If Your Privacy Is in the Hands of Others Alone, You Don’t Have Any
If you think regulations are going to protect your privacy, you’re wrong. In fact they can make things worse, especially if they start with the assumption that your privacy is provided only by other parties, most of whom are incentivized to violate it.
Exhibit A for how much worse things can get is the EU’s GDPR (General Data Protection Regulation). As soon as the GDPR went into full effect last May, damn near every corporate entity on the Web put up a “cookie notice” requiring acceptance of terms and privacy policies that allow them to continue violating your privacy by harvesting, sharing, auctioning off and otherwise using your personal data, and data about you.
For websites and services in that harvesting business (a population that rounds to the whole commercial web), these notices provide a one-click way to adhere to the letter of the GDPR while violating its spirit.
There’s also big business in the friction that produces. To see how big, look up GDPR+compliance on Google. You'll get 190 million results (give or take a few dozen million).*
None of those results are for you, even though you are who the GDPR is supposed to protect. See, to the GDPR, you are a mere “data subject” and not an independent and fully functional participant in the technical, social and economic ecosystem the Internet supports by design. All privacy protections around your data are the burden of other parties.
Or at least that’s the interpretation that nearly every lawmaker, regulatory bureaucrat, lawyer and service provider goes by. (One exception is Elizabeth Renieris @hackylawyer. Her collection of postings is required reading on the GDPR and much else.) Same goes for those selling GDPR compliance services, comprising most of those 190 million GDPR+compliance search results.
The clients of those services include nearly every website and service on Earth that harvests personal data. These entities have no economic incentive to stop harvesting, sharing and selling personal data the usual ways, beyond fear that the GDPR might actually be enforced, which so far (with few exceptions), it hasn’t been. (See Without enforcement, the GDPR is a fail.)
Worse, the tools for “managing” your exposure to data harvesters are provided entirely by the websites you visit and the services you engage. The "choices" they provide (if they provide any at all) are between 1) acquiescence to them doing what they please and 2) a maze of menus full of checkboxes and toggle switches "controlling" your exposure to unknown threats from parties you've never heard of, with no way to record your choices or monitor effects.
So let’s explore just one site's presentation, and then get down to what it means and why it matters.
Our example is https://www.mirror.co.uk. If you haven’t clicked on that site already, you’ll see a cookie notice that says,
We use cookies to help our site work, to understand how it is used, and to tailor the adverts presented on our site. By clicking “Accept” below, you agree to us doing so. You can read more in our cookie notice. Or, if you do not agree, you can click Manage below to access other choices.
They don’t mention that “tailor the adverts” really means something like this:
We open your browser to infestation by tracking beacons from countless parties in the online advertising business, plus who-knows-what-else that might be working with those parties (there is no way to tell, and if there was we wouldn't provide it), so those parties and their "partners" can use those beacons to follow you like a marked animal everywhere you go and report your activities back to a vast marketplace where personal data about you is shared, bought and sold, much of it in real time, supposedly so your eyeballs can be hit with "relevant" or "interest-based" advertising as you travel from site to site and service to service. While we are sure there are bad collateral effects (fraud and malware, for example), we don’t care about those because it’s our business to get paid just for clicks or "impressions," whether you’re impressed or not—and the odds that you won't be impressed average to certain.
Okay, so now click on the “Manage” button.
Up will pop a rectangle where it says "Here you can control cookies, including those for advertising, using the buttons below. Even if you turn off the advertising related cookies, you will still see adverts on our site, because they help us to fund it. However, those adverts will simply be less relevant to you. You can learn more about cookies in our Cookie Notice on the site."
Under that text, in the left column, are six “Purposes of data collection”, all defaulted with little check marks to ON (though only five of them show, giving the impression that there are only those five). The right column is called “Our partners”, and it shows the first five of what turn out to be 259 companies, nearly all of which are not brands known to the world or to anybody outside the business (and probably not known widely within the business as well). All are marked ON by that little check mark. Here’s that list, just through the letter A:
- 1020, Inc. dba Placecast and Ericsson Emodo
- 1plusX AG
- 2KDirect, Inc. (dba iPromote)
- 33Across
- 7Hops.com Inc. (ZergNet)
- A Million Ads Limited
- A.Mob
- Accorp Sp. z o.o.
- Active Agent AG
- ad6media
- ADARA MEDIA UNLIMITED
- AdClear GmbH
- Adello Group AG
- Adelphic LLC
- Adform A/S
- Adikteev
- ADITION technologies AG
- Adkernel LLC
- Adloox SA
- ADMAN – Phaistos Networks, S.A.
- ADman Interactive SL
- AdMaxim Inc.
- Admedo Ltd
- admetrics GmbH
- Admotion SRL
- Adobe Advertising Cloud
- AdRoll Inc
- adrule mobile GmbH
- AdSpirit GmbH
- adsquare GmbH
- Adssets AB
- AdTheorent, Inc
- AdTiming Technology Company Limited
- ADUX
- advanced store GmbH
- ADventori SAS
- Adverline
- ADYOULIKE SA
- Aerserv LLC
- affilinet
- Amobee, Inc.
- AntVoice
- Apester Ltd
- AppNexus Inc.
- ARMIS SAS
- Audiens S.r.l.
- Avid Media Ltd
- Avocet Systems Limited
If you bother to “manage” any of this, what record do you have of it—or of all the other collections of third parties who you’ve agreed to follow you around? Remember, there is a different collection of these at every website with third parties that track you, and different UIs, each provided by other third parties.
It might be easier to discover and manage parasites in your belly than cookies in your browser.
Think I exaggerate? The long list of cookies in just one of my browsers (which I had to dig deep to find) starts with this list:
After several hundred others, my cookie list ends with:
I know what zoom is. The rest are a mystery to me.
To look at just that first one, 1rx.io, I have to dig way down in the basement of the preferences directory (in Chrome it’s chrome://settings/cookies/detail?site=1rx.io), where I find that its locally stored data is this:
- Name: _rxuuid
- Content: %7B%22rx_uuid%22%3A%22RX-2b58f1b1-96a4-4e1d-9de8-3cb1ca4175b0%22%2C%22nxtrdr%22%3Afalse%7D
- Domain: .1rx.io
- Path: /
- Send for: Any kind of connection
- Accessible to script: No (HttpOnly)
- Created: Wednesday, December 12, 2018 at 4:48:53 AM
- Expires: Thursday, December 12, 2019 at 4:48:53 AM
I’m a somewhat technical guy, and at least half of that stuff means nothing to me.
As for “managing” those, my only choice on that page is to “Remove All”. Does that mean remove everything on that page alone or all the cookies everywhere? And how can I remember that I removed it?
Obviously there is no way for anybody to “manage” this, in any meaningful sense of the word.
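As an added example (not part of the original article), the Python below decodes the 1rx.io cookie record quoted above and restates each field in plain terms. The record values are copied from the page; the function names and output keys are this example's own, and the field readings (a leading dot in Domain covering subdomains, "Any kind of connection" meaning no Secure flag) follow the usual meaning of those cookie attributes.

```python
import json
import re
from datetime import datetime
from urllib.parse import unquote

# The cookie record quoted in the article, copied field by field.
RECORD = {
    "Name": "_rxuuid",
    "Content": "%7B%22rx_uuid%22%3A%22RX-2b58f1b1-96a4-4e1d-9de8-3cb1ca4175b0"
               "%22%2C%22nxtrdr%22%3Afalse%7D",
    "Domain": ".1rx.io",
    "Path": "/",
    "Send for": "Any kind of connection",
    "Accessible to script": "No (HttpOnly)",
    "Created": "Wednesday, December 12, 2018 at 4:48:53 AM",
    "Expires": "Thursday, December 12, 2019 at 4:48:53 AM",
}

# Date layout used by the cookie detail page (English day and month names).
DATE_FMT = "%A, %B %d, %Y at %I:%M:%S %p"
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

def decode_content(raw):
    """Percent-decode the stored value; parse it as JSON when it is JSON."""
    text = unquote(raw)
    try:
        return json.loads(text)
    except ValueError:
        return text  # not JSON: return the decoded string as-is

def explain(record):
    """Restate the cookie detail fields as plain findings (keys are this example's)."""
    value = decode_content(record["Content"])
    created = datetime.strptime(record["Created"], DATE_FMT)
    expires = datetime.strptime(record["Expires"], DATE_FMT)
    return {
        "decoded": value,
        "unique_ids": UUID_RE.findall(json.dumps(value)),
        "lifetime_days": (expires - created).days,
        "all_subdomains": record["Domain"].startswith("."),
        "sent_over_plain_http": record["Send for"] == "Any kind of connection",
        "hidden_from_page_scripts": "HttpOnly" in record["Accessible to script"],
    }

if __name__ == "__main__":
    for key, val in explain(RECORD).items():
        print(f"{key}: {val}")
```

The decoded value is a small JSON object holding one UUID: a per-browser identifier that lasts a year and is sent back to any host under 1rx.io on every request, with or without HTTPS.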
We also can’t fix it on the sites and services side, no matter how much those sites and services care (which most don’t) about the “customer journey”, the “customer experience” or any of the other bullshit they’re buying from marketers this week.
Even within the CRM (customer relationship management) world, the B2B customers of CRM companies use one cloud and one set of tools to create as many different “experiences” for users and customers as there are companies deploying those tools to manage customer relationships from their side. There are no corresponding tools on our side. (Though there is work going on. See here.)
So the digital world remains one where we have no common or standard way to scale our privacy and data usage tools, choices or experiences across all sites and services. And that’s what we’ll need if we want real privacy online.
The simple place where we need to start is this: privacy is personal, meaning something we create for ourselves (which in the natural world we do with clothing and shelter, both of which lack equivalents in the digital world).
And we need to be clear that privacy is not a grace of privacy policies and terms of service that differ with every company and over which none of us have true control—especially when there is an entire industry devoted to making those companies untrustworthy, even if they are in full compliance with privacy laws.
Devon Loffreto (who coined the term self-sovereign identity and whose good work we'll be visiting in an upcoming issue of Linux Journal) puts the issue in simple geek terms: we need root authority over our lives. Hashtag: #OwnRoot.
It is only by owning root that we can crank up agency on the individual’s side. We have a perfect base for that in the standards and protocols that gave us the Internet, the Web, email and too little else. And we need it here too. Soon.
We (a few colleagues and I) created Customer Commons as a place for terms that individuals can proffer as first parties, just by pointing at them, much as licenses at Creative Commons can be pointed at. Sites and services can agree to those terms, and both can keep records and follow audit trails.
And there are some good signs that this will happen. For example, the IEEE approached Customer Commons last year with the suggestion that we stand up a working group for machine readable personal privacy terms. It’s called P7012. If you’d like to join, please do.
Unless we #OwnRoot for our own lives online, privacy will remain an empty promise by a legion of violators.
One more thing. We can put the GDPR to our use if we like. That’s because Article 4 of the GDPR defines a data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…” This means each of us can be our own data controller. Most lawyers dealing with the GDPR don’t agree with that. They think the individual data subject will always need a fiduciary or an intermediary of some kind: an agent of the individual, but not an individual with agency. Yet the simple fact is that we should have root authority over our lives online, and that means we should have some degree of control over our data exposures, and how our data, and data about us, is used—much as we do over how we control or moderate our privacy in the physical world. More about all that in upcoming posts.
The original version of this post was published on the Private Internet Access blog. Private Internet Access and Linux Journal are both holdings of London Trust Media. Also check out the Privacy Manifesto at the ProjectVRM wiki. I maintain it and welcome bug fixes. It's also new, so be gentle. :-)
*That was late in 2018. In mid-June 2019, the number more than doubled: to 388,000,000 results.