Tech firms rip NSA but use same data-mining tactics

Google, Facebook and other Internet companies that have expressed outrage over the National Security Agency intercepting their users' data, pioneered mining information about customers, sometimes without their knowledge. Yet some privacy experts argue that these same companies have not been transparent with their customers about how user data are tracked and used.

Whether it's Google's Android smartphone, Apple's iPhone, Yahoo Inc.'s Internet search engine or Facebook's social media website, Silicon Valley now relies on capturing and analyzing information about users' Internet habits, locations and social media postings, some of the very information the NSA gathers. The companies profit by sending people information about products they're most likely to buy.

Companies such as Yahoo have said the NSA programs will lead to country-by-country Internet rules and damage their prospects abroad. The indignation isn't credible when the companies make money from their users' data, said Jeffrey Chester, executive director of the Center for Digital Democracy in Washington.

"They're the biggest bunch of hypocrites on the planet," Chester said. "It's a brilliant PR move on their part that they've been able to shift the focus away from themselves and point to the government as creating a privacy problem."

Each piece of data a person shares online has measurable value to the companies that collect it and marketing firms that use it, helping to build an industry that generated $156 billion in revenue in 2012, according to the Direct Marketing Association. That's more than twice the size of the budget for U.S. intelligence agencies.

Facebook, Google, Apple and Yahoo were among 15 technology companies that asked President Obama Dec. 17 to restrain spy programs exposed by former NSA contractor Edward Snowden and let them disclose the extent of government prying into their data. The agency has defended its data gathering as essential to national security.

The NSA has tapped fiber-optic cables abroad to siphon data from Google and Yahoo, circumvented or cracked encryption, and covertly introduced weaknesses and back doors into coding, according to reports in the Washington Post, the New York Times and the Guardian newspaper based on documents leaked by Snowden.

Business strategy

The technology companies' response to those reports revolves around a business calculation: Information they receive for free from users has a tangible value, because targeted advertising sells more products. They risk receiving less information if users move elsewhere.

A presidential review panel agreed this month with the companies' assertions that the secrecy may cost them business if users think their communications aren't secure.

"Data is one of the most important assets that these companies have, and companies protect their assets zealously," said Jim Brock, a former Yahoo executive and co-creator of PrivacyFix, a program that monitors Internet tracking.

A user's value

PrivacyFix users get real-time estimates of the monetary value of the personal data they share, derived from factors such as the number of searches they've performed on Google or the number of "likes" and photos they've posted on Facebook.

For Facebook users, the least anyone can be worth is $1.65. That value may correspond to a male user outside the U.S., Asia or Europe, who has few friends and posts infrequently, according to PrivacyFix calculations.

The most a user could be worth is $27.62, which corresponds to a female user from the U.S. who has more than 250 friends and posts more than 150 times a month. Facebook has around 1.2 billion users.

"It's very healthy for people to understand that their data has value and this value exchange is a two-way street," Brock said.

The hundreds of millions of people who have accounts with Apple generate $95 of free cash flow per person for the company, significantly more than users of Facebook, Amazon.com and eBay, Morgan Stanley analyst Katy Huberty wrote in a research note in June.

Some data collection happens with users' explicit awareness, given in such tasks as signing up for a Gmail account or clicking on an ad in Facebook.

It also occurs in indirect ways, such as viewing pages on websites that have no advertised connection to Internet companies, yet share data on users' habits with them through profit-sharing marketing arrangements.

The use of tracking cookies - small bits of computer code that are implanted in people's Internet browsers when they visit a website - allows companies to continuously update dossiers of users' behavior, even when they're not on the companies' own websites or not logged in to the services.

While Google makes more money from ads on its own sites - because there's no one to share the profits with - ads on the Google Network of affiliate sites brought in $12.5 billion in 2012, 29 percent of the company's ad revenue, according to its latest annual report.

The tracking is difficult to stop. While clearing all cookies from a browser is easy, they're placed again the next time the user logs in to a service such as Google or Facebook or visits sites affiliated with them.

Many websites require Internet users to have cookies enabled to access their pages. "One cannot really opt out," Chester said. "Are you going to use the highway or rely on dirt roads?"

The companies say their privacy policies tell users what data is collected and how it's used. They say they allow users to opt out from being tracked by disabling cookies that monitor websites viewed.

Uninformed choices

Studies published this year and last year by researchers at Carnegie Mellon University in Pittsburgh found that users may not be considering all privacy implications when they download applications on their smartphones.

"Alarmingly, we find that people are unaware of the security risks associated with mobile apps and believe that app marketplaces test and reject applications," according to one of the studies.

The value of the data transcends what the Internet companies by themselves can do with it.

Making matches

Acxiom Corp., a data brokerage company based in Arkansas, works with companies including Facebook to match user data with offline information such as retail loyalty-card purchases, to analyze ads' effectiveness.

"Large technology firms are a key client industry for Acxiom," Jennifer Barrett Glasgow, global privacy and public policy executive for the company, said in an e-mail. "We sell them our products and services and partner to help advertisers place ads on their sites, but we don't get any of their data for our own use."

Glasgow said she takes issue with accusations that the technology companies erode privacy.

"Tech companies work very hard at offering consumers all kinds of choices to satisfy all views on privacy, not just the most conservative," she said.

Consumers probably have little understanding about how their information is used by data brokerages like Acxiom, said Adi Kamdar, a privacy activist with the digital rights group Electronic Frontier Foundation in San Francisco.

"Data aggregators have large profiles of individuals, and yet consumers have no idea they exist," Kamdar said.

The NSA revelations have presented an opportunity for privacy watchdogs to push for changes in how consumers' data are used, said Chris Jay Hoofnagle, director of information privacy programs at the Berkeley Center for Law and Technology.

The Federal Trade Commission should be more aggressive in monitoring whether companies are complying with their privacy policies, and fining or taking other action against those that don't, Kamdar said.

"Strategically, the privacy advocates can get a great deal done when consumer privacy interests align with the agenda of businesses," Hoofnagle wrote in an e-mail. "That said, the underlying motivation of the Silicon Valley companies is to protect the Internet from feeling creepy."