'Big Tech' Blinders Let Other Privacy Violators Off The Hook
from the look-around dept
After over a decade of largely uncritical admiration from journalists, policymakers, and the public, the United States’ biggest tech companies have experienced a swift fall from grace.
Facebook, Google, and Amazon are the subject of long overdue scrutiny, investigations, and legal proceedings in jurisdictions around the world for their widespread and repeated violations of people’s privacy, while their executives no longer enjoy the glowing reputations they once did. After Cambridge Analytica, YouTube’s record-breaking COPPA fine for illegally tracking children, and a nearly endless list of other privacy transgressions, the Silicon Valley companies deserve all the scrutiny they’re getting and then some.
But Silicon Valley tech companies aren’t the only ones violating our privacy with impunity, and focusing on them as the sole villains allows a whole host of co-conspirators to get off scot-free. These other companies aren’t doing less objectionable things with your data, and they haven’t demonstrated that they’re more worthy of consumer trust, or less likely to be breaking the law.
Policymakers and tech journalists need to take off their “big tech” blinders and focus more energy on the lesser-known privacy violators benefiting from Facebook and Google’s absorption of the critical oxygen. When we’re talking about powerful companies surreptitiously creating information about you and using it to make important decisions about your life, threaten your safety, or violate your privacy, Facebook and Google shouldn’t be the only companies we’re talking about—because they’re far from being the only source of the problem.
Take the telecom industry, for example. All of the biggest telecommunications companies have been caught violating their customers’ privacy, often at the same scale and to the same degree of flagrancy as their Silicon Valley peers.
In 2016, Verizon was fined $1.35 million by the FCC for tracking the browsing history of users on its mobile network without their knowledge and consent. Two years later, a Verizon-owned ad tech company paid the then-highest COPPA fine to the New York state Attorney General for illegally tracking children. AT&T was fined $25 million by the FCC for failing to protect consumer data after AT&T employees stole the names and full or partial Social Security numbers of around 280,000 customers, then sold them to third parties.
More recently, an investigation by the Norwegian Consumer Protection Council found that an AT&T-owned ad tech company was among those receiving granular location information and information on users’ sexual orientation from dating apps like Grindr and Tinder. All the biggest carriers?Verizon, AT&T, T-Mobile and Sprint?were found to be illegally selling customers’ real-time location data to anyone who wanted to buy it.
Not only do the telecoms violate the privacy protections we have, they tirelessly lobby to make them weaker and worse. They fought the FCC’s broadband privacy rules in 2016, then (successfully) convinced Congress to negate them in 2017, lied about the privacy implications of encrypting DNS queries, and are trying to pass a Trojan horse privacy law that would calcify an exploitative status quo. Criticisms of “big tech’s” exploitation of people’s privacy that ignore big telecom miss the forest for the ISPs.
Then there’s the ad tech industry. Behavioral advertising, which targets people with ads based on information about their browsing history or offline behavior rather than their current online activity, is in many ways the internet’s original privacy sin. The profit motive it supplies for companies to track our every move and keep us scrolling and clicking for as long as possible is responsible for much of the toxicity, disinformation, and privacy violations that we’ve become inured to.
Behavioral advertisers have done everything they can to link the viability of innovative web services to highly profitable surveillance of users, while claiming that any attempts to weaken or sever that link will break the internet. Their business model is what makes so many online services inherently and unavoidably privacy-invasive when they don’t have to be.
These companies traffic in lists of sexual assault survivors, which students are undocumented or are using birth control, and which of us is most likely to be a vulnerable target for predatory loans, all while remaining staunchly contemptuous of the prerogative of legislators to reign them in. Nothing about data brokers’ exploitation of our data is less objectionable or malignant than what Facebook and Google are doing with it, but #DeleteLiveramp won’t get anyone’s attention.
This list of companies that rake in enormous profits for violating your privacy and deserve more notoriety for it isn’t short. There’s the app developers, location aggregators, the credit reporting agencies, and insurance companies. There’s also the brick-and-mortar companies that are falling all over themselves to build exactly the same kinds of tracking and analytic capabilities that Facebook and Google have weaponized, or contract out for them when they can’t. All of these companies actively, eagerly take part in the kinds of privacy violations that the Silicon Valley companies have grown notorious for, and a focus on the Silicon Valley companies alone minimizes the threat, and distorts the real problem.
There are some ways in which Facebook, Google, and Amazon present uniquely severe concerns by virtue of their size and ubiquity: it’s not as though their widespread notoriety wasn’t repeatedly earned. Moreover, examples cited here of transgressions by non-Silicon-Valley companies only exist because tech journalists or policymakers decided to focus on that not-Facebook and not-Google issue.
Nor does expanding the focus of tech critics to lesser-known privacy violators mean that regulators should exclusively focus on small companies at the expense of big ones, as the FTC has correctly been criticized for. Neither policymakers nor journalists should ignore the 400 pound gorillas in the room or the havoc they wreak. But there are other actors in the data collection ecosystem that deserve to be just as notorious as the Silicon Valley giants, and whose conduct deserves just as much attention.
For all the investigation and criticism that Amazon’s Rekognition deserves, policymakers and journalists shouldn’t ignore lesser-known facial recognition technology vendors like NEC or Idemia. As Clearview AI has demonstrated in dramatic fashion, a hitherto-unknown company can turn out to be engaged in practices as bleakly dystopian as you can imagine, as soon as it receives the kind of scrutiny that the biggest tech companies have been experiencing for years.
At the end of the day, “big tech” means nothing if it excuses the identical privacy transgressions of big telecom, big ad tech, big data broker, and big, well, everything else.
Lindsey Barrett is a staff attorney and teaching fellow at the Communications and Technology Law Clinic at Georgetown Law.