BeReal and the Boiling Frog
What the latest trend means for the economics of digital surveillance
There’s an old metaphor that keeps coming into my head. It claims that if you put a frog into a pot of water that is already boiling, the frog will jump out. If, however, you put the frog in the water before turning on the stove, the frog won’t realize it is being boiled to death until it is too late. It’s been used to describe our approach to many things as a society — global warming, global pandemics, and now, digital surveillance.
Although it’s been around since 2018, BeReal has only recently taken hold in the American social media space. I only found out about it last weekend while catching up with a friend at an engagement party. We were talking about life, new towns, and her final year of law school when she suddenly stopped mid-sentence and explained that it was time for her to “Be Real”.
The premise is simple. You belong to a group of friends, and all group members are prompted at the same random time each day. All users in that group then have only a two-minute window in which they have to share a glimpse into whatever it is that they’re doing in that exact moment, using both their front and back camera simultaneously. It markets itself as a raw, unfiltered form of social media. Without knowing when they will be prompted, users are unable to curate their posts, giving their friends a more intimate look at their lives.
“See?” she shows me her phone and scrolls through the updates that are coming in. “Everyone is just chilling.” I see pictures of people’s living rooms, dogs, partners, ceiling fans.
“Aren’t you worried about what they’re doing with that data?”
“Oh,” she shakes her head. “I’m sure they’re selling it all. That’s just how it is.”
This past spring, BeReal closed its Series B with a total valuation double that of Snapchat. The current valuation is purely speculative, based on the expectation that current and future users will eventually become monetizable. The French company, at present, makes no money. They do not charge for use of the app, nor do they serve ads.
It’s not unusual for a social media company to attempt to amass a user base before looking for revenue streams. They raise money because investors know that, as the user base grows, so grows the potential for revenue. The simplest way to convert this active user base into revenue is to serve ads – the more personalized the ads, the better. This doesn’t necessarily mean that they need to be collecting your data in order to serve you personalized ads – users can receive targeted ads on pretty much any service thanks to companies like Criteo that build profiles of users based on their online activity, tracked through cookies.
I have a hard time believing, however, that an app such as BeReal – for which the entire function has users spending 2-3 minutes per day on the app – can reach a valuation of $100 per daily active user. For context, this is over double the value per user of Snapchat and Pinterest, both of which lend themselves to users spending extended amounts of time on the app during which they can be served countless ads.
So where is their speculative valuation coming from, and why aren’t we more concerned?
A 2018 analysis of 1,700 online privacy policies found that they have an average word count of 2,610 words and a median of 1,828 words. BeReal’s privacy policy comes in at just under double the median word count, with 3,571 words. For anyone keeping score at home, that is just 900 words fewer than the United States Constitution. Considering the sensitivity of the data they potentially collect, this may be warranted. There are sections detailing child pornography, GDPR legalese, user rights for deletion requests, etc.
There is also extensive (and at times contradictory) information about what data they collect, and what data they can sell.
“BeReal undertakes to communicate Users' Personal Data only to authorized and trusted service providers, who process it on our behalf, according to our instructions, in accordance with this Privacy Policy and in compliance with any other appropriate security and confidentiality measures.”
If you had to read it a few times, you aren’t missing anything. It’s incredibly vague. It also directly contradicts an earlier clause.
“With the exception of Content that you have licensed to us in accordance with the Terms of Use, BeReal will not disclose to third parties any information or Personal Data provided by Users.”
They finish the privacy policy with a sentence that attempts to assuage any fears.
“We will not sell your personal information or disclose your personal information for commercial purposes.”
Note the differentiation between Content and Personal Data. They are not clear about the distinction between the two. Still, let’s assume the best and say that BeReal is acting in good faith when it comes to user data. Let’s look past the vague contradictions and say that, in terms of privacy policies, it seems relatively above board. For now.
As of 2010, as its global popularity soared, Facebook’s privacy policy did technically allow users the ability to opt out of allowing Facebook to share their data with third parties (although third-party sharing was turned on by default). While their approach to user privacy was never a shining example, it does paint a picture of a pattern of locking in users before flipping a policy on its head. Only two years later, in 2012, they updated their privacy policy to grant Facebook blanket rights to all materials uploaded by the user. In that time, their monthly active users (MAUs) had more than doubled. The same year, they purchased Instagram, which encourages users to opt in to sharing all photos in their library with Instagram, including geotagging and metadata associated with each photo. In the decade since these changes, their MAUs have increased linearly with a total growth of 200%. Their revenue, however, has increased by roughly 1500%.
Meta will still argue – technically correctly – that they do not sell your data. They simply analyze your photos, search history, post history, comments, likes, clicks, and cookies to build a complete profile of you as a person, and then sell slots on your feed such that advertisers can be assured that their ads will be seen by the exact optimal person. They collect information on the precise location your photos were taken at, the people you were with and at what time, the articles you’ve read and the amount of time you read them, the other sites you’ve visited, the purchases you’ve made, and more.
At their best, these targeting algorithms serve you a highly personalized ad, and you end up purchasing linen pants that you probably didn’t need. At their worst, they influence presidential elections, expose highly personal information, and cause the spread of massive-scale emotional manipulation and mood changes.
Their current privacy policy clocks in at 16,632 words. That’s almost four constitutions.
What started as a means to share photos and updates among friends (sound familiar?) has turned into a goliath of personal information harvesting and an example of the extreme profits to be made from the collection of sensitive data.
The bigger question here is not if or when BeReal will change their policy for the worse, but rather… will anyone even care?
A 2017 review of research on the phenomenon known as the “privacy paradox” showed the overwhelming consensus to be that while users have more concern than ever regarding the ways that companies exploit user data, the concerns are not reflected in behavior. On social media, we take actions we believe to be increasing our overall privacy – restricting who can see our photos, making our posts “private”, limiting the abilities of others to “tag” us – while ultimately showing little regard for the institutional harvesting of our data. We weigh the risks and benefits, and ultimately most of us still make the decision to participate in systems and services that we know to be actively harmful in their exploitation of our data. For many, the decision is barely their own, as they may need to leverage social media for contact with family, operating a business, or accessing necessary resources, and simply opting out isn’t an option. For others, the societal pull directs this risk-benefit calculation, and they operate under a network of trust – if my friends use it, it’s probably safe. Companies count on users to build trust, build a habit, and bring in more users, before twisting their convoluted privacy policies for the worse.
I forgot to mention something about the story of the frog in the pot. It’s complete bullshit.
If you put a frog into a pot of boiling water, it will die before it can jump. If you put a frog in a pot of cool water and slowly raise the temperature, the frog will jump when the water gets too warm.
The water is warm, but we can still jump. BeReal faces the same set of monetization decisions that Facebook dealt with a decade ago, in an entirely different societal and political landscape.
In 2021 alone, state legislatures in the US passed 27 online privacy bills regulating the data markets and enshrining the protection of digital privacy. California’s Privacy Rights Act draws from Europe’s GDPR in introducing strict rules on consumer consent, and even stricter penalties should companies not follow best practices. Data privacy as a business sector is growing year over year. Companies such as Apple have followed the increasing consumer privacy imperative and leveraged their own approach to user privacy as a market differentiator (yes, they technically also did this so that they could increase their own adtech revenue, but this blog post is already too long).
The privacy bait-and-switch employed by Facebook over the last ten years, by which billions of users are slowly worn down by a barrage of convoluted privacy policy changes, doesn’t have to repeat itself. Personalized advertisements are here to stay, but we can demand better of the arbiters of our data marketplace.
BeReal appears to be holding true to its privacy agreement thus far. I’m not going to tell you not to download it. Here are some steps you can take if you care about the information you share on the app, and what BeReal can ultimately do with it.
Restrict the app’s privacy settings to only allow access to necessary functions. This means turning off location tracking and tracking across apps.
Do not allow access to all photos. As with Instagram, it’s likely that this blanket access includes metadata tied to all photos in your library, including geolocation and contact information of those in the photos.
Perhaps the hardest and most victim-blaming thing I’ll include: Read updates to privacy policies. At this time, BeReal has included a clause saying that users will be prompted when the terms change. Look for language involving providing data to third parties, collection and selling of personal information (geolocation, IP address, contacts, etc.), and storage terms of your data – do you have the right to request the deletion of your data? Do you have the right to request the deletion of content that you didn’t consent to being in? Can the app keep your data indefinitely?
BeReal is one of many collectors of our digital identities. Here are some of the ongoing state-level efforts to increase regulation of what data companies can extract, how they can use that information, and the consent they are required to get.
(This blog post comes in at 0.42 U.S. constitutions)