Readers of this blog and the CDP Institute newsletter know that I’ve been fussing for years about privacy-related issues with Facebook, Google, and others. With the issue now attracting much broader public attention, I’ve backed off my own coverage. It’s partly because people can now get the information without my help and partly because there’s so much news that covering it would consume too much precious reader attention. But, ironically, the high level of noise around the topic also means that some of smaller but significant stories get lost.
I’ll get to covering those in a minute. But first a general observation: the entirely coincidental convergence of the Facebook/Cambridge Analytica story and implementation of the European Union’s General Data Protection Regulation (GDPR) seems to have created a real possibility of changes to privacy policies everywhere, and most particularly in the United States. In a nutshell, the Facebook news has made people aware of how broadly their data is shared and GDPR has shown them it doesn’t have to be this way. Until now, few people in the U.S. really seemed to care about privacy and it seemed unlikely that they would overcome the resistance of commercial interests who largely determine what happens in the government. (Does that make me sound horribly cynical? So be it.) It’s still very much uncertain whether any significant change will take in U.S. laws or regulatory agencies. But that there is any significant chance at all is brand new.
So much for that. Just wanted to get it on the record so I can point to it in case something actually happens. Here are some developments on the Facebook / Walled Garden / Privacy fronts that you might have missed.
More Bad News
One result of the heightened interest in these issues that public agencies, academics, and especially the media are now looking for stores on the topic. This in turn means they find things that were probably always there but went unreported. So we have:
– CNN discovers that ads from big brands are still running on YouTube channels of extremist groups.
This has been a known problem forever, so the fact that it gets reported simply means that journalists chose to look for it and decided people would be interested in the results.
– Washington Post finds paid reviews are common on Amazon, despite being officially banned. Again, this comes under the heading of “things you could always find if you bothered to try”.
– Journalism professor Young Mie Kim found that fully half the groups running political advertising on Facebook during the 2016 election couldn’t be traced. Kim started her research before the current news cycle and it was probably accepted for publication before then too. But would Wired have picked it up?
– PricewaterhouseCooper’s FTC-mandated privacy review of Facebook in 2017 failed to uncover the Cambridge Analytica breach. It’s more evidence for the already-obvious fact that current privacy safeguards don’t work. But it never would have seen the light of day if this hadn’t been a hot issue.
Attacks from All Sides
Politicians, government agencies, and business rivals are all trying to gain advantage from the new interest in privacy.
– Immediately after the Zuckerberg hearings in Congress, two Senators introduced a bill to give consumers more rights over their data. The language was highly reminiscent of GDPR.
– A group of 31 state attorneys general opposed a bill to create a Federal law with standards for reporting about data breaches, fearing that Federal standards would override more stringent state regulations. Of course, this is exactly what the sponsors intend. But now the state AGs are more motivated to resist.
– The Securities and Exchange Commission (SEC) fined Yahoo $35 million for failing to discuss a 2014 data breach involving over 500 million accounts. Data protection isn’t usually a SEC concern, so it’s equally interesting that they chose to make it an issue (arguing the breach was news that should have been shared with investors, which seems a bit of a stretch) and the Republican-majority Federal Trade Commission is steadfastly unengaged.
– Four major publisher trade groups have attacked Google’s proposed approach to gathering advertising consent, which places the burden on the publishers but requires them to share user data. This would have been an issue under any circumstances but I suspect that publishers are emboldened to resist by the expanded interest in privacy and greater hostility to the Google, Facebook, et. al.
Scrambling by Facebook
Facebook has been scrambling to redeem itself, although it has so far avoided changes that would seriously (or even slightly) impact its business.
– It has ended a program to target ads using data from external compilers, such as Acxiom. How this helps privacy isn’t clear but it sounds good and conveniently makes Facebook’s own data even more valuable.
– It announced major API changes that limit the amount of data shared with developers. Note carefully: they’re not limiting data collected by Facebook, but only how much of that is shared with others. Similar changes applied to Facebook-owned Instagram. Again, the actual effect is to add value to ads sold by Facebook itself.
– It announced just today that it will let members block it from collecting data about their visits to non-Facebook Web sites. By now you see a pattern: less data from outside of Facebook makes Facebook data more important. This reflects perhaps the most disturbing revelation from the Zuckerberg hearings: that Facebook collects such data even on non-members. But the change doesn’t address that issue, since only members can tell Facebook to stop the data collection. If you find this confusing, that’s probably no accident.
– It promised to add an “unsend” feature to Messenger. Nice, but it only happened after reports that Facebook executives themselves already had this capability.
– It rolled out a new centralized privacy center that made settings easier to manage but apparently didn’t change what users can control.
– More substantively, it promised to apply GDPR consent rules globally. Signals were a bit mixed on that one but maybe it will happen. Who wants to start a betting pool?
– It dropped opposition to a proposed consumer privacy law in California. Good but it would have been a public relations disaster to continue opposing it. And who knows what they’re doing in private?
– On the Google front: Google-owned YouTube has touted its efforts to flag objectionable videos. That’s not exactly a privacy issue but probably overlaps the public perception of how online tech giants impact society. Remember they’re also motivated by tough laws in Germany and France enacted early this year, which require to remove illegal content within 24 hours.
Business as Usual for Everyone Else
How much of this is unique to Facebook and how much reflects a fundamental change in attitudes towards data privacy? Certainly Google, Amazon, and others are tip-toeing quietly in background hoping not to be noticed. Per the above, YouTube has occasionally wandered into the spotlight, especially when extremist videos on YouTube intersect with extremist content on Facebook. Over-all, I’d say it’s very much business as usual for most firms that gather, sell, and employ consumer data.
– Amazon continues to offer amazingly intrusive concepts with little evidence of pushback. For example, they’re expanding their Amazon Key in-home delivery program to also leave packages in your car. And they continue to expand the capabilities of Alexa ‘smart speaker’ (a.k.a. ‘always listening’) systems, most recently by making it easier for people to build their own custom capabilities into the system.
– Similarly, Waze has been merrily promoting its ability to share data about traffic conditions, setting up any number of integrations such as deals with Carto and Waycare to help traffic planning and, in Waycare’s case, warn drivers about current road conditions. Waze’s data is truly anonymized, at least so far as we know. But they certainly don’t seem to be worried a general privacy backlash.
– Another announcement that raised at least my own eyebrows was this one from Equifax, which headlined the blending of consumer and commercial data to predict small business credit risks. Anything that suggests personal data is being used for business purposes could worry people – but apparently it that doesn’t worry Equifax marketers.
What Do Consumers Think?
The big question in all this is whether consumers (should we just call them “people”?) remain concerned about privacy or quickly fall back into their old, carefree data sharing ways. It’s probably worth noting that Facebook was already uniquely distrusted compared with Google and Amazon, both by consumers and small business.
We do know that most have been following the Cambridge Analytica story in particular. But, to their credit, they also recognize that what they post on Facebook is public even if they don’t necessarily understand just how much tracking really takes place.
Sure enough, it seems that few Facebook users actually plan to close their account and, more broadly, there’s little support for government regulation of social media.
Indeed, most consumers are generally comfortable with sharing personal information so long as they know how it will be used.
Surveys do show that EU consumers say they’ll exercise their privacy rights under GDPR, but it’s reasonable to wonder how many will follow through. After all, they’re notably lax on other cybersecurity issues such as changing default passwords on home networks.
But this doesn’t mean that Facebook and similar firms are home free. Consumers are smart enough to distrust recommendations from smart speakers, as indeed they should be.
They’re also not terribly enthusiastic about ads on smart speakers or, indeed, about personalization in general.
On the other hand, of course, many studies do show that consumers expect personalized experience, although there’s some reason to suspect marketers overestimate its importance compared with other aspects of the customer experience.
This matters because personalized experiences are the main public justification that marketers give for gathering personal data – so consumers who increase the value they place on privacy could quickly reach a tipping point where privacy outweighs the benefits of personalization. That could radically shift how much data marketers collect and what they can do with it. Given the dire consequences that would have for today’s marketing ecosystem, everyone involved must do as much as possible to make sharing data genuinely safe and worthwhile.