Recently the world was shocked by the Cambridge Analytica/Facebook scandal where a data scientist created a survey that gave him access to the personal data of millions of Facebook users and all their friends, then sold that data to a huge company which used it to sway voter opinion during presidential elections.  That event brought a lot of attention on the subject of Internet privacy, an important issue which many of us ignore because deep down we know that, much like our beloved sausages and hot dogs, the truth about what goes on inside that world is a gnarly one.  However, although ignorance may be bliss, it isn’t protection.  Burying its head in the sand did not stop the ostrich from being mauled by Mark Zuckerberg.  So let’s take a closer look at this issue.

What We Give – The information we choose to share online

Facebook, Google, Instagram, etc. have wiggled their way into our hearts with their bold colors and dancing animations, making us feel like they are a part of our families or friends in some way, a benevolent platform for us to freely express ourselves and digitally frolic, but what they really are is companies.  And what is a company’s main objective?  Making money.  However, many of us have been peacefully, maybe even voluntarily, ignoring the fact that nothing in life is free and yet Google and social media appear to be, which of course means that they must get their multi-billion dollar profit in a different way.  How?  From advertising.  That means their clients are the advertisers.  And what does any good, successful company like Google or Facebook do?  It tries to make its clients happy so that they keep coming back.  That means providing a quality product, and in this case the product is detailed information about their clients’ target customers – us – so that those companies can more effectively sell their products.

That being said, this apparent shadiness is pretty normal if you think about it from a business perspective.  If these companies’ objective was to provide a free service that makes people happy, they would be NGOs, and their CEOs wouldn’t be worth upwards of 70 billion dollars.  However, understandable though their business objectives may be, the issues currently arising are because what Facebook uses to make its enormous profit is personal information that most of us thought was private and secure.  They take the soft, sensitive details of our lives, emotions and connections, photos of babies and grandparents, status updates about heartbreaks and identity crises, and yes, even private messages, and reduce them to quantifiable identity profile packages which are used as fuel for corporate success.

That being said, the fact that we assumed the information we voluntarily share online was private in the first place without anybody’s explicit confirmation that this was the case is pretty naïve, and we must also take responsibility for our role in current events in order to pave the way for change.  That’s not to say that we shouldn’t expect more from our services.  Of course we should.  We should demand more, in the form of higher standards, ethical guidelines and monitoring/regulation of services that handle sensitive information.  This Internet utopia may be on its way as implied by the GDRP, a new regulation which aims to put control of personal data back into European users’ hands.  However, this is only the first step in the right direction and it’s not a cure-all for data privacy concerns, nor does it apply retroactively to information already collected.

That being said, online businesses do tell us what they’re going to do before they do it, and that’s something we have to take advantage of.  Just because we don’t read the fine print of the Terms and Conditions, doesn’t mean that it isn’t there, and not knowing what we’re signing doesn’t nullify our signature.  Remember Ariel?  Sure, she couldn’t read but that didn’t stop Ursula from snatching away her voice the moment she signed that contract.  May Ariel be a cautionary tale for us all.

I was recently at the Mobile World Congress (blog post here), where I encountered a company doing something I found pretty shocking.  I was watching a panel in one of the main presentations halls at the startup event of the Congress, about how new successful companies are using AI. The five panelists were obviously held in high regard by the startup community, sitting proudly in front of an audience of hundreds and giving their two cents on AI.  The panelist that made my jaw drop was one that worked in a company for an app which, in summary,  goes into your phone’s photos (not the ones you have selected to upload or share in any way, the photos on your personal device) and analyzes their content in order to tailor advertising to you.  “Wait…what?” I thought and looked around, but no one seemed to bat an eye.  To me this seemed like an absurd and blatant invasion of privacy.  They’re going into people’s personal phones and looking at their private photos?  The virtual equivalent of staring through stranger’s windows into their bedrooms, living rooms and bathrooms?  Who would ever agree to that??

Outside the hall, a representative of the company was handing out fliers and I asked him about it.  What he said is that the app is not used by itself, it’s used by other apps, so when you download the other app you automatically get this **cker as a package deal.  I asked him – “do people really agree to this?” and he said “Yes, because it’s explained in the Terms and Conditions which they have to agree to.  Although, admittedly, probably many people don’t read it.”  Bingo.  This company is likely well aware that the majority of people would not agree to what they’re doing.  However, they’re also well aware, as many other companies are, that hardly anyone actually reads the privacy policy.  Even Mark Zuckerberg said about Facebook’s Terms of Service during his Senate hearing – “I would imagine probably most people do not read the whole thing, but everyone has the opportunity to, and consents to it.”  The problem is that although we have the opportunity to read it, few of us do; we’re so used to just clicking agree, having accepted that this is the way of the world now, that various more-and-more ambitious invasions of privacy just go over our heads.

GameStation once did an experiment to see if anyone read their Terms and Conditions.  In their ToS they literally wrote, “By placing an order via this GameStation Website…you grant us a non transferable option to claim, for now and forever more, your immortal soul” and for the day they ran the experiment, they swallowed up 7,500 souls. Although this is obviously a comically exaggerated example to prove a point, many real Privacy Policies aren’t far off.  Did you know what LinkedIn’s privacy policy was just a few years ago when most of us probably signed up for it?  Here it is:

“You grant Linkedin a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including, but not limited to, any user generated content, ideas, concepts, techniques and/or data to the services, you submit to Linkedin, without any further consent, notice and/or compensation to you or to any third parties.  Any information you submit to us is at your own risk of loss.” 

What I’m getting at is that we have to be critical of what we do on the Internet.  We can’t expect strangers motivated by profit or power to look out for our interests.  Yes, we should fight for that, but before it becomes a reality we have to be very careful what we do and what we share, just like in our real lives.  The same way you would do a background check on the babysitter you entrust with your baby, you should also do a background check on the services that you give your most vulnerable information to.

That being said, however important reading the ToS may be, many Terms and Conditions documents are incredibly long, complex, hard to understand, and almost feel like they have been designed to not be read.  For anyone who watches Parks and Recreation, there is a great episode on this subject, where the town makes an agreement with a Facebook-esque service to get free wifi for all the citizens. After signing the contract, the character who was responsible for reading it discovers he missed a hidden sentence in the encyclopedia-sized contract which gave the company the right to collect personal data and use it however they want.  At first the character feels guilty for not having seen this clause and jeopardizing the citizens’ privacy with his oversight.  But then he realizes the fault is not his, it’s the company’s. They knew the town wouldn’t agree to the clause so they hid it, making it nearly impossible to find and understand.  The character concludes by saying, “A person should not have to have an advanced law degree to avoid being taken advantage of by a multi-billion dollar company.”

According to Carnegie Mellon University, the average American encounters 1462 privacy policies a year, and reading all of them would average 244 hours/year/person. It’s unreasonable to expect people (especially those without any legal or technical know-how) to sit down and sift through all of this dense information.  The fact that the information which, in an ideal and honest world, must be understood and agreed to, is made so difficult to process that most people give up is definitely on the spectrum of deceit.  As I have mentioned in a previous post, many companies use questionable design tactics to capitalize on human weaknesses such as short attention spans, limited understanding of technical and legal jargon, and inherent trust in successful companies to have our best interests in mind.  However, confusion does not pave the way to consent.  The reason we as a society teach that very drunk people can’t consent to sexual activity is because they don’t completely understand what is going on, therefore they cannot be expected to make the decision they would truly want to make if they were fully conscious of the circumstances. That is why now, many people are angry after learning what really goes on behind the scenes of many Internet services, because they feel misled and violated.

However, in that regard, it seems that the bad press and new regulations have forced a change.  As most of you have noticed, when you log into Facebook or Instagram or any number of other websites, you are presented with the new privacy policy that you are encouraged, even prodded, to read and agree to before you can continue using the product.   This is because very recently, the General Data Protection Regulation was implemented which requires companies to obtain explicit consent from users about certain data processing practices, to give users more control over their data, and to make an effort to better protect personal information (and if they don’t comply with the regulations they face huge fines). The information in many of the updated privacy policy updates has therefore been modified to be more clear and transparent.  But does that mean that the actual content of these new policies is significantly different from before?  I read the Instagram/Facebook policy closely and it still says that they track your location, collect information about exactly how and for how long you use all their content (including the camera), collect your credit/debit card numbers, keep a record of your search history for months, and analyze the content of your messages, among other things.  Therefore, although regulations like the GDRP are a great move in the right direction of giving users back control over their information, we still need to be vigilant about what we agree to.

Has this new wave of regulation-motivated transparency motivated more people to read the Terms and Conditions?  Have you read them?

Before there is sufficient regulation on online data-processing services and privacy protection, before we have universally enforced rules and ethics on this subject, we have to keep our guard up.  The information that is being lost is ours; we are the ones that have something lose.  Therefore, if we value its privacy, it is our responsibility to take care of it to the best of our ability.  Big businesses aren’t going to take care of us and our information, especially when it makes them billions of dollars, and we shouldn’t trust them to do that.  Even the most famous man in the biz was confused as to why we would:

Conversation between Mark Zuckerberg and a friend while he was at Harvard

We have to carefully read the contracts we sign and know what we’re agreeing to, and if we want the conditions to change, we have to demand it.  Although some people may feel hopeless in the face of big and powerful companies, it’s important to remember that in business, market is king.  If customers don’t like the way the product works, they won’t use it, and that will lead companies to lose money and adjust their tactics to make their target market happy and draw them back in.  However, the first step to making relevant demands and changing things for the better is understanding how things work, caring about it, and voicing discontent.  That means critically analyzing the products we use and the services we trust.  And yes, that means reading the fine print.