Time to pay for privacy?

Google has been in the news again, this time for changes to its privacy practices, which involved consolidating around 60 statements into one to cover all of Google’s services, including Search, Plus, Gmail, Docs etc. Google claim this was done to simplify the user experience and thus to satisfy demands from regulators who were unhappy about the fractured privacy controls within Google’s services. The move is perhaps the biggest single change in privacy management that the Internet giant has yet implemented, and it seems unlikely that such a change was made without careful consideration of the associated legal and commercial implications. So whatever Google has in mind, they know what they want to achieve. What does it really mean for everyone else?

As Robin points out, one of our key problems is that Google seem to have deliberately conflated ‘privacy policy statement’ and ‘privacy policy’: they have not only changed the way that they inform users of how they manage personal information, but they have made a major material change to how they go about that management. Specifically, Google’s consolidation approach has resulted in a new policy that they will, if they choose, use personal information gathered across all services. Their policy now permits them to mine data across all of a user’s services in order to simplify services, tailor the user experience and facilitate sharing and collaboration – or that’s how Google is pitching it anyway; a user might feel that the change permits Google to mine their browsing, networking, mail, documents, shopping and pretty much any aspect of their online experience, in order to force them towards Google’s paying advertising customers. The Twitterati were up in arms about the change, and many people took the opportunity to delete their browsing histories before Google had the opportunity to start cross-referencing those against their other online activities.

Of course it’s not just Google’s web activities, or even just Google that is the problem. Facebook continues to attract criticism for privacy policies that seem to be in constant flux. Google’s Android and Apple’s iOS platforms have been criticised for mining users’ photos and address books through seemingly innocuous apps and for bizarre or obfuscated purposes. What’s causing the upset here is not so much what Google have done, but their dominance in our online lives. In a more fragmented market, such as retail or banking, if a company does something that upsets their customers, then those customers have the ability to terminate the relationship and to move to alternative providers. If sufficient customers do so, then the company takes a hit to its bottom line and changes its ways. But Google and Facebook in particular have achieved a dominance in our online world that makes it very difficult to avoid them. Users who choose to avoid Google find themselves marginalised and forced to use disjointed services from a range of providers. Those who opt out of Facebook (or any other social network for that matter) are left without networks that others enjoy. Opting out is not an option for many.

Our problem is not Google, or Facebook, or privacy legislation, or market regulation, or a lack of user-centricity in system implementations. Our problem is the underlying commercial model whereby we expect to receive these services for free. These companies deliver previously unimaginable richness of interaction without charging us a penny in cash for the experience. A substantial amount of data mining is essential if they are to create that richness, but the root cause for our lack of control over that mining is the fact that we’re the product, not the customer. The money flows in from the advertisers and affiliates, but as providers fight to meet shareholder expectations for revenues they are having to push harder and harder for our data, and take increasing risks with our privacy to produce the profits.

So what’s to be done? We can’t put the genie back in the bottle: our data is out there, and it’s not going to disappear from the interwebs in a hurry. There’s no point in speculating about breaking up Google’s control over the online world. It also seems improbable that competing systems with different business models will emerge in the near future; for example, the Vendor Relationship Management (VRM) approach championed by the likes of Mydex clearly has the potential to address the problem, but it’s still a long way from gaining the sort of momentum that will shake the big players. What we really need is a way to pay Google, Facebook et al for their services using hard cash instead of personal data. For example, if I could pay a small monthly fee to guarantee that an Android phone would never mine my data, and would in fact create a ‘walled garden’ environment to protect my privacy, then my iPhone would be up on eBay in a flash. If Facebook offered me an enhanced private service with proper granular privacy controls and a certainty that my usage and relationships will never be analysed by them or a third-party app unless I expressly consent, then they’d get my monthly payment.

But a step such as that will require these companies to expose the dark heart of their business models, and that will not happen in the current economic climate. If they admit each customer is worth on average, say, £20 p.a. to them, then all those who don’t pay up will be demanding to be paid for their data. If they admit each customer is worth, on average, say, £2 p.a. to them, then their shareholders will be howling at their grossly inflated market capitalisations. Reputation businesses such as Klout exist to help these companies to assign a value to individual users, but being told your friend’s data might be worth £10 p.a. to Facebook, but yours isn’t worth £1 is hardly going to curry favour with Facebook’s users. The providers can’t win if they go down this route, at least not until a price point is found that satisfies consumers and shareholders alike, or a disruptive new venture enters the market and forces their hand.

So that’s the challenge for the market, and in particular for VRM providers: if we want privacy *and* open data *and* free services, we need a way to make that more attractive to the major incumbents than their current business models. They need to see that they can make privacy pay without jeopardising existing revenues. And we all need to get ready to pay for our privacy.