Tim Cook made headlines yesterday emphasizing the critical need for greater transparency around how companies collect and use our data. Yet, as Facebook’s Portal announcement earlier this month and its acknowledgment last month of address book mining reminds us, not only do we know very little about how even the biggest companies collect and use our data, but the companies now collect so much data about us everyday that even they forget all of the ways they surveil us.
Any discussion of how companies secretly acquire our personal private data without our informed consent must start with the data brokers, from which even Facebook itself formerly had to purchase a great deal of its ad targeting data. This shadowy world buys and sells our most intimate private information everyday and we have no right to demand to know what the companies hold on us. The sheer size of the data broker industry means it would be nearly impossible even to ask each of the myriad companies individually if they have data on us. A tiny company we’ve never even heard of on the other side of the country may have based its entire business on selling our data everyday that we never gave them permission to have, let alone sell. Making matters worse, at least in my case the overwhelming majority of the data several of the largest brokers hold on me is utterly wrong – a dangerous situation as companies increasingly go beyond mere ad targeting towards basing real decisions on it.
For all the focus on internet companies, it is misguided and naïve to think that simply building better privacy laws around the digital world will solve the broader issue of privacy, given how much of our personal information is bought and sold offline. New laws governing online privacy will do little to impede the dark world of offline data brokers.
In fact, new privacy legislation actually often leads to less privacy, not more. Instead of curtailing Facebook’s data collection practices, GDPR did what years of lobbying could not for Facebook: it allowed the company to finally roll out facial recognition across Europe. The former privacy laws did not permit Facebook to perform unfettered facial recognition across the continent, but GDPR changed all of this, finally giving companies a blank check to invade privacy vastly more than even they could ever have imagined.
Social media companies are notoriously silent when it comes to details about how they control what we see and say online. While publicly touting their efforts to remove terrorism, hate speech and fraud online, halt self-harm, silence bullies and address the most toxic and dark areas of their platforms, the companies refuse to release any details about whether those efforts are actually working or whether they are in fact making things far worse. Moreover, no matter how many warnings the companies get regarding a new initiative, they simply blindly proceed forward until eventually acknowledging that the critics were right and abandoning it. The problem is that the companies are never held accountable to all of the damage they have done to society in the interim.
It is no longer fine to “fail fast and break things” when the things being broken are democracy and people’s lives.
The most troubling element of our modern surveillance society, however, is that we have no legal right to know just how much we are being surveilled. Companies are free to issue whatever public statements they like or to decline to offer details under the guise that doing so would “help bad actors.” However, as I’ve noted again and again, in the United States our legal system is conducted in public and we don’t argue that allowing the public to know the outcomes of court cases will something help criminals know what they can get away with. In this country we believe transparency is so sacrosanct that it outweighs the risks.
It is often only through the work of independent researchers that we uncover these shadowy anti-privacy practices. Just last month Gizmodo reported that Facebook was mining uploaded address books to identify non-public contact information for other users. While a significant privacy story in itself, what set the story apart even further was that the reporter noted that Facebook had previously denied the practice, acknowledging it only after independent research confirmed its existence. When asked whether Facebook had only introduced the practice recently or why it would have originally denied the practice, the company did not comment.
Most recently, when Facebook announced its new Portal in-home camera system, the company was extremely explicit in touting that no data of any kind collected through Portal would be used for ad targeting. This was advertised by the company as a major privacy selling point of the device.
Yet, as others like myself noted, this seemed highly unlikely given Portal’s reliance on Facebook Messenger, which does collect data for ad targeting. As the company was pushed to explain this discrepancy, it reversed itself the following day, acknowledging that Portal calls are subject to the same data collection and ad targeting as all Messenger products. However, according to at least one outlet, the company did not contact them to correct its original assurances about Portal’s privacy and ad targeting until four days later. When asked why the company changed its statements about Portal’s privacy and why it took so long to correct its original statements, a spokesperson originally promised a response, but ultimately did not provide one.
When companies collect so much data in so many ways that the companies themselves lose track of all the ways they are tracking us, it raises the question of why we should trust them at all.
Unfortunately, in today’s world privacy is no longer viewed as a right, it is a privilege of luxury no longer accessible to the majority of the world’s population.
