Facebook was back in the news again this week with yet another privacy mess. This time, the company was paying users, including teens as young as 13, to willingly install what amounted to spyware on their computers to allow Facebook to watch over their shoulder as they went about their daily lives. When the project’s immense privacy risks and questionable ethics came to light, Apple summarily banned the app from its App Store and disabled all active installations. Looking to the future, could Apple perhaps become our defacto privacy guardian, protecting its users from unethical data harvesting as governments around the world refuse to act?
Facebook’s latest fiasco revolved around an extraordinarily intrusive monitoring app that shipped a breathtaking amount of sensitive information about its users back to Facebook. For its part, the company emphasized that users had digitally signed a consent form granting it the right to harvest their data and that they were being compensated a token fee for the use of their data.
Ironically, the idea that clicking a box that says a user agrees to tens of pages of highly technical legalese somehow constitutes “consent” is the same laughable explanation that Facebook has used for all of its privacy situations.
A clickthrough agreement might count as “consent” in the eyes of the law, but in the world of research the bar is typically set higher: “informed consent” in which the researchers ensure that the user actually fully understands every aspect of what will be done with their data and the potential implications for them.
As usual, the company did not respond when asked for a complete inventory of all of the data points it was harvesting from users and what the company did with that data or how long it plans to keep it all.
Apple had previously banned a very similar Facebook research app from its App Store for violating its policies, so Facebook was forced to distribute this application using Apple’s program for distributing internal employee-only apps. Apple’s terms of service explicitly forbade the use of the program for distributing consumer-facing applications and so when Facebook’s violation came to light, Apple moved swiftly to temporarily revoke Facebook’s usage of the program.
Facebook did not respond to a request for comment on why it felt its application was not in violation of Apple’s rules, though it has announced it has now ended the program on Apple and in an internal email acknowledged that its app had violated Apple’s terms of service.
In a twist of irony, Apple in this case became a defacto privacy regulator, moving swiftly to ban a highly invasive and ethically questionable data harvesting application. From a legal standpoint Facebook had done nothing wrong and even if US policymakers had taken an interest in the case, they had no standing with which to demand Facebook end its use of the application under current law.
Governments across the world have largely been loathe to intervene in the data harvesting practices of some of the world’s most profitable companies, preferring to let the companies themselves decide what is acceptable conduct based on how much customers are willing to put up with.
Intensive lobbying from technology firms has ensured that the few legislative attempts to rein in data collection have been so watered down as to be almost meaningless, letting companies decide when the rules apply and don’t apply. Even when fines are ultimately assessed, the typical dollar amounts of tens of millions of dollars are not even rounding errors to the large tech firms. Even an isolated billion dollar fine can be readily absorbed as simply the cost of doing business and would likely represent just a fraction of the total money earned from the violation, making it well worth the violation.
In essence, it is as if bank robbers, instead of going to jail, were merely charged a $100 fee for each ordinary robbery and up to a $1,000 fine for robberies that net more than a $100,000 in funds. While the fees would certainly be obnoxious, their inconsequential impact would be unlikely to deter future robberies.
Governmental efforts to regulate data use have often backfired spectacularly. Rather than constrain Facebook’s use of facial recognition, Europe’s GDPR actually rolled back all of the previous protections that had prevented Facebook from applying the technology across the continent and allowed Facebook for the first time to finally roll out facial recognition EU-wide.
What if instead of turning to governments, we turned to the private companies that are increasingly the gatekeepers of our devices?
Social media companies like Facebook and Twitter have for years acted as absolute gatekeepers over their platforms, deciding what the citizens of every country in the world are permitted to say and see and blocking third party applications they disagree with.
If social media companies are permitted to set global standards for online speech on their platforms, why should device manufacturers not be permitted to set global standards for privacy and safety on their platforms?
Instead of lobbying lawmakers for new privacy rules, what if we lobbied device manufacturers like Apple to establish new policies that ban data harvesting? With one line added to their terms of service and a set of filtering rules added to their App Store scanning, together with the threat of banishment for violating those rules, Apple could quite rapidly put quite a dent in the web’s most egregious data harvesting practices.
Similarly, imagine if Apple banned the use of facial recognition and other biometric collection for anything other than authenticating to an application? Suddenly the biometric debate would be transformed.
When we leave privacy protections to governments, commercial interests ensure that any resulting laws are watered down to the point of being useless or in fact more dangerous than the previous status quo.
A private company like Apple could enact new privacy policies overnight and enforce them without concern to whether banning data harvesting was hurting Facebook’s bottom line. Facebook’s lobbyists have no sway over Apple’s leadership.
Moreover, unlike the technology neophytes of government who often struggle just to make calls on their phones, a technology company like Apple deeply understands the digital surveillance state and would be able to do a far better job of anticipating the potential for unintended consequences from various policy decisions.
Of course, in reality, the aggrieved data harvesters would likely turn to those very lawmakers to enact legislation banning Apple from interfering with their harvesting practices or leverage Apple’s external hardware and software dependencies to strongarm it into letting them resume hoovering up Apple’s customers’ data.
There are also very real concerns over a single company being allowed to decide what we are permitted to do with our phones. The fact that Apple could simply flip a switch and cancel Facebook’s research application and cripple its entire fleet of internal applications is extraordinarily worrisome and reminds us that our devices are no longer truly ours.
For all intents, we merely “rent” our devices like we rent our movies and music today.
In many ways, Apple today wields the kind of absolute control over our devices as Microsoft did two decades ago with our desktops.
Putting this all together, there is a certain irony in one massive technology company becoming the defacto privacy regulator and putting a stop to another major technology company’s unethical data harvesting. It does raise the fascinating question, however, of whether seeking elusive government regulation is the best approach in the near term. Would turning to device companies like Apple be a far more effective approach to reigning in the digital world’s rampant data harvesting?
We accept Facebook and Twitter’s absolute power to decide acceptable speech on their platforms, so why would we balk at Apple’s absolute power to decide acceptable data practices on its platform?
In the end, which would you prefer? A company like Apple leveraging its platform control to ban invasive data harvesting on its devices? Or leave the matter to governments that care more about protecting profitable industries than they do the rights of ordinary citizens?
