A report in The Guardian in August that lawyers who had had business before the Supreme Court gave money to an aide to Justice Clarence Thomas for a Christmas party was surprising. Just as surprising was the way the publication learned about it: from the aide’s public Venmo records. Brian X. Chen, the consumer technology writer for The Times, wrote that even he was surprised that such records of money transfers could be public.
A few years ago it became known that Alexa, Amazon’s voice device, recorded and sent private conversations to third parties, that Amazon staff members listened to recordings and kept an extensive archive of recordings by default.
Both companies responded to these startling violations of privacy by suggesting that the burden to keep this information from going public was on users, who could, they said, opt out of devices’ default settings to ensure privacy. This is often the standard industry response.
Even if you’re aware of these problems, how easy is it to protect your privacy? Chen helpfully shared instructions for opting out of Venmo’s public disclosures.
“Inside the app, click on the Me tab, tap the settings icon and select Privacy. Under default privacy settings, select Private,” he explained. “Then, under the ‘More’ section in Privacy, click ‘Past Transactions’ and make sure to set that to ‘Change All to Private.’”
Got all that? I did, and changed my settings, too, as I had also been in the dark.
The bigger problem is not the sometimes ridiculous difficulty of opting out, it’s that consumers often aren’t even aware of what their settings allow, or what it all means. If they were truly informed and actively choosing among the available options, the default setting would matter little, and be of little to no value.
But companies expect users to accept what they’re given, not know their options or not have the constant vigilance required to keep track of the available options, however limited they may be. Since the power in the industry is concentrated among few gatekeepers, and the technology is opaque and its consequences hard to foresee, default settings are some of the most important ways for companies to keep collecting and using data as they want.
So, how much are default settings worth?
In April 2021, Apple changed the default settings on iPhones and other devices so that users could not be tracked automatically via a unique identifier assigned to their Apple device. For many companies, and even for entire industries whose business models are based on tracking people online, it was a cataclysmic event. No longer would people have to opt out of such tracking by going into their settings and changing the permissions. Now the apps had to ask for and receive explicit permission before they could have access to that identifier.
In 2021, Snap, Facebook, Twitter and YouTube were estimated to have lost about $10 billion in total because of the change. In early 2022, Meta, Facebook’s parent company, said it alone stood to lose $10 billion. Industries like mobile gaming, in which revenue largely depends on tracking users, also suffered.
Another valuation of default settings became clear in the current Google antitrust trial. During the trial, Google revealed that it paid $26.3 billion in 2021 to be the default search engine on various platforms, with a substantial portion of the money going to Apple. That $26.3 billion was more than a third of the entire 2021 profit of Google’s parent company, Alphabet. That was more than the 2021 revenue of United Airlines and even of many tech companies, including Uber. An expert witness for Google testified that as part of that deal, the company was paying Apple 36 percent of its search advertising revenue to be its products’ default search engine.
Even when you might think you know what your default settings are, you can be surprised. On more than one occasion I discovered that my privacy settings had changed from what I thought they were. Help forums are full of similarly befuddled users. Sometimes it’s a bug. Other times, when I dug into it, I realized that another change I had made had surreptitiously switched me back into tracking. Sometimes I learned that there was yet another setting somewhere else that also needed to be changed.
I’m not a tech novice: I started programming in middle school, worked as a developer and study these systems academically. If professionals can be tripped up, I’d argue that an industry rife with information asymmetries and powerful, complicated technologies needs to be reined in.
Regulators can require companies to have defaults that favor privacy and autonomy, and make it easy to remain in control of them. There are already good efforts underway. California allows people to make a single opt-out or delete request to get all data brokers to delete all their information, rather than having to appeal to them one by one. Colorado also recently passed similar universal one-stop opt-out mechanisms. Other states have made similar privacy protection moves.
I would go further: Data brokers should not be allowed to amass information about people unless they first get explicit permission. But that’s not sufficient, since it is difficult for individuals to evaluate all the implications of their data — professionals, experts and the companies themselves keep getting surprised.
A few years ago, aggregate maps generated by the running app Strava, which showed where users were running, seemingly revealed the location of what could have been a secret Central Intelligence Agency annex in Mogadishu, Somalia. It appears that even the C.I.A. hadn’t anticipated this, and instructed its personnel to change the setting. If that’s the case, what chance do ordinary people have to evaluate all future implications of their data?
There need to be stronger guardrails, including for data that is legitimately collected. The default should be the most restrictive setting, with additional protections. For example, companies should have expiration dates for how long they can hold data needed for a particular service, limiting the data use to that service alone, with explicit consent required for different uses.
The process by which companies get such permissions also needs strong oversight to ensure accountability and transparency. After all, this is the industry that invented “dark patterns”: user interfaces designed to deceive customers into “opting in” to choices without fully realizing what was happening. Many apps have already been trying to get around Apple’s privacy restrictions, by carefully engineering how to get people to opt in or by figuring out other ways to fingerprint devices.
What about all the benefits we derive from services based on personalized data, including even location tracking? I use such tools all the time, but there are certainly ways to provide services and value without this level of unchecked surveillance. But it’s wishful thinking to expect companies to provide those services in a more privacy-preserving manner without regulation that forces them to do so.
I was happy to see Apple switch the defaults for tracking in 2021, but I’m not happy that it was because of a decision by one powerful company — what oligopoly giveth, oligopoly can taketh away. We didn’t elect Apple’s chief executive, Tim Cook, to be the sovereign of our digital world. He could change his mind.
Notably, Apple’s change followed years of intense public criticism of Facebook, after privacy scandals, the election of Donald Trump, Brexit and so on. None of that seemed to have made a substantial dent in Facebook’s business. A single decision by Tim Cook did, clearly demonstrating where real power over this industry lies.
It’s time that our own elected officials got smarter — and prioritized the public interest rather than cozy arrangements with the tech industry — to exercise that power. If the federal government can’t or won’t, states can follow California and Colorado’s lead. In 1966, California forged ahead alone to set high emission standards for cars, which then pulled along the rest of the nation and the industry.
If it were all as simple as people changing their settings, Google wouldn’t be forking over a sum larger than the G.D.P. of entire countries to have Apple users start with one setting rather than another. The default way the technology industry does business needs to change now.