The economics of privacy

Perhaps the biggest complaint about tech companies today is that they do not respect our privacy. They gather and store data on us, and in some cases, such as Facebook, they charge companies for the ability to send targeted ads to us. They induce us to self-reveal on the internet, often in ways that are more public than we might at first expect. Furthermore, tech data practices are not entirely appropriate, as for instance Facebook recently stored user passwords in an insecure, plain text format.

This entire debate is overblown, and the major tech companies are much less of a threat to our actual privacy than is typically assumed.

For most people, gossip from friends, relatives, colleagues, and acquaintances is a bigger privacy risk than is information garnered on-line. Gossip is an age-old problem, and still today many of the biggest privacy harms come through very traditional channels. And unlike false charges planted on social media, often there is no way to strike back against secretive whisperings behind one’s back. In the workplace, one employee may tell the boss that another employee does not work hard enough, or high school gossip may destroy reputations and torment loners and non-conformists, to give two common examples of many.

If anything, the niche worlds made possible by the internet, and yes by Facebook and Google, are giving many people refuges from those worlds of public scrutiny and mockery – you can more easily find the people who and like respect you for what you really are.

Life in small towns and rural areas is another major threat to privacy – too often everybody knows everybody else’s business. In contrast, if you live in a major city or suburban area, you have a much greater ability to choose whom you interact with, and you are more protected from the prying of your neighbors and relatives. And it seems that so far, contrary to some initial “death of distance” predictions, the internet has encouraged people to move to major urban centers such as New York and San Francisco. To that extent, internet life has boosted privacy rather than destroying it.

There’s also evidence that young Americans are having less sex these days and they are less likely to be in a serious relationship. The internet is likely one cause of that isolation, and in my view those changes are probably social negatives on the whole, and they represent a valid criticism of on-line life. But is the internet in this regard boosting privacy? Absolutely. The internet makes it much easier to be in less contact with other people, whether or not that is always wise or the best life course overall. It strikes me as odd when the same people blame the internet for both loneliness and privacy destruction.

A lot of actual privacy problems in the public arena don’t seem to attract much attention, unless they are tied into a critique of big tech. For instance, autocratic governments are using Interpol and its police powers and databases (NYT) to track down and apprehend ostensible criminals who are in fact sometimes merely domestic political dissidents. It is likely that many innocent individuals have ended up in jail (can the same be said from social media violations of privacy?) That’s an example of using databases for truly evil ends and, while it was covered by The New York Times (p.A10), it is hardly a major story.

It is striking to me how much the advocates focus on regulating the big tech companies, because a true pro-privacy movement might not have that as a priority at all.

By the way, how do you feel about obituaries?  The newspaper collects information on you for years, and then suddenly one day they publish it all and then keep it on the web, whether you like this or not.  They’ll even throw in snide remarks, sarcastic tone, or moral judgments about you, depending on the outlet of course.

If the privacy landscape is so complex, why then is there so much anger at Facebook and other social media companies? First, most users of services such as Facebook and Google are actually pretty happy with those services and with the companies. Some of the opposition is coming from intellectuals with core anti-business grudges, politicians looking to get headlines, or often from media itself, who face Google and Facebook as major and far more profitable competitors.

Second, social media themselves create contagion effects, whereby attention is piled on a relatively small number of select victims. For instance, the #MeToo campaign has focused condemnation on a small set of offenders, such as Harvey Weinstein, then magnified by Twitter and other social media. Many other offenders get off scot-free, simply because attention has not been directed their way. Ironically, one of the better arguments against social media is to look at how social media treat and discuss social media itself. On the privacy issue, Facebook rather than say Google has ended up as the main whipping boy, even though it might have gone the other way (who again controls your gmail?).  Ironically, perhaps the actual best argument about social media is how social media reflexively covers social media itself.

Third, many of the supposed concerns about privacy are perhaps questions of control. It is correct that the major tech companies do “funny things” with our data which we neither see nor understand nor control.This unsettles many people, even if it never means that some faux pas of yours is revealed in front of a party of your mocking friends. Still, I am not sure the underlying notion of “control” here has been satisfactorily defined. Many marketers, and not just on the internet, do things you do not control or even know about.  Furthermore, see Jim Harper on privacy, who covers security, seclusion, autonomy, and absence of objectification as some of the different features of privacy concerns.

Of course, just as privacy violations do not stem mainly from the big tech companies, we have never been in control of what is done with information and opinion about us, again think back on social gossip. This fundamental lack of control is just now being pushed in our faces in new and unexpected ways. In part it is actually unsettling, but in part we also are overreacting.

Privacy is a real issue, but to the extent it can be fixed, most of that needs to happen outside of the major tech companies.  Most of what is written about tech and privacy is simply steering us down the wrong track.

Comments

"...gossip from friends, relatives, colleagues, and acquaintances is a bigger privacy risk than is information garnered on-line..."

If the people I knew had years' worth of transcribed conversations with me and tracked my movements and interactions, then yeah, I'd be concerned about privacy. But people don't do that. They forget 99% of what you say and do because they've got their own stuff going on; you might call it a form of security through obscurity.

Right. A big problem with the Internet is that your high school principal's bluster about "This is going on your Permanent Record" has come true.

"has come true...."

????

The tech companies will be the last ones to tell everyone about it! The last thing they want to do is post negative info about you and drive you away from their advertisers.

It's not the tech companies who save and republish this info. It's your friends, neighbors, bosses, coworkers and other people you know. And they can just as easily save it and publish it on Wordpress as they can on Facebook.

Well, banks don't want to lose money, but when you store vast quantities of valuable stuff, you become a lightning rod for theft.

https://en.wikipedia.org/wiki/List_of_data_breaches

Exactly. TC makes some good points but I'd like to have this one answered. Nothing seems to be forgotten (and often not forgiven) on the internet which is what scares me the most.

I was going to say the same thing. Mostly agree with TC here but he elides the fundamental change that the internet has brought, the "permanent record".

Maybe his point is, it's not eeeeevil FB and Google to attack, it's how do we develop suitable norms in the new online world, where everything is archived and accessible somewhere online. That's not a FB problem, that's a society one.

It's probably not a good thing that I was able to anticipate the arguments and conclusions from having read only the title. (I am of the belief that predictability is a sign of someone being on intellectual autopilot.)

Implicit collusion between the tech titans and the NSA. The goal is to prevent us, the little people, from having personal cryptography in our hands. Tech titans have no cause to have our information except that we grant the permission, but government prevents us from hiding and protecting our information.

Well, the collusion is quite explicit - the only thing that is not meant to be explicit is for anyone to talk about the details.

Although you make some salient points, this seems, unusually for you, full of generalisations without evidence, such as “Most people” “most users” “a lot of.” It would be a much more compelling argument if you could shore it up with some facts.

'Perhaps the biggest complaint about tech companies today is that they do not respect our privacy.'

It is not a complaint for anyone in the EU at this point, thanks to the GDPR,

'This entire debate is overblown, and the major tech companies are much less of a threat to our actual privacy than is typically assumed.'

Surveillance advertising (a term noted here - https://marginalrevolution.com/marginalrevolution/2019/05/maciej-ceglowski-on-gdpr.html ) rejects any claim to privacy, mainly because it is a challenge to advertisers profiting from private data.

'A lot of actual privacy problems in the public arena don’t seem to attract much attention, unless they are tied into a critique of big tech.'

Yet strangely, this story seems to get even less play - 'The State Department is now requiring nearly all applicants for U.S. visas to submit their social media usernames, previous email addresses and phone numbers. It's a vast expansion of the Trump administration's enhanced screening of potential immigrants and visitors.

In a move that's just taken effect after approval of the revised application forms, the department says it has updated its immigrant and nonimmigrant visa forms to request the additional information, including "social media identifiers," from almost all U.S. applicants.

The change, which was proposed in March 2018, is expected to affect about 15 million foreigners who apply for visas to enter the United States each year.' https://www.cbsnews.com/news/state-department-now-requires-us-visa-applicants-to-share-social-media-accounts-2019-06-01/

'The newspaper collects information on you for years'

No, it doesn't - easily 99% of the obituaries in the newspaper are not from any information the newspaper has been collecting. That 'you' is a fascinating insight into a certain perspective that has been growing larger here over the recent years. And this is just hilarious - ' whether you like this or not.' The 'you' in this case being the deceased, of course.

'Many marketers, and not just on the internet, do things you do not control or even know about. '

And for citizens in the EU, the GDPR covers this as well. Being the legal owner of your data is an obvious first step in your controlling it.

The requirement for providing social media account information is no different than the requirement to provide any AKA aliases a person has ever used, and the history about where they have lived.

I would argue that providing the social media account name was already implied in the requirement to provide all aliases and should not be a new requirement but merely a clarification on the existing one.

Just show up at the southern border, claim asylum because your significant other beats you or gangbangers are in your neighborhood and you'll get entry to the US. No need to give out social media credentials and no visa required.

Thousands of people do it every month.

and then the TSA will apparently allow you to board a plane with
squirrely documentation
https://www.dailysignal.com/2014/08/25/illegal-immigrant-air-tsa-allows-illegal-immigrants-board-planes-without-ids/

Information is the single most valuable thing in an economy. With perfect information, central planning becomes a legitimate way of running the world. Without it, market pricing is much better. If I knew what the stock market is doing even 1 millisecond into the future, I could be the world's first trillionaire. Information is also the most important thing in politics/geopolitics. That is why we staff the federal bureaucracy with all kinds of information gathering like the State Department or the intelligence community. The work of diplomats, spies, and military officers would be made much easier if they knew what the other side is up to or if something changed. But also imagine the absolute terror if an evil government gets their hands on this tech (as Tyler mentions). This should tell you the considerable intrinsic value of information. Privacy is a way to keep that value for yourself. When every little bit of data you create is tracked and analyzed, you give away your leverage. You lose positive leverage when what you know could improve your situation but someone else steps in front. Or you gain negative leverage when the information could be used to blackmail you. I know there's a group of libertarians that are okay with blackmail but this isn't a settled debate. I think a good first step is to move towards default opt-in to allow maximum choice.

"With perfect information, central planning becomes a legitimate way of running the world." Not really, the problem of central planning it is not about "information" in terms that can be written down as data, is about the impossibility of the central planner being aware of all the relevant dimensions of the planning problem due to complexity.

That is, the knowedge of how to USE the data is equally important for the economy than the data itself.

I think the major issue in modern economics is actually the fact the gigantic issue of imperfect awareness has been obscured by the vastly less relevant issues of private information.

The current data privacy protection obsession seems to be largely an expression of the famous American "Paranoid Style". It's less an issue in other places where they don't have parallel obsessions with "Rights" and "Freedom". Since complete protection of personal data isn't a realistic option, the issue is how much data to exchange for how many benefits. (Governments, other organizations, and people in general are going to be snooping on you, like it or not). Everyone is free to make their own cost/benefit calculations. If you don't love America, leave.

I think you're not familiar with GDPR regulations in the EU27
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

The reason why Americans are ‘paranoid’ as you say is because their data is NOT respected at all. You only have to travel or live there for a few months to realise it.

Actually, the real American virtue is that if you love America, you keep pressing for change to make it better.

What if you can make it better by leaving and letting God and the market sort things out rather than staying and pressing?

Or, how about you can make it better by leaving and letting American citizens to sort things out rather than staying and pressing?

A functional democracy is like that - citizens are the ones who decide what the government does in the end, not god and the market.

_Exit, Voice, and Loyalty_

Tsai-2, how do you know that God is not using Clockwork_prior to work things out the way God wants?

Yes, often the best way to improve a country is simply for its embittered losers to voluntarily emigrate.

Before you go thinking that he's said something sincere, remember that in other posts, the troll likes to argue that corporations have a first amendment right not to be criticized by individuals.

'likes to argue that corporations have a first amendment right not to be criticized by individuals'

Why do you keep repeating this utter falsehood, even after multiple corrections?

All American citizens are free to criticize any company for any reason at all, up to calling for a boycott, as guaranteed by the 1st Amendment. How you can interpret that statement as saying a corporation has a 1st Amendment right not to be criticized by individuals is just another example of how unique the MR comment section can be.

Data breaches? The famous cases of Target and Home Depot which exposed the credit card info of clients. https://www.firmex.com/thedealroom/the-10-most-expensive-data-breaches-in-corporate-history/

When Target was hacked, nothing happened. If Amazon is hacked, what happens?

The lesson of this would be to not centralize valuable information in huge database as the cases of Google or Amazon. Keep information in independent and smaller databases. Even if it's not the more efficient, it distributes risk.

What's annoying are the breaches of companies that you have no direct relationship with. The Equifax hack was bad because your relationship is with the banks and yet an outside third party end up with your info. All centralized without your knowledge or consent. The latest breach is American Medical Collection Agency which handles debt payment for Quest Diagnostics and Lab Corp. Why one's medical record is sent to a debt agency is anybody's guess. Possibly illegal, and if it isn't, it should be. At least with Google and Facebook you deal with a known quantity.

Another angle I don't hear discussed much is your loss of legal protection when it comes to law enforcement. Things that used to require a warrant like getting cell phone location data needs no judicial checks and balances because it is now publicly available information to anyone that pays.

The largest issue with the Equifax breach is that the data is perfect for identity theft. It would be great people whose identity is stolen and suffer damages can trace the liability back to Equifax and sue them.

Sure, but it has nothing to do with the people whose information was stolen - why would they have standing? If some entity is duped into giving away money based solely on public information, the burden should be on it to pursue Equifax or whomever.

If Tyler wants to defend Facebook, Google or Amazon, fine. But this is straw-man: "This entire debate is overblown, and the major tech companies are much less of a threat to our actual privacy than is typically assumed."

Perhaps the major tech companies in SV care enough about data safety, but smaller tech companies are a mess and need to improve a lot, e.g. Equifax.

What's your take, Tyler, on pervasive aerial surveillance?

https://www.bloomberg.com/news/articles/2019-06-06/a-new-kind-of-surveillance-is-coming-to-u-s-skies-in-a-balloon

It is not only the privacy, but also how the big tech algorithms are trained to deplatform any voices who don't meet big-techs definition of social harmony. At this point you can ask yourself whether Google went to China to build or to learn from the Uyghur social surveillance system.

Absolutely. Tech giants are engaged in a deliberate program of political suppression.

Cowen favors economic growth, and with tech being one of the few sectors actually growing (it's growing because that's where the money is), he has to defend tech and social media. Worrying about why owners of capital choose not to invest in productive capital is a waste of time, with investors more than willing to put their money in tech and the advertising model that makes it profitable. Indeed, without tech, where would we be today.

I might point out that revenues from advertising have not grown as the result of the advent of digital advertising; instead, advertising has shifted from old media to new, moving revenues to tech that at one time went to old media (newspapers, magazines, etc.). I might also point out the many studies that have concluded that gossip is actually beneficial. Here's just one article, in The Atlantic, but Google "the benefits of gossip" and a legion of actual studies will pop up: https://www.theatlantic.com/magazine/archive/2018/07/gossip-is-good/561737/ As pointed out by another commenter, gossip, unlike stored digital data, has a short shelf life. And gossip can't be mined, unlike digital data.

My view about social media is about the same as my view about cocaine and heroin: if social media is so dangerous, why do so many people choose to use it? Okay, cocaine and heroin are illegal. Should social media be illegal? Would people use social media even if illegal? Cowen often points out the dangers of alcohol but he doesn't suggest that alcohol should be illegal. People make choices, and if they choose to let Google and Facebook store billions of bytes of data about their users, well, it's the users' choice to make.

the internet has encouraged people to move to major urban centers such as New York and San Francisco.

Really? People were encouraged to move to places like that long before the internet existed.

The biggest problem with personal information and storage is that the holder of the storage may change and its purposes be re-directed. It's almost impossible to imagine but the USA isn't guaranteed, even likely, to endure forever in its current form. Its replacement may not be as citizen-friendly. A case in point.

"Gossip is an age-old problem" - This is a statement given without any justification. I have actually come around to the opinion that gossip can actually be very beneficial in some instances. Gossip about someone doing something bad, in particular, can spread the information to others. When people who do bad things are allowed to keep it a secret, by claiming privacy or that gossip is bad, then it just allows the bad behavior to continue.

Of course every rumor is true.

not if the source of the rumor is cnn

Haha, clever! Because CNN is always lying....nailed it.

#MAGA2020

"This entire debate is overblown, and the major tech companies are much less of a threat to our actual privacy than is typically assumed."

This is complete bull shit and shows a complete lack of understanding the actual problem. Yes, the some of the, one cannot say minor, glitches that come up about storing passwords or sharing, and selling, or personal likes and daily activities.

The problem is that there is no accountability or liability for these companies. The old saying -- if you get a product for free, then it's not the product you are -- applies here. Companies and our legal treatment seem to view these data more like raw materials input to the business production line, if some gets lost or is corrupted (inaccurate) then that is only a cost to the company. That is far from true.

https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime lists some stats. It's clear that many of the uses of stolen information goes to activity that can have huge impact downstream -- the phones and credit cards and tax all impose some direct costs on a person. They can also expose them to other problem -- like criminal charges which might be difficult for some to defend against. They will also lead to lost opportunities -- don't get the loan, don't get the job (possible lose the job).

https://www.csid.com/2016/09/real-cost-identity-theft/ estimates the cost of identify theft at something over $15 billion. That's a lot of cost shifting - though to be sure not all of that is due to lack policy and implementation by tech companies. But they are the "bank where the money is kept" so will be the targets for the robbers.

"But is the internet in this regard boosting privacy? Absolutely. " seems to confuse intimacy and privacy.

Tyler hasn't thought enough about the issue to be affecting this pompously condescending contrarianism. Users are angry at Facebook because they feel lied to. The company advertised itself on the level of control that it offered over what information was shared with whom. It purported to allow users to set up different social (and professional) circles, to which one could disclose different types of personal or professional information, at appropriate levels of sensitivity. In practice, the company was putting all of its users' information up for sale to any number of grifters.

Tyler's old-man rant that it's just like the back fence thus suggests that he never really used the product much and hasn't learned enough about its history and practice. He could argue, I suppose, that users were naive for trusting what a corporation told them. That's kind of an awkward position, though, for someone who just wrote a book arguing that big business is really much nicer than you think it is.

Eroding privacy is inevitable and is harmless and non-violent. Information is more about interpret ion and usage rather than its ubiquitous availability. I foresee the extremely rich, with their massive wealth, in combination with technology devastating the middle and lower classes; this is a developing phenomona, just look around and see companies like Palantir. Extremely wealthy will employee 100s of data scientists, computer scientists, etc. to leverage technology to unfathomable levels. This will produce higher self productivity, information distortion, misinformation and other strategies to benefit themselves as people are self-motivated. My assumption is they will obfuscate the true purposes of the technological usage until it's too late; the rich get richer, the poor get poorer.

I heard Aaron Klein say it, but perhaps others have: Privacy shows an enormous gap between stated preferences and revealed preferences.

Another gentleman described to me how he assembled a database of millions of medical records: "You'd be surprised how much people will part with for a Starbucks gift card."

I've think people willingly give up information to tech companies and others, with four unstated conditions:

1 - The information will not be used to shame me. This is the 'no gossip' rule.

2 - You will protect my information. The Home Depot and Target breaches violated this.

3 - You will pay me for the information. The pay might be ridiculously low, but a Starbucks card has value. So does free use of an efficient search engine, and the ability to track friends and relatives via Facebook.

4 - You will tell me how you will use the information and not go further than that. This is probably Facebook's biggest failing. They told us, for example, they would not sell our information, but it turned out they bartered it away.

I think that organizations that follow these four rules are at must less risk of being called out for abusing privacy.

> Privacy shows an enormous gap between stated preferences and revealed preferences.

The answer to this puzzle is that the amount of privacy at stake at the margin, in each transaction, is basically zero. All the details of your private life are in some database or another anyway. Might as well get a free coffee.

Privacy is a property of the environment.

This is an incredibly naive thing to say. We are at the early stages of something that can easily get much, much more powerful.

Privacy, in the traditional sense of the word, does not inform this debate. The ultimate goal of such surveillance is to use it to gain advantage over the levers of human behavior.

We need to understand that the effects of this type of pervasive surveillance is largely hidden. In the wrong hands, it will certainly be possible to manipulate social and political behavior on an almost unlimited scale.

We've always tried to manipulate each other, but the increasing power of this stuff takes away all the prior natural limits.

^^^ Yep. Exactly right.

+1

This is not one of Tyler's better posts.

I think the attempt was the usual billionaire apologia as thinktanks like Mercatus are funded by the likes of Google [1]. Privacy/surveillance is a much bigger and more important debate than to be reduced to "Facebook is/isn't bad. "

[1] https://www.sourcewatch.org/index.php/Mercatus_Center#Google_Funds_Legal_Conference_While_Under_Investigation_.282014.29

Tyler I agree 100%, but the Progressive Ludderatti won't be denied.

The Ludderatti loved Facebook when they thought that investors had donated the billions it cost to build Facebook as a general public service. Now that it's just a business and people make money from it, they feel cheated. Worse yet, conservatives used it to their advantage in the last election, and Facebook *did nothing!* We can't allow businesses to be indifferent to causes that oppose Progressive Doctrine.

"Life in small towns and rural areas is another major threat to privacy – too often everybody knows everybody else’s business."

But today's internet is the apotheosis of McLuhan's "global village". Everybody knows everybody else's business.

Historically, villages were places that progress passed by, held back by the dead hand of tradition. But in the anonymity of the city, people could throw off their past selves and reinvent themselves.

So what happens when the "city" is no more, and everything is "village"?

This is an odd post. TC is so often talking about the "Straussian" interpretation of things, and yet here he is taking the claims of privacy advocates at face value. It is patently obvious that the online privacy debate is just a proxy for regulating large tech companies and social media platforms.

There is no debate about privacy. We all want more of it. The debate is about how much the government can saddle media platforms with regulation and censorship, and to the extent they cannot, how much "unofficial" influence they can exert.

As an aside, athough Richard Posner's essay on the economics of privacy pre-dates the Internet by a decade, it is still worth reading: https://www.jstor.org/stable/pdf/1815754.pdf?seq=1#page_scan_tab_contents

Privacy: is it only about what information leaves your house, or is it as much about how much of the world comes in? Recently a brave woman in our "exemplary" local school district launched a modest, quixotic campaign to request just one opt-out classroom at each grade level kinder through 5 for parents who'd rather their kids didn't spend all day, at school - and at home doing their homework - on internet-connected 1:1 iPads (which had originally been pitched, years ago, as a replacement for textbooks, but then the textbook licensing had been too expensive for that use after all...). [I doubt she'll be successful, because the parents comfortable with the status quo, probably the same ones who always had their earbuds in while taking baby for a walk in her stroller, will not like the judgment, and the doubt, that an option might occasion: all must be the same! Plus, in the neighborhood forum - oddly for an area with a pretty big tech sector - there seemed to be a good deal of naivete about what sort of education will lead to kids actually becoming proficient masters of, and creators of, technology, if that is the goal, rather than merely consumers, like that chimp we all saw in the viral video the other week. And - in a further striking demonstration of our second or third-tier tech status - little or no awareness of the "don't get high on your own supply" mentality current in Silicon Valley itself, the primo schools there now being just those that are tech-free, with the NY Times dutifully weighing in that the new digital gap between rich and poor kids is that the latter are forced to use iPads at school!)

Parents articulated a number of issues, from too much screen time turning kids into zombies to the work not being very rigorous, to the iPads being circularly used for both the schoolwork as well as the prize for schoolwork (finish your "work" quickly, and you can play computer games or look at youtube videos for the rest of class, rather than reading, or drawing, or daydreaming, or interacting with your classmates); to older-grade kids who were stressed by every teacher's using a different app, for managing their work, or by the way school consequently never stops - in the same way technology has blurred the demarcation between work and off-of-work time - so that they might find their teen in their google classroom digitally "turning in" their schoolwork at midnight. And of course, parents had endless stories about things their small child had seen on the iPad, either from reviewing their history, or because the children had been upset enough to tell them - pornography after 1st graders' search for "sexy girls," ISIS beheadings. A few mentioned "social media" incidents, which they understandably felt it should not be the school district's role to foment just because it's in thrall to Apple.

The district's reply, so far, was dismissive. They basically said, we can't filter the internet more successfully than we already are, it mutates too quickly (and I guess they have no clue how to turn it off for little kids, but then we're talking about the folks who go into school administration, after all). And I expect they will say it would be too difficult and expensive to offer an alternate curriculum - though they do manage to offer an opt-in class at each elementary for people who want their kids to learn while immersed in the language of the people who cut their grass and clean their houses.

The story about Facebook storing passwords in plaintext is completely misleading. What happened was that FB was logging requests, after filtering out sensitive information such as passwords. A small change how parameters were passed meant that the filter broke, so when a request to change a password was logged, it accidentally included the raw data. No one noticed this because password changes are relatively extremely rare with respect to all the requests being logged. It was noticed when the internal security team decided to create automated searches for sensitive information being accidentally logged.

But, "FB stores passwords in plaintext!" sure sounds a lot more interesting than "FB accidentally logged passwords and didn't notice it for months!"

Those two statements are not exclusive. Just because the company accidentally logged passwords in plaintext doesn't make them less liable. If Facebook can't manage it's code correctly leading to this kind of incident, then they should be held responsible.

Yes, it was a mistake, but my issue is with how it was reported. It would be the same as if you accidentally dropped your wallet on the bathroom floor at work and it was spun as "Chris keeps his wallet on the bathroom floor", prompting discussion of how stupid that is and how irresponsible you are.

BTW, after the problem was discovered, it was self-reported. Making them "held responsible" gives a strong incentive for not reporting it.

I understand your point but at what point does it move from honest mistake to criminal negligence? Facebook may have made an honest mistake in this instance but Equifax, for instance, ignored security for years and was hacked as a result. Are they criminally negligent?

Also, I understand your wallet analogy, but it would be more appropriate if i had borrowed your wallet and dropped it in a restroom. People entrusted Facebook with their information and they screwed up. They really have no excuse for not testing things before implementing them and monitoring constantly. A small percentage of users may have been affected but at the scale of Facebook, that equals hundreds of thousands of people.

It’s honestly kind of beating a dead horse with this specific case, but it serves as a useful example of security mishaps committed by countless companies. How do we incentivize companies to prevent these issues?

"how do you feel about obituaries? The newspaper collects information on you for years, and then suddenly one day they publish it all and then keep it on the web, whether you like this or not. They’ll even throw in snide remarks, sarcastic tone, or moral judgments about you, depending on the outlet of course."

Few of us will get an obituary, unless our kids write it and pay to have it printed.

Price really changes the nature of things. Nobody sees paying a person to chase someone all day, talk to the people they interact with and then and report it all as a big problem: It's legal, and we even let governments do it, but only because the price is high, so information is only captured of "interesting" people at interesting times.

But what happens when the price of snooping approaches zero, and the price of storage approaching zero: It's possible to preemptively snoop on everyone, and have perfect information available, anonymously. The price change makes the nature of the matter we are talking about very different.

We are in the same boat with nuclear proliferation: It's alarming, but OK, for a few nation states to be able to destroy the world if they wish to. As the price of planet-destroying tech comes down, things get scary. If anyone could destroy the world by paying $100, the world would be a radioactive wasteland already.

Tyler,

You bring up a good item of discussion that I think does get left out of this debate a lot of the time: What is the actual harm of tech companies disregard for privacy?

Actual harm I can think of off the top of my head:
1. Everyone has a permanent record kept of almost every interaction. Years after someone says something online it can be dredged up to be used against you, with or without context.

2. Facebook has acknowledged that their platform has played a role in the Rohingya genocide by allowing personal data to be collected and disseminated on a huge scale.

3. Facebook advertising has used its user profiles to illegally target job advertisements away from racial/age groups.

4. The Facebook advertising platform used very specific demographic data to target political ads/content to very specific groups, meaning that we really have no way of knowing what content individuals were shown and have no way of challenging its truthfulness or validity. Russia used this system to influence our election without authorities being able to see the scale of their effort. Hypothetically, it could easily be used to advertise a drug as curing cancer without the ad ever being shown to anyone that could challenge that statement, avoiding government oversight. We have no way of knowing if this has or hasn't happened.

5. Equifax style breaches are commonplace. The effect is that systems we used to use for personal security are almost useless, such as social security number, passwords, mother's maiden name, bank account numbers, etc. We've had to develop far more robust security systems as a result (biometrics, chip and pin credit cards) at a significant cost, and that has not stopped this information from being regularly used to steal people's identities.

6. Russia just announced that they are requesting sexual orientation data from social media companies so that they can prosecute homosexuals. While this is terrifying in itself, combine it with the ability of a company like Facebook to identify sexual orientation of users without them providing that information, based on inference. Add onto that the fact that Facebook manages a database of information on people who do not use their system, compiled from things said about them by others.

7. Multiple smart speakers/TV's have been shown to accidentally record audio and send it to central servers when the devices were not supposed to be listening and, I believe, in some cases when the devices weren't even turned on. There is no known negative use of this data that I know of, however it doesn't take much to see how it could be used for harm, and this is not a case of people exchanging privacy for convenience as the equipment was not working as advertised. I believe Google, Amazon and Samsung have all had this happen to some extent.

8. Amazon employees have been caught spying on owners of Amazon Ring door security systems. I know I've seen similar stories from other companies, including Facebook, where employees were able to access information considered and advertised as private for personal use. I know this also happened at Uber a few years ago where any employee could track anyone with the app at any time. This information was used to track significant others without their consent among other uses.

9. Multiple school districts have been caught spying on students through school provided laptop webcams without their knowledge or consent. This included underage students in their bedrooms. Some images of students in their homes were used to punish students for non-school related offenses.

It's one thing to say people exchanging personal data for services should know that the information could be used in ways they might not agree with, however, that really isn't acknowledging the full reality of the situation. Tech companies have databases of information that was advertised as private, inferred based on other information, or collected on people that are not users. Most of the time this information isn't used for harm, however, when your database contains personal information on millions or billions of people, one slip up in information security or one sale of information to an outside source can have a huge impact on millions of people.

Very cogent points from Tyler, except this one: "It strikes me as odd when the same people blame the internet for both loneliness and privacy destruction."

Not odd in the least. I may be the loneliest person in the world, with no family or friends whatsoever, and yet my most private data may be currency for both the tech giants and the dark web. The forces that destroy my privacy may or may not be adding to my loneliness -- but their use of my personal data isn't correlated at all to my social isolation. Two entirely different concerns.

It's not even hard to model both being true for the same reason: the internet encourages polarizes "public" and "private" communication; neither is good for making meaningful friendships, and the split erodes privacy too.

Comments for this post are closed