In a previous blog post I critiqued the problematic argument that American companies’ collaboration with National Security Agency (NSA) would cause them to lose business to companies in other countries. In this post I would like to critique a similar argument, that privacy-violating companies will lose business to other non-privacy violating companies. Or that, stated another way, people can boycott privacy-violating Internet services in order to safeguard their privacy online. (I would like to mention and thank members of Restore The Fourth SF and @RancidTarzie, with whom I have had conversations that inspired this post.)
The case was made, for one, by Brian Fung of The Washington Post in his post Yes, there actually is a huge difference between government and corporate surveillance:
In a functioning marketplace, boycotting a company that you dislike — for whatever reason — is fairly easy. Diners who object to eating fake meat can stop frequenting Taco Bell. Internet users that don't like Google collecting their search terms can try duckduckgo, an anonymous search engine.
Sounds great, right? The beauty of the “free market” is that one can simply discard these privacy-violating bad corporate actors with an informed consumer choice. Unfortunately, things aren’t that simple.
First, finding substitutes to one’s favorite services can be difficult; the ease varies on a case-by-case basis. For instance, finding a feature-comparable substitute for Google web search, [1] such as duckduckgo, is easy. Finding a feature-comparable substitute for Gmail is much more difficult. Sure, there are many other services that offer email (Riseup for example), but Gmail’s other features (indexing mail history for search, built-in contacts, built-in chat, video chat, etc.) to my knowledge are not offered by a purported privacy-respecting email service.
In the case of a service that exploits network effects (that is, the service is only useful to the extent that other people other use the service, such as a telephone network or social network), there is no substitute because of the monopoly the service has on your contacts. Leaving Facebook to join another privacy-respecting social network is worthless unless all of your friends and family make the migration with you. This is a serious option for a vanishingly small number of people.
There is also the issue of data portability, the lack of which can tie one to a service in a similar way. (I suppose if we want to get pedantic about it, the social network stickiness problem is just a special case of the web service stickiness problem in which the data is your social graph.) If there is no way of getting years of invested data out of the service and into another one easily, the switch is impossible and therefore will not be made.
Second, based on recent disclosures, we can pretty much safely assume that the NSA is monitoring, more or less, the entire Internet. Even if one switches to all open-source software, uses ad-blocking and tracking-thwarting browser plugins, refuses unencrypted connections when possible, etc., some traffic is, under current Internet architecture, fundamentally unencrypted. This includes the metadata of a web request / response, email contents, [2] DNS requests, etc. In short, technical limitations in Internet technology itself prevent one from dropping off NSA’s map entirely (unless one simply refuses to use the Internet, and maybe not even then).
Third, boycotts require that consumers know that the to-be-boycotted entity is doing some unsavory activity that the consumers want to pressure it to end. Unfortunately, one of the problems with Internet surveillance is the secrecy -- both intentional and unintentional -- that pervades the entire government/corporate monitoring empire. One news story can turn today’s corporation boasting about respecting privacy and individual rights -- as they all do -- into tomorrow’s hated surveillance collaborator.
The dynamics of corporate / government relations in the United States are such that a company really has no choice but to collaborate in surveillance when the government comes calling. Recall the protestations of the lackeys of an exposed corporate-government alliance: “But we need to follow the law!” But the government has more screws to twist than that: antitrust regulations, taxation and regulation, issuing of government contracts, and -- of course -- punitive legal retaliation. [3] Which is what makes the threat of a switch from one monopolist to another (“I’ve had enough of your privacy violations, GMail! I’m switching to Hotmail!”) such an idle one. Small companies such as Lavabit which have the ability (as only small companies do) and courage (which few of any size posses) to defy the government when approached are rare.
Fourth, and I’ll bold this because it is a point so often glossed over, there is a fundamental trade-off between convenience and privacy. You can’t recall your web search history if Google doesn’t store it. You can’t search for times you discussed Teletubbies over email if you don’t let GMail index your email. You can’t skip the toll lines on the Bay Bridge if you don’t have a FastTrack pass that records every time you cross the bridge. You can’t get a loan if a rating agency has not monitored your past debt transactions -- that is, your credit history. So those that pine for absolute privacy should be careful about what they wish for; many likely don’t understand the downsides. [4]
Fifth, simply switching to another service does not mean that the service switched from purges the information you gave to them (or that they have otherwise accumulated on you). What happens in most cases is that the company just flips a bit in the database specifying your account has been deactivated, but the data nonetheless remains. This data is valuable to them both in the case in which you rejoin the service and as an asset to sell to third parties. Speaking of which, your data is traded around in ways that you are not even aware of, between ad networks, data brokers, and other services. [5]
To sum up, we’re at the point where nearly all large Internet corporations are suspected of collaborating with government in violating personal privacy in some way. Substitutes to these services are partial, difficult or nonexistent -- and there is no guarantee that the substitutes are not also compromised. We should get rid of this fantasy of consumer choice via boycotting as a means of reclaiming control over our information. The problems are much more systemic than that, and demand a much more comprehensive fix.
(Just for the sake of clarity: I do advocate using free software -- as in libre, not gratis -- and other privacy-respecting services and technologies where possible. But the point is “where possible” is a small and ever-shrinking domain for most people.)
[1] Not accounting for Google’s most likely more comprehensive index that they can compile given their vastly superior computing and human resources.
[2] That is, unless one uses PGP to encrypt the contents of email, but under those conditions the metadata could still be monitored. Besides, this is a pretty impractical solution for anyone that is not highly technologically competent.
[5] See No Place to Hide for more information on data brokers.
UPDATE: Boycotting certain companies on the Internet, for instance Google, is nearly impossible because of their multiple properties and pervasiveness. Besides operating Google web search, YouTube, Blogger, Orkut, Google+, Google Maps, Google News, etc., and the software they release: Chrome, Android, etc., they also run an advertising network that tracks you everywhere you go. Incidentally, the NSA piggybacks on this network to ID individuals. Almost every site but the largest and smallest run some kind of Google Analytics on their site. Software -- not even Google software -- routinely pings Google without the most users' knowledge. Really, there is no escaping Google cookies on the Internet. (Unless, of course, one is willing to turn off cookies entirely, but have fun using the Internet without being able to log into any website!)
UPDATE: Boycotting certain companies on the Internet, for instance Google, is nearly impossible because of their multiple properties and pervasiveness. Besides operating Google web search, YouTube, Blogger, Orkut, Google+, Google Maps, Google News, etc., and the software they release: Chrome, Android, etc., they also run an advertising network that tracks you everywhere you go. Incidentally, the NSA piggybacks on this network to ID individuals. Almost every site but the largest and smallest run some kind of Google Analytics on their site. Software -- not even Google software -- routinely pings Google without the most users' knowledge. Really, there is no escaping Google cookies on the Internet. (Unless, of course, one is willing to turn off cookies entirely, but have fun using the Internet without being able to log into any website!)