Why personal agency matters more than personal data

When Archimedes said “Give me a place to stand and I can move the world, he was talking about agency. You have no agency on the Web if you are always the second party, agreeing to terms and policies set by websites. You are Archimedes if you are the first party, setting your own terms and policies. The scale you get with that is One 2 World. The place you stand is on the Web itself — and the Internet below it. Both were designed to give each of us whole-world leverage. We forgot that when we launched Web 1.0 and 2.0. Let’s make Web 3.0 the one that works for each of us, and not just for the sites of the world and their personal data-grabbing partners.

Lately, a lot of thought, work, and advocacy has gone into looking at personal data as a fungible commodity: one that can be made scarce and bought, sold, traded, and so on. This steers attention away from a far more critical issue it would be best to solve first: personal agency.

I see two reasons why personal agency matters more than personal data.

The first reason is that we have far too little agency in the networked world. That’s because we settled, way back in 1995 (when e-commerce and ISPs took off), on a model for websites called client-server, which should have been called calf-cow or slave-master, because by design the individual—a mere “user”—is always the weaker party.

Fortunately, the Net’s and the Web’s base protocols remain mostly peer-to-peer, by design. We can still build on those.

Perspective: it’s early. In the history of business, much less civilization, twenty-three years is not a long time. In that span we’ve had Web 1.0 (client-server, static websites) and Web 2.0 (social media, service gigantism, forests of silos with separate logins, and finally surveillance capitalism through tracking-based advertising, aka adtech). The latter is now reaching its end, thanks to the GDPR. (See GDPR will pop the adtech bubble.)

A critical start toward Web 3.0 (nicely laid out already by @matteozago in Why the Web 3.0 Matters and you should know about it), is making each of us the first party rather than the second when we deal with the sites, services, and companies and apps of the world — and doing that at scale across all of them.

Think about how much more simple and sane it will be for websites to accept our terms and our privacy policies, rather than to force each of us, all the time, to accept their terms, all expressed in their different ways, which (their terms usually say) they can change any time they like. (And think about what a pain it is for the sites and services of the world as well.)

Getting sites to agree to our own personal terms and policies is not a stretch, because that’s exactly what we have in the way we deal with each other in the physical world. For example, the clothes that we wear are privacy technologies. We also have both norms and laws that discourage others from sticking their hands inside our clothes without permission.

The fact that adtech plants tracking beacons on our naked digital selves and follows us like marked animals across the digital frontier may be a norm for now, but it is also morally wrong, massively rude, and now illegal (at least in spirit) under the GDPR.

We can easily create privacy tech, personal terms, and personal privacy policies that scale for each of us across all the entities that deal with us. This is what Customer Commons is all about. It was designed to do for personal terms what Creative Commons did for personal copyright.

And it will because personhood matters, privacy matters to every person, and the Web 1.0 and 2.0 defaults can’t respect either.

Businesses can’t give us privacy, any more than a store can clothe you in a uniform of their pleasure when you walk into it naked. And that’s exactly how websites that want to continue spying on you are dealing with the GDPR in these early days of threatened enforcement.

It is also a simple fact that none of us will get privacy, or have our personhood fully respected if we are always second parties clicking “agree” to coercive terms proffered by websites.

It also doesn’t matter how well-meaning and GDPR-compliant those businesses are. Operating as second parties is a design flaw for each of us in every “agreement” we “accept.” And we’ll correct that, starting with the digital equivalents of clothing and shelter.

The second reason agency matters more than data is that nearly the entire market for personal data today is adtech.

Adtech is plainly too dysfunctional, too corrupt, too drunk on the data it already has, and absolutely awful at doing what it harvests personal data for: so machines can guess at what we might want, and shoot “relevant” and “interest-based” ads at our tracked eyeballs.

Tracking-based ads fail to convince us to do a damn thing 99.xx+% of the time. Mostly they annoy us. If they’re perfectly targeted, they’re perfectly creepy. (Example: Woman Stalked Across 8 Websites By Obsessed Shoe Advertisement.)

Most of the time we’re also not buying something, and it's an insult to assume, as adtech does, that shopping is all we ever do.

And when we are shopping, we don’t want to be tracked and interrupted by come-ons from AI puppets programmed to see us only as “qualified leads” rather than as complete human beings who become customers only when we wish to make that clear. And when we do, we rarely want our shopping to be limited to what robots push at us.

As incentive alignments go, adtech’s failure to serve the actual natures and interests of its human targets verges on the absolute. (It’s no coincidence that by a year ago 1.7 billion people were already blocking ads online.)

And hell, what adtech does isn’t really advertising, even though it’s called that. It’s direct marketing, which gave us junk mail and is a cousin of spam. If there were a prize for massive misdirection in business, adtech might be the biggest winner of all time. (For more on why see Separating Advertising’s Wheat and Chaff.)

Privacy is personal. That means privacy is an effect of personal agency, projected by personal tech and personal expressions of intent that others can respect without working at it. We have that in the offline world. We can have it in the online world too.

Again, privacy is not something companies or governments can give us, no matter how well they do Privacy by Design or craft their regulations. Those things alone simply aren’t enough.

In the physical world, we got privacy tech and norms before we got privacy law. In the networked world, we got the law first. That’s why the GDPR has caused so much confusion. GDPR puts the regulatory cart in front of the technology horse. In the absence of privacy tech, we also failed to get the norms that would normally and naturally guide lawmaking.

So let’s get the tech horse back in front of the lawmaking cart. With the tech working, the market for personal data will be one we control. And that doesn’t mean we should want to sell it (and least of all to marketers, who have made themselves untrustworthy to an un-breachable extreme). It means we have agency over our lives in the digital world. And there is far more to our lives than what might be for sale.

If we don’t fix our agency problem—personally and socially, and not just regulatorily—adtech will stay in control. And we know how that movie goes because it’s a horror show and we’re living in it now.

Originally published at blogs.harvard.edu on June 23, 2018.