'Big Tech' Blinders Let Other Privacy Violators Off The Hook

from the look-around dept

After over a decade of largely uncritical admiration from journalists, policymakers, and the public, the United States' biggest tech companies have experienced a swift fall from grace.

Facebook, Google, and Amazon are the subject of long overdue scrutiny, investigations, and legal proceedings in jurisdictions around the world for their widespread and repeated violations of people's privacy, while their executives no longer enjoy the glowing reputations they once did. After Cambridge Analytica, YouTube’s record-breaking COPPA fine for illegally tracking children, and a nearly endless list of other privacy transgressions, the Silicon Valley companies deserve all the scrutiny they're getting and then some.

But Silicon Valley tech companies aren't the only ones violating our privacy with impunity, and focusing on them as the sole villains allows a whole host of co-conspirators to get off scot-free. These other companies aren't doing less objectionable things with your data, and they haven't demonstrated that they're more worthy of consumer trust, or less likely to be breaking the law.

Policymakers and tech journalists need to take off their "big tech" blinders and focus more energy on the lesser-known privacy violators benefiting from Facebook and Google's absorption of the critical oxygen. When we're talking about powerful companies surreptitiously creating information about you and using it to make important decisions about your life, threaten your safety, or violate your privacy, Facebook and Google shouldn't be the only companies we're talking about—because they're far from being the only source of the problem.

Take the telecom industry, for example. All of the biggest telecommunications companies have been caught violating their customers' privacy, often at the same scale and to the same degree of flagrancy as their Silicon Valley peers.

In 2016, Verizon was fined $1.35 million by the FCC for tracking the browsing history of users on its mobile network without their knowledge and consent. Two years later, a Verizon-owned ad tech company paid the then-highest COPPA fine to the New York state Attorney General for illegally tracking children. AT&T was fined $25 million by the FCC for failing to protect consumer data after AT&T employees stole the names and full or partial Social Security numbers of around 280,000 customers, then sold them to third parties.

More recently, an investigation by the Norwegian Consumer Protection Council found that an AT&T-owned ad tech company was among those receiving granular location information and information on users’ sexual orientation from dating apps like Grindr and Tinder. All the biggest carriers—Verizon, AT&T, T-Mobile and Sprint—were found to be illegally selling customers’ real-time location data to anyone who wanted to buy it.

Not only do the telecoms violate the privacy protections we have, they tirelessly lobby to make them weaker and worse. They fought the FCC's broadband privacy rules in 2016, then (successfully) convinced Congress to negate them in 2017, lied about the privacy implications of encrypting DNS queries, and are trying to pass a Trojan horse privacy law that would calcify an exploitative status quo. Criticisms of "big tech's" exploitation of people's privacy that ignore big telecom miss the forest for the ISPs.

Then there's the ad tech industry. Behavioral advertising, which targets people with ads based on information about their browsing history or offline behavior rather than their current online activity, is in many ways the internet’s original privacy sin. The profit motive it supplies for companies to track our every move and keep us scrolling and clicking for as long as possible is responsible for much of the toxicity, disinformation, and privacy violations that we've become inured to.

Behavioral advertisers have done everything they can to link the viability of innovative web services to highly profitable surveillance of users, while claiming that any attempts to weaken or sever that link will break the internet. Their business model is what makes so many online services inherently and unavoidably privacy-invasive when they don’t have to be.

Given their reversal of fortunes, one could say that Facebook, Google, and the other Silicon Valley giants have taken the whipping boy role in privacy policy discussions that data brokers used to occupy. Data brokers were a heavy focus of consumer protection-minded policymakers at the FTC and the White House for a number of years, and while the attention previously paid to them has shifted, the venality of their business model hasn’t. The core business of these companies is to collect and infer sensitive information about as many people as possible, and to share and sell those assessments to any company that wants to buy them, like advertisers, health insurance companies, educational institutions, hedge funds, and others.

These companies traffic in lists of sexual assault survivors, which students are undocumented or are using birth control, and which of us is most likely to be a vulnerable target for predatory loans, all while remaining staunchly contemptuous of the prerogative of legislators to reign them in. Nothing about data brokers’ exploitation of our data is less objectionable or malignant than what Facebook and Google are doing with it, but #DeleteLiveramp won’t get anyone’s attention.

This list of companies that rake in enormous profits for violating your privacy and deserve more notoriety for it isn’t short. There’s the app developers, location aggregators, the credit reporting agencies, and insurance companies. There’s also the brick-and-mortar companies that are falling all over themselves to build exactly the same kinds of tracking and analytic capabilities that Facebook and Google have weaponized, or contract out for them when they can’t. All of these companies actively, eagerly take part in the kinds of privacy violations that the Silicon Valley companies have grown notorious for, and a focus on the Silicon Valley companies alone minimizes the threat, and distorts the real problem.

There are some ways in which Facebook, Google, and Amazon present uniquely severe concerns by virtue of their size and ubiquity: it’s not as though their widespread notoriety wasn’t repeatedly earned. Moreover, examples cited here of transgressions by non-Silicon-Valley companies only exist because tech journalists or policymakers decided to focus on that not-Facebook and not-Google issue.

Nor does expanding the focus of tech critics to lesser-known privacy violators mean that regulators should exclusively focus on small companies at the expense of big ones, as the FTC has correctly been criticized for. Neither policymakers nor journalists should ignore the 400 pound gorillas in the room or the havoc they wreak. But there are other actors in the data collection ecosystem that deserve to be just as notorious as the Silicon Valley giants, and whose conduct deserves just as much attention.

For all the investigation and criticism that Amazon’s Rekognition deserves, policymakers and journalists shouldn’t ignore lesser-known facial recognition technology vendors like NEC or Idemia. As Clearview AI has demonstrated in dramatic fashion, a hitherto-unknown company can turn out to be engaged in practices as bleakly dystopian as you can imagine, as soon as it receives the kind of scrutiny that the biggest tech companies have been experiencing for years.

Don't let Mark or Sundar shrink into the shadows—just make Hans (Vestberg, Verizon), Brian (Cassin, Experian), and Scott (Howe, LiveRamp) household names alongside them. Conversations about privacy policy, investigations into violators, and blame for the exploitative wretchedness of the current ecosystem shouldn’t solely focus on Mountain View and Menlo Park at the expense of ignoring Dallas, Atlanta, and Bentonville.

At the end of the day, "big tech" means nothing if it excuses the identical privacy transgressions of big telecom, big ad tech, big data broker, and big, well, everything else.

Lindsey Barrett is a staff attorney and teaching fellow at the Communications and Technology Law Clinic at Georgetown Law.

Filed Under: big tech, greenhouse, privacy, tech, telcos

Ron Wyden: It's Time Congress Helped Americans Protect Their Privacy

from the mind-your-own-business dept

Americans today are faced with a dilemma – there is a vast universe of products to let us control everything in our lives with a voice command or touch of a button. We can unlock our doors, turn on the heat, track our exercise routines and our baby monitors and perform a million other tasks in ways that make life easier or more efficient.

But these conveniences carry with them the danger that the data generated will be used against us.

Far too often, information that a government or company can collect and retain, is being collected and retained, and then shared or sold with other companies, marketers or agencies in ways that Americans never consider when they decide to buy a new thermostat. When the government or private corporations can tap into the stacks of information, these smart devices that make our lives easier also amount to spies working against our interests.

There is no good reason that Americans should have to compromise on privacy to benefit from the digital age. Consumers want smart devices, but we also want companies and the government to mind their own business when it comes to our personal information.

Over the past decade, I’ve made protecting Americans’ privacy against unnecessary government surveillance one of my top priorities. And following the Cambridge Analytica scandal, I’ve spent a lot of time thinking about how to create a commonsense plan to secure our privacy from corporations that haven’t been good stewards of private information.

That’s why I wrote a draft privacy bill, and, after a year of soliciting feedback from experts, introduced the Mind Your Own Business Act last fall.

It’s based on three core principles: First, corporations should be required to provide full transparency, in easy-to-understand language, about how they collect, use and share their customers’ data — and they should be held to those commitments. There should never be another scandal like we saw with wireless carriers, when phone companies shared real-time location data with bounty hunters, scammers and creepy exes without their customers’ knowledge.

Second, users need far more control over how their data is shared. The Mind Your Own Business Act would put teeth back into the Do Not Track option that has become essentially useless today. Under my bill there would be a single website where consumers could click a button to say no company could share your information with a third party without your express permission.

Under my bill consumers can choose whether to allow sharing data with third parties and targeted ads, and companies would have to offer tracking-free versions of their products that don’t cost more than the average revenue generated from a user’s data. And it makes sure low-income families can get free privacy protection, so privacy isn’t a luxury good.

Third, there need to be real consequences for corporations that break the rules. My bill follows the European privacy law and California’s Consumer Privacy Act to add fines up to 4 percent of annual revenue and even the possibility of jail time for executives who lie to the Federal Trade Commission (FTC) about protecting users’ privacy.

Those are some key points, but my plan does a lot more as well. Because privacy is also about making sure companies protect the data they have, my bill directs the FTC to set baseline privacy and cybersecurity standards and beefs up the number of people and resources the agency enforce those rules. It requires companies to assess their algorithms to detect whether they result in biased results and to fix problems they find.

My bill will create a healthier internet economy in two separate ways: First, consumers can directly choose to pay for ironclad privacy, instead of data-scooping free services. But even users who don’t opt out will see major improvements in privacy from the baseline rules and new transparency requirements. Companies often have no choice but to terminate their shady deals with third party data dealers, once they become public. With my bill, companies will be forced to disclose exactly who sees your data, and they will face steep penalties for lying about it.

Americans are sick of being faced with a feeling of vague unease after clicking through pages of fine print. Congress needs to step up, add guardrails for our privacy and stop the endless series of Sophie’s choices between technological advances and personal privacy. We must also reform the legal treatment of “business records” so that information created to make technology work better for you and your family is treated like private, personal effects, not subject to government prying without a warrant.

It's time to level the playing field between consumers and the corporations who profit from our data, and force companies to finally take Americans’ privacy seriously.

Filed Under: control, greenhouse, liability, privacy, ron wyden, transparency