Ask the average American, and you’ll quickly get the sense that online privacy isn’t going great.
“So many companies out there are constantly trying to stalk everything that you do, and make money off you,” Don Vaughn, head of product at consumer-insights platform Invisibly, explained.
By “stalk everything that you do,” Vaughn might be referring to companies tracking your location, analyzing your browsing history, examining the way you scroll, passing personal information to third parties or following you around the internet with targeted ads.
Online Privacy Trends to Watch
- Third-party cookies leave
- New data privacy laws emerge
- Mobile app tracking gets trickier
- Internet of Things complicates privacy
Some people dubbed “privacy nihilists” or “data nihilists” don’t really care. The only noticeable outcome of all that tracking is more personalized content and experiences. And besides, would panicking really change how companies treat users and their data?
But other people care a lot. A 2021 Cisco survey found 86 percent of people reported they care about data privacy and want more control, and 47 percent said they switched companies because of data privacy-related concerns.
No matter where you fall, here’s how today’s biggest data privacy issues will impact you.
Third-Party Cookies Are Going Away
Third-party cookies, or the bits of code websites use to follow you around the internet, have earned a reputation as a creepy surveillance technology. (Whether they’re so bad compared to other invasive technologies is another question.) Firefox and Safari have phased out third-party cookies, and Google says it will do the same for Chrome by the end of 2023.
As a replacement, Google has been working on Privacy Sandbox, a set of solutions for a cookie-free browsing experience — but one in which advertisers can still do behavioral targeting.
Initially meant to serve as the cornerstone of Privacy Sandbox, Google nixed its giant machine learning model called Federated Learning of Cohorts following early trials. That method was supposed to group users into cohorts for ad targeting based on demographics or interests without passing along which sites individual users viewed and when.
It was met with criticisms related to privacy concerns. Google announced in January 2022 it would be replacing FLoC with Topics, a new proposal for interest-based advertising based on FLoC feedback. Initial testing for Topics began in July 2022 through AdSense.
Here’s how it works: Topics will determine a user’s top interests for the week based on their browsing history. When that user visits a participating site, three of those interests — one from each of the past three weeks — will be shared with the site and its advertisers. Old topics are deleted after three weeks, and users will have access to those interests so they can remove individual ones or disable the feature.
Firefox also launched its Total Cookie Protection in June 2022 as a default for all of its browser users. The tool works by limiting the information a website tracker can see to that individual site, rather than letting them link up user behavior through multiple sites. Firefox described the initiative as “the culmination of years of work to fight the privacy catastrophe that stems from online trackers.”
The move reflects a growing attitude among online consumers. A MediaMath survey found 54 percent of users are confident in their understanding of third-party cookies, and 51 percent are not comfortable with websites tracking and capturing information about their online activity.
Apple Is Making It Harder to Track Users
The Apple iOS now makes apps ask users’ permission to track them across the web and other apps.
The App Tracking Transparency feature launched in April 2021 as part of the Apple iOS 14.5 update. Since then, users have been seeing a pop-up with the options “Ask App Not to Track” or “Allow” whenever they download and open a new app. A user’s choice doesn’t affect their ability to use the app, it only determines whether the app can access and collect their identifying information.
Apple’s iOS 15.2 update went a step further in December 2021 with its App Privacy Report, which lets users see an overview of how often apps access their data, each app’s network and website network activity and the web domains apps contact most frequently. Apple described the move as part of an effort to give people a “complete picture of how the apps you use treat your data.”
Apple’s shift to allowing users to decide whether they want to opt into app tracking has been bad news for platforms like Facebook, which make money by learning what their users do online and then serving personalized ads. Meta CFO David Wehner predicted the change would cost the social media giant roughly $10 billion in 2022.
In an analysis released in April 2022, data management company Lotame estimated Apple’s privacy initiative would result in $16 billion losses for Snapchat, Facebook, Twitter and YouTube, with Facebook expected to take about 80% of that potential hit.
Around the time of its launch, Meta CEO Mark Zuckerberg criticized the change, suggesting Apple — which competes with Facebook in the messaging space — had ulterior motives. Facebook also ran several advertisements in major newspapers arguing personalized ads help small businesses and users.
Apple fired back at criticisms of its data privacy protections in May 2022 with a privacy-focused advertisement showing someone’s personal data being auctioned off until they intervene by using Apple’s Mail Privacy Protection. That feature went live in September 2021 to stop email senders from learning a user’s location, details about their online activity and whether they’ve opened a message.
As more states consider privacy legislation, which bills big tech endorses — and which it doesn’t — speaks volumes. | Image: Shutterstock
Data Privacy Laws Are Emerging
As big tech hashes out — and bickers about — privacy solutions, the government is also weighing in. Sort of.
The arrival of laws like the California Consumer Privacy Act, the European Union’s General Data Protection Regulation and Virginia’s Consumer Data Protection Act were good signs for some privacy proponents. When certain regions enact stricter privacy guidelines, companies are forced to build new privacy solutions — even if they’re just for a subset of customers.
There are five states with “comprehensive consumer privacy laws” already in place, according to the National Conference of State Legislatures, and at least 25 states along with Washington, D.C. considered legislation in 2022 to do the same. The most recent state to jump on the data privacy bandwagon is Connecticut with a law going into effect in July 2023.
“We certainly don’t want to see states pass laws that lower the bar, particularly as we head into a long-term conversation about what federal legislation would look like.”
Because a mishmash of local laws would make data management incredibly difficult for companies, federal data privacy regulation is likely.
That’s all good news — right?
Not if new legislation caters to large tech companies instead of consumers, Hayley Tsukayama, a legislative activist at Electronic Frontier Foundation, told Built In in 2021.
“Right now, we have a California model that set a bar,” she said. “It’s not a perfect law; there are improvements we’d like to see there too. But we certainly don’t want to see states pass laws that lower the bar, particularly as we head into a long-term conversation about what federal legislation would look like.”
“Lowering the bar” might look like weak enforcement. Laws giving consumers the right to limit what data they share with companies don’t mean much if companies can violate the law without swift consequences.
Virginia’s law, for instance, doesn’t allow any private right of action — that means consumers can’t sue companies who violate it. California’s law allows consumers to sue companies only if data is breached, but, otherwise, enforcement falls to the state attorney general’s office.
According to Tsukuyama, most state attorney general’s offices aren’t equipped to handle enforcement.
“Lawmakers shouldn’t be convinced by legislation pitched as ‘GDPR-lite:’ bills that grant lots of ‘rights’ without thorough definitions or strong enforcement,” the EFF wrote in a 2020 blog post.
As the prospect of federal regulation looms larger, big tech’s tendency to support legislation that organizations like EFF consider “milquetoast” might be cause for concern — at least for consumers who think companies shouldn’t be allowed to profit from their data without consent.
The Data Economy Is Shifting
Should Tech Companies Pay You for Your Data?
At the heart of the debate over privacy regulation is a larger debate about the so-called data economy. Should data serve as currency, allowing users to visit websites and social media platforms at no cost?
Many online publishers — like newspapers — work with ad platforms to show targeted ads to visitors. That, theoretically, pays for the publishers’ operations. Meanwhile, companies collect and analyze user data — like browsing behavior, gender or location — to better target ads or product offerings. Often, they also sell that data to other companies in exchange for money or technology and services. And all that, the thinking goes, lets visitors enjoy most online content for free.
The only party not earning money from user data is users.
Some people think that should change. In 2018, authors Jaron Lanier and Glen Weyl argued users should be paid for their data and proposed a new type of organization called an MID, or mediator of individual data. MIDs would be like labor unions, in that they advocate for data payouts and handle the technical requirements. Former Democratic presidential candidate Andrew Yang even launched an organization, Data Dividend Project, dedicated to collective bargaining for data payouts.
Reception was mixed. Based on CCPA’s guidelines for valuing data, data dividend payments would be both too small to make a difference to consumers and too large for companies to manage, Will Rinehart argued in Wired. (A $20 annual payment to every U.S. user would tank Facebook, he wrote.)
So, a large-scale approach to data dividends is unlikely, at least in the near future. But what about a small-scale one?
That’s exactly what data management platform Invisibly claims it’s doing. Users can download Invisibly’s app to earn points by sharing their personal data. Those points can be used to bypass paywalls to access premium news content.
“The problem isn’t that there’s data about you. The problem is that you don’t have control over it.”
Of course, if a user’s ideal browsing experience were one where their data doesn’t get collected without consent, they’d be out of luck. Right now, consumers can’t opt out of the data economy, so it’s hard to discern whether better targeted ads are a service to users and brands — or just brands.
But Invisibly’s position is one Vaughn calls “data positive”: The data economy isn’t going anywhere, so let’s give users some money and more agency.
“The problem isn’t that there’s data about you,” he said. “The problem is that you don’t have control over it.”
By connecting consumers and brands directly, Invisibly gives consumers more visibility into where their data is going. It also gives better advertising insights to brands, it claims.
Rather than legally compelling companies to pay users for their data, Invisibly’s model is a voluntary one.
If the model is successful, it could push more brands to pay for consensually shared data.
Will data Dividends Lead to Privacy Privilege?
For people who could really use a little extra cash, data dividends are especially attractive.
“I think thinking about data privacy is a luxury thing that we get to talk about, when most people are like, ‘I can use 100 more bucks a year,’” Vaughn said.
That distinction — people who can afford to worry about data privacy and people who can’t — opens the doors for a hierarchical data economy, in which people with higher incomes can afford to keep their personal information private, but others can’t.
The EFF, for example, refers to data dividends as “pay-for-privacy schemes.” By foregoing the data dividend, the organization argued, some consumers would essentially be paying a higher price for the same online products or services.
At the same time, if consumers were no longer able to “trade” their personal data for free access to online products and services, some couldn’t afford to pay with money. That could limit access to online content like journalism. (Keep in mind, though, that targeted ads cost consumers money too, in the form of more spending.)
It’s a dilemma — and one without immediate answers.
Brands May Look Elsewhere for User Data
Eyeo, the company that maintains the open-source software Adblock, also pitched what it called a “new deal” between users and advertisers. The product, a browser extension called Crumbs, gives users a personal data dashboard and allows them to choose what to share. It processes data on local browsers and anonymizes data by grouping users into larger categories. Crumbs also comes with privacy tools that block third-party cookies and protect users’ IP and email addresses from marketing software.
Like Google Topics and Invisibly, Crumbs operates on the assumption that an ad-supported internet — and the free content that comes with it — is here to stay.
“We really believe that we can reach some sort of a fair game of providing the web economy with all the tools it needs in order to make meaningful monetization of content, while also preserving user rights and user choice along the way,” Rotem Dar, VP of innovation at eyeo, told Built In in 2021.
“The result of that would be demonetization of journalism and content.”
This isn’t a new line of thinking for eyeo, Director of Advocacy Ben Williams said. In 2011, the company rolled out the controversial Acceptable Ads update, which adjusted Adblock’s default setting to allow certain ads to appear. Only about 8 percent of Adblock users chose to disable Acceptable Ads and go back to an ad-free experience, according to Williams. That suggests higher-quality ads really do pose value to users. (Either that, or customers didn’t understand how to disable the setting.)
“It took us a really long time until Acceptable Ads and ad-filtering were the standard and were accepted by the industry,” he added. “We [as an industry] don’t want to do the same thing with privacy. We want the users to be involved from day one, because if they’re not, they’re going to rebel again, and they’re going to block everything.”
“Blocking everything” could mean users pushing for the type of global data-sharing opt-out Tsukuyama mentioned. And that — for better or worse — would threaten the online economy publishers, brands and the ad industry have settled into.
“My fear is that if data is not going to be available in-browser, then budgets of advertisers would simply be shifted either to the walled gardens or to other mediums, whether it’s connected TV or basically any environment where granular data about users would be available,” Dar said. “And the result of that would be demonetization of journalism and content.”
Name-brand connected devices are the most secure, but that doesn’t mean they’re the most private. | Image: Shutterstock
How the Internet of Things Complicates Privacy
What about the Internet of Things — how’s privacy going in the realm of internet-connected devices?
“IoT is a mess,” Chet Wisniewski, principal research scientist at enterprise security firm Sophos, said. “It has been for a really long time, and I’m not sure we’re ever going to see it improve that much.”
That’s bad news, because any insecure device with a camera or microphone could be accessed by people you don’t want accessing it.
“IoT is a mess … I’m not sure we’re ever going to see it improve that much.”
In general, name brands tend to do a much better job with IoT security, according to Wisniewski. Apple, for instance, has high standards for items marketed as part of its “home kit.” And if a brand name consumer product is abused by hackers, the company is likely to fix the vulnerability or face recourse from the Federal Trade Commission.
Off-brand IoT products, on the other hand, are the wild west of cybersecurity. Many “brands” are just single-batch white labels from overseas factories, so there’s no way for regulators or researchers like Wisniewski to hold manufacturers accountable.
Even worse perhaps, those manufacturers are often looking for the cheapest and quickest way to get products to market — including the software inside them. Most run outdated versions of the open-source operating system Linux with known bugs and vulnerabilities still in the code.
There’s potential for this to get better. Alan Friedman, director of cybersecurity initiatives at the U.S. Department of Commerce, proposed something called a “software bill of materials,” which would compel consumer-tech manufacturers to disclose a product’s software components. That way, helpful third parties could assign consumer-friendly risk scores — almost like the ingredient labels on food.
VPNs — or encrypted internet connections inaccessible from the outside — are another potential IoT security solution.
“IoT is one area where I think VPNs actually can make a very large difference,” said James Yonan, CTO of OpenVPN and creator of the original open-source project of the same name. “If you have a webcam that is designed to connect to the internet over a VPN, that can really be the difference between it being secure and it being not secure.”
But until the government regulates IoT — which Wisniewski believes is unlikely — concerned consumers can cross their fingers for better transparency or encryption, or just air toward pricier, name-brand products. It’s very unlikely, for instance, that your Amazon Alexa will be hacked.
But that doesn’t mean it doesn’t come with big-time privacy concerns. Alexa records conversations, even when you don’t ask it to. Apple had to apologize after letting contractors listen to private Siri voice recordings from users.
In the end, it might make sense to worry less about shadowy hackers and more about the companies that access our data in perfectly legal ways.
“[Big tech companies] are collecting information from you to use for whatever purpose,” Wisniewski said, “and you’ll never find out, no matter how much you read the privacy agreement.”