A Fine of Epic Proportions

The Ironic Reality of Data Privacy Protections

Xander Hoskinson
5 min read · Dec 22, 2022

TLDR: Web2 corporations collect data by default, and only limit their data collection/storage when faced with regulatory pushback. Web3 flips the script by prioritising privacy as a default, introducing transparent data collection at the application layer. Regulators should embrace this approach because it prioritises consumer protection in a way that Web2 is unable to.

The Federal Trade Commission (FTC) recently fined Epic Games $520m for ‘violating children’s privacy law, changing default privacy settings, and tricking users into making unwanted charges’.

This is the largest penalty in history for violation of an FTC rule.

The Commission found:

1) that Epic Games violated privacy laws by collecting information on teen users without consent and turning on voice communications by default; and

2) that it used ‘dark patterns’ (hiding the cancel/unsubscribe buttons) to trick users into making purchases, and charged account holders without authorisation.

Both are highly problematic, but let’s take a closer look at the first.

Privacy is ‘Important’ (Until it’s Not)

A quote from FTC Chair Lina M. Khan:

“Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices.”

The proposed federal court order against Epic requires them to delete all personal information unless users consent to its provision. Funny, that.

Especially when the US is simultaneously pushing to eliminate privacy altogether in the cryptocurrency space. Privacy is ‘important’ to regulators, until it’s not.

The most common quip against crypto privacy is that illicit transactions and money laundering will run rife, all while Chainalysis continues to demonstrate that illicit transactions make up only 0.15% of cryptocurrency transactions (compared with as high as 5% of global GDP for fiat). Privacy-preserving features and lack of KYC are viewed as exploitative features to take advantage of the general public…

So it’s important to protect the public from online privacy invasions, especially when you can boast about the ‘largest penalty’ in history. In case you didn’t fully appreciate it the first time, they remind you three times in the same paragraph…

You may be thinking, ‘well this is different to crypto. This is personal information being collected about children, and that’s not good’. You’re right. No organisation should be collecting private information behind our backs and without consent. Especially not from minors.

We’re so lucky that products like Google, Facebook, Instagram, and TikTok don’t do any of that. And we’re so lucky that they’re extremely transparent and open systems that we can audit ourselves. So lucky that the FTC is protecting personal privacy.

This isn’t a denouncement of regulatory bodies. They play an important role. It’s a statement that these problems are self-made. Web2 technology has constructed closed silos where you are the product. These companies are incentivised to collect as much data as possible, and sell it all to advertisers.

But it doesn’t have to be this way. We’ve created systems to solve this — systems which value privacy by default, with an openly auditable, transparent and immutable form. They’re called decentralised blockchains and cryptocurrencies!

These are systems which prevent centralised exploitation of personal information through default-privacy from inception. If a system doesn’t hold sensitive personal information, the risks associated with hacks decrease. If there is less sensitive information, the incentive to hack also decreases.

’Financial Transactions are a Different Beast’

I’ll argue against myself now for the sake of intellectual honesty.

An argument can be made that financial transactions in crypto, in the magnitude of up to several billions of dollars, should not be default-private. You can’t equate micropayments for Fortnite V-Bucks with international money transfers of significant scale.

I agree, but this is a question of fundamental privacy values. Private sector organisations collect significant personal data by default. They only impose boundaries upon this data collection when regulators like the FTC force them to (as above). Decentralised blockchains default to privacy, and collect personal information explicitly and consensually at the application layer.

Having said this, privacy is a continuum. ‘How much data is too much data?’ is almost a moral question, and can’t be definitively answered. Data collection isn’t always malicious, but there are definitely cases where it is. Epic Games should not be taking advantage of minors. That is a violation of epic proportions (haha).

Even if Epic Games was not exploiting their users internally, the mere existence of databases full of sensitive consumer information is a security risk. I’ve lost track of the number of hacks recently… Optus, Australia’s second biggest telco, was recently hacked, exposing data of almost 2.1 million people. Meta was fined $276m for a data breach involving over 533 million people. The list goes on.

We have made it socially and economically acceptable for corporations to collect our data because it improves our interactions with their services. Individuals’ concerns about data privacy are at an all-time low. Anecdotally, I haven’t met a single person in their teens to mid-20s who has refused to use TikTok on the basis of data privacy concerns. We know exploitation is happening, but we’re happy to oblige.

Crypto platforms value privacy by default. If regulators force crypto applications to collect personal information, we re-introduce the opportunity for exploitation. Good actors are good actors until they’re not. Let’s eliminate trusted systems altogether.

Until then, let’s acknowledge hypocrisy where it exists. Data privacy has been forfeited altogether in centralised institutions. Let’s proactively empower default-private systems, rather than reactively regulate and repeat mistakes of the past.

Thank you for reading! Please let me know your thoughts and opinions in the comment section.

For other tidbits and day-to-day thoughts, I’m on Twitter and LinkedIn.


Xander Hoskinson

Making Crypto, Financial Markets, and Productivity Accessible ✍🏻 | Join my Community at https://xanderhoskinson.substack.com/