The asymmetry of nudges
Answering the age-old question: why do bad decisions happen to good companies?
It’s a common trope that big businesses are inherently corrupt; that there is something that happens when you incorporate in Delaware that strips you of all humanity. In fiction and in journalism, the fault almost always lies with the executives: an imagined clique of unlikable men who control every aspect of the business, and care only about profit, influence, and fame.
The narrative is alluring because it absolves us of blame: we’re good people, cut from a different cloth. But let’s for a moment posit that most founders and CEOs are good people trying to do the right thing. They mean it when they say “don’t be evil” or “focus on the user”. They take care to hire high-minded individuals and then empower them to make decisions about the company. So, how else can we explain user-hostile products and services?
Let’s have a look at a timely example: the development of the Manifest V3 API in Google Chrome. This proposal to revamp the permission model for browser extensions invited widespread condemnation from the industry. It was portrayed as a dishonest, self-serving move meant to rid the web of ad blockers that were starting to hurt the company’s bottom line.
In reality, Manifest V3 was meant to solve a real problem — and did so pretty well. I know this because about eight years ago, we set out to conduct a survey of the privacy practices of popular browser extensions. We were appalled by what we uncovered. From antivirus to “privacy” tools, a variety of extensions hoovered up data for no discernible reason. Some went as far as sending all the URLs visited by the user — including encrypted traffic — to endpoints served over plain text. Even for well-behaved extensions, their permissions opened doors for abuse. The compromise (or the sale) of a single email account could give access to the hubs of digital lives for untold millions — exposing their banking, email, and more.
In short, the extension ecosystem matured to the point where it was a major security and privacy risk. There was no way to fix this while keeping extensions trivial to write and publish, easy to install, and capable of doing whatever the heck they want. Manifest V3 made sense from this perspective — and it wasn’t the brainchild of a sociopathic executive; it came from concerned, well-meaning engineers.
But another thing is also true: although MV3 provides robust facilities for URL-based ad filtering, it ultimately puts ad blockers at a disadvantage in the escalating arms race with content publishers. Indeed, Google threw its own hat into the ring not long after, cracking down on ad blockers on YouTube. The ethics of ad blocking are debatable, but one has to note that it’s easier for a publisher to disrupt URL-based filters than it is to rein in an old-school content script.
In the end, MV3 wasn’t a cynical charade. It was born out of a genuine and justified concern for user safety. The problem wasn’t that it happened; it’s that projects can only unfold one way. If you’re an engineer at Google, Facebook, Apple, or Microsoft, it’s always easier to propose architectural changes that don’t hurt the bottom line, or perhaps bolster it by accident. Conversely, if your proposal stands to wipe out a good chunk of revenue, you either self-censor and don’t bring it up — or you end up getting sucked into endless, futile arguments.
I call it the asymmetry of nudges: the implicit elimination of certain choices that skews the cumulative effect of well-intentioned, earnest changes — ultimately taking away choice or hurting the user in other ways.
This was a bit tough to read, and I know this is not a point you were trying to make or focus on with this article, but I have a hard time taking the "well-meaning engineer" too seriously who claims to attempt to protect people's privacy, while working for an ad-agency, whose whole business is based on renting their users' whole digital identities/data/personal information/whathaveyou to whoever is willing to pay. I can only assume you felt this dichotomy while writing this. Especially as you mention the absolution of personal guilt so early on in the article.
Any plans to move to an alternative newsletter platform? I'm trying to get rid of my Substack account...