You're paying, and you're also the product
Have you ever heard an expression similar to “If you’re not paying, you’re the product”? I have, in fact I’ve read it many times. What people mean by it is that you shouldn’t be surprised that a free service compromises your privacy, because nothing is really free and compromising your privacy creates monetary value. There’s plenty of arguments to be made against that assumption, but let’s ask one question first:
Is it true?
It’s clearly not true and it bothers me. Let me explain using a table:
| You’re paying | You’re not paying | |
|---|---|---|
| You’re the product | Microsoft Windows | Android |
| You’re not the product | Microsoft Office | Arch Linux |
The conclusion is obvious: it’s trivial to find counter-examples, which makes the adage a bad model.
Do you want it to be true?
No! I want to live in a world in which users are not ever the product. I understand the argument for trading privacy in lieu of payment for goods and services. It allows users (or should we say, customers) to compensate the provider for the costs, be it labor or material, involved with providing the service. This can be done without any interaction, without any monetary transfer and without any immediate detriment to the user. In that sense, it’s a win-win.
But it’s exactly the user friendliness that creates a problem. The user often does not know (because of ignorance or simply beacuse they are not being told) what exactly they are ‘selling’ to the provider, let alone what the consequences of that transaction are. In this age of data brokers, mass data breaches, spearphishing, and identity theft those consequences can be grave and difficult to predict.
In short, users don’t know what they’re signing up for, and often do not know what they’re signing up for. You can think that’s fair as users can inform themselves, but I don’t think it is. For one, even if you were to fully inform yourself and read all terms and conditions, the terms were fully accurate and matched what the provider did, there were no third parties with access to your data, you understood all the legalese and there were no ommissions… There would still be a chance of a data breach, making all of those kept promises useless.
Conclusion
I don’t think it’s fair to argue that people should expect free (‘as in beer’) software to compromise their privacy. Likewise, I don’t think it’s useful to suggest that a paid alternative would necessarily offer better privacy. In addition, I think that debates about which amount of privacy you should feel comfortable giving up for a given service are futile, because it is almost impossible for a layperson to put that into monetary value.