Feb 15, 2021 8:00 AM

A Case Against the Peeping Tom Theory of Privacy

Yes, it's creepy when companies can track your every move. But that's not the only problem.

Collage of images of crowd looking at their smartphones cellular towers and a dictionary entry for privacy

In an Apple commercial that was on heavy rotation last fall, people go around telling strangers intimate information about themselves. “I browsed eight sites for divorce attorneys today,” a guy shouts to a bus full of passengers. A beautiful woman informs a passerby, “My home is in 1,000 feet.” A man in a bathroom stall announces, “I’m currently reading an article titled ‘10 Ways to Keep Sweaty Hands From Holding You Back.’” Finally, you find out what it’s selling: Apple’s privacy protections. “Some things shouldn’t be shared,” reads white text on a black background. “iPhone helps keep it that way.”

As something of a privacy enthusiast, I loved that commercial. It’s effective—more than 25 million views on YouTube—because it’s intuitive. You wouldn’t tell a coworker or a stranger on the street you looked at an embarrassing article, so why are you telling data brokers and ad tech companies?

The commercial exemplifies what I call the Peeping Tom theory of privacy, in which the essential concern is keeping creepy, voyeuristic companies, not to mention hackers and identity thieves, from knowing our secrets. Spend enough time at congressional hearings or privacy panels and you’re almost sure to hear someone raise the horrifying prospect of a targeted advertisement informing a woman, or, worse, her partner or parents, that she’s pregnant before they know themselves (a version of which actually happened in this classic 2012 New York Times story).

The pregnancy anecdote resonates because just about everyone knows what it feels like to see an online ad that seems a bit too well targeted. And yet the heavy focus on creepy marketing threatens to distract from the bigger picture. The events of the next year could go a long way toward determining how personal data is used in the US. In the private sphere, Apple and Facebook are publicly jousting over how much app developers should be allowed to track users by default. Meanwhile, more and more states introduce their own privacy bills, as Big Tech lobbyists urge Congress to pass a federal law to preempt them. The consequences of these battles go far beyond who can access your browsing history, your health records, or even your bank account.

Privacy is traditionally thought of as an individual right. “It is our purpose to consider whether the existing law affords a principle which can properly be invoked to protect the privacy of the individual,” declared Louis D. Brandeis and Samuel D. Warren in their classic 1890 essay “The Right to Privacy.” Privacy, they argued, was part of “the more general right of the individual to be let alone.” That idea still animates how privacy is thought of in the 21st century. Laws like the California Consumer Privacy Act are designed to give users more say over who is storing and selling data about them—essentially, the right to object. The fundamental unit of American data privacy laws is the individual user opt-out.

This individualistic model of privacy is simply not up to the task of regulating the modern internet, where the implications of who gets to do what with our data are fundamentally collective. This is true in a technical sense: Because everyone is so interconnected, it may be impossible for an individual to opt out of being tracked and targeted entirely. Facebook notoriously builds “shadow profiles” of people, even ones who don’t have Facebook accounts, based on information gathered from their contacts. If someone uploads a picture to social media with you in it, you can’t stop your mug from ending up in a bunch of facial-recognition databases. “We are prisoners of other people’s consent,” write Martin Tisné, the managing director of Luminate, and Marietje Schaake, the international policy director of the Cyber Policy Center. “Even if I refuse to use Facebook or Twitter or Amazon—the fact that everyone around me has joined means there are just as many data points about me to target.”

As compelling as that Apple ad is, the Peeping Tom narrative doesn’t capture the collective dimension of data privacy. The truth, as the tech analyst Ben Thompson points out, is that the companies that track our every move, or try to, generally don’t care about us as individuals. The data they gather is aggregated, fed to machine learning algorithms, and used to target advertisements to us based on our behavior. There is no human being snooping through your laundry, just a machine trying to sell you more stuff. “The entire reason their businesses are possible is precisely because they don’t know who I am, and have no need to,” Thompson writes. “And yet they can sell me exactly what I want just the same.”

The fact that the companies harvesting your data don’t care about you does not mean you get to stop caring about them, I’m afraid. It’s just that the reasons to care are not limited to the degree to which you are personally being snooped on. Consider the journalism industry. For most of modern history, the best way for advertisers to reach their target audience was to buy advertising where that audience was most likely to be watching, reading, or listening to something. If you wanted to sell baseball cards, you might place ads in Sports Illustrated. Today, advertisers can reach the same sports enthusiasts wherever they are online; instead of paying SI.com to run the ad directly, they can pay Google to target the ad to people who like sports wherever they can be reached most cheaply.

There is quite a bit of research calling into question how effective this behavioral microtargeting really is. But it is how marketers choose to spend much of their digital advertising budgets. The result is that money that used to flow to journalistic publications is diverted not only to social media platforms like Facebook and YouTube but also toward lower-quality sites and apps, including purveyors of bigotry and disinformation. Conspiratorial garbage-peddlers like the Gateway Pundit would struggle to exist without an automated, user-targeting-based ad system that doesn’t require advertisers to consciously choose to spend money there. You don’t have to be totally biased in favor of the journalism industry, as I am, to be bothered by a business model that uses your personal data to imperil its financial viability. You need only accept that journalism is necessary for democratic self-government.

The behavioral-tracking-based advertising model also shapes the incentives of social networks and social media. The reason Facebook and YouTube are so focused on keeping users “engaged” is that the more time you spend on their platforms, the more they are able to profile you and the more ads they can serve you. That powerful bias toward maximizing engagement, in turn, helps explain why platforms are caught over and over again steering users toward provocative and even radicalizing content. The Wall Street Journal reported last year, for example, that Facebook employees warned their bosses, “Our algorithms exploit the human brain’s attraction to divisiveness”—but their proposals to decrease polarization, at some cost to engagement, were blocked or watered down.

An individual opting out of being tracked and targeted doesn’t solve any of these issues. Twitter and Instagram will still try to keep you scrolling even if you turn off personalized ads; the news business will keep struggling; scam ads will keep propping up bottom-feeding websites. Because the most serious consequences of the data-driven economy are collective, your individual choices over your own data have at best a marginal impact.

The Peeping Tom theory also fails to take into account situations where the problem could be described as too much privacy. Last year, congressman David Cicilline (D–Rhode Island) introduced a bill that would have banned the targeting of political ads based on anything besides age, gender, or zip code. The point was to make sure that if false or misleading political ads were being run on social media, at least they would have to be served to a wide audience so that people could rebut it. Microtargeting political ads is particularly troublesome because, as Cicilline told me at the time, “it relates to the ability of people to get trustworthy, reliable information to make decisions in an election, which is the cornerstone of our democracy.” But the principle can be generalized. The logic of behaviorally targeted advertising pushes inexorably toward ever more personalization and segmentation. Viewed one way, that means satisfying an ever-growing diversity of consumer choice. Viewed another, it means replacing collective experiences, shared among citizens, with private transactions between corporation and individual. In this sense, what is at stake when we talk about online privacy is the continued existence of public life.

Of course there are individual rights bound up with the question of who can access and monetize our data. Last year, for example, The Wall Street Journal reported that the federal government was buying phone-location data to use for immigration and border enforcement. And on a rhetorical level, it’s much easier to get someone creeped out about tech companies exposing their embarrassing secrets than it is to explain the third-order economic consequences of cross-context behavioral microtargeting. (I’ve tried.) The danger is that we focus too much on the creepy individual-level stuff at the expense of the more diffuse, but equally urgent, collective concerns.

“I used to think privacy was about who could see I’m looking for shoes, or a sweater, or weight-loss pills,” says Alastair Mactaggart, the founder of Californians for Consumer Privacy. In other words, he started off as an anti–Peeping Tom: a real estate developer who turned into a privacy crusader after getting freaked out by how much companies like Google knew about him. That led him to finance and spearhead the ballot measure that turned into the California Consumer Privacy Act, passed in 2018, and the more aggressive California Privacy Rights Act, passed last November. In the process, his understanding of the issue evolved. “Now, because our personal information is the fuel that powers these companies, I think privacy is really about how these companies will interact with us and, eventually, with a democratic society,” he says.

This is a lot of weight for one word to bear—as Mactaggart acknowledges. “Privacy,” he says, “is the wrong word for privacy.”

Updated 2-16-2021, 9:45 am EST: Louis D. Brandeis wrote “The Right to Privacy” with Samuel D. Warren, not Oliver Wendell Holmes as previously stated.