Wait Wait...Do Tell Me: Why It's Time to Start Demanding Transparency from Companies That Share Consumer Information

Nov 20, 2012
By:
Matt Cagle

Page Media

ACLU of Northern CA

Think Facebook is only interested in your online activity? Think again. The company recently announced a partnership with information broker Datalogix, which operates many of the loyalty card programs we use to get a discount at stores like CVS. The partnership — one of Facebook's three new advertising programs —allows Facebook to gauge the effectiveness of its ads by learning about the offline purchases of ad viewers. Unfortunately, Facebook has not given its users the ability to see what information is actually being shared with Datalogix or to opt out of the program from Facebook's end. Datalogix's opt-out option is not enough – these companies should allow individual users to see how their information is being watched and traded.

The mechanics of the data exchange are relatively privacy-protective. As the EFF explains, Facebook could show an ad to a group of users and then ask Datalogix to determine what proportion of the group purchased the advertised product offline. Under the agreement, Facebook can't learn for certain which products a given user purchased, although it does learn which of its users have loyalty cards provided by Datalogix. The agreement puts technical and contractual measures in place to limit the use of the data by Datalogix as well.

Unfortunately, neither Datalogix nor Facebook are letting users see what info is being tabulated and exchanged. This lack of transparency is made worse by the fact that neither Datalogix nor Facebook give users granular control over the types of information it exchanges about them. As the EFF points out, Datalogix makes an opt-out available, but there is no place where users can actually request to alter how purchase information can be shared with other entities. Facebook does not offer an opt-out for the advertising program on its own website. This all makes it impossible for users to supervise the merging of their own online and offline lives.

As companies like Facebook — and even other entities like the Obama and Romney campaigns in the recent election – continue to build more and more detailed profiles of our lives, incorporating even offline activities, it is essential that we have both the technical and legal privacy protections that seem to be in place in the Facebook-Datalogix partnership as well as the transparency and control that are lacking. In the words of another one-time presidential candidate, Ronald Reagan, we need to "trust, but verify." Having the tools to verify that our data is being used and shared as we expect — and to react if it isn't — is increasingly important as the profiles held by companies like Facebook expose more and more intimate details of our lives. Providing the ability to verify also helps companies build and maintain user trust, a key ingredient to long-term success.

Unfortunately, too many companies still prefer "just trust us" to "trust, but verify," even though empowering users with strong privacy and free speech policies increases customer trust and is good for business. The Datalogix-Facebook agreement is designed without adequate transparency or user control, leaving the companies — and not users — in control of how our online and offline lives are merged. If this concerns you, opt out of the program on the Datalogix end and tell Facebook exactly why you did so.

Matthew Cagle is a Volunteer Attorney for Technology and Civil Liberties with the ACLU of Northern California.