Big brother in big tech

The hottest trend in tech is not tech. It is privacy.

In the past two weeks, the chief executives of Google and Facebook - two tech companies that frequently track our digital habits - have made protecting user data the central theme in their conference speeches.

But experts believe there is more that tech firms can do. Similarly, consumers want an easier way to monitor if the tech firms are actually walking the talk.

At Google's annual gathering of software developers in the United States last week, its chief executive Sundar Pichai said: "We strongly believe that privacy and security are for everyone, not just a few."

At the event, called Google I/O, the company said its new mobile operating system Android Q and existing products such as YouTube and Google Maps will have new privacy features so users can be in control of their data. The bulk of such data will also remain in the users' devices rather than being collected and stored in the cloud at the firm's end.

At Facebook's annual F8 developer conference two weeks ago in the US, company chief executive Mark Zukerberg declared that "the future is private".

He vowed to do more, including extending popular messaging app WhatsApp's end-to-end encryption to other Facebook-owned private messaging platforms Messenger and Instagram Direct.

This spotlight on privacy and security comes as big tech firms suffer public backlash over how they handle users' personal information.

In January, Google was slapped with a €50 million (S$76.7 million) fine in France for breaching European Union online privacy rules. The French regulator said Google lacked transparency and clarity in how it informs users about its handling of personal data and failed to properly obtain their consent for personalised ads.

Facebook went under intense fire after it reported early last year sharing the private information of as many as 87 million users with political consultancy firm Cambridge Analytica. The third-party firm had used users' personal data to design advertising and content to influence their votes during the 2016 United States presidential election.

REGULATORY PRESSURES

Experts say tighter regulatory scrutiny and heightened consumer awareness are two key drivers in protecting user privacy among big tech firms.

For instance, the EU's General Data Protection Regulation (GDPR), which came into force in May last year, is the biggest shake-up of data privacy laws in more than two decades. It allows users to better control their personal data and gives regulators the power to impose fines of up to 4 per cent of global revenue for violations.

The impact of the GDPR extends beyond Europe, said Ms Charmian Aw, a lawyer who specialises in information technology, privacy and data security at Reed Smith in alliance with Resource Law.

She noted that countries in the region, such as India and Thailand, are looking to adopt in their laws features that are similar to those in the GDPR. Singapore, too, has considered the GDPR to see what can be ported over to its existing law, she said.

In addition, consumers are getting more aware of issues related to data sharing and cybersecurity with the proliferation of digitalisation and all things tech, including topics such as artificial intelligence and blockchain.

"Media coverage on privacy topics is also becoming more and more prevalent," she added.

DATA SHARING

But critics have pointed out that some of the changes pledged by the tech firms are not enough to address the central issue of privacy related to data sharing.

NUS computer science professors Liang Zhenkai, Xiao Xiaokui and Reza Shokri said what is needed is a fundamental change in how user data is collected, shared and used.

"To better safeguard user privacy, it is important that user data should be carefully sanitised before leaving their devices," they said in an e-mail response.

So far, only Google and Apple have applied an advanced privacy preservation mechanism, and only in some of their data collection processes.

"Not all data collected by all vendors are protected with such a mechanism," they added.

Mr Claus Mortensen, principal analyst of Ecosystm, a technology research and advisory firm, pointed out that Facebook had only talked about the encryption of its private messaging services - Messenger and Instagram Direct. It had skirted the central issue of data sharing.

"Facebook's chequered history with regard to privacy has been its liberal use and sharing of user data... on the main Facebook platform.

"It is this data that was shared with Cambridge Analytica, with leading handset manufacturers and a number of other Internet companies without the users' knowledge or explicit consent," he said.

He did not think Facebook would walk the talk and put new privacy safeguards into effect until it comes up with a clear business strategy to wean itself off data sharing as the main revenue-generating tool.

But he said that Google, on the other hand, has taken some real steps that would help protect user privacy, including stopping the scanning of Gmail users' e-mails for ad targeting and rolling out an auto-delete feature that erases web and app activity after three or 18 months.

Ms Aw said such actions lean towards a privacy by design approach, which is to embed user privacy in product or service features. This is what tech firms need to do on top of the usual consent clauses that they present to users.

"Ultimately, the burden lies on these tech firms to demonstrate that they are accountable and compliant with the law," she added.

LACK OF OVERSIGHT

Consumers tell The Straits Times they welcome such moves by tech giants to protect their data, but it is hard for them to know if these firms are actually walking the talk.

"They tell you they are implementing new rules, but there is no oversight. How do you know what actually flows out of your computer?" said Mr Dennis Chu, 38, a business development manager at an engineering firm.

Dr Kua Shin Yii, 41, a doctor in private practice, thinks these new privacy measures are a step in the right direction, but much of her data could have been collected anyway prior to these new pledges.

"I feel Google and Facebook are feeding me information based on what I surf. And we don't know how much data has been collected already," she said.

Indeed, Mr Mortensen thinks this hints at the motivation behind these two tech giants' current initiatives.

"Google probably hasn't stopped scanning Gmail users' messages because they really want to provide them with greater levels of privacy - they have stopped because they don't need to anymore.

"They now have the capability to target ads effectively without the need for scanning the content of e-mails," he noted.

"Similarly, they don't need to know a user's app and web history for the last several years - more current behaviour is enough and often more relevant for ad targeting."

As for Facebook, it is simply not ready to cut off access yet.

"They still haven't worked out how to target and contextualise ad content without giving access to extensive user data. Once they figure it out, we will probably see very public announcements from Facebook about it," Mr Mortensen added.

This article was first published in The Straits Times. Permission required for reproduction.