As the train lurches to a stop, bandits dismount from their horses and climb aboard. While some rifle through the mail and packages for valuables, others press through the aisles of the passenger carriages repeating the time-worn “your money or your life!” The mythos of the great train robbery, shrouded in guns and steam, captures our imaginations in ways few other events can.

While the obvious losses from a great train heist are the physical items that have been stolen, and the lives damaged or ruined, there is another loss we do not often think about: trust. Railroad robberies cause passengers to lose trust in the railroad company, shippers to lose trust in the shipping company, and the public to lose trust in law enforcement.

But what if you could steal something just as valuable as the contents of a lady’s handbag without anyone suspecting it and without impacting your user’s trust? What if you could take private information about millions of people, across the world, using that information to create what Shoshana Zuboff calls “behavioral surplus?” What if you could use that information to discover — and shape — people’s preferences without them even realizing it is happening? What if you could sell your user’s attention to the highest bidder?

What if you could do all of this without losing the user’s trust?

You could make millions — no, billions — of dollars.

This is precisely how social media companies operate.

How do they do this without making their users lose their trust? By transferring your trust in a friend (or family member) to the social media network.

In information technology, trust means validity. Did you really send this message? Then I can trust it. Are you really who you claim to be? Then I can trust you.

Trust does not work this way in the real world. Instead, trust relies on intent, character, and performance, and trust is assigned to people and institutions on a scale.

Consider the relationship between close friends. The longer they are friends, the more they can see of one another’s character — they show up for one another in times of pain and joy, and they always (try to) do the right thing. The longer they are friends, the more they can see one another’s intentions. They care about what is best for one another, even when that isn’t obvious to one or the other.

Trust, then, is something we give when we believe the person or institution is reliable and has goodwill toward us (or, in the case of personal relationships, loves us).

Talking To vs. Talking “Through”

Social media performs the great trust heist by convincing us we are talking to people we trust when we are really talking to (or through) the social media company. When you “private message” someone on a social media site, you think of yourself talking to the other person. If that person is someone you trust — like a close friend — then you willingly divulge details, you would never tell other people.

But the social media company, like the train robber, is sitting in the middle of the conversation. They perform a heist, taking some amount of the trust you have for people you care about and transferring it to their company.

But wait, humans at these companies do not read my private messages!

No, they don’t. In fact, if an individual human working for a social media company reads an individual private message between two users, they will (generally) be fired. So individual people are not “spying” on your conversations.

But machines are. Machines that process the private information you share with people you trust find ways to nudge you towards beliefs and actions the owners of the social media network want — like ”spend more time on social media,” “buy this product,” or “believe this,” or “vote this way.”

Just because the people are “once removed” from the data does not mean they gain less. In fact, the opposite is probably true. While keeping humans “once removed” from the data increases your sense of privacy, the real information is not in the details of individual messages or actions. Instead, the real information is in the analysis of your actions across long periods of time.

What about end-to-end encryption?

Consider the meaning of words carefully. I once drank a lot of a soda brand that proudly proclaimed “flavor aged in oak barrels.” I always thought this meant the drink was aged in an oak barrel for flavor. A friend pointed out, however, that this meant the flavoring was aged in an oak barrel. Same words, completely different meaning. 

When providers say “end-to-end encryption,” they could mean: “Your data is encrypted from device to device, and we cannot read it.” They could also mean: “Your data is encrypted from your device to our server, and we can still read it.”

Operators can also learn a lot just by observing traffic patterns and meta-data (data about the data), so encryption may not hide as much as you think it does.

Here’s the bottom line: The next time you board the social media train, think about the great trust heist. The bandits are real even if you cannot see them, and even if you think the stuff they take has no value. If its worth taking, then it’s probably worth protecting.