US FTC: User data is an open book. Platform providers prioritize profit over privacy

Sponsor ad - 728w x 90h (at 72 dpi)

In September 2024, the FTC released a report with analysis and the conclusion that there is an “inherent tension between business models that rely on the collection of user data and the protection of user privacy….

“(and) … Until a law requires (them) to implement strong privacy practices many companies may continue to present a pretense of privacy-focused practices while collecting and using as much data as possible in ways that result in financial returns for the corporate entity at the expense of consumers’ privacy.”

Sponsor ad

In December 2020, the US Federal Trade Commission ordered nine social media and video streaming services companies to report to the FTC about their collection, use and presentation of personal information, their advertising and user engagement practices, and how their practices affect children and teens.

Amazon.com, Inc., ByteDance Ltd., which operates the short video service TikTok, Discord Inc., Facebook, Inc., Reddit, Inc., Snap Inc., Twitter, Inc., WhatsApp Inc., and YouTube LLC. had been given 45 days from the date they received the order to respond.

Summary of practices

Nearly all companies reported applying algorithms, data analytics, or AI to personal information or demographic information in one fashion or another, including targeted advertising, to conduct research, to aid in content discovery, make content recommendations and to optimize user engagement.

“Most of the companies reported that “they used algorithms, data analytics, or AI to infer information about individuals, infer characteristics and demographic information such as age and date of birth, gender, location, familial status, family relationships, and other categories such as language.

“Some of the Companies appeared to have inferred other detailed categories…such as: education level; relationship or marital status; parental status and age range of children (such as “New Parents,” “Parents with toddlers,” or “parents with teenagers”); household income percentile; locations visited; homeownership; employment; or industry. Some Companies referenced vague or broad categories, including categories described as “Employment; Household; and Other lifestyle details.” At least one (respondent) inferred interests … based on data it received from third-party companies that created or supplied advertising audiences.”

Most of the companies also gather device and usage data, including a user’s activities on the platform, including a user’s messages and conversations, a user’s offline activities, and viewership history,”  Device characteristics collected include device ID, IP address, browser cookie IDs, browser settings, device metadata (such as screen size) and location information.

“Once sent to a digital advertising service, advertisers could use this offline data to build and customize audiences for targeted advertising on the platform, such as to build custom or lookalike audiences, and at least one (service) said that this data was used to train its advertising algorithms.”

Other uses cited in the FTC report include the use of data to inform company business strategies and product decisions.

Inputs and Outputs of companies’ use of algorithms, data analytics, or AI. Source: A Look Behind the Screens (Report). US Federal Trade Commission 2024

Yet, (with one exception) there is no universal way to opt-in or opt-out.  Users likely don’t know, don’t understand and can’t control the collection and uses of their data. Nor are they given ways to “know of…fix, address, or correct automated decisions about htem which were inaccurate or based on flawed conclusions or errors based on inferred details like consumer life patterns and personal relationships.

Lax oversight

Approaches to monitoring algorithms, data analytics and AI, “such as their monitoring and testing for bias, reliability, and accuracy,” differed from company to company. Only some companies had dedicated AI-specific teams, and oversight structures varied between companies.  Some companies reported limited human review or “gave vague descriptions of the role of human reviewers.”

Summary of conclusions

The FTC report concludes that companies rely heavily on the use of personal information by algorithms, data analytics or AI to power their platforms.  Companies fed extensive amounts of personal information into their automated systems, much of which is collected from sources other than directly from users, such as from data brokers

The use of this data raises privacy and other concerns such as risk to consumers’ civil rights and discrimination.  Systems run the risk of making inferences about individuals, such as assigning them to sensitive demographic categories.

The report also found that while companies generally restricted children from creating accounts and afforded some protections, the algorithms, data analytics, or AI that favor engagement can have negative mental health consequences for children and teens.

Recommendations

The report offers advice to policymakers and companies, meant to inform decisions about legislation and business practices.  These inclue

Nothing to see here

When  The Washington Post asked platform providers to comment on the findings, Discord’s head of US and Canada public policy said the report “…might confuse consumers and portray some platforms, like Discord, inaccurately.” Google said that it places restrictions on ads and personalization for minors.  Meta and Snap had no immediate comment, and X (former Twitter) said it has “made tremendous strides in protecting users’ safety.”

Phishing and worse, made easy

Social media platforms make their data repositories available for advertisers and app developers through APIs (application programming interfaces) to enable automated processes to leverage in targeted advertising campaigns.  App developers leveraging this data are subject to the data usage policies by the platform providers, and by Apple and Google as the operating system providers for devices used by consumers who are targeted by ad campaigns.

Still, it is possible for data to be used for illicit purposes by malicious actors, to conduct phishing campaigns that in turn can plant malware or malicious advertising on to consumer devices without their knowledge.

Not to mention the use of personal data to construct personnas that can be targeted by political influence campaigns, such as in the Cambridge Analytica campaign which used Facebook data to target individual voters prior to the 2016 US presidential election.

Stark contrast vs European practices

US data practices stand in stark contrast with European standards, including the General Data Protection Regulation (GDPR) and the EU’s Digital Services and Digital Markets acts.  GDPR mandates that data collection must have purpose and must be legal under GDPR’s definition of ‘legal.’  Collection must also respect individual rights, including that individuals know what is being collected, how it is being used, and why.

Under GDPR, ‘data controllers’ (e.g. services that collect personal data) are responsible for the data: they must report breaches within 72 hours and can’t blame their suppliers on breaches. Organizations that violate these terms may be fined up to the higher amount of 4% of their global sales or 20 million Euros.

The Digital Services Act complements GDPR by banning misleading practices and types of targeted advertising, to minimize attempts at manipulating users.  The Digital Markets Act places obligations on digital platforms to ensure that ‘gatekeepers’ (e.g. online service providers) not use consumer data for targeted advertising without explicit consumer permission, not interfere with consumers that want to uninstall pre-loaded software, or ban consumers from using third party app stores.

Further reading

A look behind the scenes: Examining the data practices of social media and video streaming services. 129-page staff report (PDF). September 2024. US Federal Trade Commission.

FTC staff report finds large social media and video streaming companies have engaged in vast surveillance of users with lax privacy controls and inadequate safeguards for kids and teens.  Press release (about the report). September 19, 2024. US Federal Trade Commission

FTC issues orders to nine social media and video streaming services seeking data about how they collect, use, and present information. Press release (about the 2020 order by the FTC). December 14, 2020. US Federal Trade Commission

American Privacy Rights bill introduced to US Congress: a GDPR it isn’t.  Article. April 12, 2024. by Steven Hawley, Piracy Monitor

GDPR Summary: the summary of what you need to know about data privacy and the EU General Data Protection Regulation. Web site. Accessed Sept 20, 2024. GDPR Summary (org)

EU passes Digital Services and Digital Markets acts; misses on live piracy.  Article. July 5, 2022. by Steven Hawley. Piracy Monitor

Why it matters

While the report’s analysis and conclusions are breathtaking to see collected in one place, they are no surprise.

In the United States, individual users are “opted in” to data collection and sharing by social media and streaming platforms; a long-held standard practice for American marketers.  Privacy terms are opaque and are often difficult for the average lay-person to understand, and to opt out, consumers are often asked to write a letter, on paper, and send it to the platform provider, with no convenient way to do so in their Web and mobile app settings.

In Piracy Monitor’s opinion, these defaults should be reversed.  Instead of notifying individuals that their data is being collected and can opt out, consumers should be notified of the nature of any data that these platforms collect and why, and be given the opportunity to opt in, which is the position taken in Europe.  The draft A.P.R.A. recognizes that marketers must clearly present ways to opt out entirely or if there are multiple opt-out options, then partially as well.

The FTC report simply underscores that the issue is languishing, despite lofty promises and bills that get tabled by Congress.

From our Sponsors