Millions of Americans, sheltering in their homes from the coronavirus, have turned to communications platforms like Zoom, Google Hangouts and Facebook Messenger in order to work or stay connected to friends and family. Free and easy to use, the services are gobbling up record numbers of new users.
But there’s a saying in Silicon Valley: If the product is free, you are the product.
This is not business as usual, though. Americans aren’t willingly surrendering their online identities during this pandemic — many are being compelled to do so by their schools, family or work. Just as a swath of manufacturers are switching their production lines to ventilator and mask production for the greater good, corporations that normally view every new registered user as a data point to exploit need to take a pause on profiting from online data harvesting.
For those fortunate enough to have laptops and reliable broadband internet at home, it is not sufficient to simply update privacy policies or customer agreements. Americans need a guarantee that conversations held over video chat won’t be data collection events.
The videoconferencing company Zoom has been a standout brand of the pandemic, in part because its daily user numbers ballooned to 200 million in March from 10 million last year, making it one of the few buoyant stocks amid the recent sell-off.
New York State’s attorney general started an investigation into Zoom, calling on it to proactively beef up security measures, rather than just in response to negative press reports about lapses in privacy protection. And the F.B.I. warned that Zoom was susceptible to a form of digital hijacking known as “Zoombombing” following incidents where hackers joined online meetings to harass participants with racist or graphic taunts, raising the specter that personal user data might be vulnerable, too.
The New York Times also found that Zoom displayed some data from people’s LinkedIn profiles without their permission, a flaw Zoom says it has fixed.
Zoom’s chief executive, Eric Yuan, apologized for the lax security practices, including the transfer of customer data en masse to Facebook, reported by Motherboard. The company said it was halting new feature releases for three months to focus on security.
Skittish about risks to the privacy of their students, a number of school districts, including those in New York City, Pittsburgh and Clark County, Nev., home of Las Vegas, won’t allow classes to be conducted over Zoom, further interrupting the already bumpy launch of virtual learning. Officials said they were concerned that default settings allow for heightened data gathering and that parents may not have the tech savvy to disable such features.
Jeff Ericson, a father of two students in Pittsburgh, said he’d grudgingly agree to whatever terms Microsoft sets for use of its video software in the district. “Like anybody, I care about my kids’ privacy, but I also don’t want them missing out on any more time with their teacher, so what choice do I have really?” he said.
Technology companies see an opportunity in this crisis. Verily, a division of Google’s parent company, requires a Google account to find and arrange coronavirus testing and says it may share your personal health information with contractors, government agencies and other outside parties.
Video-chat tools like Zoom and Microsoft Teams are stirring concerns that they may be using data vacuuming technologies on the most vulnerable. Schools and businesses that now rely on such services often give people no choice but to accept their terms of service.
Harried parents seeking a remedy for their kids’ isolation could be forgiven for not poring over book-length privacy policies before connecting them with grandparents on video chat or entertaining them with a few hours of streaming YouTube videos.
Elizabeth Johnson, a lawyer in North Carolina who specializes in data privacy, is at a loss for a solution when her two children, ages 10 and 12, want to use videoconferencing services that she knows will harvest their data. “I have no idea what to do about it,” said Ms. Johnson. “Staying in school now is more important than an amorphous future where companies have made inferences about my children as online consumers.”
Time and again, corporations have shown that, for them, the value of huge data stores that can inform advertisers or their own product development trumps any potential embarrassment over how it was compiled. Smart home speakers record our private conversations, and smartphones track users with distressingly accurate precision.
A recent study from researchers at Northeastern University and Imperial College London found that smart speakers from Google, Apple and Amazon can accidentally activate as many as 19 times daily and record snippets of more than 40 seconds without users knowing.
Not content with having millions of Americans forced onto their platforms for work or pleasure, the tech industry is also using the pandemic as an excuse to seek the rollback of the modest privacy protections that exist.
In January, millions of Americans got the opportunity for the first time to request a detailed readout of the personal dossiers that multinational companies collect and to compel those businesses to no longer sell their data, thanks to the landmark California Consumer Privacy Act.
The results were eye-popping. The law helped expose the extent of corporations’ data collection, including logs of every tap on a Kindle e-reader, detailed credit card data, email addresses, complete lists of past purchases and inferences about customer preferences, like which movies they are most likely to watch.
Yet, as the pandemic bore down on the United States, a coalition of trade groups petitioned California’s attorney general, Xavier Becerra, to delay enforcement of the privacy law until next year. If a delay is granted, corporations will be reprieved from requirements that include disclosing personal information they collect about Californians. (The attorney general’s office has taken no action.)
Instead of trying to worm out of privacy regulations, companies providing critical connectivity services should apply that energy to limiting data collection during the national emergency to only what they need to operate and to give additional reassurances that their services comply with child protection laws.
Many companies make it exceedingly difficult to opt out of data collection, burying permissions deep on their websites or frequently changing privacy policies that dictate how and how often personal information can be harvested. Once you start using some services it can also be hard to stop, particularly if your files or photos are stored there, a desirable feature among tech companies known as lock-in.
“They understand that we as consumers are lazy,” said Alastair Mactaggart, who leads the board of Californians for Consumer Privacy. “We don’t take the precautions we should, and these companies are able to capitalize on it. So this could be a boon for them.”
It may be tempting for corporations to view their ballooning user numbers during the pandemic as a harbinger of long-term prosperity. But consumers need the option to delete user profiles after the crisis has abated, particularly if they have stored sensitive information about their children, and they deserve easy access to what has been collected.
Americans have lost control over a lot as a result of the coronavirus. At least they should be able to control what happens to their personal data.