How free is "free"?
Is the future really free?
It seems we've entered an age where there's a land-grab happening for personal data and attention time. Look at all the web start-ups backed by venture capital. They aren't investing out of philanthropy. There's value there. YouTube is "free" but Google paid over a billion dollars for it. Why?
Here's a hint: It's not about the Tube.
Chris Anderson's Wired article was quite bold in its proclamations:
You know this freaky land of free as the Web. A decade and a half into the great online experiment, the last debates over free versus pay online are ending. In 2007 The New York Times went free; this year, so will much of The Wall Street Journal. (The remaining fee-based parts, new owner Rupert Murdoch announced, will be "really special ... and, sorry to tell you, probably more expensive." This calls to mind one version of Stewart Brand's original aphorism from 1984: "Information wants to be free. Information also wants to be expensive ... That tension will not go away.")
Once a marketing gimmick, free has emerged as a full-fledged economy. Offering free music proved successful for Radiohead, Trent Reznor of Nine Inch Nails, and a swarm of other bands on MySpace that grasped the audience-building merits of zero. The fastest-growing parts of the gaming industry are ad-supported casual games online and free-to-try massively multiplayer online games. Virtually everything Google does is free to consumers, from Gmail to Picasa to GOOG-411.
The rise of "freeconomics" is being driven by the underlying technologies that power the Web. Just as Moore's law dictates that a unit of processing power halves in price every 18 months, the price of bandwidth and storage is dropping even faster. Which is to say, the trend lines that determine the cost of doing business online all point the same way: to zero.
One of the old jokes from the late-'90s bubble was that there are only two numbers on the Internet: infinity and zero. The first, at least as it applied to stock market valuations, proved false. But the second is alive and well. The Web has become the land of the free.
There ain't no such thing as a free lunch.
The idea behind this is that there's always some sort of exchange happening, even if it's not in cash. If I buy you lunch, I'm getting something out of it -- the pleasure of your company, a chance to boast or commiserate, an opportunity to share a new restaurant discovery, freedom from an otherwise mundane meal, relief from a spiritual debt acquired when you bought me lunch last week, whatever.
And yet when I buy you lunch, it does not imply that you now are entitled to inspect my purse, or peruse the messages in my iPhone, or rummage through my dresser. Those things are considered private to most of us, right?
Chris Anderson's entire perception of the "free" present and future seems to depend upon the assumption that not only our time and attention have no value, but that our privacy has no value ... that is, no value to us.
Those things certainly have value to the companies offering the "free" services.
Last year, Yahoo announced that Yahoo Mail, its free webmail service, would provide unlimited storage. Just in case that wasn't totally clear, that's "unlimited" as in "infinite." So the market price of online storage, at least for email, has now fallen to zero....
That's zero in cash. But just because you aren't forking over cash doesn't mean something is really free. With 'free' email, it may not cost you cash, what are you handing over otherwise? It may seem trivial enough, but you are paying for that mail in terms of having advertising rolled in front of your eyes, and in terms of handing over personally identifiable information that can then be leveraged, quantified and sold to others or leveraged in other ways.
It's now clear that practically everything Web technology touches starts down the path to gratis, at least as far as we consumers are concerned. Storage now joins bandwidth (YouTube: free) and processing power (Google: free) in the race to the bottom....
...Basic economics tells us that in a competitive market, price falls to the marginal cost. There's never been a more competitive market than the Internet, and every day the marginal cost of digital information comes closer to nothing.
This brings us back to the question, Why did Google pay 1.7 billion dollars for YouTube? Answer: It's not about the Tube, it's about You.
YouTube gets your information, your attention for advertising ... and all-media licensing rights to your video in perpetuity. Hardly free. And Google gives away search results information, but sells your attention to advertisers who get to hawk their wares on our search results. If you're like me, you consider this a fair trade-off to access the quality search results Google offers.
It may seem fair and trivial, but it's not free. And maybe that's an important thing to remember.
'Who' is on first
Consider that, for decades, television has been giving you "free" programming by selling a huge percentage of your time and attention watching it to advertisers. It's no secret that television advertisers pay big bucks for your attention. (And sometimes we may even appreciate it. Heck, for me the fun of the Super Bowl comes from the new, often very creative ad spots.)
YouTube also has your attention ... and much much more: If you are registered, YouTube also has your email address, your ISP info, your rough geographical location, a record of your viewing habits, and a fair sense of your tastes and how they match up with other YouTube members. That's a lot more information than your local television channel ever had.
Google bought Doubleclick for much the same reason: Data on your attention, and a structure to monetize it.
And so on down the line.
Obviously your privacy, your time and your attention have value -- big money value.
"Hang on a minute!" you say. "I like watching YouTube, so what's the big deal?"
Perhaps that's the real point: It's not a big deal. The price you pay may be small most of the time -- small to the point of practically nothing. It's not a big deal, it's a little deal. And with millions of subscribers and bazillions of views, those little deals do add up to beaucoup bucks.
So can we at least admit that "free" is not really free, even if it is really really cheap most of the time?
Are you opting out as much as you think?
So you realize how you are making an exchange, trading elements of your privacy and attention for some "free" services. Great.
So now you can take charge of your "free" web usage, and move into the future with a full awareness. Wonderful.
So you can opt out of any exchange that crosses the line according to your own valuations and judgments. Terrific!
But what if the exchange of your privacy for "free" services is not so obvious?
Consider Facebook. AP's Martha Irvine reports that privacy-conscious users aren't as private as they might think:
People often think Facebook profiles and sometimes MySpace pages, if they're set as private, are only available to friends or specific groups, such as a university, workplace, or even a city.
But that's not true if they use applications. On Facebook, for instance, applications can only be downloaded if a user checks a box allowing its developers to "know who I am and access my information," which means everything on a profile, except contact info. Given little thought, agreeing to the terms has become a matter of routine for the nearly 70 million Facebook users worldwide who use applications to spruce up their pages and to flirt, play and bond with friends online....
...So what do these third-parties do with the information? Sometimes, they use it to connect users with similar interests. Sometimes, they use it to target ads, based on demographics such as gender and age (something Facebook and MySpace also do)....
...But experts who track online security issues think there's too much personal information flying around out there, with few guarantees that it's safe. They also think social networkers have little understanding where their information goes and how it's used — and as a result, have a false sense of security.
"I suspect that there's a whole lot of clicking without a lot of thinking," says Mary Madden, a senior research specialist at the Pew Internet & American Life Project who studies privacy issues. "So much of this sharing happens in a way that users don't see the consequences. It's kind of a big, black hole."
Part of the risk stems from Facebook applications being created by anyone, some of them tech-related companies and others individuals with know-how. And they could be anywhere in the world....
...Some would argue that it's much like trusting an online vendor with your credit card information.
And of course there's Beacon. Facebook gives us "free" social networking, but sells the "beacon" of our purchasing behavior data. How palatable that is to members is more questionable. Obviously some "free" things are preferable to others.
Facebook scaled back Beacon after a lot of outcry, but the applications system remains largely unnoticed.
[I]t's an honor system, says Adrienne Felt, a computer science major at the University of Virginia....But, in the end, Felt says there's really nothing stopping them from matching profile information with public records. It also could be sold or stolen. And all of that could lead to serious matters such as identity theft.
"People seem to have this idea that, when you put something on the Internet, there should be some privacy model out there — that there's somebody out there that's enforcing good manners. But that's not true," Felt says.
Tread On Track Me
Diane Bartz of Reuters recently reported about a drive to create a "Do Not Track" list much akin to the "Do Not Call" list that was meant to prevent telemarketers from bothering people who don't want to be bothered.
In December, the FTC approved Google's purchase of advertising rival DoubleClick over the objections of some privacy groups.
At the same time, the agency urged advertisers to let computer users bar advertisers from collecting information on them, to provide "reasonable security" for any data and to collect data on health conditions or other sensitive issues only with the consumer's express consent.
In comments to the FTC on online behavioral advertising, advertisers made clear a strong preference for self-regulation rather than government dictates on how personal data are collected, what disclosures are made to computer users and how long the information is stored.
Consumer groups said on Tuesday they were skeptical of self-regulation.
"Self-policing schemes are not enough to protect consumers' privacy and offer no enforcement against improper behavior," said Chris Murray, senior counsel for Consumers Union, in a statement.
"While companies like Google are trying to put pretty good practices in place, we don't want to rely on the good graces of the companies because they might change their minds," he told Reuters in a telephone interview.
CNet's Anne Broache blogged about this:
Without a better way to get around those shortcomings, "we have...consumers and the FTC and industry agreeing on consumer choice and then no way to technically get there," said Peter Swire, an Ohio State University law professor and a former lead privacy counselor in the Clinton White House....
...A broad coalition of consumer and privacy advocates last fall called on the Federal Trade Commission to establish such a registry. The concept is this: Any advertising entity that sets a "persistent" cookie on a user's machine would be required to give the FTC the domain names of servers used to place it. Consumers would then be able to import that list of domain names and block them from tracking their Internet surfing behavior.
[AOL Chief Privacy Officer Jules] Polonetsky said that while he supports the concept, "I think the way to do it isn't a government place where your browser goes and gets stuff."
Instead, the former New York state legislator said, "the rule should be that whatever technology platform you're using should have no-brainer, easy-to-use labels that people know how to toggle to turn on or off the kinds of personalization, storing, whatever it is that that particular platform does."
Privacy advocates at Thursday's discussion weren't sold on the idea of self-regulation alone. Ultimately the responsibility to understand how their information is being used should not fall on consumers, but "on business to protect and safeguard consumers to whom they are providing these products," said Marc Rotenberg, director of the Electronic Privacy Information Center.
"The system is already in place, it's too late to turn it back," said Jeff Chester, director of the Center for Digital Democracy, which advocates for tighter privacy regulations on Internet companies. "We need real policy safeguards. The Congress and the FTC need to act."
When the privacy stakes are raised
It's one thing to weigh these issues in the domestic (which, in my case means American) context. There are complexities. As Americans, our two strongly held values of Fairness and Freedom (as in freedom of speech) come into conflict here. On the one hand, we don't want people to be abused by entities without accountability. On the other hand, we don't want Big Brother meddling with one of the sectors of our fragile economy that seems to still be going like gangbusters.
These same issues seem much clearer when it comes to other countries, other regimes, such as China, which as won cooperation from Yahoo, Google and others in censoring the internet to suit the Chinese government's policies. Rebecca McKinnon writes:
Many would agree that being a socially responsible Internet or telecommunications company requires respect for users’ rights to privacy and free expression, but there is great disagreement over how to accomplish this ideal.
She goes on about a case where Yahoo's cooperation led to the arrest of a dissident in China.
For two years after Yahoo’s role in Shi Tao’s case first came to light, the company’s public statements characterized the plight of Shi Tao and the three others as if they were acceptable collateral damage in the great task of bringing Internet information services to the Chinese people. Executives argued that the Chinese people were still better off in the long run thanks to Yahoo’s presence....
...Yahoo executives also argued that the company’s nose was legally clean on two fronts: Not only did employees respond to a legally binding written order; actions by Yahoo’s China-based employees were consistent with the user “terms of service” that Shi Tao and all other Yahoo email users agree to in order to create an account. In these terms the user promises not to use the email account to commit a list of actions, including “damaging public security, revealing state secrets, subverting state power, damaging national unity,” etc....
...But a legal victory would have been hollow because it would not have absolved Yahoo in the eyes of the human-rights community and socially responsible investors. They point out that Chinese law in this area contradicts international law–and that socially responsible companies have an obligation to do something more than participate in a “race to the bottom” as far as global practices on privacy and freedom of expression are concerned....
...With data privacy, things are much more clear cut: when user data is handed over a person can go to jail and his or her life is ruined or shortened. So what to do?
In the "freeconomy" picture Anderson paints, of course, there is no secret police ready to arrest you for buying that book about genital herpes or searching for websites about bankruptcy counseling.
But does that mean you have no interest at all in how that information about your supposedly private behavior is used and shared by other parties? Does that mean that your privacy has no value? Does that mean you can just "choose" not to use the Internet at all?
After all, do such uses of your private information really harm you in any way? How can you quantify it?
And if you can't quantify it, if you can't point to any real damages, then what can you do about it, anyway?
Judging the value of privacy
Lauren Gelman, Executive Director of Stanford Law School's Center for Internet and Society, writes of a recent DC Circuit court ruling:
holding that the federal Privacy Act's requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed'n of Gov't Employees v. Hawley, D.D.C., No. 07-00855, 3/31/08.
[T]he plaintiffs' alleged injury is not speculative nor dependent on any future event, such as a third party's misuse of the data, the court said. The court finds that plaintiffs have standing to bring their Privacy Act claim.
...I think this is a great decision that supports the belief that people's harm from a privacy loss is not just another's use of that information to cause financial loss (i.e. identity theft), but that emotional damages and embarrassment are cognizable harms of privacy violations.
Other lawsuits about privacy are hitting the courts. We seem to be reaching the point where companies' right to swing their information-gathering-and-sharing arms is starting to meet private citizens' right to not have their private elbows bumped.
And, last I checked, lawyers aren't free.
And this doesn't even get into cases relating to people's private information where the damages are much more apparent.
Back to McKinnon:
Meanwhile, the rest of us should not simply sit around and wait for our Internet and email service providers, Web-hosting services, and mobile-phone carriers to do the right thing on their own. Technology users around the world have an interest in joining together to insist that the products and services with which we increasingly entrust our careers, our beliefs and the most intimate parts of our lives, will not sell us out because they feel they have “no choice” since all their competitors are selling out their users too.
Who's identity is it, anyway?
The question I keep coming to is this: If the web is so distributed, why are people flocking to centralized management of their information (and in doing so trading away so much of their privacy)?
The answer, it seems to me, is that it's easy that way. GMail is easy. Google Calendar is easy. Connecting with friends via Facebook is easy.
But maybe the easy way is not always the best way. Maybe?
Adriana at Media Infuencer has written something of a manifesto on taking charge of one's own identity:
What I want is option (with set of tools) for individuals taking charge of their identities.* And on the web that starts with exercising sovereignty over my data. This alternative must be networked and not third party dependent or platform based....
...The key is in realising that authorisation and identity are related but separate.
Authentication is the act of establishing an identity - this is separate from the existing identity approach where the focus is on collection and disbursement of bits of data to do with someone. The cheap and cheerful explanation of this is that you can authenticate with a password (i.e. something that only you know). However, that password need not reveal anything about you/your identity. It just reveals that you are someone who knows the password. Therefore, authentication is free to be separate from identity. They are in separate but related domains. Have I mentioned that they are separate?
I owe this point to Alec who explains:
Traditionally authentication is one-or-more of three things.
- something you KNOW, e.g, you KNOW the password
- something you HAVE, e.g, you HAVE the door key,
- something you ARE, e.g, you ARE a 4-star general on an army base
The latter tends to be a bit weak, as authentication goes, in my experience it is prone to social hacking. Good authentication might be combining something like: KNOWING the password that UNLOCKS the certificate that you HAVE on the laptop, that permits a remote website to challenge you and get the response it expects, since it KNOWS that you have your certificate on your laptop....
In short, let me have a go at my identity myself, on my own terms, the web way, without intermediaries, ‘trusted’ parties and hierarchical non-direct ways. Locking me into new ‘better’ platforms, offering ’services’ to manage my meta-identity is like putting a band-aid on a gaping wound. Instead, give me tools, flexible and modular, to reclaim my digital personae, help me piece together my fractured identity. And then allow me to drive it forward with all of the benefits that it can bring me and to those I interact and transact with. Learn to live with the unpredictability and emergent juicy goodness that comes from my independence and lack of your control over me.
One approach to protecting privacy in some way draws from a fundamental tenet of basic object-oriented programming: That the data and logic to accessing that data are combined into an object; any other object or entity wanting to access that data engages the object as a whole, and gets what the object is 'willing' to give, under its own logic. This is in contrast to function-based programming, where any procedure or function can access the data by its own means.
(Programmers reading this: please be kind. I'm trying to over-simplify to make a point.)
The same approach can be handled for identity, with systems such as OpenID: Rather than managing identity through multiple sites that parse your information through their own individual functions, according to their own rules, your identity and access to it are managed as a unit -- an object.
You can use a verifiable identity token instead of a password that you may be using on a few dozen other sites. You can keep your profile information in one place, and share it according to your own terms.
It's just an idea, and in its infancy at that, and while it's seeing in-roads with adoption by Wordpress, Drupal and others, it's something that so far has been met with a bit of resistance from some of the major players who have found big money in the identity stakes.
But it seems clear that the way things have been going so far is not how we things will be going in the future. Change is a constant on the web, and that's all the more true in how we treat privacy.
When privacy is protected...
...does this threaten the "free" world of which Anderson writes? I don't think so.
In a guest post on ReadWriteWeb, Rick Hangartner writes:
Fifteen or so years into the evolution of the web, we already have many of the key ideas and technologies in place to start describing and sharing personal preference information - or what we might colloquially call "taste" - in order to personalize web experiences. So, why haven't we yet seen widespread adoption of web personalization? Mostly because user expectations and online business models haven't yet evolved to the point that user-controlled, ‘open taste’ sharing is a viable option.
For the more pragmatic: each time we make choices, we generate data which empirically describes our preferences. This is data that can be encapsulated and shared just like any other picture, blog post, video, or other piece of online content that we create; and which the DataPortability project is focused on.
A few ideas for open taste sharing
As a DataPortability use case, open taste sharing embodies and embraces the culture shift that the Web 2.0 movement represents. With regard to data ownership, the DataPortability concept has even more succinct expression: our tastes should be ours to share, or not. This puts the user in control of their online experience, so they can set the boundaries of how much they want to share and with whom.
Meanwhile, two new companies are offering to ISPs the service of tracking everything the ISPs' customers do, every website they visit, while claiming, counterintuitively (they admit), that their services actually improve the privacy of the users:
Phorm has agreements to work with the three largest Internet providers in Britain and will start operations there in the next few weeks. NebuAd says it is working with several smaller Internet providers in the United States that collectively serve 10 percent of the nation’s Internet users. Both companies are working hard to convince the large cable and phone companies in this country to join their systems. To do so, they must convince the Internet providers that they will not be offending their customers.
“Consumer acceptance is key to our progress,” Mr. Dykes said.
Of course, this "service" is "free" to the consumers, so why should you complain, right?
[This is cross-posted on BlogHer.]