Advertisement

FTC details how streaming services, social media have become ‘mass surveillance’ machines 

A review of nine companies’ business practices found that using their services was just the beginning of vast data collection efforts.
An FTC report examining the business practices of nine tech and social media companies concluded that the services “pose unique risks to children and teens” and that tech companies’ self-regulation efforts have been a failure. (Credit Peter Cade via Getty Images)

A Federal Trade Commission inquiry found that popular social media and video streaming services engaged in “mass data collection” of their users, as well as some non-users, while also failing to implement privacy safeguards for children and teens.

The findings, contained in a report that has been unanimously endorsed by the agency’s commissioners, provides fresh insights into online video streaming’s data collection practices, which a bipartisan group of commissioners called “dangerously opaque” in 2020 when the probe began.

Specifically, the agency concluded that these services “pose unique risks to children and teens” and that tech companies’ self-regulation efforts  have been a failure. 

The report catalogs how users, and in some cases even non-users, had personal information, demographic information, interests, behaviors and activities on other parts of the internet tracked and collected across multiple devices. This information was often combined with passive inferences, data-tracking pixels and information purchased from third-party data brokers to form more complete consumer profiles before being sold to other willing buyers.

Advertisement

“America’s hands-off approach has produced an enormous ecosystem of data extraction and targeting that takes place largely out of view to consumers,” Samuel Levine, director of the Bureau of Consumer Protection, wrote in a preface to the report. “While there have been isolated instances of firms taking pro-privacy actions, those continue to be the exceptions that prove the rule. We’ve seen over and over that, when the financial interest in extracting personal information collides with the interest in protecting consumer privacy, consumers lose out.”

The report was constructed from data collected between 2019 and 2020, after the FTC ordered nine companies — Amazon, ByteDance, Discord, Facebook/Meta, Reddit, Snap, Twitter/X, WhatsApp, and YouTube — to provide information about their business practices around video streaming and social media. 

While the agency notes that some of these practices may have since changed, the companies’  answers showed how engaging with these services was often just the beginning of their data-collection enterprise, and that those efforts endured long after individuals left the sites or used other services.  

A graphic illustrating the different sources that streaming and social media firms use to collect data on consumers. [Source: FTC]

Additionally, most companies lacked safeguards for handling minors’ data, treating users aged 13-17 like adults. Some claimed no child users, citing terms preventing young children from creating accounts.

Advertisement

CyberScoop has reached out to the nine investigated companies for comment. 

Kate Sheerin, head of U.S. and Canada public policy at Discord, told CyberScoop in a statement that while the FTC’s intent and focus on consumers is important, they take issue with the way the report “inaccurately” lumps Discord’s business model with other companies who engage in expansive digital advertising.  

“Discord’s business model is very different — we are a real-time communications platform with strong user privacy controls and no feeds for endless scrolling,” Sheerin said. “At the time of the study, Discord did not run a formal digital advertising service, which is a central pillar of the report. We look forward to sharing more about Discord and how we protect our users.”

Google spokesperson José Castañeda said in a statement that the company “has the strictest privacy policies in our industry” and that “we never sell people’s personal information and we don’t use sensitive information to serve ads.”

“We prohibit ad personalization for users under 18 and we don’t personalize ads to anyone watching ‘made for kids content’ on YouTube,” he added.

Advertisement

The Interactive Advertising Bureau, a lobbying group representing tech advertisers, criticized the FTC’s conclusions and argued that Congress and states should be at the forefront of regulating digital privacy issues, not the FTC.

“While we are still digesting the report, we are disappointed with the FTC’s continued characterization of the digital advertising industry as engaged in ‘mass commercial surveillance,’” David Cohen, the organization’s CEO, said in a written statement to CyberScoop. “This charged statement suggests that the personal data of consumers is covertly collected and used for advertising purposes. Nothing could be further from the truth, as countless studies have shown that consumers understand the value exchange, and welcome the opportunity to have access to free or highly subsidized content and services.”

The report recommends tech and social media companies improve on the status quo, including by limiting  personal data collection, refraining from sharing personal data with third parties, increasing  transparency, adding  user controls, and treating existing child online safety laws like COPPA as a floor for privacy protections instead of a ceiling.

In a separate statement, FTC Commissioner Alvaro Bedoya noted that most of these companies already implement  many of these privacy protections in Europe  due to laws like the General Data Protection Act (GDPR).

“These companies could have effectively flipped a switch and offered Americans the same privacy protections as they did Europeans. Most of them chose not to,” he said.

Advertisement

This week, the House Energy and Commerce Committee approved two bills — the Kids Online Safety Act and an update to the Children’s Online Protection Privacy Rule, or COPPA 2.0 — that would place new limits on how companies could collect and share data about children and teen users. The fate of both bills remains uncertain.

Meanwhile, sponsors of the American Privacy Rights Act continue to push for Congress to tackle comprehensive data privacy legislation, even as the bill’s passage has stalled. Speaking at the Forum Global Privacy Conference this week, Sen. Maria Cantwell, D-Wash., said consumers were “growing tired” of unchecked data collection, and that pressure to address the issue will increase in the coming years.

“We have two issues: the need for technology leadership on an international basis to set standards by having privacy law, and we have consumer anxiety reaching a high-pitch fever,” Cantwell said. “Those two issues alone, in my opinion, demonstrate enough why we need to move forward on a federal privacy law, but let’s just throw another one in — the kicker for really why we are going to have to get legislation — and that is that AI puts all of this on steroids.”

Derek B. Johnson

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Latest Podcasts