The NSA's Bulk Collection Is Over, but Google and Facebook Are Still in the Data Business

Private-sector data collection can reveal as much about a person as government surveillance, privacy advocates say.

Facebook CEO Mark Zuckerberg speaks at the F8 summit in San Francisco on March 25, 2015. (National Journal)

Don't be fooled: Congress may have finally passed the bill reining in the National Security Agency's bulk-surveillance programs, but your data is still being collected on the Internet.

Lost in the debate over the NSA is the fact that companies like Google and Facebook continue to vacuum up vast troves of consumer data and use it for marketing.

The private-sector tech companies that run the social networks and email services Americans use every day are relatively opaque when it comes to their data-collection and retention policies, which are engineered not to preserve national security but to bolster the companies' bottom lines.

Critics say the consumer data that private companies collect can paint as detailed a picture of an individual as the metadata that got caught up in the NSA's dragnets. Companies like Google and Facebook comb through customers' usage statistics in order to precisely tailor marketing to their users, a valuable service that advertisers pay the companies dearly to access.

"What both types of information collection show is that metadata—data about data—can in many cases be more revelatory than content," said Gabe Rottman, legislative counsel at the American Civil Liberties Union. "You see that given the granularity with which private data collection can discern very intimate details about your life."

And there's no guarantee what is collected by the private sector will stay with the private sector. "The government has a huge number of tools to get data from private companies," said Chris Calabrese, senior policy director at the Center for Democracy and Technology. "That's obviously a very difficult situation for companies to be in."

Law-enforcement agencies are looking for even more ways to access private companies' data. Some social-networking sites have begun encrypting the data that's sent through their servers, prompting the FBI to ask companies to make their data available to the agency when asked.

"We suggest, and we are imploring, Congress to help us seek legal remedies towards that as well as asking the companies to provide technological solutions to help that," said Michael Steinbach, assistant director of the FBI's counterterrorism division, at a congressional hearing Wednesday. "Privacy above all other things, including safety and freedom from terrorism, is not where we want to go."

Still, comparing NSA spying and private-sector data-gathering is "a little bit apples to oranges," Calabrese said."There's real concerns around government overreach that have to do with our constitutional values and what we care about as a nation."

Unlike the private sector, Rottman said, "government can take your life or liberty."

When users sign onto Google or Facebook, they choose to give up their personal information in order to get valuable services from the companies, which sets up a dynamic fundamentally different from government surveillance.

But more often than not, Calabrese says, user consent is not enough to justify data collection, because of the lack of transparency in the process. "People aren't always aware of the amount of information being collected about them when they surf online," he said.

"People should be voting with their feet when companies aren't supporting the most aggressive privacy policies," Rottman said. But users are often not informed voters. "You can't vote with your feet unless you know you need to vote with your feet," said Rottman.

Although the Senate's attention has been caught up lately in the debate over government surveillance, legislation introduced earlier this year aimed to bolster data privacy by placing limits on the private sector.

Sen. Ed Markey, D-Mass., is behind two such bills this year. Along with Sen. Orrin Hatch, R-Utah, Markey reintroduced legislation last month that would place security requirements on companies that deal in student data and would forbid them from using student data for advertising.

Markey also reintroduced a more general bill in March aimed at improving the accuracy of personal information stored online. It would require "data brokers"—that is, companies that collect and sell personal data—to have a system by which users can verify that their information is correct and to allow users to choose not to make their data available for marketing.

And Sen. Bernie Sanders, the Democratic presidential candidate, a longtime advocate of data privacy, has turned his trademark ire against both the government's and the private sector's data-collection policies. He calls government surveillance "Orwellian" and presents a bleak picture of agencies obsessed with tracking Americans' every movement, but his criticism is not limited to the government.

"While today we are focusing appropriately on the role of the federal government in issues of civil liberties, we must also understand that it is not just the government that is collecting information on law-abiding Americans," Sanders said in a speech last month. "In fact, the private sector's collection of information is just as intrusive and equally dangerous."

Sanders said during that speech that he will introduce legislation calling for a "comprehensive review of data collection by public and private entities and the impact that that data is having on the American people." That legislation has not yet materialized, and the senator's office remains tight-lipped about the bill.

For their part, various tech companies are paying attention to the trend.

Google on Monday unveiled a frequently asked questions page to address users' privacy concerns, answering questions like "Does Google sell my personal information?" and "How does Google keep my information safe?" It also revamped its account settings page, offering privacy and security "checkups" to walk users through steps to keep their data safe.

On the same day, Facebook announced it will offer the option to send sensitive information, like password reset links, in encrypted emails. ("New Facebook feature shows actual respect for your privacy," read a Wired headline on an article about the announcement.) Facebook already encrypts traffic to and from its site, and offers privacy fanatics—or those who fear government retribution for their actions on the social network—access to its services via the Tor browser, widely regarded as the most secure and private way to access the Internet.

The companies' changes are moves in the right direction, according to Calabrese. Although Google's announcement did not include any changes in data-collection policy, it did represent an important increase in transparency and accessibility.

"Usability really does matter," Calabrese said. "Too often, privacy controls are hard for consumers to figure out. They tend to get frustrated and not use them."