Turns out tech companies would rather not help you maintain your privacy! A report compiled during the shift to GDPR compliance this past spring outlines how Google and Facebook give the “illusion of control” while designing software interfaces that benefit their bottom line. The report, “Deceived by Design,” was published by the Norwegian Consumer Council.
“Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to go through a significantly longer process,” the report states in its introductory summary. “They even obscure some of these settings so that the user cannot know that the more privacy intrusive option was preselected.”
Researchers found that Facebook and Google’s default settings were intrusive, that changing those settings for greater privacy was significantly more difficult than vice versa, and that the more intrusive options were designed to pull focus from alternatives.
For example, here’s the report’s assessment of Facebook’s facial-recognition settings.
Face recognition entails processing biometric data, which is considered a special category of personal data under the GDPR, and requires a separate and explicit consent in order to be processed. Upon clicking through the Facebook GDPR popup, users were asked whether they consent to the use of facial recognition technologies. The technology is, according to the popup, used for purposes “such as help protect you from strangers using your photo” and “tell people with visual impairments who’s in a photo or video”.
The next screen informed the user “if you keep face recognition turned off, we won’t be able to use this technology if a stranger uses your photo to impersonate you. If someone uses a screen reader, they won’t be told when you’re in a photo unless you’re tagged”. This framing and wording nudged users towards a choice by presenting the alternative as ethically questionable or risky.
This is just one example of the standard practices for tech companies whose business model relies on monetizing user data. The software is designed to make protecting your own privacy seem like a risk, rather than the sensible option. Facebook was heavily criticized by journalists for its GDPR settings interface, and has since been sued for tricking users into blindly accepting certain settings. The lawsuit contends that Facebook showed fake red notification badges to users, requiring users to accept unfair terms in order to see what the notifications were. The icons would reportedly appear even if there was nothing waiting for the user.