Practical privacy and simple cybersecurity.
TheNewOil.org

The Sandbox is a Lie

Regardless of how you feel about capitalism, there is one aspect of it that – to some extent – I think we can all agree is nice: the free market. Exactly how “free” the market should be is up for debate, but I think it’s safe to assume that most of my readers are in favor of a world where someone can wake up one day and say “I hate my job, I’m gonna go find another one,” or “I don’t like that company (for whatever reason), I want to shop somewhere else,” or “I want to make a website teaching data privacy and cybersecurity to beginners. Oh look, I have a second job now.” I don’t believe it’s perfect by any stretch of the imagination, but I still choose to live my personal life largely by the free market hypothesis. I hate the way Walmart treats their employees, so I shop elsewhere. Earlier this year I left one job largely because I felt I was being underpaid (spoiler: I was). On the other hand, sometimes I choose to buy name brand because the better quality justifies the price increase. Free market in action: voting with your dollars.

This ties into privacy when it comes to the argument of “just don’t use X if you don’t like it.” I get that a lot. “Just don’t use Facebook if you don’t like it.” “I don’t see the problem, just don’t use Amazon if you hate them so much.” “I like Google, but you’re free to use something else.” In the free market, there’s the idea that every company is free to institute whatever rules, policies, and business strategies they feel are best. At The New Oil, for example, I have every right to list whatever tools I want for any reason I want. In theory, the market responds accordingly: if people agree with my reasoning – or the tools I list – then they reward me by visiting, recommending the site, maybe even buying merch, donating money, or using an affiliate link to help support the project. On the other hand, if people disagree with my reasoning or tools, they can choose to go support another project such as Privacy Guides or Privacy International the same way. But what if – hypothetically – all three of those organizations were under the same umbrella company?

The Illusion of Choice is nothing new, but it has become especially problematic in recent years. Consider the infographic below. Do you prefer Dove or Axe? Doesn’t matter. Both are owned by Unilever. How about Tide vs Gain? Both owned by P&G. Oreos or Chips Ahoy? Both Kraft. Now, to be honest, I haven’t fact checked this infographic, but it’s not hard to believe. And we are facing a similar crisis with the internet, especially with Big Tech. The sandbox is a lie. “The Sandbox” in this case refers to the free market idea I mentioned a moment ago where if I don’t like the way you run your company, I can go take my business elsewhere. “Go play in another sandbox,” I’ve heard some people say. The problem is that I’m not actually in another sandbox. Just a further corner of the same sandbox.

Image
Credit: https://www.jamesgood.co.uk/blog/illusion-choice

Let’s start by talking about subsidiaries. I hate the way Amazon treats their employees (among other things). So I try my best to cut Amazon out of my life. Believe it or not, this is actually pretty easy. Most retailers offer online purchases these days, and the price difference between Amazon and other retailers is often minimal. But wait, a successful company isn’t standalone. They buy out other companies and then take a cut of the subsidiary’s profits. It’s smart to diversify. Okay, well then let me cut out all the other companies that make Amazon money. Goodbye Goodreads, IMDb, Twitch, Whole Foods, Audible, Ring, Wickr, and Roomba! Chances are some of you have some opinions on these services, and they vary. Personally I never shop at Whole Foods anyways, I don’t have that kind of money. I also get my audiobooks from the public library. But I was pretty sad to see Wickr get sold to Amazon. I actually liked Wickr. And my wife loves to watch friends stream on Twitch. She even tried to be a streamer for a while. Some people really get value out of video doorbells, so Ring is also a sad acquisition. And some people really rely on Goodreads to discover new books while cinephiles probably get tons of value out of IMDb. And honestly, this is just the start. Check out the full list of Amazon mergers and acquisitions. While you’re at it, do the same for Meta and Google (formerly known as Google).

So already we can see that this idea of “just go somewhere else” is a challenge at best. If I want to really cut Big Tech out of my life, I have to give up A LOT of things. But this is just surface level. Now we come to the really problematic part of surveillance capitalism. In the past, I wrote a blog post about how I accept that I have no expectation of privacy in public, but I do expect not to be followed around and stalked. But this is precisely what Big Tech is doing. Take for example, Google Analytics, which is used on an estimated 85% of the internet. The problem is that Google Analytics isn’t only used to tell website owners about the people who visit their site, Google collects a copy of that same data for themselves to stalk people across the web. That’s not a conspiracy theory, either. Their privacy policy straight up says so. (Note: the article I linked is from Matomo, who is a Google Analytics competitor, but they cite their sources and none of these claims are disputed or controversial.)

This is hardly a unique situation, either. The Markup found that over 30% of the top 100,000 most popular websites use the Meta Pixel, which is Meta’s (Facebook’s parent company) analytics offering. Just like Google Analytics, the Meta Pixel has been found to be sending data back to Meta, but from what we know it seems to be even more invasive than Google. The Meta Pixel has been shown to be sending back sensitive content – including stuff that should be hidden behind a login portal, like your doctor’s name and why you’re being treated (source), and your income, tax filing status, and college scholarship amounts (source).

The problem goes beyond analytics. The internet has a huge centralization and dependency issue. Consider, for example, Amazon Web Services (aka AWS), Amazon’s hosting service. With a mere 5.8% market share, AWS may not seem like a big player. But that 5.8% translates to over 9 million websites, 34% of them being in the top 100,000 most popular websites. Things get even worse when we look at Cloudlfare, a notoriously controversial company in the privacy community who offers services like reverse proxies (to defend against DDoS attacks or hide your home IP address if you’re self-hosting), which critics argue basically makes them a man-in-the-middle who can view all your traffic. Cloudlflare’s reverse proxy service alone is used on nearly 80% of the internet, and we saw how bad this centralization could get when they suffered an outage in mid-2022. While I was unable to find an exact number of how many sites were affected, various outlets confirmed that it was “large swathes” including “popular” services like Discord, DoorDash, NordVPN, Shopify, FitBit, and much more. Cloudflare suffered another, smaller outage just a few short months later in October. As noted though, this risk is two-fold: risk of outages, and privacy concerns about “what exactly can my providers see?” The answer is almost always “everything.” And in a world where surveillance capitalism rewards this collection and sale of data, there’s absolutely no reason to suspect that this isn’t happening with your provider. Google Drive – as a smaller scale example – is proven to scan your content, sometimes to flag and remove harmful content, possibly to advertise to you more effectively.

Image
Photo by Kaboompics from Pexels.com

So on any given “popular” website (defined as the top 100,000 websites out there), I have at least an 85% chance of my data ending up in the hands of Google, Meta, Amazon, or Cloudflare. And that’s just four companies, that doesn’t include the other companies who make all or most of their money from data collection and use, and it doesn’t account for the fact that each of these is a separate offering, so it’s almost a given that every single one of these top 100,000 sites is using at least one of these services, if not multiple (such as hosting on AWS while using Google Analytics).

This doesn’t even touch on the fact that “everyone” is doing this. The moral of this blog post is that you can’t escape Big Tech, but that’s not entirely true. There are services that are free of Big Tech, but to varying degrees and with varying results. Signal uses Google and AWS servers to help scale and support their massive userbase. The Mastodon instance I use was using AWS for external image storage until recently. In some cases being completely-free of Big Tech comes with usability trade-offs. Let’s take Google Drive for example and look at some of the zero-knowledge alternatives: Proton Drive – at the time of this writing – has no apps of any kind and has questionable usability for large files that likely cannot be solved until the company begins to roll out apps. Other encrypted cloud providers – like Filen and Mega – come with security questions (and to be honest I’m not even sure how many of those services – if any – are truly “Big Tech free”). In some cases you have to settle for a “less evil” alternative, but even those still frequently play the surveillance capitalism game where the service is rewarded financially for being more invasive than necessary. Twitter – out of all the large social media platforms – is regarded as the least privacy invasive, but they’re still pretty bad. I’m pretty sure I’ve mentioned my personal favorite bad example, Bookshop.org, who collects data like “device keyboard settings” (they already said they collect language settings elsewhere, so why this?), internet service provider, screen resolution, time zone, and other data. They really don’t need any of that information to sell you a book or improve the site. It’s just unnecessary. Even the smaller services out there still collect far more data than necessary because that’s what everyone’s doing. If they don’t do it, they lose a competitive edge. Maybe they store the data and figure out how to use it later. Maybe they sell it for ad space or income. Either way they have nothing to lose and everything to gain by collecting it.

This is one of those blogs posts where I have no solutions to offer you. On my site, I offer a lot of suggestions about ways to protect your privacy, like switching browsers, using VPNs, using uBlock Origin, and more. This will protect you against things like Google Analytics and certain functionalities of the Meta Pixel (and other similar tools). But these don’t change the fact that the sites you use are heavily centralized with things like AWS and Cloudflare. The fact is that there is only so much we can do ourselves as individuals, the rest must be done by the services we use, and we need to demand better of them. Unfortunately, the sandbox is large, and often misleading. We frequently think that we have left the sandbox to go play somewhere else when in reality we haven’t. Again, I don’t have solutions to offer. Just awareness. Do I think this means it doesn’t matter? Of course not! If I thought things were hopeless, I wouldn’t have started The New Oil and I wouldn’t continue to maintain it. But the first step to changing anything is knowing that there’s a problem and that change must occur. Hopefully this has helped, and next time someone tells you “just don’t use the service,” maybe this knowledge will help you explain to them why that’s much harder than it seems. Maybe someday we truly can just go somewhere else on the internet if we don’t like a service. But for now, there’s still more work to do collectively, together. Because as long as we can’t leave the sandbox, we don’t truly have freedom.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...