FTC's YouTube Privacy Settlement Pisses Everyone Off; Perhaps We're Doing Privacy Wrong

It's becoming a tradition. A week ago, we wrote about a Friday evening news "leak" (almost certainly from Facebook) about the FTC approving a settlement with Facebook over privacy violations. And, this past Friday evening, there was a similar news dump about a similar settlement with YouTube (though at a much lower dollar amount). In both cases, the Friday evening news dump was almost certainly on purpose -- in the hopes that by Monday, something bigger will have caught the news cycles' attention. Thankfully, we don't work that way.

Let's cut to the chase, though. No one (outside of, perhaps, YouTube/Google/Alphabet execs) is "happy" with this. Pretty much everyone will point out, accurately, that a "multi-million dollar" fine is effectively meaningless to YouTube. No one believes that this will magically lead to a world in which internet companies take privacy more seriously. No one believes this will lead to a world in which anyone's privacy is better protected.

And while I'm sure some people will complain about the amount (pocket change for Google), I'm not sure the amount really makes much of a difference. Remember, last week's angry response to the $5 billion that the FTC is allegedly getting from Facebook. That's a much higher amount (by a massive margin) the largest the FTC has ever gotten from a company.

Perhaps there's a larger issue here: this system of expecting private companies and overworked/understaffed federal (or state) agencies to somehow manage our privacy for us does not work -- no matter what your viewpoint on all of this is. Perhaps we should be looking for solutions where users themselves get better direct control over their data, and aren't reliant on giant fines or government bureaucrats "protecting" it for them. Because if we're just going to go through this charade over and over and over again, it's not clear what the benefit is for anyone.

If you don't trust Google/Facebook, then no fine is going to be enough. If you do trust them to hold onto the data they collect, then this whole thing feels like a bit of privacy theater. No one ends up happy about it, and nothing is actually done to protect privacy. I've been pointing out for a while now that we're bad at regulating privacy because most people don't understand privacy, and I think these kinds of things are a symptom of that. There's this amorphous concept out there of "privacy," and people -- egged on by media stories that aren't always accurate -- have a concern that the companies don't do a very good job protecting our privacy. And they're right about that. But, there's no agreement on what privacy means or how you actually "protect" it. And the only tools in the toolbox right now are fines or crazy, confusing, misguided regulations that seem to only lock in large players and hand them an even more dominant position (allowing them to do more things that people are uncomfortable with).

There needs to be a better approach -- and it has to be one that starts more from first principles about what it is that we're actually trying to accomplish here, and what will actually get us there. What we have now is not that.

