Six Lines

Why Privacy Regulation Will Happen

Posted by Aaron Massey on 26 May 2017.

Privacy regulation in the United States remains domain-specific. We have separate regulations for healthcare, finance, telecommunications, and various other legal domains. What we don’t have is a single, strong privacy regulation that all corporations must abide by. I’m not sure we ever will, nor am I certain whether that’s even a good idea. However, I think I know why it will happen if it does happen.

The five companies with the largest market cap in the world are, in order, Apple, Google (technically Alphabet, the parent company of Google), Microsoft, Amazon, and Facebook. No, this is not a tech-only list; it’s based on all publicly traded companies in the world. As of a few months ago, Facebook was eighth, but they have moved up to fifth. Jon Evans makes the argument that are so dominant in their position that their only real competition is one another. This is actually why we will see strong, general privacy regulation in the United States, if we ever do see it.

The best analogy to help understand how these five companies would create a privacy regulation is sales tax. For years, Amazon was happy to sell products online without requiring customers to pay local or state sales taxes. Not doing so was a competitive advantage for them. How could the various jurisdictions collect it anyhow? But now, Amazon is essentially happy to help people pay sales tax. Why? It’s a competitive advantage. If you’re a scrappy upstart, like Jet, now you too have to build out the infrastructure to calculate and collect the various taxes that are needed all over the world. Amazon’s policy on this issue has always been determined by whichever position provided the largest competitive advantage. If privacy regulation happens, it will be driven by a similar process.

Evans’s article makes the point that each company is building their own ecosystem. If you’re an Amazon customer, then you’re using it for everything. You’ve got Amazon Prime, a Kindle, an Echo, and so on. If you’re an Apple customer, then you have an iPhone, a Mac, and you use all their associated services. Similar arrangements are setup at each of the other five companies, with the possible exception of Facebook. Each of these companies wants to make genuine competition as difficult as possible by leveraging their current access to your data as much as possible.

Strangely, this approach might be easier to understand by examining one of the possible competitors that could unseat one of the current top dogs. WeChat is effectively the dominant social network in Asia. Here’s Ben Thompson arguing WeChat is a huge problem for Apple:

The fundamental issue is this: unlike the rest of the world, in China the most important layer of the smartphone stack is not the phone’s operating system. Rather, it is WeChat. Connie Chan of Andreessen Horowitz tried to explain in 2015 just how integrated WeChat is into the daily lives of nearly 900 million Chinese, and that integration has only grown since then: every aspect of a typical Chinese person’s life, not just online but also off is conducted through a single app (and, to the extent other apps are used, they are often games promoted through WeChat).

There is nothing in any other country that is comparable: not LINE, not WhatsApp, not Facebook. All of those are about communication or wasting time: WeChat is that, but it is also for reading news, for hailing taxis, for paying for lunch (try and pay with cash for lunch, and you’ll look like a luddite), for accessing government resources, for business. For all intents and purposes WeChat is your phone, and to a far greater extent in China than anywhere else, your phone is everything.

In essence, Apple’s iPhone sales are down because a cheap Android phone with WeChat is an extremely compelling alternative ecosystem. Apple’s ecosystem isn’t enough of a pull. What can Apple do to compete against this? The more people using WeChat the harder it is to get them to switch. And this is exactly where the vast majority of small tech companies are right now with respect to the big five. This sort of data competition is a land grab, and they stopped making land a long time ago.

With this principle in mind, consider Jon Evans’s point about privacy and security:

On the one hand this surveillance-capitalism data grab (and make no mistake, that’s what it is, at least in part) feels creepy and intrusive in a deeply personal way. On the other you can actually make the compelling, if depressing, case that hey, it’s the 21st century, someone’s going to surveil you, you may as well choose the Stack that you find least untrustworthy, give all your data to them, and rely on them to keep it safe. After all, you know they don’t want to let anyone else have it. It’s valuable.

It would be disingenuous of me not to stress that the majority of Stack employees and executives really and truly want to do the right thing with this data. Apple went to the mat against the FBI for the sake of user privacy. You will never meet a more dedicated, passionate, and influential privacy/safety team than Google’s. Amazon’s single highest corporate value is customer satisfaction, and they’re clearly willing to sacrifice profits for that. Microsoft has learned better than to risk its reputation. Facebook’s CISO, Alex Stamos, is a longtime prominent privacy advocate.

Consider that Google, Facebook, and Microsoft are, as a result of privacy settlements with the FTC, being audited by third parties that report to the FTC on an ongoing basis. These companies have almost cornered the market on employees with significant privacy and security experience. I bet every one of these companies would support some for of general privacy regulation that would essentially force all of their competitors to build out a similar group. And they already have a head start in demonstrating their compliance.

For a general privacy regulation to get off the ground in the current US political environment, having the strong, vocal support of the Big Five tech companies is almost necessary. The most likely scenario is that a general regulation would simply protect existing businesses by stamping what they are currently doing as “required” for everyone else. Right now, that would actually be a huge step forward for privacy. The biggest problems we have aren’t those Big Five. It’s smaller companies taking far bigger risks with customer data. This type of regulation isn’t a “privacy” regulation in the sense that most privacy advocates want: a thoughtful, consumer-first perspective on privacy. But I don’t see a reason why that sort of privacy regulation would actually happen.