Anyone who listens to my podcast contributions is probably sick of hearing me repeat the mantra to follow the money. If you want to evaluate whether or not a given product or services is likely to present a privacy risk, you need to start by figuring out how it’s financed. Why? Because the financing sets up the incentives that will ultimately drive the provider’s behaviour. You’ll generally have a good experience with a product or service when the provider’s incentives align with your best interests, and conversely, things will almost certainly go south when the provider’s incentives are opposed to your best interests.

When you pay for a product or service things are usually straight forward â€” you are the customer, so the provider is incentivised to keep you happy so you’ll keep giving them your money. Things can of course go sour even with paid products or services when the price you pay is below the economic cost of the product or service (e.g. Amazon & Google smart speakers and TV dongles), or, when the market isn’t free, and you’re locked in to a single provider in some way (e.g. broadband in the US). But still, most of the time, if you’re both the user and the customer, your privacy is unlikely to be exploited.

Where things tend to get more complicated is when we’re not paying for products or services with money. That’s when you really need to pay close attention!

We very rarely get physical things for free, so in this post I’m only concerned with online services that are financially free to use.

We need to start by acknowledging the obvious fact that it costs money to run any online service, so if you’re not paying into the pot, someone else must be. Who ever that is, that’s who the people running the service are incentivised to keep happy. In other words, the service provider is strongly incentivised to align their actions with the interests of the people who pay them. When you figure out who that is, you can usually figure out the incentives, and whether or not they align with your best interests.

Remember, sooner or later, quickly or slowly, every organisation eventually follows the incentives acting on it. Incentives might not be fast-acting, but they are relentless, so movement is inevitable!

I want to suggest four simple categories you can group online services providers into to help you figure out the incentives at play, and whether or not they align with your best interests â€” free, freemium, free-for-now, and what I’ve decided to call freepi (pronounced like creepy). Yes, it will be an over-simplification, but that doesn’t mean it can’t be a useful lens to look at the world through. The real world may be messy and complex, but most things still approximate our crude categorisations!

Free

Let’s start with the easy stuff â€” the free business model. You don’t pay for the service in any way; not financially, not with your attention, and not with your data. The provider is not trying to sell you anything. Some services are genuinely totally free. How? They are provided by charitable foundations of some kind. These services are funded by endowments or donations, and their incentives are usually very easy to understand â€” charitable foundations strive to fulfil their mission statement. If you agree with a charity’s mission, then the chances are good that their incentives line up with your best interests.

Don’t confuse this to mean that all services provided by charitable foundations of any kind are fine to use. If you find a charity’s mission to be odious, then their incentives and your best interests don’t align, so you shouldn’t use their services!

My favourite examples of this model are Wikipedia provided by the Wikimedia Foundation, and the FireFox browser provided by the Mozilla Foundation.

Freemium

Another simple to understand model is the so-called Freemium model. This is where a for-profit company provides a tiered service where the higher-end tiers cost money, and the lower end ones are free to use. You can generally sub-divide freemium services into two groups â€“ those that try to attract you to the premium options, and those that try to drive you away from the free options.

If you want to be crude, there is good freemium, and evil freemium!

Evil freemium makes the free tiers somehow so obnoxious that you’ll feel compelled to upgrade. Games that can’t be won without paying would be the perfect example of evil freemium.

On the other hand, giving people a basic service for free can be very positive. As a company it gets people using your service, evangelising it to their friends, and suggesting it to their bosses. If a company chooses this route they are strongly incentivised to treat their free users with respect and not abuse them in any way. They want their free users to fall in love with the product or service so they’ll happily upgrade to a paid tier. If enough users choose to pay, there shouldn’t be financial pressure on the company to turn evil, so the service should be safe to use.

DropBox and GitHub are examples of this model working well.

Free-for-now

A very common Silicon Valley business model is to use venture or angel capital to intentionally run a service at a loss to attract as many users as possible, and then, to turn around and sell the company. Services like this are basically ticking time-bombs. The short-term incentives definitely align with your interests, but the long-term incentives probably don’t. Until the company sells, they are very strongly incentivised to keep their users happy, so they’re not likely to do evil things. However, once they sell, the new owners need to re-coup their investment, so they need to monetise all those users that were enticed in while the service was free. In theory they could do that by moving to a good or evil freemium model, but in reality that rarely happens. Why? Because humans hate paying for anything that was once free! A demand for money suddenly springing up out of nowhere sets off our inner injustice detectors and we recoil. That is of course utterly irrational, but hey, we’re only human!

What’s left then? Simple â€” if users won’t pay with their money they’ll pay with their privacy! The new owners will most probably either sell their users attention to advertisers (using as much profiling as they can), or they’ll simply sell their users data directly to any data brokers who’ll pay. In fact, they’ll most probably choose to do both!

If I discover that a service is running with massive operating losses and no viable business model on the horizon, I steer clear. Companies like this are almost certainly free-for-now, and things will almost inevitably go sour soon.

Instagram and WhatsApp serve as the perfect cautionary tales and illustrate the dangers of the free-for-now model.

Freepi (Rhymes with Creepy)

Yes, I just made that word up! Let me explain. The free part is obvious, so what’s the pi? Personal Information.

If a service is not run by a charitable foundation, is not freemium, and is not free-for-now, then it must be somehow profiting off your personal information. We’re basically in Sherlock Holmes territory here â€” we’ve ruled everything else out, so the only remaining option is user exploitation.

You should be particularly suspicious of financially free services run by for-profit companies that are turning a tidy annual profit. They have clearly figured out how to monetise their users, but the money is not coming directly form those users. This means that something about those users must be being sold to someone to earn all that cash!

In this case the users are not the customers. Who ever the customers are, it’s their best interests that the company is strongly incentivised to serve. That means the users’ interests are a secondary concern at best. Companies in this situation don’t have to keep their users happy, they just have to make sure they’re not so unhappy they actually leave. The more locked in the users feel, the further they can be pushed.

It is possible for for-profit companies offering free services to do so without invading their users privacy, but it’s rare. Why? Because there’s generally more profit to be had by exploiting user’s privacy in some way.

One of the rare positive examples is the privacy-protecting search engine DuckDuckGo. You might expect it to be run by a charitable foundation like the Wikimedia foundation or Let’s Encrypt, but it’s not. DuckDuckGo is run by a for-profit company that actually has a sustainable business model. How? They sell ads, but against search terms rather than user profiles. You don’t need to profile me to know what ad to serve me when I search for “USB C to USB A adaptor”!

This benevolent advertising model only works when there’s enough inherent context to allow ads to be meaningfully targeted without resorting to user profiling. Search engines obviously have huge amounts of context, but so do domain-specific news/magazine sites. Print magazines can sell ads without any ability to spy on users, how? Simple, it’s down to the inherent context provided by the magazine’s contents. If you want to sell telescopes, advertise in an astronomy magazine or on an Astronomy news website!

Sadly, here in the real world, most companies that derive a profit from a service that’s free to use choose another path â€” to a lesser or greater extent, they choose to monetise their users data at the cost of their privacy. It really does come down to selling user attention and user profiles to advertisers and/or data brokers.

The reason you need to be wary of ads is that the more detailed a profile the company selling the ad has of you, the more they can charge for your attention. This is why companies like Google and Facebook have become so expert at deducing things about us all, and have gone out of their way to track our every move in every way they can. Companies like Facebook and Google don’t just track you on their sites, they follow you around the internet as best they can, and they even follow you into the physical world when ever possible. Every time you see one of these company’s buttons on a web page you are being tracked. Many apps silently sell data on your activities to these companies without telling you, and these companies even partner with financial institutions and retail companies when ever they can so they can track you in meet-space too. And it gets even worse â€” logging out doesn’t help, because even choosing not to have an account on these services doesn’t stop them tracking you. Companies like Facebook keep and build detailed profiles of everyone based on any identifiers they can get their hands on â€” email addresses, phone numbers, credit card numbers, usernames, what ever! At first your data exists as disconnected shards, but over time the clues add up and the shards can be connected, building an ever more detailed profile of you.

Avoid the Creepy Freepi Companies!

Bottom line, the companies I worry about are the ones that are successfully making a profit with a business model built on monetising their users profiles and data. I find these companies creepy, so I steer clear of them as much as I practically can, and from now on, I’m going to start referring to them all as freepi, and I hope you will too!