By Ahmet Akkoc, Junior Researcher
In a hurry? You can watch a video summary of this blogpost here.
> “I am a student, how am I supposed to pay for anything? Let alone privacy?”
These were the words of an interviewee when asked about the costs of their privacy. As far as the interviewee was concerned they were not paying a cent for their privacy. Sure, they utilised various digital artefacts for the sake of maintaining some semblance of online privacy, but without any apparent cost to themselves.
Now the interviewee was correct in saying that technically they did not pay for anything. But those privacy artefacts had to have come from somewhere and there was surely a latent economic system governing the production and distribution of such digital privacy artefacts. Through dialogue with the interviewee, we uncovered that the interviewee’s privacy needs stimulated some 100DKK’s worth of economic activity. Some of those privacy artefacts the interviewee employed were in fact commodities made by software and security companies, with their costs covered by family or university.
This above description provides a microcosm of the end-consumer’s experience of privacy, more specifically digital privacy, and their juxtaposition within the privacy market. Our common experiences of privacy are facilitated through complex economic processes which operate under an invisible privacy market more often between organisations rather than between individuals.
In this blogpost, I will talk about my Secrecy Sells project with Ethos Lab and how I have attempted to uncover this hidden market.
The Story So Far: What does Privacy mean to you?
Here is a refresher on Secrecy Sells Part I.
The classical definition of privacy commodification is synonymous with data commodification. Birch & Muniesa (2020) refer to the transformation of personal/private data into assets for new services and innovations as Technoscientific Capitalism. This classic model views privacy commodification as a transaction between individual and service provider. Here all individuals exhaust their privacy for receiving certain services resulting in the creation of personal data as an asset. This classical definition is what we mean by “you pay with your data” to use Facebook for free. Or also when saying that the Data Brokerage Market is expected to hit US$ 462.4 billion by 2031 (Transparency Market Research, 2022).
Yet I found this classic definition unsatisfying. Because sometimes the very sense of privacy itself, without any data extraction involved can too be commodified. My favourite example for “paid privacy” here are sunglasses: You can pay for the sunglasses to become more private and hide your face from the public. That is a transaction entirely removed from “Technoscientific Capitalism” and similar paradigms. Thus I was motivated to study a broader “Privacy Market” where goods and services were priced based on some value proposition of privacy.
Of course, being able to study “pay for privacy” required some idea of being able to identify “privacy values”. So in Part I of this project, I studied the privacy literature to uncover the different value categories people might associate with privacy. Then based on those values I engineered a survey to ask participants about their software, their communities and their online attitudes for remaining private.
What I found was that for achieving privacy, different people can have different, even contrasting goals. While a sedentary person may see their information safer on offline storage devices resting at their fingertips, an activist involved in protests with a legitimate concern of having their devices confiscated finds refuge in using cloud services. And then the contextual privacy inherent in different social media platforms such as Instagram, TikTok or LinkedIn was a deciding factor in whether or not a person felt comfortable continuing to use said platform. Indeed, privacy was to most interviewees less a quantity but a quality.
So that was Secrecy Sells: Part I, what privacy means to us. What chapter II focuses on will be mapping out the invisible Privacy Market that I keep alluding to: the underlying economic system which revolves around the buying and selling of privacy artefacts.
Research Question 1: What Commodities are associated with Privacy?
We don’t always pay so much attention to why we buy things, because there can be multiple appeals to it. This was a point that actually came up during interviews, as participants were unsure if their operating system choice was a result of privacy considerations. But we know when we buy something because you need to type out the card number, see your balance go down… It stings every time and that’s maybe why we pay a lot more attention to having bought something.
So I wanted to work from that conflict and chose my first research question to explore what commodities were associated with privacy. Here I use the word “commodity” to mean a commercial resource: something bought or sold. Then a “privacy commodity” is any commodity whose demand is based on some value of privacy. What we will wrestle with in this question is the fact that not every privacy artefact is necessarily a commodity.
During interviews, I asked participants to recount tools, modifications and products they had installed with the goal of achieving privacy. Below is a bar chart showing the most common free tools, or products reported as part of the Secrecy Sells interviews.
Commonly reported privacy artefacts included Adblockers, VPNs, Authentication Apps, Encryption Software, Anti-virus, Tracking Blockers and Password Managers.
Markedly different from most markets, prices in the privacy market are extremely volatile. It is quite possible for an end-user A to pay a $100 for a VPN while person B may use a free VPN service and person C may receive a similar service as part of something else they have paid for. Thus the delineation between “free download” and product is very difficult at the level of software. And yet, it is all too easy to track from the end-consumer’s point of view, because they remember what they have paid for and what they have received for free.
Among the reported categories, VPNs were by far the most clearly commodified products. VPNs had recognisable brands, were conceptualised as service-providers rather than purchased goods and most importantly almost always came at a cost.
Another idiosyncrasy of the privacy market relates to the source of privacy. Above is a network illustrating how different participants (P2, P3, P4 and P8) were able to make use of a VPN/Network Relay. The one participant who paid for their VPN out of pocket was P4 (illustrated by the purple arrows). P2 was sharing a VPN with a friend, P5 was sharing with family and P3 received a free network relay as part of a cloud subscription. That is to say, only one person here made a conscious purchase for their privacy’s sake, where the other three ended up obtaining the product through other means. More on this below.
As I wrote above, not every privacy thing is a privacy commodity. Adblockers were more popular than VPNs and obtained through often free downloads. Although these too came from companies, the end-consumer did not think of them as brands. Likewise many security tools, for example device-encryption and password managers, were also commonly reported. Yet, instead of being sold separately these were free services often bundled with other commodities, whether devices or software.
In summary, VPNs stood out as commodities for privacy where other privacy artefacts such as Adblockers and Security Tools straddled the line between free and commercial. Even so, whenever possible consumers sought ways to obtain these privacy artefacts for free which brings us to our next question.
Research Question 2: Who is the Customer of Privacy?
Inspired by the previous work in data commodification, I was at first interested in doing a cost benefit analysis. These cost analyses typically take the form of a psycho-economic experiment where participants are offered higher and higher rewards for disclosing some piece of personal information. Your browsing behaviour for a big mac by Carascal et al. (2013) illustrates these experiments very well.
Instead of working with hypotheticals, I thought my interviews would be able to give me real world data specifically on what costs people had for their privacy services. My hopes were soon shattered as I kept encountering the issue that my interviewees were trying their hardest to minimise costs, obtaining the services for free when possible.
The reality I faced was that the recipient of privacy was not necessarily the paying customer. Perhaps this was the underlying reason that we choose to omit privacy purchases from the wider discourse on privacy commodification. In fact, the customers of privacy were rarely private at all, they were organisations or institutions.
Through my interviews I identified 3 customer groups:
- Business: Participants 1 and 4 held jobs outside of the university. They both explained how some of their privacy and security software (cloud storage and network security) was provided by their workplaces.
- State: All universities in Denmark are public institutions, services provided to students are funded by the state as part of the university budgets. Most notably, student accounts are connected to Microsoft. (Authentication)
- Family: Participants 1 and 3 shared personal devices with partners. Participant 8 was able to relate many security tools they use to their family’s purchases.
While I as a person may not see the need to purchase something for privacy, an institution such as a workplace, university or even home might face such an organisational demand. And so far as I was able to tell, these institutions were targeted as customers rather than any specific person or demographic. And who might be those marketers doing the institutional targeting?
Research Question 3: Who are the Vendors of Privacy?
Research Question 2 showed us that privacy commodities are products meant for enterprise and organisational purchases. Then, there should be corresponding vendors who profit from the sale of these commodities.
At the forefront of these vendors are software companies. These software companies include VPN service providers (f.x. NordVPN), security companies (f.x. Tutao), browser companies (f.x. Google) and cloud providers (f.x. Apple). These companies produce software, either as downloadable files or as a recurring service, to meet the privacy demands of consumers. So f.x. a company such as Microsoft might offer an institutional account/authentication at a university-level, and their client would be the university rather than the consumers who see the benefit of the privacy afforded. But there are also grey regions, some for-profit companies such as Brave rely on advertising as their primary revenue stream, instead of pricing all of their privacy services.
The second big actor we have to cover as a vendor of privacy are operating system manufacturers. Although no participants reportedly bought devices with privacy considerations, operating systems are designed with many built-in privacy and security features. Participants received “free-of-charge” Biometric Recognition, Password Managers, Encryption Software and Internet Relays as part of their OS and subscriptions. We thus see OS manufacturers embedding privacy into their systems, and even brand, making privacy seem free even when it is paid for.
The third category of privacy vendors we have to consider are social media. Social media platforms can be considered as a kind of privacy vendor because their business models and profitability depend on endowing consumers with some degree of privacy. This is but again a grey area, because there is rarely an apparent customer here at all, with “user” being the preferred terminology. There exists an underlying fragmentation among the user-bases of these platforms, putting an inherent safe-distance between people. For example, participants 4 and 8 appreciated the different screen-names they could use and how those functioned as contextual identities which cannot be brought out into the real world. On the other hand, participant 1 liked using their real world name, but appreciated the fact that they could accept or reject connection requests which would seem rude outside of the platform. Furthermore, participants 2 and 5 described how their social media platforms had protection mechanisms against harassment and how that did protect their privacy.
As privacy vendors; software companies, operating systems manufacturers, and social media platforms all assume a vital role in safeguarding privacy through the products they bring to market. It is maybe worth pondering if these products do, in fact, empower the privacy of individuals or if they commodify what should be the inalienable right of privacy.
Conclusion: What is the Privacy Market, anyway?
In the privacy market we find that various stakeholders are at play. Consumers form the foundation of the privacy market, demanding greater control and protection of their personal information and private livelihood. One level above consumers stand institutional customers, such as businesses and schools, who have a vested interest in privacy due to regulatory compliance and protecting their members. Organisational management actively seeks robust privacy solutions to protect the sensitive data of organisational members. At the top of this pyramid are privacy vendors, developing and providing privacy tools and technologies to meet the privacy demands of consumers.
Most financial transactions take place between the privacy vendor, offering services such as account management or private networks, and an institutional customer such as a workplace or school. This renders a large portion of the market invisible to the end-consumers who benefit therefrom for virtually free. Yet the sheer diversity of the privacy vendor ecosystem allows for vendors to reach consumers directly, as is best evidenced in the case of VPNs. And yet other times privacy software may not have any customers at all, so to say, but be funded through alternative revenue streams such as advertising.
The interplay between consumers, institutions, and vendors constantly redefines and reshapes this privacy market. Yet we must wonder if in the process we have allowed our own senses of privacy to become a commodity, or I daresay a luxury.
Stay safe, and maybe think twice about staying private!
- Birch, K. & Muniesa, F. Introduction: Assetization and Technoscientific Capitalism. (2020). In Assetization. The MIT Press.
- Transparency Market Research (2022, August 1). Data Brokers Market Estimated to Reach US$ 462.4 billion by 2031, TMR Report. https://finance.yahoo.com/news/data-brokers-market-estimated-reach-143000910.html
- Carrascal, J. P. & Riederer, C. & Erramilli, V & Cherubini & de Oliveira, R. (2013) Your browsing behavior for a big mac: economics of personal information online. In Proceedings of the 22nd international conference on World Wide Web (WWW ’13). Association for Computing Machinery, New York, NY, USA, 189–200. https://doi.org/10.1145/2488388.2488406
Wow, if you’re still reading you must really be hooked!
You can click this link to go to my project report or interview dataset. I’m attaching here things I wasn’t able to fit anywhere else. It’s mostly intended for lab members, but anyone’s welcome to read through.
In addition to monetary cost, I was also interested in investigating storage space as a secondary kind of cost/budget. I even recorded data on it. The issue was that it was very difficult to fit into the overall narrative, especially given the the difficulty in comparing offline storage space (bought once) and online “cloud” storage (rented indefinitely). But there is definitely something interesting in how accumulation of data in local storage space limits certain other decisions.
Some thought also went into measuring costs in “time” or “attention” but these proved very difficult to measure without controlled experiments. Most participants weren’t well-aware of their time spent on privacy routines/rituals, let alone time spent on platforms. So that was another idea I had to drop early on.
Ethos being a feminist lab also motivated me to examine gender disparity. However, I did not so much observe a difference in the experiences between genders in my limited interviews, except for some anecdotes given. In particular, Shinigami Eyes, mentioned by a genderqueer participant stood out as a specific privacy artefact one might embrace due to their gender and identity, but irrelevant to most anyone else.
In the end, the data I collected became all too complex. So instead of exploring every possible angle I took the approach to start from perspectives to artefacts/commodities of privacy (RQ1) and then used those commodities to find customers of privacy (RQ2) who I linked to vendors of privacy (RQ3). That was a story that made sense, and now I can link to these side-tangents in post-commentary so that future research might be concerned with these questions in the future.
The biggest issue I have had with Secrecy Sells is that it is, as it stands, difficult to publish. Don’t get me wrong, I passed my independent research project with a fairly good grade; but there are some issues which make this project publication un-friendly.
I not only refused to subscribe to any of the established privacy frameworks in the literature but I went out of my way to openly challenge them. For example, I allowed participants to conflate the concepts of privacy and security when literature puts a heavy emphasis on separating the two.
This was a criticism in my grading also, I only spared a few sentence to reconcile my project with the privacy frameworks within the literature. I grounded the need for VPNs and anonymity in “indistinguishability” forms of privacy. I turn to contextual integrity when explaining how social media platforms and their communities assume a responsibility to protect the privacy of members. I also made the mistake of not including my guide for interviews, now available as an appendix at the end of my report.
My former supervisor, Pedro, is still very interested in the idea of the privacy market. VPNs which stood in the spotlight has made him suggest to rework the Secrecy Sells project to only focus on VPNs: Achieving Anonymity, Combatting Censorship, Combatting Geoblocking/Georestrictions and the price people will pay to be able to accomplish those. So stay tuned, we might actually manage to get a publication after narrowing the scope on this a bit.
A smaller problem I had that I found more bitter has been my conflict with privacy cynics. I have had friends, colleagues and internet strangers explain to me how “you are wrong about privacy”. The measure of privacy for these sorts of people is often limited to anonymity and they refuse to engage with much else. That has pushed me to a point where I now am seriously considering doing an audio book reading of Surveillance Studies: A Reader, by Monahan and Wood, to better inform the masses who -as I see it- are suffering at the hands of fear-mongering and doomsayers.
As for my own contribution to redefining privacy, I would like to claim that I have at least established some basis for the idea of a privacy market. Through presenting my work on Secrecy Sells, I have heard a few “I get it now” concessions and that satisfies me. It satisfies me to know, “okay, there is an elephant in the room even if it’s too dark to see it”. I have also coined the term Privacy Tech, in lieu of Fintech or Biotech, that I use among friends to describe those companies who I have come to know better through Research Question 3, on the vendors of privacy.
Even writing this blogpost has been quite the challenge. Life issues have gotten in the way as a few people in my family have been a bit ill. And then thesis writing, also on a privacy project. Even after graduating it’s been a real hassle finding a new house in Copenhagen and going full time at work.
What it took for me to get to properly writing was the privacy afforded to me through the course of a 3-hour flight back to my hometown and a few good days off.
I think the Secrecy Sells project has been life changing for me, if no one else. Nowadays when I’m on the metro or in public, instead of scrolling through posts on Instagram I try to move my eyes across the train to observe the private lives of people. This surely seems like a dangerous gaze to have but I have no intention of treating people like experimental subjects. On the contrary, this is my attempt to try and humanise my environment. I don’t care what people are texting each other, so much as what story we are living through today.
And as a finale to this story, I would like to end off with a few shout-outs to some privacy groups: