Like Google and Amazon before it, Apple has been caught sending voice assistant recordings to contractors, who listen to snippets of your requests and conversations, without telling anyone. In response to the privacy concerns that raises, Apple says it will eventually give users control over whether their Siri data gets sent to third-party eavesdroppers, but it’s unclear whether that consent will be opt-in or opt-out. Google and Amazon offer the latter. And it’s not nearly good enough.
Letting people opt out of data collection is better than not giving them any choice at all. But for decades, that’s been the extent of the conversation. It gives too many giant tech companies plausible deniability for the rampant hoovering of your personal information and allows them to implicitly blame the victim when they overreach: Don’t get angry at us, you could have opted out this whole time. Here’s a simple suggestion: Let people opt in, instead.
It’s a simple problem to explain. An “opt out” paradigm means that data collection happens automatically, and you have to actively seek out ways to stop it. Under “opt in,” you must affirmatively grant a company the right to access that data before it can do so. You’re in control from the start.
“Not only do opt-in mechanisms serve consumers better, they serve democracy better.”
Joseph Tomain, Indiana University
Right now it’s unclear what form Apple’s Siri opt-out will take; the company has suspended its voice data collection temporarily and says only that once it resumes, “users will have the ability to choose to participate.” Apple didn’t respond to a request for more specific information.
But to illustrate the limits of opt-out options, look no further than Amazon’s Alexa, which already has a mechanism by which you can say “no thanks” to strangers listening to your commands. Ready for it? Open the Alexa app. Tap the three dots in the upper-left corner. Then go to Settings. Then go to Alexa account. Then go to Alexa privacy. Then go to Manage how your data improves Alexa. Then switch Help develop new features to off. Then set the toggle under Use messages to improve transcriptions to off. Theseus had an easier time escaping the Minotaur.
This critique applies much more broadly than to just voice assistants, of course. Facebook is the undisputed master of the art. Nor is it a new concern; dig into the WIRED archives and you’ll find headlines like “Survey: Opt-Out Is a Cop-Out” from nearly two decades ago. Take that as an indicator not of mustiness of the argument but of how long this problem has festered, and how little progress has been made.
“Not only do opt-in mechanisms serve consumers better, they serve democracy better. They do that by helping reduce the imbalance of power between companies and individual human beings,” says Joseph Tomain, a senior fellow at Indiana University’s Center for Applied Cybersecurity Research. “The information that is collected about us collects our human agency, and autonomy, and human dignity in ways we shouldn’t lose track of.”
“Opt-in incentivizes companies to come up with data practices that people would truly consent to,” says Tomain. That doesn’t seem like so much to ask.
Shifting the current opt-out framework to opt-in doesn’t solve every problem. In fact, it would create a few of its own.
“Even if you had a great, progressive list of things you had to opt into, then you have a whole game of what do the good options look like,” says Michelle Richardson, director of privacy and data at the nonprofit Center for Democracy and Technology. “Do you show them [users] all the different types of data, and have them make changes on each type of data? Do you have them make granular decisions? Do you notify them of any time of changes? It’s a lot to manage for a basic user.”
Focusing on opt-in versus opt-out ultimately puts the onus on the individual, Richardson argues, rather than the companies that abuse the data. Not only that, but your data passes through and funnels to hundreds of companies with which you have no interaction whatsoever, an underground economy of shadowy data brokers. You can’t opt out from them any more than you can punch a ghost.
Ideally, a strong privacy law will someday make the question of consent moot. “You need a privacy bill that says companies can’t keep doing these really risky things that keep harming people,” says Richardson.
Pushing for strong opt-in policies doesn’t obviate an eventual omnibus privacy law. And in some ways, the overwhelming amount of data collection you’d have to opt into underscores exactly why companies should require it. You’d finally have a sense of just how bad it is out there.
Actually implementing opt-in as a standard practice seems like a long shot. Of the various privacy bills working their way through Congress, only a handful include it, and with a focus on certain categories of sensitive information. But each time a company buries its data-gorging under layers of settings, every time Big Tech takes more than it gives, it seems less radical to suggest that the least they could do is get your explicit permission first.