“If you’re not paying for something, you’re not the customer – you’re the product being sold.”
This adage has become a common saying in discussions of online privacy, particularly in relation to Facebook. I originally heard a version of it from Bruce Schneier in early 2010, but a later Metafilter post by Andrew Lewis is often cited as the source of this particular wording. It’s a pithy turn of phrase, making its point in a succinct and memorable way; I’ve even quoted it several times over the last few years.
But it’s wrong.
I’m not saying that simply because I’m now a Facebook employee – in fact, those who follow me on Twitter might recall that my skepticism towards the idea began before I moved to California. And in arguing against it, I’m not trying to say that Facebook and other social networking services are automatically bastions of privacy and altruism.
What I am arguing, though, is that our debates over online privacy should comprise assertions and expositions which are accurate and justified. Simplicity can be positive and very effective in communicating, but simplifying a concept or rationale carries the risk of that summary becoming simplistic. If you’re going to criticize Facebook (which I’ve also done on many occasions), I think it’s important to present a case that deals realistically with any concerns about the service. Straw-man arguments can derail a discussion, blur critical distinctions, and ultimately hinder getting problems resolved.
And in a world where we still must fight the tragic injustice of human trafficking, I’ve come to see that the rhetoric of “you are the product” can not only be unhelpful, but rather distastefully self-important: However unintentionally, it demonizes social networking services by comparing them to violators of human rights while also drawing a false equivalence between privileged users and actual slaves.
With that in mind, let’s bring some clarity to the sentiment behind “you’re the product”. After all, if you’re not paying for a service that’s expensive to operate, clearly someone is paying for something to make that happen – so what are Facebook, Google, and other commercial operators of free websites selling?
Before I give my take, I want to discuss one more inaccurate answer: Facebook, for one, is not selling your data.
Look at it this way: If Facebook is selling user data… where do you buy it? You can easily find online marketplaces that sell data, such as survey results from an online dating site aggregated by various demographics. But none of these companies sell data from Facebook, and Facebook has no data marketplace of its own.
You can, of course, buy advertisements on Facebook, and these can be highly targeted. You could argue that if a user clicks on an ad, the advertiser will then receive some data about them by implication. If I place an ad targeted for US males over 30, I know the country, gender, and general age range of anyone who clicks through. But this means a company can pay Facebook to receive certain points of data about people who voluntarily choose to interact with the company after being convinced by a message the company distributes on Facebook’s site. From my perspective, describing this flow of information as Facebook “selling your data” once again over-simplifies the situation and misrepresents to users how businesses operate on the web. If a person believes the skewed image that some marketer can simply write Facebook a check and receive some of that person’s data (a scenario readily implied by the “selling your data” assertion), any discussion of Facebook with them will be influenced by that false portrayal. That can make it easier to turn people against Facebook, but it precludes more reasonable conversations about online privacy and controls available to users.
Returning to the previous question, then, what exactly does Facebook sell? My answer: An audience. (Update: To clarify, I’m using “an audience” in the sense of “opportunity to be heard; chance to speak to or before a person or group; a hearing” rather than the actual people who hear.)
Facebook is a matchmaker of sorts: it provides companies with a chance to deliver a pitch to potential customers. Advertisers describe who they think would be best suited for their message, and Facebook knows which users match that profile based on those users’ data. But this initial connection is made without revealing anything about the user until they choose to click on an ad. So while Facebook does hold quite a bit of data about a user, nearly all of that data stays with Facebook unless a user chooses to interact with other sites and services. (The “instant personalization” feature is one example of an exception, but even then very little data is transferred, and all of it already classified as publicly available.)
Notably, selling advertisers an audience to support a free service did not begin with websites. For instance, network television has employed a similar business model for decades. If the saying about “you’re the product” were true, it would equally apply to broadcast TV – yet it only seems to be brought up in connection with online services. Part of what distinguishes the latter, though, is that sites such as Facebook tend to have far more data and much finer data about individual visitors than a TV station ever has about their viewers – and the ability to highly customize the experience of every single visitor.
Still, being sold to is quite different than being sold, and the distinction opens the door for further questions worthy of discussion – but in the context of a more accurate framework for understanding the complicated issues that can arise with online privacy. I warned earlier against oversimplification, but perhaps one could simply rephrase the opening adage this way: “If you’re not paying for something, someone still wants you to buy.”