No way? Big Tech's 'lucrative surveillance' of everyone is terrible for privacy, freedom

Buried beneath the endless feeds and attention-grabbing videos of the modern internet is a network of data harvesting and sale that's perhaps far more vast than most people realize, and it desperately needs regulation. 

That's the conclusion the FTC made after spending nearly four years poring over internal data from nine major social media and video streaming corporations in the US.

These internet behemoths are collecting vast amounts of data, both on and off their services, and the handling of such data is "woefully inadequate," particularly around data belonging to children and teenagers, the FTC said. This will not be a surprise to regular Reg readers.

"Social media and video streaming companies harvest an enormous amount of Americans' personal data and monetize it to the tune of billions of dollars a year," FTC chair Lina Khan said of the findings. "While lucrative for the companies, these surveillance practices can endanger people's privacy, threaten their freedoms, and expose them to a host of harms." 

These surveillance practices can endanger people's privacy, threaten their freedoms, and expose them to a host of harms

Twitch owner Amazon, Meta, YouTube, X, Snap, TikTok owner ByteDance, Discord, Reddit, and WhatsApp were all asked in late 2020 to provide the FTC with answers to questions regarding their data collection and use. The 129-page report [PDF] doesn't break things down by company, and the US watchdog said not all of its recommendations apply to every platform. 

That said, the findings are pretty serious. 

First, the report concluded that many of the big players collect and indefinitely retain records on users and non-registered visitors from both their platforms and beyond with, as mentioned, subpar data protection practices. In addition, some services reported only de-identifying data when a user asked for its deletion, while others deleted only portions of the requested data.

Second, many of the nine corporations relied financially on selling ad space to third parties based on user information with little way for netizens to see what's being shared and with whom. This leads to the next finding: Many of the businesses feed user data into AI models to train them, and users lack the ability to have much of that data deleted - especially if it was harvested off platform. 

Neither users nor non-user visitors had the ability "to review the information used by these systems or their outcomes, to correct incorrect data or determinations, or to understand how decisions were made, raising the potential of further harms when systems may be unreliable or infer sensitive information about individuals," the FTC said. 

The regulator said it was also worried about how the web giants treated teenagers, whose data is no longer covered under the Children's Online Privacy Protection Rule (COPPA rule enforcement ends at age 13), but who still need to be treated as a special class. 

"Almost all of the companies allowed teens on their [social media and video streaming services] and placed no restrictions on their accounts, and collected personal information from teens just like they do from adults," the FTC said. 

• Social media is too much for most of us to handle
• Researcher claims Harvard nixed social media research after getting Zuck bucks
• LinkedIn started harvesting people's posts for training AI without asking for opt-in
• Facebook whistleblower calls for transparency in social media, AI

The Register has reached out to all nine big names in the report, and most haven't responded. Google, which acquired YouTube in 2006, told us it has "the strictest privacy policies in our industry," and doesn't sell personal data (though it could be argued it doesn't need to) nor use sensitive data to personalize ads or collect data from minors. 

An X spokesperson told us: "The FTC report is based on practices from Twitter in 2020, X has made tremendous strides in protecting users’ safety since this period."

"As of today, only about 1% of X’s US users are between 13-17. X takes user data privacy seriously and ensures users are aware of the data they are sharing with the platform and how it is being used, while providing them with the option of limiting the data that is collected from their accounts."

Discord said that, while it supports the intent of the study, its business model differs so much from the other orgs in the report that it doesn't think it should be lumped in with the rest. 

"At the time of the study, Discord did not run a formal digital advertising service, which is a central pillar of the report," Discord head of US public policy Kate Sheerin told us. "We look forward to sharing more about Discord and how we protect our users." 

The FTC is getting real sick of your s...

None of this is stuff we haven't heard from various government agencies and NGOs over the years. We know third-party companies hand lots of data over to Meta and other firms, we know Americans lack the same AI opt-outs that EU residents have and we know the amount of data those nine companies have can be a privacy concern.

In order to address what is at this point a well-established and ongoing issue, the FTC made several suggestions, saying that online services should limit their data collection practices, eliminate privacy-invasive tracking technologies, add user controls, and treat teenagers differently than adults. 

This report makes clear that self-regulation has been a failure

But beyond that, the report concluded, a comprehensive federal privacy regulation is needed.

"America's hands-off approach has produced an enormous ecosystem of data extraction and targeting that takes place largely out of view to consumers," FTC bureau of consumer protection director Samuel Levine wrote in a preface to the report. "While there have been isolated instances of firms taking pro-privacy actions, those continue to be the exceptions that prove the rule."  

"This report makes clear that self-regulation has been a failure," Levine added. 

The most recently introduced federal privacy regulation, the American Privacy Rights Act, has been stuck in committee since it was introduced in June. ®