We Have Updated Our Privacy Policy

All of us have mindlessly clicked "Accept" when confronted with terms and conditions or privacy policies, they are ubiquitous. Some of us might even have, although unwittingly, sold our grandmother into slavery... 'No way' I hear you say, but did you read it? If you haven't read it all, how would you know?

I have been bombarded with updates to privacy policies lately, and I guess, so have you. While the email or letter you have gotten clearly sounds as if companies strongly desire to explain their policies to us, the real reason why they are updating their policies is much more mundane, namely the European General Data Protection Regulation, that was adopted in 2016, became enforceable on May 25th, 2018. Our friends from Google, Facebook , Twitter, Amazon et. al. are afraid of being fined...

It is easy to think at this point, that companies will clean up their act, be transparent about what information they collect, how they are collecting it, what they are collecting it for, how they will protect your data, that we all have access to the information companies have collected about us,, that we all will have the ability to correct errors, and if we request it, that our data will be permanently deleted by companies we no longer want to do business with, and last but not least, the public will be able to hold companies accountable for their wrong doings. Sadly, you would be way, way wrong...

In fact, the bombardment with updates to privacy policies we all endured is nothing but window dressing. It is an attempt to appease lawmakers and the public alike, in hopes that nobody will go digging into what is really happening. Allow me to explain:

In 1980 the OECD recommended the following seven principles for the protection of personal data:

1. Notice—data subjects should be given notice when their data is being collected;
2. Purpose—data should only be used for the purpose stated and not for any other purposes;
3. Consent—data should not be disclosed without the data subject’s consent;
4. Security—collected data should be kept secure from any potential abuses;
5. Disclosure—data subjects should be informed as to who is collecting their data;
6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data
7. Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

I detest the use of the term 'subjects' in the above, but in general, the concept sounds very reasonable. While the US fully endorsed the seven principles the OECD recommended , it did nothing to implement them within the United States. To be fair, the OECD guidelines were non-binding, so not implementing them was certainly an option. Americans simply prefer flying by the seat of their pants when it comes to privacy regulations, or maybe they too, didn't like the term subjects. Europe did somewhat better, as many European countries implemented measures to protect individuals regarding the processing of their personal data; however, the implementation of those principles varied between European countries to the point where the European Commission realized that privacy protections hindered the free flow of data between countries and something had to be done.

Long story short, the General Data Protection Regulation, that includes those seven principals, obtained its final approval on April 14th, 2016 and gave companies two years for the implementation. Mysteriously they all waited until the very last minute to update us, but now, May 2018, stuff (you may insert your favorite expletive here...) just got real!

Let's face it, you received said emails, didn't read them, and clicked 'Accept' when confronted with the update on your favorite websites. While this almost sounds like an accusation, and you could certainly interpret it as one, who has the time to read all this stuff? Many companies don't even care if you accept and instead use the creepiest of methods which is implied consent; if you keep using our services you agree to blah blah blah... Sorry granny, off to the gulag you go...

All kidding aside, let's have a look at one of those serial offenders: Google, the "Do no evil" company. Not to worry, I won't bore you with ALL of the details... after all their 'new and improved' privacy policyis 'only' 20 pages long. This begs the question, why would anyone need 20 pages to explain how they are going to protect my data? Do they really expect everybody to read all 20 pages?

I guess we all know the answer, and just in case you don't, it is no. That is where it actually gets interesting because Google (and everybody else) is counting on all of us to have better things to do with our time than reading that nonsense. Let us be clear about one thing, you really didn't have a choice between accepting or not accepting the new terms, unless you, all of a sudden, wanted to be, for example, without email...

It could be argued, that you actually had the option to forgo your email; however, I question the practicality of this course of action, especially considering all the other companies that were very eager for us to migrate gigabytes of our personal information online. The reasoning is , again, simple, the more you are invested into any given site, the harder it is for you to leave and the easier it is for companies to force their absurd business practices down our collective throats. This, by the way, is intentional.

Let's look at some of the juicy details:

In the section We want you to understand the types of information we collect as you use our services Google writes "ads that you'll find most useful, the people who matter most to you online, or which YouTube videos you might like." What they are really saying is: we want to show you the ads you are most likely to click on, we want to line up videos you are likely to watch after you watched what you originally came for and we want you to interact with the people who are most important to you online, so you will stay longer. Understand that they can do that even if you are not signed into your Google account by using "unique identifiers tied to the browser, application, or device you are using." While Google continues this statement referring to "things like" maintaining language preferences across browsing session, even their own wording makes it clear that this technology is not limited to language preferences...

Talking about Google accounts, the next section titled Things you create or provide to us states: "When you create a Google account, you provide us with personal information that includes your name and password. You can also choose to add a phone number or payment information to your account." This sounds perfectly reasonable, but then they continue by saying that they connect the information they have about you to the content you create, such as "emails you write and receive, photos and videos you save, docs and spreadsheets you create, and comments you make on YouTube videos."

In the Your Activity section Google clearly spells out what you are sharing when you are using their services: "Terms you search for, videos you watch, views and interactions with content and ads, voice and audio information when you use audio features, purchase activity, people with who you communicate or share content, activity on third-party sites and apps that use our services, and your Chrome browsing history you've synced with your Google account."

Finally, Google knows where you where and where you currently are by collecting information such as 'GPS, IP address, sensor data from your device, information about things near your device such as Wi-Fi access points, cell towers, and Bluetooth-enabled devices.'

In contrast to what you might be thinking, The European General Data Protection Regulation does not prohibit companies from doing any of this, but they have to explain what they are doing in a language understandable by mere mortals and most importantly it requires consent, i.e. you have to click that 'Accept' button. But, as the name of this regulation implies, it covers Europeans, and the reason why companies are falling all over themselves to explain to us, non-europeans, what they are doing, is simple, the wording of Article 3 - Territorial Scope and the tricky, cross-boarder flow of data. Online there are no borders and, if you for a moment forget about the Great Firewall of China, people from all over the world are using services all over the world. Even though the new rules aren't applicable to most of the world, everybody now has the opportunity to learn what companies are doing, and have been doing, with our data behind the scenes all along.

And collected they have, in fact they have collected so much information that only very few companies are truly ready for GDPR and according to some articles I read, not even the legislature is ready to deal with it.

What I find interesting is this: These companies have been collecting all of this data without properly explaining to their users what exactly they were collecting and for what purpose. To the contrary, companies have been obfuscating their data collection activities (i.e. Uber) and hiding behind legalese to make it as difficult for the average person to understand what has been really going on. Therefore, couldn't it be argued that the information they possess, was collected at the very least unethically if not outright illegally? Should companies be allowed to keep this data? Should users be able to demand the deletion of their data? Instead we are bombarded with updates to privacy policies, explaining what has been going on for years, that users are basically forced to agree with...

I get it, users can demand all they want, but it is almost impossible to delete data once it has been saved online and even more difficult for a user to verify that this data has been deleted. It seems, we have all been making a fundamental mistake when thinking about online privacy, caused by a fundamental misunderstanding about how economics on the Internet work. Online and offline there is no such thing as free!

Google, Facebook et. al. make money from selling advertising, that is their business model, they just use different ways to attract users. In the case of Google and Facebook, one company wants to connect you with friends and family hoping that you will volunteer as much personal information as possible, because they want you to see Facebook as your personal home on the Internet, the other company provides utility like search, email, or a platform to post videos. However, both companies have the same goal, helping advertisers to reach their target audience in order to sell more advertising. I understand that this is an oversimplification, but it is needed so you can clearly see the conflict of interest that arises out of those propositions. They can't do both, protect your privacy AND sell as much advertising as possible. They intentionally designed their products to be addictive, so you spend as much time on their respective platforms as possible, as studies after studies have shown. Their equation is simple: the more users they have plus the more time those users spend online in combination with the information they have about those users equals more money, that's all that there is to it, every claim to the contrary is simply trying to obfuscate the issue. Mark Zuckerberg knows this, apparently almost everyone else seems not to.

Here you have it, companies have and will continue to collect vast amounts of data about us, with or without our consent. If you live in the EU you might have the chance to review and maybe even have some of this data deleted. If you live anywhere else, you're screwed. Terms and conditions have become easier to read and understand, yet they do little to protect consumers; their main purpose to protect companies from lawsuits with one simple argument: 'We told you so!', to which you agreed. I am not saying that all companies started this journey with malicious intent, but the need to turn a profit led to some rather unsavory business practices and clearly, a conflict of interest.

In essence, companies will continue to do what they have always done, ignore consumer's privacy to turn a handsome profit, they almost have to. Unlike their European counterparts however, Americans don't really care much about their privacy, if you don't count previously mentioned Mark Zuckerberg, who, when asked by a senator if he were comfortable telling everybody which hotel he was staying at during his time in Washington, clumsily declined.

But maybe Mark Zuckerberg's declining to answer, should give all of us pause. Why would the man who gave us Facebook and encouraged all of us to share even the most irrelevant details of our mundane lives, not want to share where he was spending the night? Privacy? Personal information? Mark, you're kidding, right? Facebook is any intelligence agency's wildest dream come true...

Europeans are cautious when it comes to personal privacy, just read those previously mentioned seven principles the OECD suggested to protect people's privacy again, they also learned the hard way to distrust the state. Maybe it is time for the rest of us to wake up from our peaceful slumber and start demanding that both, our governments and large corporations, start treating privacy as a human right, the right it has been for a very long time.