Fighting data-exploitative business models

What is the problem

Business models of lots of companies is based on data exploitation. Big Tech companies such Google, Amazon, Facebook; data brokers; online services; apps and many others collect, use and share huge amounts of data about us, frequently without our explicit consent of knowledge. Using implicit attributes of low-cost devices, their ‘free’ services or apps and other sources, they create unmatched tracking and targeting capabilities which are being used against us.

Why it is important

Companies are exploiting people’s data for power and profit. People are being reduced to data to be collected, processed, shared with advertisers, data brokers, political parties alike or just thrown into complex machine learning algorithms.

This model of doing business undermines our fundamental rights, freedoms, and dignity because this collection of data creates secret profiles used to influence us and make decisions about us.

We want to see a world where technologies work for us and where we are in full control of information about us, where big-tech and other private players are held to account and restrained from abuses.

What we did

Early on, we demanded Amazon and Google to be more transparent about their data practices in their privacy policies. We pushed search engine companies to limit the retention of our search data. We scrutinised privacy policies and practices. We pressured internet companies to allow people to actually delete their accounts — which, for instance, resulted in eBay creating this capability. We worked with company officials to pressure internally for better practices and to publish transparency reports.

Over the past 4 years, through technical analysis, targeted advocacy, legal work and public campaigns we have continued to directly engage with companies or reach to regulators for investigations and sanctions beyond the Big Tech players.

We constantly pressured companies to protect privacy, comply with data protection principles and law, and enable their users to assert control. We had to push companies to make clear their privacy commitments, change their data collection, processing and sharing practices. We targeted industry giants like Google, Amazon, Facebook, Microsoft; popular business and entertainment apps (including Dropbox, Spotify, Kayak, TripAdvisor etc.); menstruation apps (Maya, MIA, My Period Tracker, Ovulation Calculator, Period Tracker and Mi Calendario etc.), diet companies (BetterMe Meal Plan, Noom and VShred), mental health apps and websites (health site Doctissimo and new-Zealand national public health programme’s website), data brokers (including Experian, Quantcast, Criteo, Bounty etc.).

And, we succeeded.

What we achieved

Over the last 4 years our work brought significant results: We effectively challenged data-collection and sharing practices by various platforms, apps and service providers, to stop or improve security in relation to their data-related operations. As a result of our work 15 popular Android apps, 42 metal health services, 4 menstruation apps and 2 diet companies changed their data collection and/or sharing practices

Our work influenced regulators to open investigations or enforcement action into the leading data broker companies. Following our complaints the Irish Data Protection Commission launched an inquiry into the data practices of ad-tech company Quantcast; the French regulator CNIL launched an investigation into the data practices of ad-tech company Criteo and health website Doctissimo, and the UK Information Commissioner’s Office directed Experian to make fundamental changes to how it handles people’s personal data within its direct marketing services.

We brought more scrutiny and additional safeguards into Big Tech mergers. Following our work the CMA raised concerns about potential negative impact on users’ data resulting from Facebook’s acquisition of Giphy and made an order for Giphy to be divested. As a result of the campaign supported by many individuals and organisations PI was granted interested third person status by the European Commission in the Google/Fitbit merger review and submitted comments on the merger to the ACCC. These resulted in the ACCC rejecting Google’s commitment and the EC approving the merger with specific commitment echoing PI’s concerns.

We were able to influence tech giants to offer more control over their data to people. We actively advocated with Apple and Google to implement additional privacy controls, including the ability for users to block third-party tracking. We welcome important privacy changes made by Apple under the iOS 14.5 update and Google’s decision to extend the Privacy Sandbox to android apps and make “Weight loss” a sensitive Ad category that users can opt-out being targeted from.

We were able to contribute to strengthening data security for users of low-cost devices. Thus, as a result of our public campaign, direct engagement and pressure, Google mentioned that the JioPhone Next, a new low-cost phone launched with Reliance in India, will receive the latest Android operating system and security updates.

We are extremely proud that, as a result of our work, we have positively impacted (at least) every second person over 15 years old on the planet.

What we learned

It wasn't all smooth sailing. We learned some hard lessons: Large companies are complex - the left hand knows not what the right bottom left tentacle is doing. Staffing at companies change, but the fundamental direction is set by the founders and investors. This means that even when positive buy-in is possible in one part of the organisation, it won’t be long before that is undone by another side and when someone moves on. Big companies remain hard to reach to even harder to convince to operate any changes in their practices. Ultimately, despite all the occasional pro-privacy rhetoric, only the threat of regulation truly affects their conduct.

At the same time, any form of cooperation with industry must be done with great care. While cooperation may create new opportunities for change, if the lines are unclear in any way, the cooperation must not proceed.

At the over end of the spectrum, smaller companies or companies operating in the dark like adtech ones avoid dragging attention to escape regulation and scrutiny. Despite being less known or smaller, their practices can be as harmful as the ones of big tech, if not more. Technical analysis and in-depth research is often necessary to understand and expose the extend of harm of a single actor. And even when one company is put in the spotlight and suffering bad press, the rest of the ecosystem continues to thrive, simply hoping they won't be next.

In any case, our work demonstrated that qualitative technical research, coupled with clear demands and consequent advocacy can bring substantial, concrete change.

We are now able to build on these lessons to be more effective in challenging these exploitative companies.

What we are going to do next

Although, we have seen success when demanding stronger security and privacy measures for Big Tech companies, some of them continue to operate following their data-exploitative business models, pushing forward their agendas. For example, recent big merger initiatives such as Google acquiring FitBit demonstrates their will to expand their market dominance to new areas such as health.

PI continues to investigate companies’ data collection and sharing practices and advocate for greater security over their products and services. We will further develop our engagement with regulators and legal actions to ensure that our data are under our control, and no one can exploit them for their power and profit.

We will continue to challenge data brokers and ad tech industry players willing to know everything about us for deep segmentation and targeting; big-tech companies mergers and their tentative to extend their market dominance; will explore and challenge gig-economy platforms to ensure necessary protections of workers and content-creators.