Good News! The Privacy Wins Keep Coming

From Carpenter v. United States to a landmark bill in California, privacy advocates sense a shift in what people will accept from Facebook, mobile carriers, and more.
Image may contain Electronics Computer Server and Hardware
Getty Images

On Monday, police in Florida abandoned a pilot program that had put Amazon’s facial recognition powers at their disposal. On Wednesday, representatives from the country’s most powerful technology companies will gather in San Francisco to take a hard look at the industry’s approach to privacy. And on Thursday, the California legislature will vote on a bill that would grant internet users more power over their data than ever before in the United States. Any of these alone would mark a good week for privacy. Together, and combined with even more major advancements from earlier this month, they represent a tectonic shift.

Progress can be difficult to measure; it often comes in drips and drops, or not at all for long stretches of time. But in recent weeks, privacy advocates have seen torrential gains, at a rate perhaps not matched since Edward Snowden revealed how the National Security Agency spied on millions of US citizens in 2013. A confluence of factors—generational, judicial, societal—have created momentum where previously there was none. The trick now is to sustain it.

Awake and Alert

If the US really has found itself in the middle of a digital privacy awakening, you can of course credit the recent spate of headline-grabbing scandals as the kick-starter. Cambridge Analytica illicitly took the personal information of up to 87 million Facebook users and turned it into psychographically targeted political ads. Equifax let slip the sensitive details—including Social Security numbers—of 148 million Americans because it couldn’t be bothered to patch a known vulnerability. And just a few short weeks ago, many learned for the first time that mobile carriers like Verizon and AT&T have for years sold their location data to shadowy third-party companies—including some that don’t carefully vet who can access it.

“All of these high-profile stories over the last year or so have really put consideration into overdrive,” says Michelle Richardson, deputy director of the Center for Democracy and Technology’s Freedom, Security, and Technology Project. “Things like Facebook or Equifax, the location data, it’s all hitting at once, and people are losing patience with companies who are promising to change but aren’t doing it.”

Facebook, to its credit, pledged to cut ties with data brokers in March. But otherwise the company has spent its time ducking questions from both Congress and the media about how its core business proposition clashes with prioritizing data privacy. It has also taken some of the heat off of companies like Google, which grabs as much or more data, without a fiasco to shine a spotlight on its everyday practices.

But there are signs that the fallout from Cambridge Analytica has still had a wide impact. After The New York Times broke the story of carriers sharing location data with third parties—and the abuse of that system—in May, it took just five weeks for Verizon, AT&T, T-Mobile, and Sprint to curtail the practice. They did so in part at the urging of senator Ron Wyden (D - Oregon), but also to avoid the sustained public opprobrium Facebook and Equifax endured. What had for so long felt like shouts into a void ultimately echoed throughout the industry.

You can see those reverberations in the Wednesday summit organized by the Information Technology Industry Council, a trade group that represents Facebook, Google, Apple, Amazon, Microsoft, Samsung, and dozens of other major tech companies. First reported by Axios, the meeting will focus not on standards or tariffs, but on a topic that has often seemed anathema in Silicon Valley.

"Protecting consumers’ privacy is a top concern for our industry. As technologies evolve, we continually examine our approach to privacy,” says ITI spokesman Jose Castaneda. “This week’s convening will continue an important conversation that examines how our users’ and customers’ privacy is protected while also ensuring our ability to meet their demands for innovative products and services."

Part of that conversation will surely involve Europe’s General Data Protection Regulation, which went into effect this spring, tightening the ways in which companies handle user data. But it also reflects a newfound urgency stateside.

“I sometimes joke that’s how you know something is serious, when the trades get involved,” Richardson says. “That’s when they pull out the big guns.”

Law and Orders

The companies' voluntary actions have been buttressed by the legislative and judicial branches. Last week, the Supreme Court issued a ruling in Carpenter v. United States that will generally require the government to get a warrant before it accesses cell site location information. But the decision has even broader implications for how courts will view digital privacy going forward.

“At its core, Carpenter is a recognition that there are fundamental changes we’ve witnessed over the last two or three decades in the technologies that we use every day for communications and connecting with others, and that these technologies have implications for individual rights,” says Alan Butler, senior counsel at the non-profit Electronic Privacy Information Center. “That’s a point at which we’re on the other side of a sea change.”

The judicial breakthrough dovetails with a political shift, as well. Privacy has crossed party lines of late; House Republicans found themselves opposed to some forms of surveillance after President Trump claimed to have been victimized by it. And there’s nothing partisan about Equifax leaking your Social Security number.

“There’s an expansion of concerns across the ideological spectrum,” says Shahid Buttar, who leads grassroots efforts for the Electronic Frontier Foundation. “People very far to the conservative right and very far to the liberal left agree on surveillance principles.”

That will play out soon in California, where on Thursday the State Senate and Assembly will vote on AB 375, a bill that would enact the strictest privacy laws in the US. That bill, too, exists largely because of public pressure.

“The events involving Facebook and Cambridge Analytica certainly highlight the need for this legislation and its provisions and created public demand for a solution,” said state senator Robert Hertzberg, one of the authors of the bill, in a statement to WIRED.

And if the bill doesn’t pass this week, in November Californians will be able to vote for themselves on even more robust privacy protections in the form of a ballot initiative, the California Consumer Privacy Act, that advocates have spent the last two years pushing.

Remember, all of this is happening in the span of about two weeks. It’s a remarkable amount of progress, and there’s reason enough to believe it has momentum to continue.

Keep the Plates Spinning

The thing about public enthusiasm is that it fades in time, be it for privacy protections or C&C Music Factory. Outrage is difficult to sustain, especially when so many corners invite it. But privacy advocates are hopeful that this time things could be different.

There’s the bipartisan push, first of all. But there’s a generational one, too. People who have grown up online seem more aware of the implications of what they share, and more eager to protect it. “Young people are decidedly not OK with state surveillance or corporate-sponsored surveillance,” Buttar says. “You can see that reflected even in their choice of platforms. Young people increasingly are migrating away from platforms that pursue an advertising-driven surveillance model, like Facebook.”

The latest privacy missteps have also felt more tangible to more people than they may have in the past. You likely have a Facebook account; it’s distressing to confront what it knows about you and how it uses that information. If you’d like to freak out about Google and location services, check out your Google Maps timeline. And on and on.

Meanwhile, GDPR and Carpenter should provide scaffolding to hold up privacy protections even if public interest does wane—despite Silicon Valley lobbying hard against bills like the one in California. “Maybe there won’t be some omnibus privacy case against Facebook that solves all the problems,” Butler says. “But across the board, the pressure’s going to get turned up.”

And realistically, the next animating privacy meltdown will never be too far away. “I think there will always be another Cambridge Analytica,” says CDT’s Richardson. Now, privacy advocates are better positioned than ever to push back, and to win.


More Great WIRED Stories