The CEOs of Google, Facebook, Apple, and Amazon walk into a bar. Except instead of a bar, it’s the latest in a series of hearings as part of a comprehensive House Judiciary Subcommittee investigation into long-alleged anticompetitive practices by the world’s most powerful technology giants. Notably, the hearings brought attention to the interrelationships between consumer data privacy and competition issues. Yet how the dominant market power of Big Tech companies leads to the further erosion of consumer privacy has not been fully explored. In other words, how do large technology firms like Facebook, Google, Amazon, Apple, or Microsoft use their largesse in respective markets to cause adverse effects to consumer privacy? This piece investigates one crucial argument: That dominant digital platforms offer a “take it or leave it” option for consumers that coerces them to give up ever more data.
Why should we even care about consumer privacy? Because the lack thereof may lead to a range of consumer harms, including the failure to control one’s social boundaries, the violation of reasonable expectations of privacy, the intangible loss of dignity, the risk of discrimination, and the possibility of personal data being used for unintended purposes. These harms are amplified by the behaviors of Big Tech companies, behaviors that are only possible because of their monopolistic market power. While big is not inherently bad, the size of a corporation gives it the leverage to disrupt much of the digital economy and set the standard for other market players. Of course, there is also the gentle sense of unease for some to know that most of their personal data is under the management of two or three corporations.
A key mechanism through which this happens is through the innocuous-seeming, ubiquitous Terms of Service (ToS) that we’ve all mindlessly clicked through. Leading digital platforms like Google and Facebook exploit their market position to give users little choice but to give up their data privacy. When someone signs up for Facebook, for example, she is faced with the obligatory ToS presented starkly — either accept all of the terms and conditions and use the social media platform, or not accept any of the fine print and not participate in Facebook. While this may be appropriate for most businesses, Facebook and Instagram’s dominance in the social media market make this a “take it or leave it” decision — essentially forcing users to decide whether to participate in recreational online networking or mobile photo sharing at all. Monopoly power is particularly significant in the case of social media, given that business models depend on network effects, so that even a smaller competitor with a better product would find it hard to build up their user base compared to the large incumbent. Knowing that they are in such an entrenched position, Facebook can leverage this advantage to convince users to give up more of their personal and behavioral data. The result is eroded data privacy and a solidified monopoly.
And that has been at the center of Facebook’s data use practices all along. According to the German Federal Cartel Office, or the Bundeskartellamt, which investigated this issue, “private use of the network is subject to Facebook being able to collect an almost unlimited amount of any type of user data from third party sources, allocate these to the users’ Facebook accounts and use them for numerous data processing processes.” By agreeing to the ToS, ostensibly so the user would be able to access facebook.com, she would in fact be agreeing for data to be combed from the Instagram and Whatsapp subsidiaries, but more importantly, to be collected from any third-party site that has any Facebook’s Application Programming Interface (API) embedded, like a “Like” button, through the Facebook Social Graph. That is, Facebook-owned trackers and analytics software record a user’s online activity on third-party websites and send that data to Facebook to build a profile. Then, through Facebook’s Graph API, third-party developers are also able to obtain data from Facebook users to feed and optimize their own products. All of that is authorized through a click of a button, and most users are unaware of the full extent of these activities.
Germany’s Federal Cartel Office, in its 2019 ruling, found those practices to be anticompetitive. In a call for an “internal divestiture” of Facebook’s data, the Bundeskartellamt ruled that the social media company “will no longer be allowed to force its [German] users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts.” Under the decision, the voluntary, active consent of users must be given for Facebook proper to harvest and use data from Instagram, Whatsapp, or third-party websites. This is in fact in broad agreement with one of the principles of the European Union’s General Data Protection Regulation (GDPR), which specifies that “personal data can only be collected for specified, explicit, and legitimate purposes,” such that data “processing cannot proceed unless the data subject has consented to every processing activity.”
Crucially, the ruling notes the consumer’s lack of choice in the market because of Facebook’s overarching market power. It asserts that the current ultimatum that the platform provides the user “cannot be referred to as voluntary consent,” and that it constitutes an “exploitative abuse” of business terms. The heart of the matter is that users cannot find another social network with comparable functionality and scale as Facebook if they do not consent to its terms and conditions. Hence the Federal Cartel Office hopes to alleviate this by determining that, “Facebook may not exclude [users] from its services and must refrain from collecting and merging data from different sources” without prior consent.
While this would be a good step for consumer privacy, the real issue is that alternatives to technology monopolies competing in their core offerings simply do not gain the traction needed to be serious, long-term threats. Most privacy-oriented competitors are “cornered,” such that privacy is their only differentiating advantage while offering an inferior product in other ways. For example, DuckDuckGo, a privacy-enhanced search engine, does not yet offer more efficient search or better features than Google. This is because of the widely-known survivalist business tactics that Big Tech deploys whenever a major competitor emerges — buy it or copy it. The technology sector is rife with stories of tech giant spending sprees, so much that a big reason for venture capitalists to invest in startups is in its predicted ability to be bought out by one of the large firms, not by its potential to become the next big company. If a startup resists acquisition, the next best option is to clone its products outright, and Facebook is one of the worst, or best, perpetrators. In a revealing quote from a Recode article, “Facebook offerings like Stories, Marketplace, Live, and Pay are versions of features first found on Snapchat, Craigslist, Periscope, and Venmo, respectively.”
Therefore, if DuckDuckGo shipped an innovative, non-privacy related feature tomorrow and grows tremendously as a result, Google will more likely than not clone it or seek to acquire the upstart. The only feature that Google cannot import wholesale are DuckDuckGo’s strict no-tracking policies, since they form the bedrock of Google’s advertising business model. Therefore, privacy-oriented competitors are usually left with privacy as their singular selling point.
The exception here is mobile messaging services, where small privacy-focused companies have earned substantial market share. Services like Telegram and Signal have not only been adopted widely but have set the standard for the industry, so that even Facebook’s offering, WhatsApp, has default end-to-end encryption. The most likely difference here is that privacy is an exceptionally salient issue in the so-called “private messaging” market. It is not difficult to imagine why consumers would not want personal conversations to be tracked. But sensitive information does not just lie in what we text each other online.
Given this lackluster choice environment, it is unsurprising that consumers feel a sense of resignation. According to the “Americans and Privacy” Pew poll, 62% of Americans feel it is not possible to go through daily life without companies collecting data about them. 81% claim they have little or no control over the data that companies collect. Consumers can both be aware of and be concerned about data privacy, yet in their private actions use its greatest offenders because of either what Ben Armstrong terms a “social media Stockholm Syndrome,” or a lack of choice.
The market dominance of technology companies like Google and Facebook and the inability of privacy-focused alternatives to meaningfully compete amplifies inequitable power dynamics in the market and unfairly makes consumers accept privacy-invasive digital products. However, if not handled correctly, more privacy may actually result in more industry consolidation. A stricter privacy regime may threaten the openness of the Internet and its free data flows, which in turn may further consolidate the power of the most dominant firms and damage competition. This is most evident from the aftermath of the Cambridge Analytica scandal and the implementation of the GDPR, both in 2018.
After Facebook’s embarrassing political scandal, which entailed a third-party quiz app harvesting information from 87 million Americans to manipulate public opinion for the 2016 presidential election, the social network company responded by introducing limitations on accessing user data by third-party developers. According to TechCrunch, Facebook moved to “significantly limit data available from… Facebook’s Events, Groups, and Pages API plus Facebook Login.” The platform also blocked apps from pulling user data without renewed consent after 90 days, and Instagram also shut down its old platform API. Still in crisis mode, Facebook also suspended tens of thousands of apps using its APIs following an investigation into third-party data use practices.
On the one hand, this is a win for consumer privacy — Facebook was finally putting privacy issues front and center, and even placing restrictions on its prized developer network. On the other hand, if the trend continued, would-be competitors to Facebook’s products would have less scope to leverage Facebook’s magnificent trove of personal data to improve on their offerings. Facebook has already been no stranger to weaponizing its data to crush competition. A leaked email from 2013 between Facebook’s Vice President Justin Osofsky and CEO and founder Mark Zuckerberg revealed that the company purposefully blocked off video app Vine’s access to Facebook’s friends API because it viewed the app as a potential competitor.
On the other hand, the adoption of the GDPR in 2018 was heralded by privacy advocates as the most comprehensive privacy legislation globally. However, as the Wall Street Journal reported, the law disproportionately disadvantages small digital ad tech firms which, like Google and Facebook, put trackers on third-party sites to collect data to be sold to advertisers. Unlike these small competitors, rich, consumer-facing giants like Google and Facebook are well-suited to strictly adhere to the GDPR’s requirement that companies must obtain affirmative consent to use Europeans’ personal information, and both have assembled large teams dedicated to ensuring compliance to the law. On the other hand, it is much harder for small, unknown, enterprise-facing ad tech companies to obtain active consent from consumers. Users are generally inclined to accept tracking from a known brand like Google than an analytics firm like AdUX. In March 2018, Google issued an ultimatum: publishers and apps that sell ads through Google must require consent that “specifically mentions every company that might collect or process their users’ data,” or “risk being kicked off Google’s system.” As Thompson argues, the GDPR would consolidate the monopolies’ hold on the digital advertising market because they “generate the majority of their user data on their own platforms…their data collection and advertising business are integrated,” unlike the more modular model of their smaller competitors. Although the GDPR is an advance for consumer privacy in many ways, greater attention to its implications for competition is needed to counter its unintentional side effects. Perhaps this necessitates greater elaboration of what the law means or applies to, or exceptions for small to medium sized companies. Or we can turn to industry solutions, such as Chromium’s plan to phase out third-party cookies — a victory for privacy — while sustaining “a healthy, ad-supported web” that “addresses the needs of users, publishers, and advertisers.”
The tactics that Big Tech companies use to crush competition and cement dominance in digital markets reduce consumer choice and subject users to exploitative terms of service contracts. These arrangements harm consumer privacy by making users agree to an almost unrestricted exploitation of their personal and behavioral data, often without explicit consent, if the user wants to engage in social networking or other online services. Yet countervailing regulation, however sorely needed, must be enacted with the intention of keeping the internet as open and competitive as possible.
Moving forward, these findings could have significant ramifications for regulation. In the United States, they could help to show that consumer privacy is an important part of the consumer welfare standard, the current legal standard for antitrust law in the United States. This may give more credibility to the case for antitrust action against the largest technology firms, something that the current House investigation will likely hope to achieve.
The lack of significant privacy protections for consumers at the federal level in the United States today has expedited the rise of monopoly players across multiple industries in the digital space. The market power of these Big Tech firms, in turn, instigates unique harms to consumer data privacy. Only by understanding the intersections between privacy and antitrust and by developing complementary, coordinated solutions can regulators tackle these issues comprehensively.
Published exclusively in Brown Tech Review. Image source.