Over two days of testimony before Congress earlier this month, Facebook founder and CEO Mark Zuckerberg dodged a litany of questions from lawmakers about how the data of 87 million Americans ended up in the hands of voter profiling firm Cambridge Analytica.
The spectacle put a spotlight on the company’s murky data-collection and sharing practices, and sparked a much-needed discussion about if and how to hold companies accountable for their handling of user data.
However much deserved, Facebook has, so far, born the brunt of public scrutiny for what has unfortunately become standard practice for web platforms and services. As the Ranking Digital Rights 2018 Corporate Accountability Index—an annual ranking of the some of the world’s most powerful internet, mobile, and telecommunications companies that was released this week—shows, companies across the board lack transparency about what user data they collect and share, and tell us alarmingly little about their data-sharing agreements with advertisers or other third parties. (Disclosure: I work with RDR and worked on this report. RDR is a project of New America, which is a partner with Slate and Arizona State University in Future Tense.) The majority of the 12 internet and mobile companies we evaluated for this index also failed to give users clear choices about how their data is used, or options to control how they are being tracked and profiled, and why.
In practice, this means the intrusive data harvesting practices that led to the Cambridge Analytica scandal could be far more common, and more pervasive, than we know. This not only exposes the massive amounts of intimate information these companies collect on us to a bevy of privacy and security risks, but also likely sets us up for more attempts by bad actors to use our data against us—as we’ve seen with political ads aimed at spreading propaganda and fomenting division. That is, unless we’re able to hold companies accountable for these bad practices and pressure them to reform.
Not surprisingly, our analysis found that Facebook was less transparent than the five other U.S.-based internet and mobile platforms—Apple, Google, Microsoft, Oath (formerly Yahoo), and Twitter—about its handling of user data, such as what information it collects, shares, with whom, and why. The company also offered fewer disclosures than any other internet and mobile platform in the entire index, including two Chinese companies and two Russian companies, about options users have to control what’s collected about them and how that data is used. Over the past several weeks, Facebook has clarified some options users have to control their data, but these measures have not fundamentally changed the company’s existing policies.
Facebook’s poor showing on these questions is notable given the current controversy, but no company fared especially well on these issues. Because these companies are collecting such personal data on you—potentially who you’re messaging and when, your browsing and search history, your online purchases, your public profile information, among other details of your digital life—they should be transparent about what they’re collecting, how they’re share it with advertisers and third parties, and how it’s being used to serve you targeted ads. Ideally, companies should give users a clear choice to “opt in” to receive these targeted ads, rather than having the sometimes-creepy personalized content served by default. They should similarly give users options to control what personal data the company collects and how it’s allowed to be used and shared.
But our research shows that most internet and mobile companies we evaluated, including Facebook, only gave users the option to opt out of receiving interest-based ads, should they wish to do so and manage to navigate through often-labyrinthine settings pages to toggle them off. None clearly informed users if and when they were being automatically tracked and profiled. Nor did any appear to operate on the ideal “opt-in” model.
This problem goes beyond corporations recording what users do on their platforms. The companies we evaluated also proved especially evasive about clearly advising users if and how they track users across the internet, whether it be deploying cookies to follow and collect data on individuals across websites and devices, or casting similar data-collection nets via widgets or plug-ins, like social media buttons, or via other types of web-tracking tools embedded on other websites. For instance, Google Analytics, a tool that records website visits and feeds that information back into the company’s ad-targeting system, is embedded on a vast majority of the internet’s most-visited websites.
To platforms like Google and Facebook, these types of tracking tools and practices are worth big bucks. Combined, the pair, nicknamed “digital duopoly,” controls nearly 60 percent of total U.S. online ad investments—largely because the pair can sell more highly-targeted ads on systems that use the detailed individual behavior and preference profiles they’ve been able to amass (including on people who aren’t even registered on the platforms). But the companies’ lack of forthrightness about these practices means they’re making massive profits on tracking, recording, and sharing our information without meaningful consent.
But, once again, Facebook wasn’t the only internet or mobile company that lacked clear disclosure about whether and how they track users across the internet. Ten other internet and mobile systems that we evaluated in our ranking—including Google, Microsoft, and Twitter—either said little about these tracking policies or provided no information at all. Only Apple clearly stated that it does not track users on third-party websites.
Whether this is a moment of reckoning remains to be seen. What is certain is that that unless tech companies work to improve transparency and accountability about what they do with user data, public trust in these companies will continue to erode. But given that most major companies are at present are not telling people enough about their data collection and tracking practices, it’s likely that, in the meantime, we’ll see more of our personal data caught up in controversies like the Facebook–Cambridge Analytica fallout.