Fighting the surveillance economy — A practical guide for individuals and companies

Consider two statements from different ends of the privacy awareness spectrum:

1. Facebook and Google helps me by offering great, free-to-use services. The ads they show me are not so bad, they usually match my interests and that’s fine. Everyone is using their products, so they can’t be very harmful. I understand they collect some data on what I’m doing, but I have nothing to hide.
2. Most things I’ve done, said or searched for online is stored somewhere, controlled by people who haven’t earned my trust. They can use that knowledge to change what I see online, influence how I spend my time and my money, coerce me into giving them more information and help others to monitor me or feed me propaganda. This freaks me out.

Which one would you say reflects your views better?

If it’s the first, are you ready to learn why it might be a false picture?

If you picked the second, would you like to do something about it?

Listing all the ways our realities are being tracked by companies is a challenging task. Browsing history, decisions, clicks and taps were the start, then with the rapid adoption of smartphones, fitness trackers and IoT devices, it’s now the data on how often you hit the breaks in your car, what products you pick in the supermarket and what you say during intimate conversations in your bedroom. There is little going on in your life that at least one major corporation doesn’t know about. Data collection like this can be framed as inevitability, as progress, as a necessity that brings us free services or convenience and personalized experiences. And it can be framed as something Shoshana Zuboff in her new book calls “surveillance economy”.

Considering the possibilities of where all this might take us by 2025 is an alarming exercise. As you walk into a furniture store, a shop assistant equipped with an AR device gets a summary of your backstory and preferences based on your past logged actions to help her close a sale. All motion and voice data captured by millions of miniature low-power devices on buildings is aggregated and tied to your personal ID; corporations use it to monitor, control, influence and possibly blackmail you. Searching for and writing about topics online deemed inappropriate are known to authorities within a second thanks to cooperating companies; the consequences range from increased surveillance and punishments determined by an AI to public shunning.

If you are concerned about any of these possible future scenarios you might agree we need to figure out how to avoid them. In this post we will explore some of the forces that drive us towards these outcomes, then list what can we do as individuals and professionals right now to change course. By applying my recommendations you will not only fight against a future where surveillance-based models control everything, but you will be rewarded with the appreciation and business of an increasing number of people who don’t want to live in one.

1. “They know more about us than we know about ourselves or than we know about them”

Last May in my new role at IVPN, a privacy focused company, the very first paper I’ve read as part of my research was a journal from 2015 by Ms. Zuboff on issues of privacy erosion by the world’s biggest corporations through uninvited, unconsented and unknowable ways of data collection. The premise and her warnings stuck with me ever since, shaping my views strongly and guiding me in how I approach the collection of private information in my personal and professional endeavors.

In the book “The Age of Surveillance Capitalism” she defines the surveillance economy as a system where companies use the “human experience [translated into data] as free raw material for commercial practices of extraction, prediction, and sales”. There is an important distinction between data collected with permission and only for the purpose of improving a product or a service and the surplus that is collected to feed this system. While the former is useful and benefits the consumer, the later is turned into prediction products and sold on “behavorial future markets”, like behavorial advertising networks and data broker aggregators. As the first companies employing this model, starting with Google, figured out this strategy is immensely profitable, they started to increase the depth and breath of data collection to improve predictions, viewing everything about our private experiences fair game for translating them to knowledge about us we don’t even possess. Competitors and providers of other free services followed suit. As Zuboff explains, their goal is to “acquire ever-more-predictive sources of behavioral surplus: our voices, personalities, and emotions”. When competition started to increase for data, the new goal was to shape our behavior, so we provide even more useful information to feed on. “Surveillance capitalists know everything about us, whereas their operations are designed to be unknowable to us”, writes Zuboff, noting the vast knowledge harvested benefits the collector and those they enable to profit off it, but not the users where the information originates. Most consumers participate in the system solely as entities to extract data from, as objects for surveillance with no other function; this level of structural disconnect is unprecedented in the history of capitalism.

All this was made possible by multiple converging factors: absence of understanding of the issue at hand, no laws governing the practices shaping it and overlapping interests of state intelligence agencies and companies building up the surveillance economy. Google pioneered the way, many others followed suit, with Facebook perfecting the model in recent years. The issue is present on a worldwide scale and you are more likely to be involved than not: billions of users participate as sources for the “data exhaust”, while millions of small- and mid-sized business, enterprises and political operations are paying for the knowledge available and profit off the output. Even companies in the business of protecting people’s privacy are complicit: in the VPN industry, where IVPN operates, 17 of our top 20 competitors run ads on either Facebook, Google, or both. Likewise, 18 of these 20 firms use at least one external tool or tracker on their website that passes on collected data to a third party, with many employing as many as 20, putting private information of their customers at significant risk¹.

Zuboff makes a bold claim about the ultimate result of all these issues: just as the resources of Earth were exploited and the planet put at risk by the first excesses of the industrial capitalism, this surveillance-based path we are on threatens to wither human will and challenge human autonomy and democratic sovereignty.

2. “If the digital future is to be our home, then it is we who must make it so.”

Ms. Zuboff set out to define, document and name the problem we are facing. Her book, perhaps deliberately lacks directly applicable, practical suggestions on how to counter this reality that surveillance models dominate. The key problems outlined before stretch way beyond issues of privacy; monopolies and competition, fake news, machine learning and racial profiling, effects of behavioral modification on free will and democracies would be all fair game in discussing concerns and in pursuit of solutions. For the sake of focus and clarity, I’m discussing what individuals and businesses who care about privacy can do to stop feeding this system and start forcing change.

All that happened before and happening now is not inevitable. I’m calling for resistance in forms of boycott and better choices in what services we use and support with our disposable income and advertising money — both as individuals and as privacy-respecting businesses. Customers, even of free products, vote with their time, their taps and clicks, their behavior that can be translated into data. The trade-off for them, even if they don’t fully understand the ramifications, is between convenience and the level of privacy protection. The greater the need for the former, the more of the latter they are willing to sacrifice. The problem is, as Zuboff puts it, that they are “trapped in an involuntary merger of personal necessity and economic extraction”.

Regulation that cuts off some of the tentacles of the octopus gorging on our data might alter these trade-off decisions and ease the pressure. Ex-employees urging for change could trigger executives to ponder exercising moderation. The fundamental privacy violating flaws of the business models in question, however, won’t be solved overnight for a simple reason: the surveillance economy is too effective and way too profitable. The change should start with us.

How to resist collection of your behavioral data?
Solutions for consumers

Educating consumers and helping them make radical choices to influence the systems designed to harvest their data is one of the two important ways that can help us fight this crisis. We know that consumers stated privacy preferences are not reflected by the actions and choices they make, failing to act on recommendations they know would likely benefit them — this is commonly referred to as privacy paradox. I strongly believe this is something we can change together and that process starts with you and me. With the risk of being called a naive idealist, I believe we can lead by example in getting through the pains of giving up some of the convenience and ruthless pursuit of growth, ultimately affecting the course of history that is otherwise headed towards more surveillance, concentration of knowledge and power, and unethical exploitation of the human experience.

Privacy means having the agency to choose what you share, when you share it and who you share it with. The following recommendations can guide you, as an individual towards taking back that control and helping others do the same.

1. Don’t use services where you don’t understand what is going to happen with the data you share

Choose services that fulfill a need where there is an explicit pledge towards not monetizing your data. Take a look at privacy policies. Use more paid services. Do your research on business practices and revenue models. Contact the provider you are vetting and ask them to address your concerns. If you are not convinced, look for alternatives and make the switch, sharing your thoughts with those you are leaving behind.

If you do a careful evaluation of all apps and tools you are using right now a lot of them will fail these tests. This list starts with Facebook and Google: as Jaron Lanier suggests deleting your account is the best course of action. You will most likely discover many more offenders. Use DuckDuckGo instead of Google Search. Ditch Chrome and use Brave Browser. Switch to Disroot or Tutanota from Gmail. If you can’t find a privacy-respecting provider for your need or the options suck — consider building that service and you might have a new business in the future.

2. Start using additional tools that are designed to help you protect your privacy

To prevent your ISP, and subsequently, data buying companies from having logs on your internet activities, pick a VPN provider that cares about your privacy and pledges not to support surveillance economy companies (disclaimer: as stated before, I work for IVPN). Use an ad blocker that stops services from tracking your behavior through ad scripts. Install Little Snitch to monitor your network connections to catch fishy services. Install Privacy Badger by EFF that uncovers and blocks scripts on websites that track you; this Medium page has 2 active trackers that would have been blocked if you did - Google Analytics and Parse.ly (in their defense, Medium honors Do Not Track requests).

For helping with both point number 1. and 2. there are great resources that list privacy respecting alternatives. I recommend starting at SecurityChecklist and PrivacyTools.io.

3. Reward companies taking a stand and refusing to feed the surveillance economy with either data, ad money, or both

See who is giving your behavioral data to third parties by looking at the tracker list of Privacy Badger when visiting their site. You can also identify whether a company is advertising on Facebook by looking at the “Info and Ads” tab on their Page or if they appear in Google ad results by typing their domain into SpyFu and checking the PPC section. Look for businesses that accept anonymous payment options and don’t force everyone to share personal information with a third-party payment provider. If you don’t like what you learn about the conduct of the business in question, pick their competitors. Some progressive firms already identified the necessity of making the moral choice of responsible practices versus easy growth: Signal v. Noise, the company behind Basecamp announced their “Facebook Free” pledge last December and called for others to join them.

4. Donate to organizations who fight for your right to privacy

Non-profits like the Electronic Frontier Foundation and the CDT are doing important work with educating consumers on privacy issues and pushing for change by working on tech solutions and proposing new legislation. Supporting them with five or fifty or a thousand dollars per year — whichever amount is within your means — contributes to their budget to expand their teams of researchers, lawyers and advocates and conduct campaigns that call for better practices from data harvesting corporations.

I admit all this is harder than it should be, even if we take strength from success stories. I commit considerable time to solving problems related to privacy in my work and I haven’t managed to tick off everything on this list yet. I have a Facebook account with a fake name that I use to track events in my city and chat with friends who prefer Messenger to other services. I still use Waze (owned by Google) for navigation. I still have multiple Gmail accounts that I planned to migrate to a privacy respecting email provider, but somehow never found the time. My pledge here is that I’ll create a list of all these infractions of my own recommendations and work towards fixing them in the next 30 days.

Edit: You can learn about how I honored this pledge in my next post “I’m starting a support group for people ditching Facebook and Google”

The positive effects of following these suggestions won’t just contribute to the fight against the surveillance economy, but nudge sectors towards increased competition, potentially resulting in better services, more choices and lower prices for consumers. Putting in the time and effort is a worthwhile investment.

How to resist profiting off the capture of behavioral data?
Solutions for companies

As a business leader or an employee you are most likely participating in the surveillance economy in some way. The first step is to recognize and accept that. Digital marketing today starts with Facebook ads, Google PPC campaigns and display advertising with an inherent data collecting and profiling element. You are not just supporting these actors with ad dollars, but with no-questions-asked handover of customer behavioral data by placing their tracking scripts on your website. Just as consumers need to sacrifice convenience, to fight surveillance models you need to renounce the roguish growth opportunities they make possible and look for better alternatives.

No company claiming to care about the right to privacy can escape this dilemma. Apple seems to have realized this and started to position themselves in the champions of privacy role, using is as a differentiator and making aggressive moves against competitors to demonstrate their commitment. Taking this road comes with tricky choices: they still profit from Google search integration on their devices; contradictions like this, however, can be resolved by every company with a roadmap for deliberately moving away from supporting surveillance models.

From a strategic point of view this is risky and hard for most firms. This is even true for a company offering a privacy protecting service — here I’m looking at this problem from IVPN’s perspective — as most of our competitors won’t get on board with these guidelines, giving them a clear advantage in raising brand awareness and acquiring customers on false promises using surveillance data.

The choice to comply with the following directives are challenging, but they essential for any company that claim to care about the privacy of consumers.

1. Evaluate your business model and change it if necessary

If the key value driver in your business is related to acquisition, repackaging, analysis and/or sale of data acquired from customers who probably don’t understand how it was collected or did not consent to it, consider a new line of business. That’s a radical suggestion, but if you’ve read this piece up until this point and didn’t disagree with most of my thoughts it’s not a far fetched one. If some of your revenue is coming from selling customer behavioral predictions based on user profiling, explore new revenue opportunities to diversify with the intention to kill the surveillance-based one. You don’t have to do it right away, or in a radical fashion, it can be a slow, strategic process; even that is better than staying put.

You can explore subscriptions, membership upgrade tiers, one-off purchases, donations, tips, sponsorships, or limiting advertising you run to contextual ones. Try to do this without relying on third parties that are hungry for data to monetize. There are multiple companies I know of that are working on supporting this mission in privacy-conscious way, like Unlock Protocol, Houdini Project or Brave.

2. Don’t support surveillance-based business models with advertising dollars

If a company tries to sell you an opportunity to modify behavior with the help of data acquired about the consumer in a way they did not know, understand or consent to, say no. The obvious candidates for big wins are stopping your ads on Facebook and deleting your Google Ads account. As mentioned before, some companies are already making this jump; consider joining them. For your other partners not under intense scrutiny for surveillance practices looking at privacy policies and asking hard questions about data collection is the best approach.

Where can you shift your attention where there is no obvious data collection element? Sponsor quality content directly, like blogs, podcasts and newsletters, but not through intermediaries who try to add value by behavioral or individual-level targeting. Choose ad channels where contextuality is the key for audience segmentation, or where there is no segmentation at all. Information processing that enables targeting does not need to rely on data harvesting and can happen on the client side — Mozilla have tried this with Pocket recommendations and Brave is building their advertising model on this concept. Ad networks that don’t profile your users existed in the past, but they are mostly out of business now (like TheDeck network) or started including data collection for behavioral targeting and programmatic advertising (like podcast and newsletter ad networks); these changes were driven by the increased pressure for better performance due to the ruthless effectiveness of the surveillance economy.

Going wide from the currently preferred micro-targeting approach might feel like a step back for marketers. Building a solid, trusted brand, however, is not only possible, but more effective this way. It forces you to try harder and focus on getting your message through to entire communities with shared values in an honest, transparent way. Privacy-conscious consumers will reward you for this, and for not treating them as data sources you can nudge along through conversion funnels with sophisticated behavior modification tools.

3. Eliminate third party tracking and logging from your site and apps

By placing a Google script or a Facebook pixel on your website and in app you pass on behavioral information of your users to these companies. This data is almost always “anonymized”, but it’s evident that customer profiles are connected to this information with high confidence, resulting in better understanding of their habits. Your usage of Google Analytics goes against the core principles of “caring about the privacy of your visitors”.

This is also true for any other third party tool that you use that processes customer data in some way — the issue of no consent aside intentional malevolence, sloppy internal policies and data breaches all pose a threat to the privacy of your customers. For (almost) every tool you use, there is a self-hosted and open-source alternative. Switch to Matomo from Google Analytics to collect and analyze visitor data. Use RocketChat instead of Slack to protect sensitive information you share within your team. If there isn’t a good alternative for your need, consider building it and you might have a new business.

4. Donate to organizations who fight for your right to privacy

Similar to the same point on the consumer side. You have the resources and they need your help. Pick a non-profit or a couple working on uncovering, documenting and solving surveillance economy issues and support them.

5. Educate your customers about privacy

If you follow my recommendations and initiate changes in your business you should also start informing your consumers on your commitment to privacy protection and the steps you are taking for their benefit. Invest in content creation that explains these issues and challenges in depth and in the context of your industry and your service. Integrate these pieces into your communication, highlighting your commitment to fighting data surveillance. All this will increase respect and goodwill towards your business.

I went through this list and considered the implications for IVPN, changing some of our practices in the process:

1. Business model — We were doing well on this front. We’ve never sold customer information and all revenue is from paid subscriptions.
2. Privacy respecting advertising — We were running Google PPC ads for brand keywords to prevent hijacking; they are now stopped. We are not advertising on Facebook and deleted our page. The jury is out on Twitter, but we don’t and won’t run any ads there.
3. Third party tracking — We had to remove Google ads tracking codes and other residuals for third party tools we used in the past, like Unbounce and Adobe Typekit. We are now tracker-free.
4. Donations — Our next round of yearly donation to the EFF if due in this month (February 2019) and we’ll keep supporting non-profits going forward.
5. Education — While we already have educational materials published on our website we need to do a lot more in this area. This will be a key driver of our content strategy in 2019.

3. Becoming the friction

We are on course towards a future where all of our actions online and offline are captured and monetized by corporations of the surveillance economy, limiting our ability to control our privacy and as a consequence, our human experience freely.

Why do I think any of these recommendation would help in subverting that course? If enough consumers, partners and advertisers will signal to the current flag bearers they are dissatisfied with the way this system affects their lives and businesses, they will be more inclined to look for other ways to create value for their owners, shareholders, employees and most importantly, their users. Taking action also helps with summoning alternatives, new business models and frameworks that help us leave the current state of things behind. While recent revenue calls don’t support the notion that a tidal wave of awareness and demands for change is about to hit Facebook and Google just yet, I believe this battle is just beginning.

I’m not foolish enough to think this post will reach a billion people who will suddenly delete all of their accounts on services that feed off their data — similarly, I’m not expecting everyone reading this and running Facebook ads to pull the plug on them right away. If I have convinced you, however, that these issues need to be considered deeply and we can make better choices about the services we use and the ways we cooperate with businesses, that’s a good start.

I would like to invite you to comment, respond in a blog post or email me directly at viktor@ivpn.net to discuss this post. I’m very interested in hearing your feedback and iterate on these ideas.

Contact me if you are a content creator who feels aligned with these goals and you are looking for sponsors. Do the same if you are working on solutions to untangle and solve the issues inherent in the surveillance economy model. I’d be more than happy to concentrate all IVPN communication efforts and budget towards working with you.

Lastly, we are looking for a full-time privacy advocate Staff Writer to join our team and help us with our mission to fight for the right to privacy — please pass it along to someone you know and could be interested.

1. Information retrieved from Ahrefs.com, Facebook Pages Info and Ads and through Ghostery add-on; correct as of 6 February, 2018. Email viktor@ivpn.net for complete list.