Online privacy has taken a few blows over the past year, and lawmakers are starting to wonder if regulation is the solution. In answer to data breaches such as Facebook’s Cambridge Analytica scandal and the Equifax hacking, the Senate has started to gather testimony in order to prepare for a federal privacy protection law. Following the European Union’s recent GDPR and the soon-to-be-implemented California Consumer Privacy Act, a trend emerges, and it seems that Americans can soon expect new laws on data protection.
The Senate Committee on Commerce, Science, and Transportation interviewed a panel of tech representatives from Amazon, Google, Twitter, AT&T, Charter Communications, and Apple in a hearing to examine consumer privacy protections.
Privacy advocates have criticized the committee for consulting a panel full of big tech insiders, but chairman John Thune (R-SD) has already committed to holding an additional hearing next month to question other voices. Predictably, the tech representatives said little of substance, giving vague and evasive answers with few tangible solutions, and navigating the ill-informed questions posed by the committee with ease. While Thune and his Senate colleagues may have good intentions, they were outmatched and outplayed.
Securing a Monopoly
Each company represented on the panel was based in computing and the web, but each operates in a different corner of the industry. AT&T and Charter Communications act as telecommunications providers; Amazon and Apple sell goods and services; Google and Twitter provide free online services funded by advertising. These companies may all handle personal information, but they operate under different business models, which in turn affects how they use the data.
Tim Seymour and Ryan Dodd of tech risk management company Cyberhedge predict the regulation of online privacy would split companies along business models. They point out that Apple, which sells its own products directly to consumers, is incentivized to protect user data in order to keep an edge over market competitors. On the other hand, Facebook, Twitter, and Google, which offer free services and make money through advertising, would be forced to “radically change” their business model to comply with a law that prevents them sharing user information with third parties.
While Seymour and Dodd accurately point out the operational divide between tech firms, they do not acknowledge that companies like Google and Facebook do not need to sell user data in order to utilize and manipulate it – a fundamental point that the Senate committee also failed to grasp.
For example, Google insists that it does not share personal information with third-party advertisers – instead, the tech giant holds this information hostage, forcing advertisers to rely on its ad services and consolidating its stranglehold over online advertising. Rather than putting Google, Twitter, Facebook et al. out of business, privacy regulation could, in fact, solidify the hold these companies have over user data.
Furthermore, the tech panel could not have been more eager to urge lawmakers to create a federal privacy law before other states could follow California’s lead and design their own rules. By pushing for all-encompassing federal regulation, could it be that these companies are hoping to secure their monopoly on the tech industry by forcing small and medium-sized competitors out of the market under regulatory burden? As Google’s chief privacy officer Keith Enright admitted, the company spent “hundreds of years of human time” coming up to scratch with GDPR – what other business could afford to do that?
Personally Identifiable Data
The committee’s primary focus was on the sharing of personal information with the public or third parties; unfortunately, this line of questioning failed to truly plumb the depths of privacy invasion being committed by big tech.
The tech representatives repeatedly denied misusing “personally identifiable information” – a term they hid behind and defined only when forced. Turns out that here they refer only to the most basic of information given: Your name, email address, phone number, address and so on. While few of us would be pleased to find this information made public or sold to a third party, these tidbits of data make up only a tiny fraction of the information collected and used to further the agenda of these tech giants – something the committee singularly failed to grasp in its questioning.
The way our personal information is used by tech companies to manipulate users is provided by Silicon Valley computer scientist and author Jaron Lanier. Lanier describes how the “manipulation machine” works:
“[There is a] constant feedback loop … when you use these new designs – social media, search, YouTube – when you see these things, you’re being observed constantly and algorithms are taking that information and changing what you see next, and they’re searching and searching and searching … until they find those patterns, those little tricks that get you and make you change your behaviour.”
Lanier is skeptical that privacy regulation will have any real effect on the way personal information is used by tech companies like Facebook:
“The business model is to addict you and then offer a channel to third parties to take advantage of that, to change you in some way without you realising it’s happening. I mean, that’s what it does. So I don’t think any amount of tweaking can fully heal it. I think it needs a different business plan. I mean, it’s very hard to throw a barrage of rules at somebody who’s following different incentives and expect them to make a difference…
I don’t believe that what happened with Cambridge Analytica is the worst of it. The whole system is designed for this … I think the data protection idea is a sincere and good idea but it’s certainly not adequate, it doesn’t address the core problem, which is the manipulation engine and as long as that is there, a bad actor can find a way to utilise it.”
Listening to the hearing, one doubts that any regulation will be capable of dealing with the basic purpose of big tech: Manipulating personal information to make money. Senators may be laboring under the misapprehension that data abuse stops at Cambridge Analytica style breaches, but they have only seen the tip of the iceberg.
No amount of regulation will protect user privacy until people realize one thing: When it comes to tech companies like Twitter, Google, and Facebook, you are not the customer. You are the product.