Privacy Is Not Dead, It Is Terminally Ill

This article was first published in Deccan Chronicle.

Earlier last week, The Verge ran a story about how health apps had permissions to change their terms of service without the user’s knowledge. If you are a former alcoholic who tracks how many days it has been since your last cigarette or a depressed professional who is keeping a record of how your days are progressing, that is horrible news. It sets the precedent that it does not matter what conditions you agreed to once you signed up to the app. Thus, your information can and likely will be sold to companies that may want to sell you alcohol or medication. The news comes as a shock to most people who read it, especially considering the personal and sensitive nature of health data.

But that is the nature of terms and conditions that technology companies set out in their agreements today. A significant source of revenue for tech products and applications is the data they sell to their clients based on your usage. And it does not make sense to keep asking you for new kinds of permissions every time they want to track or access something. Instead, it works better to have a long-form document that is widely encompassing and grants them all the permissions they might ever need, including the permission to change the terms of the agreement after you signed. After all, no one reads the privacy policies before clicking, ‘I Agree’.

This was on display earlier last year when Chaayos started facial recognition, and Nikhil Pahwa went through their privacy policy to unearth this line, “Customer should not expect, that customer’s personal information should always remain private”. The rest of the privacy policy essentially conveyed that Chaayos collects customer data but does not guarantee privacy.

And Chaayos is not the cause of an extremely exploitative attitude towards data; it is a symptom. The history of the internet, and the revenue model it gave birth to, has led to this point where access to information is a paramount need. If you want a better understanding of it, the New York Times did an excellent job tracing the history of Google’s privacy policy, which does serve as a history of the internet. Because of how little regulation existed in the internet space when it was a sunrise industry, the frontrunners today ran with our data on their terms.

During all of this, consent has been virtually non-existent. I use the word virtually consciously. Consent has largely been a placeholder during the internet’s rich history. There are two reasons why. Firstly, terms and conditions lead to consent fatigue. Even the best of lawyers do not go through the conditions for every app before they click accept. Secondly, let’s say you press the decline button when asked for additional permissions. Apps are then known to bypass the OS’s permission system without consent to gather that data.

But let’s say that we live in an ideal world and apps don’t do that. You manage to read a few agreements and make a conscious decision to accept. You are happy to give your consent for access to the microphone but not the location and thus, deny permission. There is a chance that it still doesn’t matter. Consents tend to be interlinked because of the nature of the internet and smartphone apps. For instance, consider the automation app, ‘If This Then That (IFTTT)’. It serves as a platform to automate functions across multiple services. For instance, it can log every trip you take on Uber to a Google Sheet. Sounds like a helpful tip to keep track of and claim work reimbursements, doesn’t it? But if you do use that service, you are subject to three interlinked policies: Uber’s, GSuite’s and IFTTT’s. At this point, any data you generate from that automation will likely be sold for profit.

How do we tackle something like this? How do we make sure that privacy is respected more and companies cannot change their agreements once you click accept?

Google took a small step towards it by introducing in-context permissions in Android 10. The idea was that if an app wanted additional permissions, say access to your microphone, or your location, it would ask you when it needed it, and not front-load all requests. We are yet to see how effective it is going to be over time. At their best, in-context permissions will tell you why PayTM needs access to your location (because they likely need that information in case there is a fraud), or that your SMS app has been recording your location in the background for no apparent reason. At their worst, they make consent fatigue worse.

In-context permissions are likely not the only answer, but they are a start. Google implementing them is a definite sign that privacy is not dead, just terminally ill. Given time, and combined with measures such as simplified permissions, our generation might see a day when we completely control our data.

Views are personal.