Stacked Against Users: How Regulators Failed and Google Turned The Internet Into a Surveillance Machine

By Caitriona Fitzgerald, EPIC Policy Director

Next Tuesday, that Senate Judiciary Committee is holding a hearing on “Stacking the Tech: Has Google harmed competition in online advertising?” The obvious answer to that question is yes. But Congress holds some of the blame for it.

Today’s digital advertising techniques differ greatly from traditional advertising models. In the analog world, consumers could readily identify the placement of an ad, its source, and its purpose. There was little need for advertisers to gather personal data from users. Perhaps most critically, advertising supported editorial content and made possible the publication of daily news. Traditional advertising sustained a healthy ecosystem that financed the production of news without government subsidy. Much of that has changed.

There are many problems with today’s online advertising systems — the profiling and tracking of Internet users, the increasing concentration of power in the hands of a few companies (e.g. Google and Facebook), the loss of support for editorial content, the use of discriminatory practices and redlining, the design of systems to unfairly promote the advertiser’s products over competitors’, and the misuse of ads to undermine democratic institutions. All of these issues require careful examination by Congress. The threats to innovation, competition, civil rights, and democracy are real.

But it didn’t have to be this way. More active regulation by the government could have sustained online advertising models that were good for advertisers and businesses and for consumers, journalism, and democracy.

In the early days of the commercial Internet, EPIC favored the development of new digital advertising techniques and explained that online advertising could both safeguard privacy and promote new forms of revenue. EPIC expressed support for the digital advertising firm DoubleClick when it first announced that it would develop an advertising model that did not require the collection of personal information. Among the first privacy policies on the Internet were those developed by websites that partnered with DoubleClick. They assured users that no personal data would be collected. As DoubleClick explained in 1997:

DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick’s technology remain completely anonymous. Since we do not have any information concerning names or addresses, we do not sell or rent any such information to third parties. Because of our efforts to keep users anonymous, the information DoubleClick has is useful only across the DoubleClick Network, and only in the context of ad selection.

But then, in 1999, DoubleClick proposed a merger with Abacus, a large customer database firm that collected detailed information of Internet users’ offline purchases. EPIC immediately objected and launched a national campaign to block the Abacus-DoubleClick merger. We filed one of the first privacy complaints with the Federal Trade Commission (“FTC”). Many agreed that the proposed merger was unlawful and deceptive, and the case also provided one of the first opportunities for the FTC to address new challenges to consumer privacy.

Eventually, DoubleClick backed off the deal, stating that it had made a “mistake by planning to merge names with anonymous user activity across Web sites in the absence of government and industry privacy standards.” But the message was clear: Internet advertisers, even those who began with good business models, would seek to expand their reach and build their profiles of Internet users.

When Google later proposed acquiring DoubleClick, EPIC went to the FTC with an extensive complaint and warned that this acquisition would accelerate Google’s dominance of the online advertising industry, diminish competition, and fundamentally threaten the privacy of Internet users. At the time, EPIC said, “Google’s proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world.” On December 21, 2007, the FTC approved the proposed merger without conditions in a 4–1 opinion, saying that the proposed acquisition was “[u]nlikely to lessen competition.”

The FTC was wrong. Much of what we predicted happened. Google broke many of the agreements to protect privacy that DoubleClick had established.

In 2009, Google took a dramatic step with online advertising that has diminished journalism and contributed to the growth of fake news. Google moved from contextual advertising to behavioral advertising, a change which its founders knew could bring great damage to the Internet. And it has.

In simple terms, contextual advertising is the advertising that is placed based on the content that surrounds it — in the newspaper or magazine or the TV show. It is the ad aimed at the audience of a radio show or podcast. It is the ad on a website that aims to catch the attention of that site’s visitors. It is targeted based on context and content, not based on personal data collected from individual users. These ads fairly target users based on their interest in a particular content source: a magazine, TV show, or website. Contextual advertising allows the advertiser to reach the customer without a deep intrusion into the customer’s private life — and it is effective. The original DoubleClick model relied on contextual advertising to provide revenue to support websites. It was a successful model.

The behavioral model is entirely different. It targets the consumer directly. It relies on expansive data collection in order to build deep profiles on Internet users. It has led Google, Facebook, and other companies to turn the Internet into a surveillance machine, and to seek to expand that data collection into the physical world as well. It provides no benefit to content providers, such as news organizations; in fact, the behavioral models attack the revenue model that has sustained news organizations in the United States since the early days.

Not only does behavioral advertising rely on the personal data of the individual consumers, it also follows a series of rules that target some people — and exclude others — based on factors from zip code and age to race, religion, and nationality. Online platforms use algorithms to target ads with a level of granularity that has not been possible before. This is especially harmful in the political advertising arena. Campaigns and PACs are able to target users with such precision that they can sow discord and undermine our democracy. During the 2016 election, Russian operatives bought ads from Facebook targeted at “professed gun lovers, fans of Martin Luther King Jr., supporters of Trump, supporters of Clinton, residents of specific states, and Southerners who Facebook’s algorithms concluded were interested in ‘Dixie.’”

The dominance of a few firms in the online advertising marketplace, which has led to the widespread use of data collection and behavioral advertising systems, is a case study in the damaging spillover effects that a lack of competition can have on privacy in the Internet ecosystem. The United States stands virtually alone in its unwillingness to address privacy as an increasingly important dimension of competition in the digital marketplace. The merger of Facebook and WhatsApp has prompted countries in Europe to scrutinize the deal and issue fines. But the FTC has repeatedly failed to consider consumer privacy and data security issues in its merger review process. If the largest Internet firms continue to buy up new market entrants and assimilate their users’ data into the existing platforms then there will be no meaningful opportunity for firms to compete with better privacy and data security practices.

EPIC has underscored the dangers posed by lax enforcement in comments to the FTC, noting that Google and Facebook’s access to consumer data “is at the very heart of why the digital platforms have been able to entrench their dominance.” But as Facebook and Google have developed increasingly invasive tracking of their users, the FTC has failed to act. Despite an active consent decree against Facebook, the FTC allowed the company to disclose the personal information of 87 million Americans. The FTC had the power to stop the scandal, simply by enforcing its previous orders in a way that protected consumer privacy. It didn’t.

For more than a decade, EPIC has shown the FTC in numerous antitrust and privacy complaints that each acquisition by a dominant firm has led to a reduction in both competition and privacy protection. This is willful ignorance on the part of the agency tasked with protecting American consumers and competition. The Federal Trade Commission’s disregard for privacy protection and lax record of antitrust enforcement are diminishing innovation and competition in the United States economy.

Virtually every other democratic government has recognized the need for an independent agency to address the challenges of the digital age. Given the enormity of the challenge, the United States should create a dedicated Data Protection Agency, based on a legal framework that requires compliance with baseline data protection obligations. An independent agency could more effectively police the widespread exploitation of consumers’ personal data and would be staffed with personnel who possess the requisite expertise to regulate the field of data security.

The Online Privacy Act, filed by Representatives Eshoo and Lofgren (H.R. 4978), and the Data Protection Act, filed by Senator Kirsten Gillibrand (S. 3300), would both create a U.S. Data Protection Agency. The Senate Commerce and House Energy & Commerce Committees have yet to schedule public hearings on these important bills.

It has become increasingly clear that data protection, competition, and innovation are all essential to a healthy Internet economy. The consolidated market power of online platforms today is not healthy. A handful of companies dominate the market. The privacy of Internet users is under assault. The revenue model that allowed small businesses to break into the market is broken, and the current model is not sustainable. Privacy rules can help level the playing field. Congress must pass comprehensive baseline privacy legislation and create a U.S. Data Protection Agency.



Electronic Privacy Information Center

EPIC focuses public attention on emerging privacy and civil liberties issues and protects privacy, freedom of expression, and democratic values.