The Unlikely Activists Who Took On Silicon Valley — and Won - The New York Times

Nytimes

-

14 серпня 2018 00:00

Image
CreditPhoto illustration by Delcan & Co.

CreditPhoto illustration by Delcan & Co.

The way Alastair Mactaggart usually tells the story of his awakening — the way he told it even before he became the most improbable, and perhaps the most important, privacy activist in America — begins with wine and pizza in the hills above Oakland, Calif. It was a few years ago, on a night Mactaggart and his wife had invited some friends over for dinner. One was a software engineer at Google, whose search and video sites are visited by over a billion people a month. As evening settled in, Mactaggart asked his friend, half-seriously, if he should be worried about everything Google knew about him. “I expected one of those answers you get from airline pilots about plane crashes,” Mactaggart recalled recently. “You know — ‘Oh, there’s nothing to worry about.’ ” Instead, his friend told him there was plenty to worry about. If people really knew what we had on them, the Google engineer said, they would flip out.

Mactaggart had spent most of his adult life in the Bay Area, running a family real estate business with his uncle. The rise of the tech industry had filled his condo developments with ambitious engineers and entrepreneurs, making Mactaggart a wealthy man. But he never really thought about how companies like Google or Facebook got so big so fast. The vast pools of data they collected and monetized were abstractions, something he knew existed but, as with plane crashes, rarely dwelt on.

Now he began to think about tech companies a lot. He started reading about online tracking and data mining. He discovered that the United States, unlike some countries, has no single, comprehensive law regulating the collection and use of personal data. The rules that did exist were largely established by the very companies that most relied on your data, in privacy policies and end-user agreements most people never actually read. Mactaggart began to scrutinize these policies closely, the way he read loan contracts and pored over offering plans. He learned that there was no real limit on the information companies could collect or buy about him — and that just about everything they could collect or buy, they did. They knew things like his shoe size, of course, and where he lived, but also roughly how much money he made, and whether he was in the market for a new car. With the spread of smartphones and health apps, they could also track his movements or whether he had gotten a good night’s sleep. Once facial-recognition technology was widely adopted, they would be able to track him even if he never turned on a smartphone.

Image
CreditPhoto illustration by Delcan & Co. Capitol Building: Travelpix Ltd/Getty

All of this, he learned, was designed to help the real customers — advertisers — sell him things. Advertisers and their partners in Silicon Valley were collecting, selling or trading every quantum of Mactaggart’s self that could be conveyed through the click of a mouse or the contents of his online shopping carts. They knew if he had driven past that Nike billboard before finally buying those Air Force 1s. A website might quote him a higher price for a hair dryer if he lived in a particular neighborhood, or less if he lived near a competitor’s store. Advertisers could buy thousands of data points on virtually every adult in America. With Silicon Valley’s help, they could make increasingly precise guesses about what you wanted, what you feared and what you might do next: Quit your job, for example, or have an affair, or get a divorce.

And no one knew more about what people did or were going to do than Facebook and Google, whose free social and search products provided each company with enormous repositories of intimate personal data. They knew what you “liked” and who your friends were. They knew not just what you typed into the search bar late on a Friday night but also what you started to type and then thought better of. Facebook and Google were following people around the rest of the internet too, using an elaborate and invisible network of browsing bugs — they had, within little more than a decade, created a private surveillance apparatus of extraordinary reach and sophistication. Mactaggart thought that something ought to be done. He began to wonder whether he should be the one to do it.

Mactaggart, who is 52 but boyish, did not think of himself as a radical. He often describes himself as a capitalist. He is the kind of man who wears chinos with a braided belt; it is easy to picture him on a sailboat. But his research on privacy had stirred something in him. “It’s like that Buddhist thing, where you walk past a mess and a mop and say, ‘Someone ought to clean up that mess,’ ” he says. “And eventually you realize you have to pick up the mop.”

Over evening walks around his neighborhood, Mactaggart batted around ideas for a new state law with his friend Rick Arney, a finance executive. But Arney, who worked in the California Legislature after business school, suggested a different approach. Instead of going through Sacramento, Arney suggested, they could put the question directly to the people of California, gathering signatures for a statewide ballot initiative. Mactaggart liked the idea. He also had the money to do something with it. Early last year, he hired a small staff, set them up in a two-room office in Oakland and began cold-calling privacy experts to figure out just what his initiative should say.

“I thought it was a joke at first, to be contacted by someone named ‘Alastair Mactaggart,’ ” says Chris Jay Hoofnagle, who teaches law at the University of California, Berkeley. Mactaggart was wary of proposing a sweeping law like the European Union’s General Data Protection Regulation, or G.D.P.R., fearing that Californians would find it mystifying and reject it. He wanted a solution that consumers would embrace and Silicon Valley could live with. “I don’t want to kill businesses — I’m a businessman,” Hoofnagle recalls Mactaggart’s telling him. “I just think the data use by these companies is out of control.”

Almost by accident, though, Mactaggart had thrust himself into the greatest resource grab of the 21st century. To Silicon Valley, personal information had become a kind of limitless natural deposit, formed in the digital ether by ordinary people as they browsed, used apps and messaged their friends. Like the oil barons before them, they had collected and refined that resource to build some of the most valuable companies in the world, including Facebook and Google, an emerging duopoly that today controls more than half of the worldwide market in online advertising. But the entire business model — what the philosopher and business theorist Shoshana Zuboff calls “surveillance capitalism” — rests on untrammeled access to your personal data. The tech industry didn’t want to give up its powers of surveillance. It wanted to entrench them. And as Mactaggart would soon learn, Silicon Valley almost always got what it wanted.

For most of its relatively brief existence, Silicon Valley has been more lightly regulated than almost any other major industry. The technology that drove the business was complex, and few lawmakers wanted to be seen as standing in the way of a new kind of wealth creation, one that seemed to carry no messy downsides like pollution or global economic collapse. Most of the biggest tech companies could simply ignore Washington — until they grew too big for Washington to ignore. When regulators finally threatened to intervene, the companies did what they were best at: They scaled up, this time not with software and servers but with phalanxes of lobbyists and lawyers.

Microsoft had virtually no Washington presence before the Justice Department filed an antitrust lawsuit against the company in the 1990s. As recently as 2003, Google retained just two outside lobbyists in Washington; over the next decade or so, as it became the world’s dominant search engine, the company became a Beltway heavyweight, hiring lobbyists, wooing regulators and funding the research behind hundreds of Google-friendly studies on competition, copyright law and other topics. By last year, Google’s parent, Alphabet, was spending more money on lobbyists than any other corporation in America.

Facebook, a decade younger than Google, built its political apparatus twice as fast, as if observing a kind of Moore’s Law of influence-peddling. When it went public in 2012, the company had 900 million users — less than half its current size — and earned a relatively modest profit of $53 million. Over the next several years, Facebook simultaneously became one of the world’s biggest collectors of personal data and a powerful presence in Washington and beyond. It acquired Instagram, a rival social media platform, and the messaging service WhatsApp, bringing Facebook access to billions of photos and other user data, much of it from smartphones; formed partnerships with country’s leading third-party data brokers, such as Acxiom, to ingest huge quantities of commercial data; and began tracking what its users did on other websites. Smart exploitation of all that data allowed Facebook to target advertising better than almost anyone, and by 2015, the company was earning $4 billion a year from mobile advertising. Starting in 2011, Facebook doubled the amount of money it spent on lobbying in Washington, then doubled it again. The company employed just 10 lobbyists in state capitals around the country in 2012, according to my analysis of data collected by the National Institute on Money in Politics. By the time Mactaggart and Arney began work on their privacy initiative, it had 67. The tech industry was particularly powerful in California, its home base, where it doled out millions in campaign contributions to state candidates and parties.

But until recently, companies like Facebook and Google also had something that Wall Street and Big Oil and the cable companies didn’t. To many people in Washington, they were the good guys. Through the Obama years, the tech industry enjoyed extraordinary cachet in Washington, not only among Republicans but also among Democrats. Partnering with Silicon Valley allowed Democrats to position themselves as pro-business and forward-thinking. The tech industry was both an American economic success story and a political ally to Democrats on issues like immigration. Google enjoyed particularly close ties to the Obama administration: Dozens of Google alumni would serve in the White House or elsewhere in the administration, and by one estimate Google representatives visited the White House an average of about once a week. But the Obama world had relationships with other firms too. Facebook’s chief operating officer, Sheryl Sandberg, served on a high-level Obama advisory council on jobs and held a fund-raiser for Obama’s re-election campaign at her home in Atherton, Calif. The founders of Twitter, LinkedIn and the app developer Zynga together contributed more than $2 million to a pro-Obama super PAC.

And increasingly, Silicon Valley had come to transform politics itself. As Mactaggart considered how to take on the data industry, he faced an American political establishment that saw the key to its future in companies like Google and Facebook — not because of whom they supported but because of what they did. The surveillance capitalists didn’t just sell more deodorant; they had built one of the most powerful tools ever invented for winning elections. Roughly the same suite of technologies helped elect Obama, a pragmatic liberal who promised racial progress and a benevolent globalism, and Trump, a strident nationalist who adeptly employs social media to stoke racial panic and has set out to demolish the American-led world order.

In Washington and in state capitals, this combination of wealth, prestige and ignorance had made the tech industry virtually unbeatable. They doled out campaign money to Republicans and Democrats alike. They had allies across the major think tanks and universities. Facebook alone belonged to more than four dozen trade associations and industry coalitions, political shields that could advance Facebook’s interests in battles that were too toxic for direct engagement. It supported the Anti-Defamation League and the American Council of the Blind, the American Conservative Union and the N.A.A.C.P. It disbursed millions of dollars in grants to tech-advocacy groups — including those that sometimes criticized them. Like the web of personal data it mined for profit, Silicon Valley’s political network was simultaneously immense, powerful and inscrutable.

Image
Alastair MactaggartCreditJessica Chou for The New York Times
Image
Ashkan SoltaniCreditJessica Chou for The New York Times
Image
Rick ArneyCreditJessica Chou for The New York Times

Last fall, Hoofnagle introduced Mactaggart to a former graduate student of his named Ashkan Soltani, a highly regarded privacy researcher and consultant. The two men quickly struck up an intense email correspondence. Soltani had devoted most of his adult life to understanding digital surveillance and privacy, and he closely observed how the tech industry exerted its will in Washington. Soltani told Mactaggart that his privacy initiative would need a lot of work if he wanted it to survive. Mactaggart decided to hire him.

Soltani knew exactly how hard Facebook and Google would fight to protect their business model, because he had watched them do it before. In February 2012, senior officials from the Obama administration unveiled what some of them hoped would become a signature initiative of President Obama’s second term: a “consumer-privacy bill of rights.” The proposal called for limits on the data that companies were collecting and more control for consumers over how it was used, and the tech industry had at least some incentive to consider it: The previous year, Facebook and Google each entered into consent decrees with the Federal Trade Commission after regulators found that the companies had deceived users about their privacy policies. Soltani, then serving as an F.T.C. technologist, worked on both investigations, and his efforts helped highlight a more pervasive problem: Most consumers simply didn’t have the time or experience to navigate the personal-data economy on their own. “Silicon Valley’s model puts the onus on the user to decide if the bargain is fair,” Soltani told me recently. “It’s like selling you coffee and making it your job to decide if the coffee has lead in it.” When it comes to privacy, he said, “we have no baseline law that says you can’t put lead in coffee.”

White House officials believed at first that many tech companies were open to the administration’s ideas. But the following year, as a team of experts at Obama’s Commerce Department worked on drafting a detailed privacy bill, The Guardian and The Washington Post began publishing an explosive series of articles about United States government surveillance programs. Relying on thousands of documents provided by Edward Snowden, a former contractor for the National Security Agency, the articles revealed how the N.S.A. was collecting rivers of personal data — emails, photos, instant-message conversations — from nine leading internet companies, including Google, Facebook, Yahoo and Microsoft. Soltani by then had left the F.T.C. and joined The Post as a consultant on the series, working on articles that showed how the N.S.A. had collected hundreds of thousands of user address books from email providers and even hacked into the private networks that companies like Google and Yahoo use to transport their data.

The Snowden scandal robbed Obama’s consumer proposal of both momentum and moral authority. Stung by the perception that it had colluded with United States spy agencies, Silicon Valley demanded that the government regulate itself instead, allying with civil liberties groups to push for legislation reining in the N.S.A. Over the next several months, scores of tech executives flew to Washington for high-level meetings with Obama, including Sandberg, who also sat with Obama’s new commerce secretary, Penny Pritzker, the Chicago billionaire who was the co-chairwoman of his re-election campaign.

In early 2014, Pritzker traveled to Silicon Valley for a highly publicized listening tour. She hailed the tech industry as a model for government — a partner, not an antagonist. Data, she proclaimed, was “the fuel of the 21st century.” Pritzker’s tour included visits to eBay, Google and the Menlo Park campus of Facebook, where she met again with Sandberg. The women discussed an array of issues, including consumer privacy and how to ensure that American tech businesses remained competitive around the world. Two former Obama administration officials told me that those conversations appeared to have shaped Pritzker’s early views on privacy. “Our goal at the Department of Commerce as a service organization is to support you, whether you are a researcher, inventor, entrepreneur, mentor or investor,” Pritzker told her audience at a start-up accelerator in Sunnyvale.

When the Obama administration finally returned to its consumer-privacy bill the following fall, Pritzker and her team voiced concerns about its sweep and scope, according to former Obama officials I spoke with. Pritzker wanted to make sure the bill could win industry support, and with it, Republican support. In January 2015, her office persuaded the White House to delay public release of the draft, which had been planned to coincide with an Obama speech at the F.T.C. Instead, her aides began previewing the bill in dozens of meetings with different business executives and lobbyists. According to the former Obama officials, the industry raised a host of objections. Facebook and Google, in particular, objected to how many kinds of data the rules covered, which included not only conventional personal information like Social Security numbers but also data linked to particular devices, which was critical to compiling the digital dossiers relied on by the advertising industry. (Facebook disputed that account.) Jim Hock, Pritzker’s chief of staff at Commerce and now a spokesman for her private investment firm, PSP Partners, says Pritzker weighed all points of view. “No one meeting was more important than another,” he says.

But when consumer advocates were finally shown the new draft, they were furious. The bill now had a welter of exceptions and carve-outs. It drastically scaled back financial penalties and did not specifically protect location data. More broadly, it seemed to retreat from the idea of consumer privacy as an inherent right. Most of the bill’s protections applied only if collecting or using a given piece of information posed a serious risk of economic or emotional harm. That March, Washington’s leading consumer-privacy groups signed an open letter criticizing the Obama proposal, arguing that it did not do nearly enough. The Internet Association, a trade group representing Google, Facebook, Amazon and other companies, also weighed in, attacking the bill as overbroad and burdensome. “The feeling was that it didn’t do much, and no one really liked it,” Soltani told me.

The White House did little to advance the draft. Obama aides were focused on a different legislative battle: That June, with backing from tech companies, Congress passed the USA Freedom Act, a major reform of N.S.A. surveillance that also positioned Silicon Valley as a champion of civil liberties. Less attention was paid when, a few days later, a working group that the administration had convened to address concerns about facial recognition collapsed. Industry representatives had refused to endorse the principle that companies would need to secure people’s consent before scanning their faces on a public street. Any notion that Washington would produce wide-ranging privacy reform was dead. Silicon Valley had won.

Soltani and Mactaggart first met in person last fall, at the offices of Mactaggart’s lawyer in Oakland. Soltani had been on a kind of sabbatical, touring the country in a van and visiting national parks: A stint at the Obama White House was cut short when Soltani was denied his security clearance. (In privacy circles, the decision was widely viewed as retribution for his work on the Snowden series.) Soltani, who is 43, wondered whether Mactaggart would turn out to be a dilettante. Yet as the two men worked to revise the proposal, Soltani found himself increasingly impressed. “I’ve worked with people who have an ax to grind, who have an agenda,” he told me. “Alastair’s agenda was: First, just do some good. And then it was: Do something about privacy. And then it was: Do something about data privacy.”

The language of the resulting ballot initiative, which Mactaggart finalized last November, reflected lessons from the painful failure of Obama privacy’s initiative. It wasn’t called a “bill of rights.” And on its face, it was not a frontal attack on the giants of Silicon Valley. Mactaggart’s proposal instead took aim at the so-called third-party market for personal data, in which companies trade and sell your information to one another, mostly without your knowing about it.

Under the proposed law, every California consumer could demand, from most large businesses, an outline of his or her digital dossier, showing what categories of personal information the company had collected. Mactaggart and Soltani included nearly every category of personal information that they could think of: not only whether the companies had collected your name and address but also if they had collected your browsing history, your fingerprints, your face scans or your location data. They would also be required to inform consumers if they were drawing “inferences,” the sophisticated guesses companies make about, say, your dating habits or your taste in convertibles. And if consumers didn’t like the deal, they could “opt out,” demanding that companies no longer sell or share any data in a given category.

The ballot initiative had significant implications for the Silicon Valley giants, however. If adopted, Mactaggart and Arney hoped, it would cripple the tech industry’s “notice and choice” consent model, where companies dictated all the terms of service up front, forcing consumers to either agree or find a different app. As more people opted out of data sharing, they believed, the rules would slowly dry up the supply of personal information that companies could buy or trade on the open market. “Third-party tracking would essentially end,” Mactaggart says. “So when you log in to Spotify, you wouldn’t be logging into, like, 100 partners. You wouldn’t have 75 percent of the websites in the world looking over your shoulder.”

Still, Mactaggart and Soltani imagined their rules to be comparatively light-touch, a way to inhibit only the most invasive and creepy kinds of commercial surveillance while leaving Silicon Valley to thrive. Imposing them in California, the beating heart of the tech industry, offered another advantage. Through California’s referendum process, they could end-run the entire tangle of interests that had stymied the Obama bill in Washington. And if they succeeded, the effect would ripple far beyond the state’s borders: Any company in the world that wanted to do business with California’s 40 million residents would need to follow California’s rules. Mactaggart liked to compare it to California’s strict auto-emissions standards, which forced the world’s automakers to develop cars that guzzle less fossil fuel.

But Soltani also knew how aggressively the tech companies used their connections in state capitals. In 2015, a Facebook user named Carlo Licata filed suit in Illinois, arguing that the company’s photo “tagging” feature, which automatically identified Facebook users in photos uploaded to the site, violated his privacy rights. Illinois is among the few states in the country with a strict law governing biometric data, the 2008 Illinois Biometric Information Privacy Act, which requires companies to obtain explicit consent before collecting fingerprints, voiceprints or a “scan of hand or face geometry.” (“Illinois only has this law because it recognized the need to protect biometrics before Silicon Valley began trying to control state legislation,” says Jay Edelson, a plaintiff’s lawyer in Chicago who represents Licata.) Other Facebook users in Illinois filed similar suits, which were consolidated and transferred to a federal court in California. Facebook argued that the Illinois law did not specifically apply to its methods for identifying people in photographs. The judge disagreed, ruling in May 2016 that the lawsuit could proceed.

Just weeks later, the original sponsor of the Illinois privacy act, a genial Chicago-area lawmaker named Terry Link, abruptly proposed an amendment to his own law. The amendment clarified that digital photographs did not count as a source of biometric information and that the law only protected facial scans conducted “in person.” A Facebook official told me that the company had provided Link with suggestions for clarifying the law, not the language itself. But in a recent interview, Link recalled that the amendment language was given to him directly by a lawyer for Facebook. (Link did not specify who, and would not comment on why he had pursued the amendment in the first place.) Indeed, the amendment, introduced with only a few days left in the year’s legislative session, seemed tailored to buttress Facebook’s arguments in the California lawsuit, leaving Facebook and other companies free to create face scans from digital pictures without consent.

Link had attached his amendment to a bill that was already sailing through the Legislature, an otherwise bland measure dealing with state procedures for unclaimed property. After national privacy groups leapt into action, Link withdrew the amendment. This April, the judge certified Licata’s case as a class action, applying to as many as eight million Facebook users in Illinois. If Facebook loses, the company could face a judgment as high as $40 billion.

Elsewhere, the tech industry has had more success fending off efforts to regulate facial recognition. Last year, at least five other states considered passing legislation regulating the commercial use of biometrics. Only one, Washington, actually passed a law — and it includes precisely the loophole that tech interests sought to carve out in Illinois, excluding “a physical or digital photograph, video or audio recording or data generated therefrom.” The exception covers facial scans and even voiceprints — the kind of technology that Amazon, based in Washington, uses to power Alexa, the virtual assistant that has a microphone in millions of American homes.

Читайте також:

Deutsche Telekom to take on telecom ops from slimmed-down T-Systems
18 вересня 2019 12:02

Almost immediately after Mactaggart and his friend Rick Arney submitted their final ballot language to the state in November, officials at Facebook and Google sent identical requests: Could they meet in person to discuss the proposal? It was the first time Mactaggart and Arney had heard from either company, and the alacrity of the response was a little intimidating. They decided to talk.