The High Price of Free
Steven McCown
Chief Architect, Applied Crypto R&D, CISM, CDPSE, Patented Inventor
Free has been a maxim of the web ever since the very first website was launched in 1991 “to give universal access to a large universe of documents”. The developers freely distributed their source code and web pages to avoid unilateral control and to encourage the adoption of the new World Wide Web. Eliminating the cost barrier was pivotal in encouraging others to build their own websites and share new information, which initiated the world’s largest network effect.
In 1993, the National Center for Supercomputing Applications released the free Mosaic web browser and made the web very user-friendly. Within 2 years, over 10,000 web servers and 10 million users were sharing and contributing free content online. Even commercial companies launched websites to promote their products.
Providing a product for free is a great way to entice interest in a new offering. Since the web was free – both in cost and in freedom of expression – price wasn’t a barrier for new users trying it out. This helped the web become a great equalizer that enabled anyone, anywhere to setup a webpage and reach a global audience simply by creating interesting content.
Monetization and advertising discover the web…
Inevitably, whether it’s sports or music or literature or gossip, when something attracts people, vendors come bringing innovations to monetize the experience. Very soon, commercial ventures started asking: What’s the web for? and How can we make money on the web?
In 1994, Joe McCambley created the first online banner ad. A far cry from today’s barrage of solicitations, this ad was helpful to users exploring the web for the first time. Visitors on hotwired.com saw an ad that helped them find new webpages for seven of the world’s most famous art museums. Sure, it was an ad, but it was a useful one.
Mind share: the ultimate goal…
Traditional broadcast media (e.g., TV and radio) can’t measure the consumption habits of everyone in their audience, so services like The Nielsen Company collect random audience samples, extrapolate trends, and produce generalized ratings that determine a show’s popularity as a representation of mind share.
To attract new customers and capture mind share, content providers gave away their creations as loss-leaders … and it worked. The web increased in size and complexity and more sophisticated interaction tools emerged to help users navigate the explosion of information. While many products were free, others were sold by commercial providers wanting to recoup development costs. During the 1990’s, various Browser Wars erupted as companies vied for user attention … and revenue. This continued until 2017 when former Mozilla CTO, Andreas Gal, announced that Google’s Chrome had won … at least for now. The ongoing race to capture mind share continues with an ever-expanding set of products and services.
Free made advertising King…
An expanding web incurred a similarly expanding costs and perpetual loss-leaders are unsustainable. People had grown accustomed to online content being free and this cultural expectation created a dilemma for commercial providers … How do you get people to start paying for a free service? The golden ticket came from advertising revenues – this let content providers make money while keeping the web free for users … all by making someone else pay.
(While any financial analyst can easily explain that nothing is free and that advertising costs get passed back to consumers by raising other costs, the average web user views this as an irrelevant detail, because the web itself is still free … to them.)
When capability meets opportunity…
Monetizing free products through advertising is improved by better knowing and identifying users, correlating online activities, extrapolating monetizable inferences, targeting friends and family, and performing enhanced analytic techniques that uncover undisclosed, private details about unsuspecting users. Many see this as ‘creepy’ but accept it … because free is attractive.
Evolving analytics supplanted early page visit counts (that can be manipulated) and introduced methods of uniquely identifying users by logging their IP address, analyzing browser fingerprints, or by monitoring tracking cookies. Interestingly, another easy method of user identification is simply to ask users for their personal data by offering freebies or discounts in exchange. Today’s users often freely divulge a myriad of personal details, such as: email address, phone number, contacts, favorite websites, and website login IDs.
Online vendors track individual user visits, record products they view, monitor shopping time, note what items users add to shopping carts, and whether they make a purchase. Information providers monitor the articles a user reads, likes, and shares. Analytics services correlate user data from numerous websites, look for patterns, and then sell the curated results. One of the biggest advancements in advertising-driven user monitoring came when search engine providers, already placing relevant ads in search results, began selling search histories to paid subscribers. User and government pushback led companies to anonymize the results, however, machine learning can often de-anonymize anonymized data, which re-introduces significant privacy risks.
When does user targeting become too invasive?
Websites that provide free content in exchange for user data often seek to maximize revenues using expansive data sets processed with sophisticated methods and tools. While responsible sites disclose this in their Terms of Service (TOS), those are usually full of confusing legal terminology and typical users unwittingly consent by clicking through. When does all the data collection, storage, analysis, and sharing pose a risk to consumers?
A 2018 study by MIT researchers found that “the growing practice of compiling massive, anonymized datasets about people’s movement patterns is a double-edged sword: While it can provide deep insights into human behavior for research, it could also put people’s private data at risk.” A key finding of this study is that combining multiple anonymized data sets can often uncover the actual identity and personal information of data subjects. One author addressed this by stating, “We need to keep thinking about the challenges in processing large-scale data, about individuals, and the right way to provide adequate guarantees to preserve privacy.”
Potential abuses of data collection and correlation include identity theft, which can happen when hackers compromise databases of collected personal data. Other abuses are more subtle, such as setting user-specific prices for products or services based on an individual’s personal attributes, location, associations, predicted analytics, or even by the tools they use.
One of the biggest dealers in personal data monetization activities is Facebook whose entire business model is based on analyzing users and their activities in order to sell access to customer intelligence. In his 2018 testimony before the U.S. Senate Judiciary Committee, Facebook’s CEO, Mark Zuckerberg, stated Facebook’s business model very simply, “Senator, we run ads”. On the surface, Zuckerberg’s response seems simple. After all, “Advertising is a marketing communication that employs an openly sponsored, non-personal message to promote or sell a product, service or idea.” (Source)
And then, governments get involved…
Despite traditional advertising’s well-established utility, online tools and scenarios have evolved it into what is sometimes referred to as surveillance capitalism, in which vast quantities of personal information are collected and sold. This is new territory for consumers, business, and governments and time will tell how far governments and societies will go in allowing or regulating the collection, analysis, and paid access of personal information.
In the U.S., a criminal investigation was recently launched by a New York grand jury, which has been tasked with scrutinizing deals that Facebook has made with over 150 companies to provide broad access to the personal information of Facebook users. While it may be the largest personal information processor, Facebook is not unique. Recently, Google was fined nearly $1.7B for ad practices that the E.U. said violated antitrust laws.
Human intelligence gathering, in the form of web user tracking and manipulation has expanded to an unprecedented scale – even to the point where foreign interests may have interfered in national democratic elections by manipulating web user perceptions. The scope and financial magnitude of user monitoring has resulted in new data privacy laws to protect users that don’t always understand the potential risks of personal data collection.
Europe’s General Data Protection Regulation (GDPR) is a sweeping legislative action meant to protect users and the data that they, knowingly or unknowingly, provide. Since Europe is a large jurisdiction with international treaties that facilitate reciprocal cross-border controls, GDPR’s scope has reaching impact far beyond Europe and has, therefore, been facetiously called the Global Data Protection Regulation. In 2018, California passed the California Consumer Privacy Act (A.B. 375), which similarly provides California residents with new legal rights regarding the control of their personal information. National and international legislation is emerging to protect user privacy, which is at risk due to some of the methods of monetizing the web, and these legislations seem to be creating de facto global standards for how personal information can be used.
So, what can the average user do?
For better or worse, data collection and monetization activities have dominated online offerings in order to capture mind share, monetize attention, and keep web offerings (mostly) free. This has resulted in very extensive advertising networks that sometimes have unknown personal privacy risks and leave many users looking for protective options.
Technical web users often use cutting-edge privacy tools, such as the Tor network or Signal Messenger in order to maintain personal privacy and protect their personal information. These tools are excellent building blocks for a strong security solution. For the average not-so-technical user, understanding and using new technical tools is often beyond their expertise or patience. For these users, below are some simple steps that can help maintain privacy:
1) Clear Browser Cache: tracking objects (e.g., cookies) are stored by web browsers and enable websites to share and correlate data with other websites. Regularly clearing cookies helps breakup this process. Firefox has some good instructions.
2) Delete Location History: map navigation apps are a tremendous resource, but they can also correlate a user’s online and offline activities. Regularly deleting the navigation history helps protect users from online-offline tracking. Here are steps for Android.
3) Limit Search Provider Access: search engines often provide other services, such as email. When browsers are signed-in to these extra services, providers are better able track user activities. Logging out of email (and clearing the cache) helps limit tracking.
4) Ad Blockers: browser plugins that block tracking ads help protect against privacy risks. Some good plugins, include: Ublock Origin, Ghostery, and Adblock Plus.
5) Anonymous Search: DuckDuckGo helps users search the web without tracking their searches. It delivers ads related to search terms without correlating them to users.
6) Virtual Private Network (VPN): connecting to free public wifi can put users in a very risky environment. Using a VPN connects users from a potentially unsafe network to a safer network, such as their work or home. PC Magazine reviews several good VPN options.
7) Limit Ad Tracking: most browser and operating systems contain an ‘advertising identifier’ that helps advertisers provide a consistent advertising experience to web users. It’s a good idea to disable or change this. Apple provides instructions for iPhone.
8) Privacy Browser: the default web browser is very familiar to users. However, sometimes using a browser specifically made for privacy (e.g., Firefox Focus or the Tor Browser) is a simpler option for enhancing a wide range of privacy settings.
9) Panopticlick: the Electronic Frontier Foundation provides a handy (albeit a bit technical) tool to help users see how vulnerable their browser is and provides some tips on fixing any discovered problems.
Going Forward
The web was built on the principles of free and freedom… and we need to preserve them. Freedom of expression lets new ideas come to market and be evaluated, enables those without a voice to be heard, and protects discussion. Free (cost) is valuable, because it helps new products compete before they can charge for their works. Traditional advertising has been very helpful for delivering free content based on a deferred monetization model.
The nature of digital technologies and online environments lends them to personalized experiences, which can be very welcome, but is also prone to abuse. Either way, online ads have evolved from “… an openly sponsored, non-personal message to promote or sell a product, service or idea” into a dual-use technology. Personalized experiences help users learn and enjoy new product offerings, but may also subject users to personally-tailored fake news that is intended to manipulate them into outrage, sympathy, or purchases. When money, influence, or power can be attained, there will be some who co-opt technology for a little extra personal gain.
Personal data and individual identity have become currencies in the evolving personal data-driven economy. Whether for personalized experiences or protecting against abuse, the key factor is to enable online users to maintain control over their personal information, which should only be available on a permissioned basis. One way to encourage responsible vendor behavior is by paying for useful apps or subscribing to insightful news services. Reverting ads to back to advertising methods for useful services will help reduce the need for ads to act as the main revenue-generating vehicle that collects personal data and puts personal privacy at risk.
Free and freedom (cost and expression) are the initial key maxims of the web, which allowed it to grow. While free is valuable, it has inadvertently led to another equally important maxim:
If you’re not paying for the product … you are the product.
Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Data Privacy, Blockchains, Digital Identity, Biometrics Limit | 3D Education | Writer | Linux Trainer | Podcast Host
5 年Steven McCown Valuable thoughts on freedom and price. The concluding sentence is the cream "If you’re not paying for the product … you are the product." … I would also say "Even you are paying for a product, you may still be a product yourself" unless you adopt proper precautionary privacy and security measures.