Listen to the article (AI powered narration)

Published on October 23, 2024

In order to foster innovation and win the proverbial AI arms race, American regulators are often reluctant to regulate Big Tech. However, legislation is definitely needed, as social media companies, video streaming services, and search giants have taken their data surveillance practices too far.

Big Tech’s data surveillance is relentless and intrusive. As an example, security researchers from CyberNews recently issued a scathing report on Android devices’ data collection practices. Using a man-in-the-middle approach, the researchers intercepted traffic between a new Android phone and Google servers. Researchers found that, even with GPS services disabled on the device, location data and a host of personally identifiable information (PII) were being transmitted to Google servers roughly four times every hour.

Researcher Aras Nazarovas explains, “Every fifteen minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks.”

Thus, unbeknownst to many owners of these devices, users are constantly sharing their PII with Google, while also potentially putting their sensitive data in harm’s way. That said, data surveillance overreach is not merely a Google issue.

FTC describes Big Tech self-regulation as a “failure” and calls for Congress to act

According to a recent FTC staff report, social media, search, and streaming companies’ data minimization, collection, and retention practices are “woefully inadequate.”

This report is the culmination of four years of investigating the data collection and retention practices of nine different social media and video streaming services (SMVSSs): Amazon’s Twitch; Meta’s Facebook and WhatsApp; Google’s YouTube; ByteDance’s TikTok; X, Snap, Discord, and Reddit. After four years, the FTC came to the conclusion that Congress should pass federal data privacy legislation.

Additionally, FTC researchers found that these SMVSSs frequently neglected to delete user data when requested to do so; they also fed user data into AI training models without informing the users, and often used “privacy-intrusive” pixel tags to send sensitive information to advertising services.

In addition to encouraging Congress to get a federal data privacy law on the books, the FTC staff report issued other, admittedly vague, recommendations. Although one of the report’s authors likened the recommendations to “bureaucratic bullying,” some of the recommendations are nevertheless as follows: (1.) SMVSSs should practice data minimization and only collect as much user data as necessary to provide their services. (Of course, in the European Union, this is already mandated by Article 5(1)(c) of GDPR.) In a similar vein, SMVSSs should only retain user data for the absolute minimum amount of time.

(2.) Users should be informed when companies use their personal data to train AI models, and users should be able to opt out of such training. (3.) New policies need to be put in place to protect children. And (4.) in order to keep sensitive PII from reaching advertisers, companies should use caution when using tracking pixels.

Two FTC commissioners issued dissenting opinions

Although all five FTC commissioners signed off on the report, the two Republicans—Andrew Ferguson and Melissa Holyoak—issued separate concurring and dissenting statements.

In several respects, Ferguson makes a persuasive argument. Ferguson acknowledges that we’re in an “online privacy crisis”; however, he takes umbrage with the report’s sections on AI and targeted advertising. Ferguson believes there is a “protocompetitive justification” for targeted advertisements, as such ads help smaller companies efficiently reach customers at a lower cost, which helps them compete with their larger competitors.

Ferguson doesn’t understand how targeted ads function as a form of “unlawful discrimination,” “reputation harm,” or “invasion of privacy.” He concedes that regulation is needed, but he believes it should come earlier in the supply chain.

Ferguson writes, “The correct regulatory focus is one step earlier in the supply chain—the largely unregulated collection, aggregation, sale, and retention of consumers’ data that makes the targeted advertising possible.” Reading between the lines, such a focus would put the data brokerage industry in regulatory crosshairs. And rightfully so.

Also, I very much appreciate Ferguson’s take on SMVSSs’ shadowy privacy policies. On that front, he writes, “To be sure, most firms technically disclose their data practices to consumers through privacy policies. But every American knows that these policies are long, vague, and unhelpful—probably intentionally so.” I think we all can agree that intentionally vague privacy policies need to become a thing of the past.

In his dissenting statement, Ferguson concludes, “I do not share the report’s apparent view that the display of targeted advertising to adults is, on balance, harmful. (Targeted advertising to children and teenagers is another matter entirely.)”

Thus, despite the lack of productivity on Capitol Hill, there’s a demographic that may finally get lawmakers and regulators to act on the data surveillance front—children and teenagers.

The surveillance of children’s data may provoke lawmakers to act

Like her FTC colleagues, commissioner Melissa Holyoak is particularly worried about SMVSSs’ collection, usage, and retention of children’s data.

Throughout her statement, Holyoak laments that most companies don’t implement safeguards around the sharing of data collected from children. In fact, SMVSSs frequently neglect to differentiate between adults and children in the first place. Teens can often create accounts without restrictions, and many companies collect teens’ data in the same ways in which they collect adults’ data.

Even when companies are formally asked to delete children’s data, they decide to de-identify the data and retain it. This is a problematic practice, as this de-identified data risks re-identification.

Of course, such concerns around targeted advertising and the collection of children’s data aren’t limited to FTC commissioners. For example, Texas Attorney General Ken Paxton recently filed a lawsuit against TikTok, arguing that the ByteDance company is in violation of Texas’ SCOPE Act because TikTok allegedly collects and shares minors’ PII without obtaining parental permission.

Further complicating all of these matters is the fact that SMVSSs’ age verification processes are easily circumvented. Again, possibly by design.

There are steps consumers can take to stifle Big Tech surveillance

Rather than wait for slow-moving legislative wheels to turn, technologically-literate consumers can throw a wrench in Big Tech’s surveillance ecosystem themselves. Although it can be a time-consuming process, opting-out of data brokers’ data collection is definitely worth doing.

Additionally, given that some apps on our smartphones are likely listening to our conversations, it is worth changing the settings to block this. On an iPhone, you can go to Settings > Privacy & Security > Microphone, and then disable microphone access for any applications that you believe are actively listening. For what it’s worth, Meta, Google, and Amazon deny listening to our conversations via smart phone apps.

That said, many applications actively listen; for example, ChatGPT’s application recently used to do so, although OpenAI says it has subsequently changed its settings. Of course, our phones also listen via Siri (iPhone) and Google Assistant (Android), so if you’d like, you could disable those services as well.

Additionally, there are privacy-centric browsers (e.g., Brave, Ulaa) and browser extensions (e.g., Privacy Badger) that block pixel tags. Also, there are business email tools (e.g., Zoho Mail) that automatically disable external image loading in emails, which prevents pixel tracking.

Key Takeaways

The FTC staff report is not going to have an impact until after the presidential election; moreover, it remains to be seen whether FTC Chair Lina Khan will still be in charge regardless of which party wins.

Given the dysfunction on Capitol Hill, privacy legislation seems unlikely; thus, if you’re worried about Big Tech data surveillance, you can take matters into your own hands by disabling microphone access to applications, using privacy-centric browsers, and opting out of data brokers’ collection activities.

John Donegan

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.

 Learn more about John Donegan
x