Opening the Right Channels
Remember Tom from the previous chapter? After our failed experiment, Tom shifted gears and started to tackle the problem from a different angle. Instead of trying to educate people about the value of their personal data (and help them sell it for a fair price), he created an easy way for them to delete it.
But wait, isn’t that counterproductive to helping people benefit from their own data? Deleting a precious resource doesn’t create value. If anything, it seems to destroy it. Wrong. Deleting your personal data only puts you at a disadvantage if you are the only one holding a copy. Which couldn’t be further from the truth. In most instances, you don’t hold a copy of the data yourself. Yet, there are hundreds of entities trading your assets without your consent or knowledge (i.e., the companies collecting your data, or secondhand data brokers).
The fewer people who have access to your data, the more valuable it becomes. For example, you will have a hard time getting a fair price for your personal data when there are twenty other entities selling it for a bargain. Taking control over your data means limiting access to it.
Under some of the world’s more progressive data protection regulations—including the General Data Protection Regulation in Europe or the California Consumer Privacy Act—you have the right to request third parties to do just that: delete your personal data. This is a great idea—in principle.
When I started writing this chapter, I reached out to twenty of my friends in Europe and California to ask them whether they had ever requested their personal data to be deleted (and if yes, how often). Take an educated guess at how many of my friends had done so (note that there are more than one or two privacy scholars among them—and many of them have had to endure my ranting about data privacy for years now). The answer: zero. Not a single person had used their right to protect their personal data from being traded.
I don’t blame them. I haven’t either (even though I know very well that I should). It’s a classic example of what my friend Dan Ariely, the behavioral economist, calls the space rocket principle of behavior change. To be successful in following through with our intentions, we need two things.
The first one is thrust. People need to be motivated and eager to change. That’s what Tom and I had tried to do when we showed participants how intimate—and therefore valuable—their data really was. But as we learned the hard way, motivation alone wasn’t enough. People said they were concerned, but then went ahead and sold their data anyway.
That’s where the second factor comes in. To launch a rocket into space, you also need to reduce friction. Making smart decisions about your personal data needs to be seamless. You can’t expect people to (e)mail out hundreds of data-deletion requests and (ideally) follow up on every one of them to check for compliance. Limiting third-party access to our personal data needs to be easy.
In Tom’s new application, mePrism, which I’m involved in as a science adviser, “easy” means being able to delete your personal data from the servers of hundreds of data brokers with just a few clicks (and an automatic deletion request should the data resurface). A great start, and certainly a significant improvement over the current status quo.
But in an ideal world, easy would mean protecting your privacy without you having to do anything at all. It’s what scholars have termed privacy by design.
There are numerous ways to put the privacy-by-design principle into practice. I’ve selected two broad approaches that I believe are not only impactful and relatively easy to apply, but also able to dynamically adjust to the rapid changes in the digital landscape.
First, we need to design systems that use our evolutionary shortcomings to our advantage.
Second, we need to leverage technologies that eliminate the trade-off between privacy and self-determination versus convenience and service.
Turning your inertia into a superpower
In the United States, about twenty people die every day waiting for an organ transplant. Over a hundred thousand people are currently on the waiting list, desperately hoping to receive a donation to save their lives.
A comparison of organ donation registration rates across countries offers intriguing insights into how inertia can be turned from kryptonite into a superpower. Some countries, such as Germany or the United States, require people to register as donors. In the United States, this means filling in an online form for about five to ten minutes, heading to the department of motor vehicles, or mailing in a letter. Other countries, such as Austria or the United Kingdom, register all citizens by default. You can take your name off the registry anytime, but unless you actively unsubscribe, you are part of the club.
Which of these countries do you think have higher rates of organ donors? The countries where people have to register (opt in) or the countries where they get registered by default but can opt out? Yes, it’s the opt-out countries. You’re much more likely to stay registered than register yourself.
But now try to be a bit more specific with your guess. How big is the difference between the opt-in and opt-out countries? What percentage of the population actively decides to register to become an organ donor in the opt-in countries? 70 percent? 50 percent? 30 percent?
On average, the number is a rather disappointing 15 percent. Even though more than 90 percent support organ donations in national surveys, only fifteen in every one hundred people decide to take the necessary steps to become a potential organ donor themselves.1
Now what about the opt-out countries? What percentage of the population do you think decides to stay registered as an organ donor rather than requesting to leave the system? Typically, more than 95 percent! To me, this difference is mind-blowing. It’s literally the difference between life and death. Importantly, none of the countries force their citizens to be organ donors. At the end of the day, it’s their choice. All they do is change the default and reap the power of our inertia.
Just like the organ donation registries, privacy policies come with a default. And this default—surprise, surprise—typically favors self-disclosure. If you don’t want companies to collect all the personal data they can legally access, you have to take action and opt out. That’s like designing your privacy spaceship in the shape of an inverted umbrella. Even the most powerful engine will never get you off the ground with that much friction.
The most obvious solution to this problem is to change the default. Require people to opt in rather than opt out. This shift not only makes it easy for people to protect their privacy, but could also indirectly impact people’s motivation by increasing the perceived value of their data. How? Through another human kryptonite turned superpower: a well-established decision-making bias called the endowment effect.
The basic principle of the endowment effect is captured in the famous Aristotle quote: “For most things are differently valued by those who have them and by those who wish to get them: what belongs to us, and what we give away, always seems very precious to us.”2
In the context of privacy, the endowment effect causes people to value their privacy more when they already possess it and face the possibility of losing it, compared to when they lack it but have the opportunity to gain it.
In a clever experiment led by economist Alessandro Acquisti at Carnegie Mellon University, research assistants approached unwitting shoppers in a mall and asked them to participate in a short survey in return for a gift card.3 Here comes the experimental twist: those who agreed to complete the survey were randomly assigned one of two gift cards. The first gift card, worth $10, guaranteed full anonymity. The second, worth $12, was linked to participants’ personal information. They were then offered the option to switch their card for the other.
Among those who were originally assigned the less valuable but anonymous card, about half the individuals (52.1 percent) decided to keep their card rather than switching to the traceable, higher-value card. In contrast, only one in ten individuals (9.7 percent) who had originally received the higher-value card decided to switch to the anonymous, lower-value card. That’s a huge gap. When we have privacy, we are reluctant to relinquish it. But when we lack privacy, we might be willing to forgo it.
Changing the default for sharing personal data is an important step in the right direction (especially in the absence of better alternatives). But it’s not a silver bullet. There are at least two problems with how the principle is currently implemented.
First, most of us have little to no idea what we’re agreeing to when we check the “Yes I do” box. Often, the process of informed consent is more akin to the Las Vegas version of a wedding than anything else. You might not think through the consequences of your decision; it just seems like a great idea in the moment.
Maybe you said yes because you were really excited about a certain product but couldn’t use it without agreeing to the terms and conditions. Or maybe you simply didn’t want to lose any time digging deep into the fine print before accessing the service (think of the last time you accepted all cookies on a website just to get to the content you really wanted to see).
Similar to a typical Las Vegas wedding, we sign all the required paperwork for our decision to qualify as informed consent. But do we really know what we’re agreeing to?
Second, changing the default from opt out to opt in requires you to give up convenience and service for privacy and self-determination. For instance, without sharing your location data, you can’t use Google Maps to navigate from A to B. And without allowing Siri to listen, voice recognition becomes unavailable.
We should not have to contemplate the value of letting companies use our personal data in this way. In an ideal world, you shouldn’t be forced into this trade-off. Instead of an either-or choice, it should be a both-and offer. Privacy and service. This might sound like a great idea in theory and impossible in practice, but it isn’t.
The technological path to having it all
Back in the village, my neighbors had to observe my behavior to be helpful. And there was no way to prevent them from gaining access to the intricate details of my life if I wanted their support. And once they’d been helpful, I couldn’t just go back and ask them to forget what they knew. In any case, I doubt any of them would have shown much interest in that proposition. They enjoyed the gossip.
That requirement no longer holds true in the digital world. We now have technologies that allow your data to remain in its safe harbor while still generating the insights you are looking for. It’s as if your neighbor were lending you their brain and resources for a day to process all your problems, without storing any of the data itself (well, kind of).
Sounds like magic, right? It definitely felt like it when I first heard about it. It’s math magic called federated learning.4
The truth is, you don’t need to hand over all your data to a third party to get personalized recommendations and convenient services tailored to you. We all carry mini supercomputers in our pockets. Remember the historic Apollo 11 mission that landed the first man on the moon? Your iPhone today has over 100,000 times more processing power than the Apollo 11 computer. It has over 1 million times more memory, and over 7 million times more storage.
Federated learning taps into this computing power to run algorithms and generate insights locally. Take Netflix. Instead of sending your viewing data to a central server it owns, Netflix could send its recommendation model to your device (your laptop or smartphone, for example). The model would then update itself based on your data and recommend the best shows and movies for you. To make sure we all benefit from this learning, your device would send an encrypted version of the updated model back to Netflix.
The result? You benefit, Netflix benefits, and all the other users benefit. But your personal data never leaves its safe harbor. You don’t need to trust a third party (regardless of how trustworthy that party might be) to securely store your data and use it for only the purposes it was intended. Federated learning replaces the need to trust with a system that is inherently trustworthy.
This might sound like science fiction, but it’s not. Chances are you’re already benefiting from federated learning technology. Apple’s Siri, for example, is trained locally on your device. Using federated learning, Apple can send copies of its speech-recognition models to your iPhone or iPad, where it will process your audio data locally. This means that none of your voice recordings ever need to leave your phone, but Siri still gets better at understanding your needs. Because your phone sends back the updated model to Apple to integrate the new insights into its master model, you are helping to improve the experience of other users.
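To make the Netflix and Siri rounds described above concrete, here is an added example (not code from Netflix, Apple or this book): a small simulation of one federated learning setup in pure Python. Three devices each hold constructed private data, the server sends them the current model, each device trains locally and returns only a model delta, and the server averages the deltas. The "encrypted version" the text mentions is stood in for by additive pairwise masks that cancel in the sum (the idea behind secure aggregation); that choice, the seeds and the linear model are my assumptions, not a description of either company's protocol.

```python
import random

# Constructed sample data: three "devices", each holding a private dataset of
# (features, label) rows generated from the same hidden linear rule.
TRUE_WEIGHTS = [2.0, -1.0, 0.5]   # last entry acts as the bias term


def make_client_data(seed, n_rows):
    rng = random.Random(seed)
    rows = []
    for _ in range(n_rows):
        x = [rng.uniform(-1, 1), rng.uniform(-1, 1), 1.0]  # 1.0 = bias feature
        y = sum(a * b for a, b in zip(TRUE_WEIGHTS, x)) + rng.gauss(0, 0.05)
        rows.append((x, y))
    return rows


CLIENT_DATA = [make_client_data(s, 40) for s in (11, 22, 33)]


def predict(w, x):
    return sum(a * b for a, b in zip(w, x))


def mse(w, rows):
    return sum((predict(w, x) - y) ** 2 for x, y in rows) / len(rows)


def local_update(global_w, rows, lr=0.1, epochs=5):
    """A device trains on its own rows and returns only the model delta.
    The raw rows never leave this function (i.e. never leave the device)."""
    w = list(global_w)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in rows:
            err = predict(w, x) - y
            for k in range(len(w)):
                grad[k] += 2 * err * x[k] / len(rows)
        w = [wk - lr * gk for wk, gk in zip(w, grad)]
    return [a - b for a, b in zip(w, global_w)]


def pairwise_mask(client_id, n_clients, dim, pair_seeds):
    """Additive mask derived from seeds shared by each pair of devices
    (assumed to have been agreed beforehand). The lower-numbered device adds
    the pair's noise, the higher-numbered one subtracts it, so the masks of
    all devices sum to zero and the server can recover only the total."""
    mask = [0.0] * dim
    for other in range(n_clients):
        if other == client_id:
            continue
        seed = pair_seeds[(min(client_id, other), max(client_id, other))]
        noise = random.Random(seed)
        sign = 1.0 if client_id < other else -1.0
        for k in range(dim):
            mask[k] += sign * noise.uniform(-100, 100)
    return mask


def federated_round(global_w, client_data, pair_seeds):
    """One round: server ships global_w, devices reply with masked deltas,
    server averages. Returns the new weights and what the server saw."""
    n, dim = len(client_data), len(global_w)
    masked = []
    for i, rows in enumerate(client_data):
        delta = local_update(global_w, rows)
        mask = pairwise_mask(i, n, dim, pair_seeds)
        masked.append([d + m for d, m in zip(delta, mask)])
    total = [sum(col) for col in zip(*masked)]   # masks cancel here
    return [g + t / n for g, t in zip(global_w, total)], masked


def train(rounds=30):
    pair_seeds = {(i, j): 1000 * i + j for i in range(3) for j in range(i + 1, 3)}
    w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        w, _ = federated_round(w, CLIENT_DATA, pair_seeds)
    return w


if __name__ == "__main__":
    final_w = train()
    print("learned weights:", [round(v, 3) for v in final_w])
    print("device-0 MSE:", round(mse(final_w, CLIENT_DATA[0]), 4))
```

Each individual masked delta the server receives looks like large random noise, yet the averaged model still converges to the hidden rule; that is the "benefit without handing over the data" the text describes.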
Governments could mandate technologies like federated learning for companies that have reached a certain number of users or that handle sensitive data. But using such technologies might also be in the best interest of companies. Hoarding large amounts of personal data has become a growing security risk that can be incredibly costly. You don’t want to sit on a pile of gold if you know there are robbers lurking all around you waiting for their opportunity to steal it. You’d much rather keep it somewhere safe and use it to do your business without being saddled with the duty to protect it. The same is true for personal data.
Importantly, the shift to privacy by design could also significantly improve the products and services we use. This might seem counterintuitive. Less data should mean lower quality, shouldn’t it? It’s the classic argument you hear from tech companies. But privacy by design doesn’t mean no data. It means trading data in exchange for better service and products. Today, much of this exchange amounts to mere lip service. There is no incentive for companies to fulfill their promises once they’ve acquired your data, leaving you in a bad position at the bargaining table.
But if companies depended on their customers’ active consent to collect and use personal data, they would be compelled to deliver value in return. The formula is simple: no value, no data. Vague promises would no longer suffice. If you don’t perceive a benefit from sharing your personal data, you simply wouldn’t share it and would move on to another service that does a better job.
Take Instagram. The app’s recommendation algorithms promise to deliver the most relevant and engaging content by tapping into users’ personal data. That sounds helpful, but how can I be sure it’s actually true? Currently, I have to take Instagram’s word for it. There is no way for me to compare my personalized feed to a more generic version of the app or one that is based on only a subset of my data that I might feel comfortable sharing.
Once we shift the default to opt in, that changes. The generic version of the app would become my new baseline. For me to change the default, Instagram would need to show me how sharing my personal data gives me a much better experience. If it fails to do so, I could simply revoke data access and either go back to the generic version or move to a competitor that keeps its promises.
Privacy by design empowers us all to ask for more.
Closing the Wrong Channels
Considering the obvious benefits of personal data for the global economy, it’s hardly surprising that it is often compared to valuable resources such as oil or gold, an analogy that makes the collection and processing of such data an attractive endeavor. If you stumbled on an oil field or gold mine in your backyard, wouldn’t you start mining?
In a 2008 Guardian article, the journalist Cory Doctorow offered a different analogy, comparing personal data to nuclear waste. He wrote, “We should treat personal electronic data with the same care and respect as weapons-grade plutonium—it is dangerous, long-lasting and once it has leaked there’s no getting it back.”5 Doctorow is right. In the worst case, personal data—just like radioactive material—can be deadly. Literally.
On July 19, 2020, US District Judge Esther Salas and her husband Mark celebrated the twentieth birthday of their son Daniel in their home in New Jersey. The celebration turned into tragedy when a man, posing as a FedEx delivery man, entered their home and opened fire. Salas’s son Daniel died on the scene. Her husband, Mark, was critically wounded. The killer, former attorney Roy Den Hollander, had collected personal information about the judge online and assembled what Salas referred to as “a complete dossier on me and my family.”6
But Doctorow’s analogy goes beyond emphasizing the potential harm associated with the collection and use of personal data. While radioactive material can cause unparalleled destruction when weaponized, it also remains one of the cleanest, cheapest, and most reliable sources of energy. Plutonium doesn’t care what we do with it, just as personal data doesn’t care if it is used to hurt or help people. That decision is up to us.
With nuclear power, the world collectively agreed that the stakes are too high for these decisions to be made without strict regulations. Rather than allowing unrestricted use or banning it entirely, we decided to heavily regulate and control the acquisition, possession, and use of radioactive materials both nationally and internationally. You can’t just walk into Walmart and order a pound of plutonium or uranium.
We need to put similar safeguards in place when it comes to personal data and psychological targeting.
The tragedy of Judge Salas and her family led President Joe Biden to pass the Daniel Anderl Judicial Security and Privacy Act in December 2022.7 The legislation states that “it shall be unlawful for a data broker to knowingly sell, license, trade for consideration, or purchase covered information of an at-risk individual or immediate family.” Seeing policy makers acknowledge the potential dangers of personal data makes me optimistic about the future. It’s a first step in rewriting the data narrative.
At the same time, however, the new act raises an important question: If we believe it is necessary to protect judges from the potential harm caused by personal data, why doesn’t the same principle apply to the rest of us? We might not all be potential targets of hate crimes, but we are all vulnerable to the dangers posed by personal data.
How do we create a system with collective guardrails that—like those introduced in response to the discovery of nuclear power—turn the use of personal data into a force for good rather than bad?
First, we need to impose a cost on the collection and use of personal data, and we need to prevent any one entity from collecting too much radioactive material to (un)intentionally elevate their arsenal to weapons grade.
Companies should face trade-offs, too
While navigating the digital landscape means weighing the costs and benefits of sharing personal data for users, the scenario is different for companies. There’s a lot of upside to collecting personal data. It can be used to better understand customers’ needs, create better products, or sell for profit to third parties. The incentives are clear: data is a resource that holds enormous economic value.
Yet, there’s very little downside for the companies themselves. Back in the village, there was an implicit cost associated with collecting intel on your neighbors. I had to buy my friend a beer to hear the latest gossip. Or I had to make the exchange reciprocal: if my friend shared some gossip, I’d share mine. With the shift to anonymous online exchanges, this is no longer the case. Setting up data dragnets is easy. Storage is cheap.
With a lot of upside and virtually no downside (other than the typically neglected security risks), why wouldn’t companies collect our personal data? From a purely economic perspective, it seems foolish not to. It’s like ignoring a pile of cash sitting in front of you and saying, “No thanks.”
We need to change the immediate incentive structure for companies in a way that introduces trade-offs. Companies should pay a price for collecting personal data, just like you and I pay a price for sharing it.
One potential approach is to tax companies for the collection of personal data, forcing them to reconsider whether they truly need it. Let’s take data brokers, for example. These are companies that benefit from your personal data without giving you anything in return—the type that is targeted by the Daniel Anderl Judicial Security and Privacy Act. They collect as much of your personal data as possible and sell it at a profit to other companies. They’re like the old lady in the village who becomes the go-to hub for gossip. She has no interest in using rumors to your advantage or disadvantage. But she enables those who do. The same is true for data brokers. They might not interfere with your life directly. But they are all too happy to support others in doing so.
Imagine a small tax of 2 percent on this industry, which generated about $250 billion—equivalent to the revenue of all US airlines or the GDP of Bangladesh. Imposing a cost on data brokers would not only create a financial disincentive but also generate an additional $5 billion in taxpayer revenue overnight. This money could be used to lower taxes elsewhere or dedicated to the development of privacy-preserving technologies.
Prevent players from collecting all the pieces in our data puzzle
I showed you how different types of digital footprints can be used to make predictions about your most intimate traits. Each of these traces provides a part of the puzzle.
Your Facebook likes offer insights into how you want to present yourself to others. Your Google searches provide a glimpse into the burning questions that are currently on your mind. And your location data helps me better understand your daily routines. Like a puzzle piece, each data point captures part of you but is incomplete on its own.
The more data points companies can access and combine, the clearer the picture of who you are and what you want becomes. This is what Roger McNamee, an early investor in Facebook (and now avid critic of the company), refers to as “McNamee’s seventh law”: datasets become geometrically more valuable when you combine them.8
Just as the danger of radioactive material increases with mass, so does the danger of personal data. While having a random weather app access my GPS records is concerning, it pales in comparison to big tech companies having access to almost all parts of my data puzzle.
Just think about how many different aspects of your life Google products touch on. There’s YouTube, Gmail, Google search, Maps, Chrome, Drive, Calendar, Fit, Play, and so on. Since Google seemingly has a product for every single letter in the alphabet, it’s collecting most of our puzzle pieces. And whatever data it doesn’t collect itself, it buys.
But what makes the tech giants so dangerous isn’t just the amount and granularity of data they hoard but their reach. As the saying goes: “You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” If Google tried, it could fool (almost) all the people all the time. That’s a dangerous gamble.
How do we prevent any one player from collecting all your digital puzzle pieces? The most obvious starting point is to break up the tech giants into separate corporations that are not allowed to share the same user base, data, or resources (e.g., Gmail, Maps, DoubleClick, and YouTube). This could be achieved with the help of antitrust laws.
I’m not the first to suggest this radical step. Over the last decade, the digital economy has turned into a winner-takes-all arena, with a small number of companies controlling large parts of the market. They control the attention of customers, recruit the brightest talent, and have an enormous influence on lawmakers in Washington. It doesn’t take much imagination to see how the mere size, power, and mostly unregulated conduct of the tech giants—Facebook, Alphabet, Amazon, Apple, and Microsoft—makes them top contenders for antitrust regulation.
Although antitrust laws are designed to create and maintain healthy competition, they could also help address privacy concerns they weren’t originally designed for. Breaking up the tech conglomerates would not only prevent companies from obtaining access to the full puzzle of your psychology but also reduce the risks associated with data breaches. Right now, a hack of the Google databases might expose not just your emails, but also your searches, your YouTube playlists, and your location data.
Think of it as a central safe in which you store your entire life savings. Even with state-of-the-art protection, there’s always a risk that someone could crack it open. Now imagine you had multiple safes, with multiple passwords in multiple locations, all independent of one another. If a thief managed to access one, their haul would be limited to whatever is stored in that particular safe at that particular time.
The main argument against breaking up the tech monopolies is that it would stifle innovation and destroy the value these companies create for their users, shareholders, and the tech ecosystem at large. It is hard to discern whether this concern is genuine or just a convenient excuse for those who benefit from maintaining the current status quo. As the saying goes: “Prediction is very difficult, especially if it’s about the future.” We can’t foresee the future, but we can learn from the past.
In 1982, the government decided to break up Bell Systems. In 1984, AT&T followed. Both times, those opposed to the breakup raised similar concerns to what you hear today in the context of the tech giants. Yet, both times, the decision to invoke antitrust laws created winners all around. It benefited consumers and the broader economy by accelerating innovation and creating a thriving, expanded ecosystem (now Silicon Valley). At the same time, it also generated enormous value for the shareholders of Bell Systems and AT&T.
We can’t be certain that the same outcomes would apply to today’s tech giants, of course. But as leading voices in the call for antitrust regulation—like Scott Galloway or Tim Wu—have convincingly argued, it very well might. Amazon Web Services, for example, could become one of the biggest success stories in history if broken off from the retail business of Amazon, and Instagram is likely to continue to yield high revenue even if it were no longer part of Meta.