Privacy regulations are good, but without a clear understanding of them, plus enforcement, they can actually make things worse—especially if they start with the assumption that your privacy exists only as a grace of other parties, and most of those parties are incentivized to violate it.
Exhibit A for how much worse things can get is the online advertising and publishing industry’s response to the EU’s GDPR (General Data Protection Regulation), which went into force in May of last year. Soon as that happened, websites everywhere put up “cookie notices” on the doors to their websites, requiring (or appearing to require) that visitors click “accept” to terms and privacy policies that in effect allow those entities to continue violating your privacy by harvesting, sharing, auctioning off and otherwise using your personal data, and data about you.
For websites and services in that harvesting business (a population that rounds to the whole commercial web), these notices provide a one-click way to adhere to the letter of the GDPR while violating its spirit.
There’s also big business in the friction produced by the need for cookie notices and other insincere measures for not really providing much, if any, privacy to people. To see how big that business is, look up GDPR+compliance on Google. You’ll get 212 million results (give or take a few dozen million).
None of those results are for you, even though you are who the GDPR is supposed to protect. See, to the GDPR, you are a mere “data subject” and not an independent and fully functional participant in the technical, social and economic ecosystem that the Internet supports by design. All privacy protections around you and your data are the burdens of other parties.
Or so it seems to nearly every lawmaker, regulatory bureaucrat, lawyer and service provider. (One exception is Elizabeth Renieris @hackylawyer. Her collection of postings is required reading on the GDPR and much else.)
Look again at those 212 million search results and you’ll see most are hawking GDPR compliance services. The clients of those services include nearly every website and service on Earth that harvests personal data, or participates in the process. These entities have no economic incentive to stop harvesting, sharing and selling personal data the usual ways, beyond fear that the GDPR might actually be enforced, which so far (with few exceptions), it mostly hasn’t been. (See Without enforcement, the GDPR is a fail.)
Worse, the tools for “managing” your exposure to data harvesters are provided entirely by the websites you visit and the services you engage. The “choices” they provide (if they provide any at all) are between 1) acquiescence to them doing what they please and 2) a maze of menus full of checkboxes and toggle switches “controlling” your exposure to unknown threats from parties you’ve never heard of, with no way to record your choices or to monitor effects.
So let’s explore just one site’s presentation, and then get down to what it means and why it matters.
Our example is https://www.mirror.co.uk. Last I checked, the cookie notice said this:
Here is my translation of “tailor the adverts”:
We open your browser to infestation by tracking beacons from countless parties in the online advertising business, plus who-knows-what-else that might be working with those parties (there is no way to tell, and if there were a way we wouldn’t provide it), so those parties and their “partners” can use those beacons to follow you like a marked animal everywhere you go and report your activities back to a vast marketplace where personal data about you is shared, bought and sold, much of it in real time, supposedly so your eyeballs can be hit with “relevant” or “interest-based” advertising as you travel from site to site and service to service. While we are sure there are bad collateral effects (fraud and malware, for example), we don’t care about those because it’s our business to get paid just for clicks or “impressions,” whether you’re impressed or not, and the odds that you won’t be impressed average to certain.
Clicking the “Manage” button brought up a rectangle that said, “Here you can control cookies, including those for advertising, using the buttons below. Even if you turn off the advertising related cookies, you will still see adverts on our site, because they help us to fund it. However, those adverts will simply be less relevant to you. You can learn more about cookies in our Cookie Notice on the site.”
Under that text, in the left column, were six “Purposes of data collection”, all defaulted with little check marks to ON (though only five of them show, giving the impression that there are only those five). The right column was called “Our partners”, and it showed the first five of what turned out to be 259 companies, nearly all of which are not brands known to the world or to anybody outside the business (and probably not known widely within the business). All were marked ON by that little check mark. If you bothered to “manage” any of those by switching them to OFF, you had no record of your choices. All you had was faith that some back-end system would remember those choices when you showed up again with a browser holding the cookie they just gave you.
I just checked and the “choices” presented at the Mirror’s site are now different, though the purpose remains fully biased toward making you consent to being tracked.
Of course, there is a different collection of these “choices” at every website with third parties that track you. You’ll also find many different user interfaces, no persistence of your choices when you switch browsers, and likely a whole new presentation of “choices” when you visit again.
It’s also about as easy to “manage” cookies in your browser as it is to “manage” parasites in your tummy.
Think I exaggerate? The hundreds of cookies I just found deep in just one browser’s digestive system run alphabetically from 1rx.io to zopim.com and include only a few names I recognize. To investigate just that first one, I have to open my preferences directory (in Chrome it’s chrome://settings/cookies/detail?site=1rx.io), where I find that the locally stored data is this:
Does that stuff mean anything to you? Me neither.
We can’t fix this mess on the sites & services side, no matter how much those sites and services care (which most don’t) about the “customer journey”, the “customer experience” or any of the other bullshit they’re buying from marketers this week.
Even within the CRM (customer relationship management) world, the B2B customers of CRM companies use one cloud and one set of tools to create as many different “experiences” for users and customers as there are companies deploying those tools to manage customer relationships from their side. There are no corresponding tools on our side. (Though there is work going on. See here.)
Thus the digital world remains one where we have no common or standard way to scale our privacy and data usage tools, choices and experiences across all sites and services. And that’s what we’ll need if we want real privacy online. There is no other way.
It helps conceptually to start here: privacy is personal, meaning something we create for ourselves (which in the natural world we do with clothing and shelter, both of which—thus far—lack equivalents in the digital world).
We also need to be clear that personal privacy is not a grace of privacy policies and terms of service statements that differ between every company and over which none of us has true control—especially when there is an entire industry devoted to making those companies untrustworthy, even if they are in full compliance with privacy laws.
Devon Loffreto (who coined the term self-sovereign identity and whose amazing work with kids I covered recently in Linux Journal) puts the issue in simple geek terms: we need root authority over our lives. Hashtag: #OwnRoot.
It is only by owning root that we can crank up agency on the individual’s side. We have a perfect base for that in the standards and protocols that gave us the Internet, the Web, email and too little else. And we need it here too. Soon.
We (a few colleagues and I) created Customer Commons as a place for terms that individuals can proffer as first parties, just by pointing at them, much as licenses at Creative Commons can be pointed at. Sites and services can agree to those terms, and both can keep records and follow audit trails.
And there are some good signs that this will happen. For example, the IEEE approached Customer Commons last year about setting up a working group for machine readable personal privacy terms. It’s called P7012 — Standard for Machine Readable Personal Privacy Terms, and it’s quite active.
Unless we #OwnRoot for our own lives online, privacy will remain an empty promise by a legion of violators.
One more thing. We can put the GDPR to our use if we like. That’s because Article 4 of the GDPR defines a data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…” This means each of us can be our own data controller.
Most lawyers dealing with the GDPR don’t agree with that statement. They think the individual data subject will always need a fiduciary or an intermediary of some kind: an agent of the individual, but not an individual with agency. Yet the simple fact is that we should have root authority over our lives online, and the wording of the GDPR creates some easement for development of exactly that authority.
So let’s take advantage of that.