Finding harm
"Where's the harm?" has long been a hugely difficult question to answer in privacy matters. Many answers sound vague and conspiracist. Knowing they're being watched causes people to censor themselves. It chills free speech. It isn't enough to say it's creepy?
Last week, in a US court case based on a complaint brought in 2012 in San Jose, California, US district judge Edward J. Davila ruled in favor of Facebook, though he left some claims open for the plaintiffs to amend and resubmit. The complaint raised two main points. First, that by tracking them online when they weren't logged into the site, Facebook violated the US's wiretap laws. Second, that in doing so Facebook improperly profited from the collection and use of their information. Davila ruled that the plaintiffs had not made the case that they had lost the chance to sell the information themselves or that its value had dropped because Facebook had collected it. Further, they had failed to show that Facebook had illegally intercepted their communications, and anyway they could have taken steps to protect themselves. In the judgment, Davila writes:
"Plaintiffs have not established that they have a reasonable expectation of privacy in the URLs of the pages they visit," Davila wrote. "Plaintiffs could have taken steps to keep their browsing histories private. For instance, as Facebook explained in its privacy policy, "[y]ou can remove or block cookies using the settings in your browser." MTD 6. Similarly, users can "take simple steps to block data transmissions from their browsers to third parties," such as "using their browsers in 'incognito' mode" or "install[ing] plugin browser enhancements."
I am not a lawyer, and can't test these arguments' legal soundness. But the case seems to violate common sense in a number of ways.
For one thing, it sounds like the judge, based in San Jose, has bought the oh-so-Silicon-Valley idea that consumers can take care of themselves. They can - but there are limits. For every person who regards installing a browser plugin as routine, there are many more who haven't a clue where to start. Putting the burden on them to figure out privacy settings, read terms and conditions, and so on is effectively setting industry norms at opt-out. The reality is that the rampant data-collection business models of social media companies are directly opposed to what many consumers would choose if they had more effective choices.
What's more disturbing is the presumption that they should have known to do this. The judge appears to believe the expectation of privacy - in your own home in front of your own computer - needs to be established. How many of us think of visiting a website as a public act to be captured by anyone who's interested? Since Edward Snowden's 2013 revelations, the internet as giant surveillance platform has certainly received greater publicity, but that still doesn't make it right (and certainly not in 2012). One hopes the EU would view this case differently.
Even more disturbing is the spread of this "new normal" to institutions that really ought to know better. On July 1, the BBC - which at one point seemed like the opposition to commercial media - began requiring individual logins in order to view or listen to content on its site. Previously, anyone geolocated in the British Isles was simply asked to verify that they had a TV license. Now, it appears that the BBC has jumped on the data collection and personalization bandwagon. You can lie, of course, about your name, your date of birth, your gender, and your postcode - but anyone who has broadband will see their IP address feed through, and they do ask you to confirm your email address (which I suppose you could set to one you use for nothing else). But the whole thing is still wholly unfair: anyone who has a TV license is already paying for the BBC, including the streaming services. Where do they come off demanding that in addition I pay them with my data and offering no opt-out alternative?
Returning to the judge, however, his basic contention is that the plaintiffs failed to show the harm, which he defined in purely economic terms. It's just that pure economics are utterly irrelevant: Facebook's business is exploiting haystacks; it doesn't sell individual needles on the open market.
So what is the harm? Whom does it hurt if Facebook tracks people around the web who believe they are safely logged out of its service? What damage is caused by the discovery that companies can collect the information you enter in web forms whether or not you ever submit it? (Facebook has been doing the same thing for some years now.)
The harm, to answer the judge, lies in a general sense of unfairness: these systems work because they rely on defying users' mental models of how the world works. There's only so many times you can do this before users learn to distrust everything they see. Society-wide distrust seems plenty harmful to me.
Illustrations: Facebook (Simon Steinberger); Judge Edward J. Davila.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.