We’re losing the war against surveillance capitalism because we let Big Tech frame the debate

It’s too late to conserve our privacy — but to preserve what's left, we must stop defining people as commodities

Published June 20, 2020 2:00PM (EDT)

Global network modern creative telecommunication and internet connection (Getty Images)
Global network modern creative telecommunication and internet connection (Getty Images)

There is a reason that photography and videography are frowned upon at protests like the ones currently sweeping the nation: Surveillance capitalism has made it easy for even masked protesters to be identified. Both authorities and everyday citizens have access to search tools that can "out" someone from even the tiniest clues; even peaceable demonstrators are right to fear being fired or publicly shunned if their presence at a protest is discovered and then widely broadcast. Thus it is no accident that civil rights and privacy are intimately interlinked. Indeed, as law enforcement departments have become more militarized, they have equipped themselves with increasingly sophisticated surveillance technology — from devices that intercept cell phone signals to backdoors into social media sites.

Yet the civil rights battle over the right privacy is not waged on the street with protest signs and banners — at least, not generally. Privacy struggles are waged in more subtle ways, often through individual choices we make on our gadgets. We are told to "resist" by abandoning digital services; to "break up with Google Maps," so as to prevent some of our personal data from falling into the hands of the corporations who profit off of it.

Yet this very neoliberal notion of personal agency fails to acknowledge the role these services play in modern life. Being asked to resist only punishes those of us struggling to preserve our privacy. To imagine a world where privacy is preserved we need to explore what privacy truly means and to name it, for to name something is to own it.

What does it mean to see privacy as a civil rights struggle? The collapse of our privacy is exposing each of us to palpable risks: the erosion of the right to pray, to study, to congregate, or to participate in our democracy. In a digital world, privacy is the barrier between civil society and racial, political, or religious profiling writ large.

The rise of surveillance capitalism — the buying and selling of our identities and our data — may herald the death knell of privacy. Social media and targeted online advertising are designed to allure us; in the process, we are losing our rights to anonymity and accelerating the erosion of our civil rights. Proposed individual "solutions" — such as configuring our social media privacy settings or using the anonymous Tor web browser — are at best half-measures. A personal example best illustrates why.

Like 21.5 million Americans, I too had my personal information stolen by Chinese hackers in the 2015 breach of the Office of Personnel Management (OPM). To compensate me for their failure to protect my records (and that of every member of my family and relatives) I was provided with credit monitoring services from Experian, one of the big three credit bureaus. The primary result of this service is that I'm now flooded with offers to sign up for new credit cards carefully selected by Experian based on my credit score. My reward for being an OPM breach victim is to receive targeted spam that uses my personal information to benefit Experian and its commercial partners.

With the arrival of COVID-19, and the subsequent demands for contact tracing, we are all about to have our own individual privacy breach. In order to be effective, the results of any COVID-19 testing will need to be shared far beyond just you and your doctor. Counties, states, and possibly even national agencies will need access to test results. At scale, truly effective contact tracing will likely require very detailed location information, the kind your phone can trivially provide. In the current situation, your data won't be hacked by a foreign government, but freely given to assist with public safety.

Like many of us in the middle class, I and most writers on privacy tend to focus on the visible accoutrements of status, i.e., our phones, our online services, and our social media profiles. And with good reason, these are at the intersection of surveillance capitalism and consumers: services that have been instrumented to feed your personal information back into the engine powering those very services.

But the stakes are much higher than you may realize, for privacy is truly our civil rights struggle in the 21st century. Privacy violations are a gateway to identity-based targeting, which singles out individuals by race, religion, or gender identity. Yet with over 1 billion, mostly apathetic users, fighting Google (or Facebook or Experian for that matter) may move you to turn your despair into resignation.

So what does a world where our privacy is preserved look like?

Privacy and personal information are not the same

Many headlines call out the demise of privacy, but what they really mean is that some of your personal information is being sold, or stolen, or simply misused. The two concepts are not quite the same. It is reasonable to consider the loss of personal information under the general heading of privacy, but separating the two concepts opens the door to a more effective conversation about how to protect them both.

When we read about Facebook or Google (or our own government) wanting to listen in on your phone calls, read your emails, or review your Facebook feed, we're talking about privacy, pure and simple. Privacy in this case means freedom to engage in conversation or thought without unwanted or unknown surveillance. This is the notion of privacy that most of us think about when using the word "private." Our outrage is palpable when this notion of privacy is egregiously violated. Even Amazon was forced to respond to public outrage when it was revealed that Amazon employees could listen to your Alexa commands. (Amazon recently announced that they'd enable "options" that permit you to block sub-contractors of Amazon to eavesdrop on your requests to Amazon Alexa.)

Protecting one's personal information takes us into a different realm with more everyday practical implications. When I give Google my phone number in exchange for a Gmail or Google Voice account, I'm exchanging my data for a service. And I suspect most of us are fine with this type of value-based trade-off. Google needs to know where to route my Google Voice phone calls or how to text me an alert related to my account. It's Google's subsequent reuse of this information where things start to go awry.

Whether it's Google, Facebook, or the gym down the street, companies reuse, release, and resell this personal information. They allow third-parties to use this information to figure out what ads to show you in your account. Most people who spend time online are familiar with this experience, which does not always feel intrusive. Just the other day I was researching the dog food we feed our dogs and by that evening Google had displayed several ads for dog food brands in my Gmail inbox.

Dog food is only the beginning. If you do a quick Google search of anyone's name, you'll find dozens of offers to sell you a background check and other information about the subject of your search, (as a side note, many of these services are owned by the same company, they merely rebrand themselves to fool you). In the digital world your personal data is collected, repackaged, then correlated with other information to enrich the commercial understanding of you as a consumer. Even a cursory examination of the websites you visit will quickly reveal your political and sexual orientation, your racial identity, your ethnic heritage, and socio-economic status. Add to that your buying history, your Facebook friends, the people you follow on Twitter or Instagram, and a detailed profile of you emerges that probably transcends your own understanding of yourself.

Even if you feel comfortable with targeted advertising, the use of your personal information as fuel for the digital economy has a sinister aftermath few realize.

Privacy equals civil rights

Oppression originates whenever one group marks another group as "other," then uses that "otherness" to isolate, discriminate, and disempower. Often the markers for discriminatory behavior are obvious: darker skin, for example, or observation of gender.

But what if every marker of your individuality were known and sold, accessible to advertisers without your knowledge? The potential for manipulation or oppression is palpable, as one could easily use personal information for these suspect marking purposes. In 2016, the Russian Internet Research agency used Facebook to target ads at Black voters, ads designed to depress their voter turnout. Facebook had already siphoned up all of their vital personal details; all that the Russian Internet Research agency had to do was click a few buttons picking out the demographic they wished to target.

A 2016 NPR article mentions that the Iraqi army used Facebook data to identify students attending an ISIS run school. In the case of Cambridge Analytica, Facebook data that was inappropriately acquired was used to create unusually manipulative advertising for valuable voter demographics. And let's not forget this horrific tidbit, that Facebook "played a determining role" in the mass slaughter and rape of Rohingya in Myanmar, according to the U.N.

These examples are points along a spectrum of uses of your personal information. Finding terrorists using social media should be a good thing. Targeting groups of voters by their age and income levels makes sense if you're trying to effectively use your limited campaign advertising resources.

Yet now that technology-mediated services have an outsize ability to shape culture at large, the malicious use of this same personal information threatens to undermine every advance made by modern liberal society. This is why I call privacy the last line of defense in the battle for civil liberties.

Imagine an Uber-like service that used publicly traded information associating your phone number to your race, and used that pairing to provide slightly poorer service to African Americans. Or a real estate site that used such data to surreptitiously tailor the house listings presented to you based on your assumed religious or ethnic background. What if ICE quietly bought ads on sites offering immigration assistance to migrants, only to raid and arrest everyone who clicked "I'd like to hire an attorney."

Race, ethnicity, and religion aren't the only types of personal information that can be maliciously exploited. With the utter abandonment of principled politics and the open use of the federal instruments of administration for political aims, profiling has taken on an even more ominous direction.

There are signs that regulators are catching on. Indeed, after the announcement of a $5 billion dollar fine levied against Facebook, you could be forgiven for thinking "finally, someone is doing something to protect our privacy."

You'd be wrong. All of the regulations imposed on the major data brokers suffer from one fatal flaw: they reflect a belief that a statutory, regulatory response to this problem can succeed. One might say "If Facebook violated their terms of use, then we must pass a regulation forbidding them from doing that" or "if Amazon's employees have access to Alexa commands, they should stop that practice." But none of these proposals fundamentally address when it is permissible to collect personal information and what can be done with it.

Preserving our privacy

If regulation is not enough, how are we to protect our privacy? Thus far, regulations do not clearly address when it's permissible to collect personal information and what can be done with it, and the fines are rarely punitive enough to change behavior. If we think broadly of privacy as a resource to be valued, perhaps we can find some insight on how to protect it.

Imagine you come to work one day, and find someone has put a nude picture of you on the wall. You quickly have it removed but the embarrassment and anger lingers. Eventually, even that fades — maybe you even move to a new job where no one knows you as "the naked person." Embarrassing, but you recover. For those who have had their personal information stolen, there is no "but you recover." It is impossible to fully remove published information from the digital web. Even if you could miraculously convince every legitimate web service to remove your data, you can never convince those who illicitly deal in personal data to erase it. This immutability of stolen personal data is part of the horror of modern crimes such as revenge porn.

This is again why an incremental, regulatory based approach to protecting personal information will always fail: because a wound to our digital privacy never heals. We can't wait for a loss, then regulate the circumstances that led to it. By then it is too late. Privacy must be preserved, not conserved; that is why I advocate for a "preservationist" approach.

The preservationist solution is simple and easy to visualize. Imagine a world where we didn't have to figure out how to rein in Facebook. Where creating a set of regulations wasn't something we had to do, but rather Facebook (or Google, or the furniture store down the street) had to figure out how to operate with the principle that personal information may not be bought or sold. That is, we preserve our privacy by simply forbidding our personal information from being used as a commodity. Would this eliminate the need for statutes protecting our personal information? No, we'd still want to regulate how and when a service provider could ask for and how they must secure your personal data. But we'd have a principled floor — a bright line not to be crossed — eliminating some of the worst abuses.

Would this mean the end of Facebook or Google? Of course not. These companies have legions of bright energetic people working for them and they'd quickly adapt. Capitalism, warts and all, is an incredibly effective means of focusing humans on specific problems. Nor does this mean that these companies wouldn't be able to provide services to you. Indeed, with proper assurances on data handling there's nothing to prevent you providing personal information to a company in order for them to provide a service. Google needs my cell phone number so they can route those Google Voice calls to me. But they'd not be permitted to re-use it or sell it.

With the potential arrival of a new administration in Washington, and new faces in Congress, now is the time for optimism and activism. The potential nightmares of contact tracing, social distance monitoring, and mass testing only increase the urgency of addressing these issues. As citizens we must require candidates to elevate the status of privacy as an issue that differentiates them from the status quo. Privacy is the spine of the body politic. Preventing the sale of our personal information is the only effective tool left to preserve our civil rights as they are assailed by both commercial and governmental bodies. People are not a commodity, and we need to legislate that it is wrong to imbue humans with attributes we reserve for property. It is deeply saddening that we need to call for laws to say: I am not for sale.

By Michael Corn

Michael Corn was one of the first Privacy Officers in Higher Education and is currently the Chief Information Security Officer at the University of California, San Diego. The opinions expressed in this article are solely his and not that of his employer.

MORE FROM Michael Corn

Related Topics ------------------------------------------

Civil Rights Commentary Facebook Privacy Social Media Surveillance Capitalism Twitter