Kyle Rankin

Chief Security Officer
PGP ID: 0xB9EF770D6EFE360F
Fingerprint: 0DFE 2A03 7FEF B6BF C56F 73C5 B9EF 770D 6EFE 360F
There’s an old snarky saying among privacy advocates: “If you aren’t paying for something, you are the product!” This updated version of “There’s no such thing as a free lunch” arose in the Internet age among the ever-growing list of free services and apps on the Internet funded by collecting and selling your data to advertisers. If large companies like Google and Facebook are any indication, a lot of money can be made with user data and the more data you collect, the more money you can make.

The more data = more money formula has meant that privacy on the Internet is hard to come by. There’s just too much money to be made and too little regulation and in some cases too little public will to prevent it. Many people justify the invasion of their privacy with the fact that they are at least getting something for free in return. Indeed many free phone apps or services that show ads to users also offer a paid version that removes ads (although that doesn’t necessarily mean the data collection stops).

You Are Always The Product

As bad as trading your privacy in exchange for an app or service might be, there’s at least some logic and precedent to it. Yet there’s a growing trend among businesses that have realized the gold mine of data they have from their paying customers. They see all the money they are leaving on the table, and few so far have been able to resist the urge to copy the business model of Big Data companies. Now that everyone is data mining, we can shorten that snarky saying to just: “You are always the product.”

Most recently T-Mobile made the news by announcing a new program that will, by default, collect and sell customer data to advertisers:

“[S]tarting April 26, 2021, T‑Mobile will begin a new program that uses some data we have about you, including information we learn from your web and device usage data (like the apps installed on your device) and interactions with our products and services for our own and 3rd party advertising, unless you tell us not to,” T-Mobile said in a privacy notice. “When we share this information with third parties, it is not tied to your name or information that directly identifies you.”

Of course T-Mobile isn’t the only cellular carrier doing this. As we mentioned when we announced our AweSIM service, all the major US carriers are working together on a unified customer identifier that according to the AT&T CEO, “would allow marketers to identify users across multiple devices and serve them relevant advertising.”

Naturally, the default these carriers pick is to collect and sell your data, and the responsibility is on you to opt out. T-Mobile, like Big Tech firms, realizes that if users had to opt in to having their privacy invaded, they wouldn’t, but making users research how to opt out and go through a convoluted and sometimes confusing workflow to do so means few people will bother.

This, by the way, is why Big Tech firms fought so hard against the provision in early drafts of the California Consumer Privacy Act (CCPA) that would have required users to opt in before companies could collect and sell their data. Despite the fact that we at Purism and others argued in favor of the opt-in clause, ultimately Big Tech won their concession and the CCPA was weakened to opt-out.

Cellular carriers aren’t the only companies double dipping. There is so much money to be made in capturing and selling user data that all companies are taking notice, and if you are a publicly traded company, you may even have a fiduciary responsibility to mine this resource. Not doing so leaves money on the table and puts a company at risk of a shareholder lawsuit for not maximizing shareholder value. Internet Service Providers, credit card companies, and even appliance manufacturers are getting in on the game to wring extra money from paying customers by harvesting their data.

The CTO of Vizio (a television manufacturer) even admitted in an interview that removing “smart TV” features would make their TVs more expensive. Why? They are making so much extra money on the side with user data that they would have to make up the difference by charging more for a TV without “smart” features.

Privacy By Default

Some of the questions we get about the AweSIM service (“Q: Would you turn over customer data to law enforcement?” “A: Yes if it were a legal request.”) lead me to believe some people have assumed we created the service with law enforcement in the threat model. AweSIM doesn’t exist for people to commit crimes. Instead, as we said in our product announcement, we created the service for two main reasons: convenience (“just works on Librem 5 phones”) and privacy. In particular, we were focused on protecting your privacy from the major cellular providers because we saw where the industry was headed.

Because we register each AweSIM number in Purism’s name, upstream cellular networks have no direct link between a phone number and one of our customers. We aren’t providing vendor-supplied Android phones loaded with spyware apps that you can’t remove. Instead, we are providing AweSIM for use in the US on either the Librem 5 or Librem 5 USA, running PureOS, not Android, so you are in complete control of your own privacy by default.

With the Librem 5 and AweSIM, there are no pre-installed vendor apps to track what other apps are installed and there is nothing to opt out of. You even have the option of taking your privacy a step further by protecting your Internet traffic as it goes over the cellular provider’s network with a VPN service like Librem Tunnel or Tor. That way, if the cellular provider tries to associate web traffic with a particular SIM, all they will see is a steady stream of encrypted connections to a VPN or Tor node.

No Double Dipping

While companies should protect their customers’ privacy by default whether their product is free or not, it’s particularly discouraging to see that many companies out there are double dipping on their customers. First they get money from you for a product or service, and then they mine your data for extra money for as long as you are a customer. In many cases customers have no idea this is even going on.

As a customer, you are empowered to do something about this. Your dollar is a vote, and when you cast your vote for a particular company, insist that they respect your privacy. There should be no double dipping and no data mining, especially not without your explicit, informed consent. Vote for companies that respect your privacy.

 
