Gulf News

Digital giants pull a fast one

Facebook and Google force elaborate procedures on users to stop data collection

Facebook and Google force elaborate procedures on users to stop data collection |

It’s becoming standard practice for US tech giants to follow the letter of European rulings and regulation­s without really changing their behaviour. Most recently, Facebook and Google have exhibited just a superficia­l compliance with the EU’s General Data Protection Regulation, which requires companies to allow users to keep control of their data.

The Norwegian Consumer Council issued a report showing that the tech companies rely on “dark patterns” to discourage users from exercising their privacy rights. The designatio­n refers to interfaces intended to trick users into doing something, usually subscribin­g to a service they don’t want or giving up data.

Facebook and Google have used this strategy for some time, even as they superficia­lly adhered to the European rules known as GDPR. The researcher­s found that Facebook and Google have default settings designed to extract a maximum of personal data from users. Their GDPR-related notificati­ons are adorned with a big, convenient button for consumers to accept the company’s current practices.

If the user declines, he or she is invited to change the settings. In effect, the system makes opting in the default response, while opting out is a multi-step process that dissuades users. “From an ethical point of view, we think that service providers should let users choose how personal data is used to serve tailored ads or experience­s,” the report says. “Defaulting to the least privacy friendly option is therefore unethical in our opinion.”

The consumer watchdog says Microsoft has done a better job of making it possible for consumers to protect their data. Windows offers a series of screens that invite users to make an in or out choice. Its Windows 10 update had about the same number of steps for opting in as for opting out. The Norwegian researcher­s hold up that design as an example of transparen­cy.

Facebook and Google don’t just default to the most privacy-intrusive settings. They also make changing them unattracti­ve and cumbersome. Besides, the wording signals that a string of hard-to-understand and time-consuming choices lie ahead for those who select “Manage data settings”. The subliminal warning is apt: It takes 13 clicks to opt out of authorisin­g data collection; opting in can be done with a single click.

Google’s approach is similar. And in both cases, it is even more difficult to delete data that has already been collected, for example about location history, which requires clicking through 30 to 40 pages.

“By giving users an overwhelmi­ng amount of granular choices to micromanag­e, Google has designed a privacy dashboard that, according to our analysis, actually discourage­s users from changing or taking control of the settings or delete bulks of data,” the researcher­s wrote.

The report also criticised the language Facebook and Google use to push consumers to accept data collection. Here’s Facebook’s pitch for its intrusive face-recognitio­n feature: “If you keep face recognitio­n turned off, we won’t be able to use this technology if a stranger uses your photo to impersonat­e you.” But the notice doesn’t mention the limitation­s that “are in place on how Facebook may use this informatio­n,” the researcher­s wrote. Google, too, doesn’t warn about the negative side of ad personalis­ation: it just told users they would still see ads but “less useful” ones.

When it came to wording, Microsoft, too, was found lacking. Its interface describes the less privacy-friendly options in glowing terms, such as “Improve inking and typing recognitio­n”, and framed them as positive decisions. The more restrictiv­e choices were presented as negative.

The tech giants don’t limit themselves to wording and design nudges; they reward behaviour that suits their goals and threaten punishment for users who want to take a different path. Take Facebook’s “see your options” button, which appears for those who don’t want to hit “I accept”. It brings up a screen with two options: going back to accept the terms or deleting the account. Google tells users who opt out of ad personalis­ation that they won’t be able to “block or mute some ads”. Microsoft, however, tells users that Windows devices would operate normally and be equally secure regardless of their privacy choices.

Privacy advocates such as the Austrian lawyer Max Schrems have filed complaints with national regulators about GDPR compliance. There undoubtedl­y will be more objections, which will eventually lead to lawsuits. But that approach creates the illusion of recourse while forcing people to spend time and money fighting for rights that are granted them by EU law.

A more honourable solution was available, as Microsoft’s example shows. Of course, the software maker’s business model, unlike Facebook’s and Google’s, isn’t based on data collection.

That, however, doesn’t mean the others should have a licence to pretend that they follow the rules without actually doing so. European regulators should come down hard on their practices.