Are tech giants really damned if they do and damned if they don’t (protect our privacy)?
That’s a damned good question that’s been occasioned by Google’s announcement that they’re killing the invasive, tracking third-party cookie (yay!) and replacing it with FLoC, an alternative tracking scheme that will make it harder for everyone except Google to track you (uh, yay?) (You can find out if Google is FLoCing with you with our Am I FLoCed tool).
Google’s move to kill the third-party cookie has been greeted with both cheers and derision. On the one hand, some people are happy to see the death of one of the internet’s most invasive technologies. We’re glad to see it go, too - but we’re pretty upset to see that it’s going to be replaced with a highly invasive alternative tracking technology (bad enough) that can eliminate the majority of Google’s competitors in the data-acquisition and ad-targeting sectors in a single stroke (worse).
It’s no wonder that so many people have concluded that privacy and antitrust are on a collision course. Google says nuking the third-party cookie will help our privacy, specifically because it will remove so many of its (often more unethical) ad-tech competitors from the web.
But privacy and competition are not in conflict. As EFF’s recent white paper demonstrated, we can have Privacy Without Monopoly. In fact, we can’t settle for anything less.
FLoC is quite a power-move for Google. Faced with growing concerns about privacy, the company proposes to solve them by making itself the protector of our privacy, walling us off from third-party tracking except when Google does it. All the advertisers that rely on non-Google ad-targeting will have to move to Google, and pay for their services, using a marketplace that they’ve rigged in their favor. To give credit where it is due, the move does mean that some bad actors in the digital ad space may be thwarted. But it’s a very cramped view of how online privacy should work. Google’s version of protecting our privacy is appointing itself the gatekeeper who decides when we’re spied on while skimming from advertisers with nowhere else to go. Compare that with Apple, which just shifted the default to “no” for all online surveillance by apps, period (go, Apple!).
And while here we think Apple is better than Google, that’s not how any of this should work. The truth is, despite occasional counter-examples, the tech giants can’t be relied on to step up to provide real privacy for users when it conflicts with their business models. The baseline for privacy should be a matter of law and basic human rights, not just a matter of a corporate whim. America is long, long overdue for a federal privacy law with a private right of action. Users must be empowered to enforce privacy accountability, instead of relying on the largesse of the giants or on overstretched civil servants.
Just because FLoC is billed as pro-privacy and also criticized as anti-competitive, it doesn’t mean that privacy and competition aren’t compatible. To understand how that can be, first remember the reason to support competition: not for its own sake, but for what it can deliver to internet users. The benefit of well-thought-through competition is more control over our digital lives and better (not just more) choices.
Competition on its own is meaningless or even harmful: who wants companies to compete to see which one can trick or coerce you into surrendering your fundamental human rights, in the most grotesque and humiliating ways at the least benefit to you? To make competition work for users, start with Competitive Compatibility and interoperability - the ability to connect new services to existing ones, with or without permission from their operators, so long as you’re helping users exercise more choice over their online lives. A competitive internet - one dominated by interoperable services - would be one where you didn’t have to choose between your social relationships and your privacy. When all your friends are on Facebook, hanging out with them online means subjecting yourself to Facebook’s totalizing, creepy, harmful surveillance.
But if Facebook was forced to be interoperable, then rival services that didn’t spy on you could enter the market, and you could use those services to talk to your friends who were still on Facebook (for reasons beyond your understanding). This done poorly could be worse for privacy, but done well, it does not have to be. Interoperability is key to smashing monopoly power, and interoperability's benefits depend on strong laws protecting privacy.
With or without interoperability, we need a strong privacy law. Tech companies unilaterally deciding what user privacy means is dangerous, even when they come up with a good answer (Apple) but especially not when their answer comes packaged in a nakedly anticompetitive power-grab (Google). Of course, it doesn’t help that some of the world’s largest, most powerful corporations depend on this unilateral power, and use some of their tremendous profits to fight every attempt to create a strong national privacy law that empowers users to hold them accountable.
Competition and privacy reinforce each other in technical ways, too: lack of competition is the reason online tracking technologies all feed the same two companies’ data warehouses. These companies dominate logins, search, social media and the other areas that the people who build and maintain our digital tools need to succeed. A diverse and competitive online world is one with substantial technical hurdles to building the kinds of personal dossiers on users that today’s ad-tech companies depend on for their profitability.
The only sense in which “pro-privacy” and “competition” are in tension is the twisted sense implied by FLoC, where “pro-privacy” means “only one company gets to track you and present who you are to others.”
Of course that’s incompatible with competition.
(What’s more, FLoC won’t even deliver that meaningless assurance. As we note in our original post, FLoC also creates real opportunities for fingerprinting and other forms of re-identification. FLoC is anti-competitive and anti-privacy.)
Real privacy—less data-collection, less data-retention and less data-processing, with explicit consent when those activities take place—is perfectly compatible with competition. It's one of the main reasons to want antitrust enforcement.
All of this is much easier to understand if you think about the issues from the perspective of users, not corporations. You can be pro-Apple (when Apple is laying waste to Facebook’s ability to collect our data) and anti-Apple (when Apple is skimming a destructive ransom from software vendors like Hey). This is only a contradiction if you think of it from Apple’s point of view - but if you think of it from the users’ point of view, there's no contradiction at all.
We want competition because we want users to be in control of their digital lives - to have digital self-determination and choices that support that self-determination. Right now, that means that we need a strong privacy law and a competitive landscape that gives breathing space to better options than Google’s “track everything but in a slightly different way” FLoC.
As always, when companies have their users’ backs, EFF has the companies’ backs. And as always, the reason we get their backs is because we care about users, not companies.
We fight for the users.