"If you don't pay for a service, you're not the customer: you're the product."
That was the message panelists emphatically delivered in a data privacy session at the recent SRI Conference. One revelation after another continues to affirm this unsettling aphorism.
Nothing in life is free
Think about all the free stuff in your life. Maybe you have a Yahoo!, Gmail, or Facebook account. Perhaps you're a Twitter user. You almost certainly use Internet Explorer, Chrome, or Safari. For-profit companies provide all of these to you, free of charge. Have you ever considered how they make money? What business model allows companies to give away their product for free?
E-mail accounts, web browsers, and social media platforms aren't the product. You are. All the personal information you voluntarily feed into the gaping online maw has significant monetary value, so that's what gets bought and sold. It's also what makes you vulnerable.
We've known for a while now that different kinds of companies collect and sell our information. Retailers like Wal-Mart (WMT 0.46%) and Target (TGT 1.03%) do so because it helps them to attract more customers and to get existing customers to buy more stuff. They're eerily good at it -- Wal-Mart has data on more than 60% of U.S. adults, and Target knows you're pregnant before you've told all your friends. Of course, in retailers' case, there's a real product you consume, and your data helps them sell it to you better.
By contrast, big computing giants collect your data because it helps with ad-targeting, and because third parties will pay dearly for it. Google (GOOGL -1.23%) and Facebook (META -4.13%), for instance, owe their entire existence to the value of your data.
Google and Facebook, therefore, rely fundamentally on the willingness of their users to fork over that information. While people's Facebook "friends" may think it's obnoxious, Facebook itself has an existential need for drunken birthday photos and annoying check-ins from whatever drab brunch joint someone is patronizing on a Sunday morning.
Thus, when Edward Snowden blew the lid off of the NSA spying scandal, it appeared that we were seeing a split along industry lines on the topic of data privacy. Big computing giants with an overseas presence suddenly saw a risk to their foreign clientele. Non-American Facebook and Google users are realizing that they're subject to surveillance by virtue of their use of these services, and while American firms have so far dominated the market, there are alternatives.
So we have companies like Facebook and Google pushing strongly for restrictions on the NSA's use of personal data, while at the same time we see retailers like Wal-Mart and Target resisting efforts toward greater privacy protections. In my coverage of this topic, I've treated the two as distinct issues.
But it looks like I was wrong to do so.
Where data privacy and government surveillance converge
This week, we learned that the NSA had successfully exploited a design element of Google's ad-targeting protocols to collect information for its own surveillance purposes. A Washington Post piece explains that the NSA has been "secretly piggybacking on the tools that enable Internet advertisers to track consumers, using 'cookies' and location data to pinpoint targets for government hacking and to bolster surveillance."
This mashes together two issues that I'd viewed as independent. On the one hand, companies are collecting what may be far too much information on us for their own commercial purposes, which they love and freely celebrate because it improves their competitiveness. On the other hand, the government is forcing companies to hand over our personal data for its surveillance purposes, which companies hate and resist because it compromises their competitiveness.
But if the NSA is piggybacking on Google's own technologies, it means that the fundamental mechanisms of commercial data collection are subject to exploitation. Google isn't just being forced to hand over information by some government directive. The NSA is taking Google's data from the company, like candy from a baby. Who else could do the same?
So far, the discussion has been bifurcated. Those who are concerned about the broad problem of data privacy want two things:
- For the government to pull back significantly on its seemingly unlimited collection efforts, thereby protecting civil liberties and the overseas competitiveness of American companies.
- For companies to implement greater protections regarding how they use and share personal data, thereby protecting our privacy.
Now it seems that the very fact of personal data collection is a liability. If the NSA can jump on Google's protocols, could credit card hackers? Blackmailers? Identity thieves?
The simple fact is that you are not in control of a treasure trove of intimate information about your life, because you're not the customer: you're the product. How comfortable are you with that?
It all leaves me thinking that we need a fundamental rethink on the matter of personal data collection. But if we tighten up the laws, will Google and Facebook's value proposition collapse? One thing is for sure: these companies had better find a real solution before one is forced upon them.
