company, and had continued to do that for years after claiming to have ended the sharing. Later in the year, the New York Times reported that Facebook’s data sharing was far greater than anyone suspected; giant tech companies like Microsoft, Netflix, Spotify, Amazon and Yahoo had been exempted from the company’s privacy rules and obtained everything from private messages to news posts without any disclosure. In total there were more than 150 companies – online retailers, entertainment sites, automakers, media organizations – getting data about hundreds of millions of people each month.
Facebook is being investigated and may be fined by the FTC, attorneys general in many states, and regulators in the UK and Europe. Facebook’s stock price has fallen, shareholders are angry, and users are leaving the platform, especially in the valuable 18-34 group. From Wired:
“Mark Zuckerberg, the CEO of Facebook, is 34. He’s seen his company get burned for ignoring user privacy, and he’s seen that the platform he built to make the world more open and connected can also be used by harassers, racists, trolls, bullies, and Vladimir Putin. His company’s reputation has faltered; growth on the main platform has slowed, and employee morale has dropped. It seems like a good time for a change.”
Is it any wonder that Facebook wants to pretend to have a new focus on privacy?
Mark Zuckerberg’s cynical claim that Facebook is going to focus on privacy
Last week Zuckerberg published a long manifesto titled “A Privacy-Focused Vision For Social Networking.” The first paragraph added an interesting reference to “messaging” – “I’ll outline our vision and principles around building a privacy-focused messaging and social networking platform.”
Then Zuckerberg spent 3000 words outlining a privacy-focused messaging platform and completely omitted anything about social networking as we think about it today.
In Zuckerberg’s vision, Facebook’s three messaging platforms – Facebook Messenger, Instagram Direct, and WhatsApp – will be interoperable and encrypted end-to-end. Messages sent through those systems will be private, automatically removed if users choose to do that, and secure – including not having data centers in authoritarian countries. (In other words, Facebook won’t store data in China, where it is not permitted to be anyway.)
These are welcome improvements. Great! Applause! As it happens, merging the three messaging services makes it more difficult to break up those parts of Facebook, which makes the most extreme legislative remedies more difficult, but let’s call it a win-win for users and Facebook. Yay, Mark!
But there are two things that Zuckerberg hopes you will not notice.
• There is no business model for Facebook’s private messaging services. If the messages are encrypted, Facebook cannot serve targeted ads against your messages – and users will not want to use a messaging service with ads in any case.
There is a financially successful model for a messaging app. WeChat generates huge amounts of money in China for its corporate parent Tencent because it has one unique feature that Facebook does not currently have in any form: WeChat is used for almost all face-to-face financial transactions in China. Every retailer, restaurant, and entertainment business expects customers to use WeChat to settle the bill. WeChat’s tiny share of all those transactions makes it a very wealthy company.
Facebook dreams of having a payment platform but has not yet developed anything that has been seen in public. It can only be successful by dislodging Apple Pay and Google Pay, not to mention Square, PayPal, and all the other companies hoping to be part of that market.
There is another problem with the messaging vision. WhatsApp is already tremendously popular in most of the world, but Facebook cannot achieve the same dominance in messaging in the US without dislodging Apple Message, which has fanatical loyalty.
• As a result, Zuckerberg made absolutely no reference to any changes in the public News Feed, which generates all of Facebook’s income. The company’s fundamental business model is built on the News Feed and requires a steady flow of user data. A new focus on privacy for individual messages does not suggest any change in the way Facebook promotes the News Feed or the data it is prepared to ingest and bargain with to drive the News Feed.
Zuckerberg’s pious claim that Facebook will henceforth care deeply for your privacy accomplishes a few things: (1) it introduces what may be important new services which incorporate meaningful privacy protections (which it now has to figure out how to monetize); (2) it gets Facebook valuable PR exposure at a time when it desperately needs to change the narrative; and (3) it might distract the regulators circling the company.
But it does not suggest that Facebook is going to change anything about the way it collects data or trades it with its partners. Facebook is not killing its core business.
It’s not just Facebook
It’s not just Facebook. From the New York Times: “Personal data is the oil of the 21st century, a resource worth billions to those who can most effectively extract and refine it. American companies alone are expected to spend close to $20 billion by the end of 2018 to acquire and process consumer data, according to the Interactive Advertising Bureau.”
Data about you – not your neighbor, not some undefined mass of residents in your town, I’m talking about you, gentle reader – is flowing in our economy. What you thought about buying last night, whether you liked the TV show, what you had for breakfast, how you slept, where you had coffee, when your heart rate goes up, whether you’ve started your period, for god’s sakes – it’s flowing to Facebook and Amazon and Google, sometimes directly, frequently indirectly from apps or websites or cameras or from things you do in the Real World. Facebook gets data in from apps and passes it out to Cambridge Analytica, which uses it to manipulate the 2016 election; Equifax sucks in data from public records and stores it poorly and it’s hacked and now the flow runs to all the bad guys. Big companies trade that information freely in markets that we have no knowledge of and no insight into.
You have no privacy while that data is flowing. You can thunder about how there ought to be a law, but nothing foreseeable is going to stop the flow.
Just one more example of how that works.
Apple has chosen to put user privacy at the center of its messaging in the last couple of years. iPhones cannot be unlocked for law enforcement; Apple doesn’t read your mail; data stored with Apple is encrypted; Tim Cook lectures the other companies about their privacy sins. Basically Apple’s marketing says that it’s a virtue that Apple knows very little about you.
Kudos to Apple. It’s proving to be a successful bit of marketing. I’m a cynic and I believe Apple was forced to that position as a result of falling embarrassingly behind Google in AI and machine learning; even if it had the data, Siri was never going to be as strong as Google Assistant, so Apple is using privacy as an elaborate excuse. But okay, Apple stays out of some of your data and you’re meant to think kindly of them and buy their phones.
But maybe you’ve spotted the missing piece: every non-Apple app that you install on an iPhone has the potential to suck all of your data from the phone and put it into the global information flow. Every time an app says it needs permission to read your contacts or track your location, that data is being sent out, regardless of Apple’s attitudes about privacy. Flo Period Tracker was sending its data to Facebook from iPhones just as freely as from Android phones.
Apple’s privacy claims, then, are meaningful, but nowhere near as meaningful as they want you to think.
Let’s close there for today. You’re being surveilled; there’s nothing you can do about it; and some of the companies that get your data will do very bad things with it.
Regulation can provide important protections, and there are some things you can do personally. Well, not much, but I’ll try to make you feel better, anyway. In the next article we’ll try to find a brighter side.
What can regulation accomplish? What can you do to deal with life in a world where nothing is private?