You Are What You Click: On Microtargeting
Fighting the Future
Given the choice, most consumers would prefer that their information not be collected and aggregated. And so advertisers and data aggregators have treated them like the proverbial boiling frog: enticing them into an indispensible social or technological network, then slowly eliminating their choices. Regulations and advocacy have been consistently losing ground against the advertising behemoth.
By default, browser and mobile software provide little protection against the collection of their data. Simple but powerful browser extensions such as Disconnect and Ghostery prevent a great deal of tracking via cookies on PCs, but they are used only by a small fraction of consumers. And even such extensions can’t prevent the many other forms of tracking, and mobile platforms do not permit their use. Privacy advocate Brian Kennish, the creator of Disconnect, stresses the lack of transparency in data collection and use: “We’re trading information we don’t even understand for Internet products. If we don’t even know what’s happening, it’s hard to assess the risk.”
Cases like the one the government brought against Google are irrelevant to the central privacy issues of the day. There is no legal or regulatory infrastructure set up to monitor the collection, aggregation and trading of consumer information. Certain forms of information, such as medical records, are cordoned off by privacy legislation such as HIPAA, but even these laws are no guarantee of anonymity, as it is easy to determine much about a person’s health and medical history by looking at his everyday purchases and activities. In great enough quantities, collection and aggregation of nonconfidential information can violate privacy just as much as the disclosure of confidential information does.
Most resistance to this kind of aggregation has been purely reactive and not particularly effective. When the resistance has had any effect, it has played on momentary consumer outrage. Consider the case of Facebook Beacon, launched in 2007: the concept was that companies partnering with Facebook, which included eBay, Yelp, The New York Times and Blockbuster, would allow it to put an invisible “web bug” on their sites that would enable Facebook to see everything its users did on the partner sites and associate that activity with their Facebook accounts, whether or not they were logged in. If I purchased shoes from Zappos, for example, Facebook would post that information to my wall automatically, saying, “David just bought shoes from Zappos!” Facebook users were “opted” in to Beacon without being asked and had to manually turn it off.
There was a public outcry: Facebook users did not want their online activity automatically advertised to their friends. MoveOn started a petition, and a class-action suit was filed against Facebook and several partners. Facebook quickly made Beacon optional for users, requiring an explicit opt-in, and subsequently allowed people to turn it off completely. Two years later, in 2009, it shut down Beacon altogether because, when given a choice, very few people wanted to opt in to such a program.
But Facebook didn’t abandon the goals of Beacon. Rather, it learned from its mistake, grasping that what frightened people most about Beacon was seeing their online behavior publicized without their consent. Through the use of “like” buttons, comment registration and third-party cookies, Facebook still monitors a large percentage of the online activity that Beacon was supposed to capture. It just doesn’t publicize its actions.
This kind of two-step, where data is collected but the consumer is not notified, has become the norm in Internet commerce. The two-step works in other ways. Facebook has drastically weakened its privacy policies several times, most notably in 2009, 2010 and 2012, each time attempting to make more user information less private by default. (A brief timeline is available from the Electronic Frontier Foundation, which has worked diligently to raise consumer awareness.) Whenever there was a strong public protest, Facebook retreated, but not to its original position, thereby cooling critics’ ire while still managing to raise the flame under the frog.
Facebook’s case is an unusually visible one. Most companies have not had their data collection practices scrutinized so closely, if at all. Natasha Singer’s Times article about Acxiom raised eyebrows in Congress and at the FTC, but no action has been forthcoming: “self-policing” seems to be the order of the day, which is to say there’s no order at all. Because consumers remain mostly in the dark about the activities of companies like Acxiom, there is far less pressure on them than there has been on Facebook—and even there, the pressure hardly seems to have made a difference. The Obama administration’s Consumer Privacy Bill of Rights, issued in February 2012, sets out vague guidelines for control and transparency that are wholly out of touch with reality: corporations have so far yielded nothing to it, and the government has not pressed the point.
Legislatively, there are very few existing guidelines, partly owing to the difficulty in quantifying exactly what should be illegal: companies have been collecting this sort of data for years, so how would one justify criminalizing the collection of more of it? In Steinberg v. CVS, decided last year, CVS successfully fought off a Pennsylvania lawsuit over giving “anonymized” data to pharmacy companies and data brokers, because no legal protections were in place beyond the requirement of scrubbing people’s names from the data. The concept of reidentification has not yet entered the legal domain—nor has the inevitability that the data will be combined with other data.
There are many legal issues to resolve, and the only impetus for change appears to be consumer education and outrage. But given the complexity and obscurity of data aggregation today, outrage occurs only when a company makes a public relations gaffe that’s big, simple and visible enough for the media to latch on to. Even then, few people end up leaving Facebook. All of your friends are there, being watched and anonymized as they “friend” and watch you, all of them doing, in the words of Joseph Turow, “free labor in the interest of corporate profits.”
Caleb Crain writes about his experience of being cyber-stalked in this same issue of The Nation.