select all

One Coffee? Your Total Is Some Personal Data.

Photo: Lane Turner/Boston Globe via Getty Images

At my college reunion this year, I found out that one of my favorite bars was replaced by Shiru Café, a coffee shop that provides free drinks to university students in exchange for personal data that they share with companies interested in hiring those students. Shiru has over 20 locations across Japan and India’s most prestigious universities, including Tokyo University and the Indian Institutes of Technology. Now, it’s come to the U.S. In addition to the Providence location, according to the café’s website, it will open locations near Amherst, Princeton, and Harvard.

The café is cashless. According to Keith Maher, the manager of Shiru’s Providence location, the only way to order anything at Shiru is by signing up with the café’s website. In order to create an account, a user needs a university ID from any school. Students get their drinks without charge, while faculty are able to sign up for $1 coffees and teas. (Maher told me that when people not affiliated with the university have come into the store, he’s had to explain that “we don’t accept cash payments or general clientele.”)

Along with name, university, ID number, and year, Shiru’s form asks for students’ “IT skills,” “previous internships,” and the size of “company the student is interested in” (categories that may not be relevant to all students).  Students are meant to drink their beverages in the café, which is outfitted with wooden tables, curved-back metal chairs, and free Wi-Fi, surrounded by screens that show ads from sponsor companies (or rather, that’s what they’ll show once Shiru recruits sponsor companies. For now, Maher says, they show ads for internship positions at Shiru itself). No company has bought into the Providence location, which has been open since February.

The student response has so far been mixed. Two Brown students lambasted the school’s reporting on the café as an uncritical promotion. They called for the university to boycott the café in opposition to the idea of recruiting students to corporations like JP Morgan. The original article notes, “Those who register using their smartphones will have access to free drinks, Wi-Fi, electrical outlets, and study spaces, along with the opportunity to connect with sponsor companies through meetups at the café.” Anecdotally, some students have told me that they find the idea of receiving free drinks that only they are eligible for distasteful, while others are concerned about the perceived privacy risk of signing up and ordering via smartphone. While the café asks that students consume their drinks in-store, several have told me that customers tend to just take their drinks — all of which are served in disposable cups — and leave. Other students are also uncomfortable with the idea of receiving ads via smartphone.

When it comes to the privacy trade-off, many presume — given how much information is already out there, and given events like Facebook’s Cambridge Analytica scandal — that they might as well go for it.

Writing on the “rise of unprofitable companies,” the New York Times’ Kevin Roose claims, “For consumers who are willing to do their research … this can be a golden age of deals … The current crop of money-losing companies may not survive forever, but as long as someone is willing to keep funding these types of gambles, there’s no reason to stop enjoying the fruits of their optimism.”

At first glance, Shiru looks pretty similar, with the patina of discomfort that comes from a business that picks its location to be close to prestigious universities and bars anyone outside of a university from even buying goods at full cost. To reject the service on symbolic or political grounds is one thing. But to reject it on the grounds of privacy may seem contradictory to a group of people who’ve grown up in an age when lack of control of one’s personal data is more and more (and depending on how you look at it, for decades) the norm.

Maher told me that Shiru collects only the data it asks for on its intake forms, and that it is shared in an anonymized form with sponsor companies. Real concerns would emerge were the store to require customers to connect to its Wi-Fi, according to Jacob Furst, a professor of computer security at DePaul University. This, he says, would give them access to a much wider range of information (as is the case with most public Wi-Fi networks). Without that, Furst points out what he calls a potential contradiction in the company’s privacy policy: “We may disclose aggregate information about our users and information that does not identify any individual without restriction.” “In practice, this is an empty assertion,” Furst told me, explaining that third-party companies can piece together seemingly anonymous data sets that have at least one thing in common. An exaggerated example: If your profile from your Netflix account includes your birthday and zip code, and so does an anonymized medical record, it wouldn’t be a stretch to match those two together.

Furst calls this more of a “possible” than “practical” concern. But as MoviePass’s attempts at dipping its toe into “email and app-based marketing” shows, the line between the two can blur. “Otherwise,” Furst says, “Shiru’s privacy policy is pretty comforting.”

Concerns about a café giving out free coffee at a university might seem uncalled for. Both because it’s apparently harmless, but also perhaps because events of the past year have highlighted how often, like it or not, the customer is the product. The Equifax security breach highlighted the lack of agency individual consumers often have over their own data and the lack of laws protecting it. Facebook’s stock, though it took a hit in the last week of July, continued to climb upward in the months after the Cambridge Analytica scandal. And, this August, the Associated Press reported that Google appears to be tracking users’ locations even when the “Location History” setting on an app is turned off. This loose constellation of data points might show what people are thinking: that, in this case, if the data’s already out there, they might as well get a free coffee out of it.

That at least seems to track with Signe Swanson, a comparative-literature student at Brown and semi-frequent Shiru customer (she usually gets a cold brew). It took her a couple of months to set foot in the store. “I just kept hearing about it as this crazy thing you had to see to believe,” she said. While she copped to being “very paranoid” about signing into the café’s Wi-Fi, she admitted to being unclear as to the company’s privacy policy. “I hate to say it, but I don’t really know enough about what they’re admitting to using our data for or disclosing to us because I don’t pay close enough attention.”

And she seems to get some enjoyment from the fact that she’s not Shiru’s target demographic: In order to sign up, Swanson, a comparative-literature major focusing on Russian translation, had to pick her intended career industry. Among the list of paths in finance, consulting, and software engineering, the only one that credibly fit was “judge.”

“It’s really creepy inside, the decorations” — she tells how the walls are lined with motivational posters, empty wooden picture frames, a giant clock — “are really off-putting,” she said.

“I guess that’s what lends itself to people being ironically interested in it. Because it has this pretense of doing good for students and the world at large and being an optimistic, empowering environment, but it’s really kind of freaky.”

But that discomfort seems to be more about what the café represents than any real or imagined abuses. It highlights a new norm rather than an aberration. If truly opting out isn’t really an option, why not get a free drink? The sale of personal consumer data has been going on for decades, long before Google and Facebook, though more colorful examples, like receiving a promotional package of baby formula shortly after a miscarriage, may make it feel like ‘someone’ is watching. In a recent JSTOR article, Eric Schewe brings up the example of the relationship between smart home and owner as a kind of “participatory surveillance.” But when it comes to data privacy, nonparticipation might not really be a choice. While, and if, the adoption of the MoviePass model catches on, it may simply highlight how much surveillance is already happening, rather than what any user is choosing to participate in, or a norm that a single company may be engaging in more flamboyantly.

So if this were an episode of Black Mirror, it probably wouldn’t end with Daniel Kaluuya staring out the window of his mansion contemplating the soulless and irrefusable bargain of commodifying his disgust toward a system that is now rewarding him for performing that disgust. It might end instead with a person sipping a matcha latte, going about their day, reaping a small, apparent benefit of a society where privacy as we might have known it has long been a thing of the past.

One Coffee? Your Total Is Some Personal Data.