If your privacy is the hands of others alone, you don’t have any

Posted on Dec 16, 2018 by Doc Searls

If you think regulations are going to protect your privacy, you’re wrong. In fact they can make things worse, especially if they start with the assumption that you have no privacy besides what you get from other parties.

Exhibit A for how much worse things can get is the  E.U.’s GDPR (General Data Protection Regulation). Soon as the GDPR went into full effect last May, damn near every corporate entity on the Web put up a “cookie notice” requiring acceptance of terms and privacy policies that allow them to continue with business as usual, harvesting and sharing your personal data, and data about you.

For websites and services in that harvesting business (a population that includes approximately the entire commercial Web), these notices provide a one-click way to adhere to the letter of the GDPR while violating its spirit.

There’s also big business in the friction that produces. To see how big, look up GDPR+compliance on Google. You’ll get 190 million results (give or take a few dozen million.)

None of those results are for you, even though you are who the GDPR is supposed to protect. See, to the GDPR you are a mere “data subject” and not an independent and fully functional participant in the technical, social and economic ecosystem the Internet supports by design.

Or at least that’s the interpretation that nearly every lawmaker, regulatory bureaucrat, lawyer and service provider goes by. Same for those selling GDPR compliance services, and who account for most of those 190 million results.

The clients of those services include nearly every website and service on Earth that harvests personal data. These entities have no economic incentive to stop harvesting, sharing and selling personal data the usual ways, beyond fear that the GDPR might actually be enforced, which so far (with very few exceptions) it hasn’t been. So it is easy for those sites and services to put up those notices on their websites.

Worse, for you to actively “manage” your exposure to data harvesters at each website requires entering a morass of impossibilities.

So let’s explore just one of those, and then get down to what it means and why it matters. If you wish to skip down to conclusions, go here.

Start by opening a browser to https://www.mirror.co.uk. If you haven’t clicked on that site already, you’ll see a cookie notice that says,

We use cookies to help our site work, to understand how it is used, and to tailor the adverts presented on our site. By clicking “Accept” below, you agree to us doing so. You can read more in our cookie notice. Or, if you do not agree, you can click Manage below to access other choices.

They don’t mention that “tailor the adverts” really means We open your browser to infestation by tracking beacons from countless parties in the online advertising business, plus who-knows-what-else might be working with those parties (because there is no way to tell), so those parties and their ‘partners’ can use those beacons to follow you like a marked animal everywhere and report your activities back to a vast marketplace where personal data about you is shared, bought and sold, much of it in real time, supposedly so your eyeballs can be hit with ‘relevant’ or ‘interest based’ advertising, though we are sure there are other collateral effects, but we don’t care about those because it’s our business to get paid just just for clicks or ‘impressions,’ whether you’re impressed or not.

Okay, so now click on the “Manage” button.

Up will pop a rectangle where it says Here you can control cookies, including those for advertising, using the buttons below. Even if you turn off the advertising related cookies, you will still see adverts on our site, because they help us to fund it. However, those adverts will simply be less relevant to to you. You can learn more about cookies in our Cookie Notice on the site.

Under that text, in the left column, are six “Purposes of data collection,” all defaulted with little check marks to ON (though only five of them show, giving the impression that there are only those five). The right column is called “Our partners,” and shows the first five of what turn out to be 259 companies, nearly all of which are not brands known to the world, or to anybody outside the business (and probably not known widely within the business as well). All are marked ON by that little check mark. Here’s that list, just through the letter A:

  • 1020, Inc. dba Placecast and Ericsson Emodo
  • 1plusX AG
  • 2KDirect, Inc. (dba iPromote)
  • 33Across
  • 7Hops.com Inc. (ZergNet)
  • A Million Ads Limited
  • A.Mob
  • Accorp Sp. z o.o.
  • Active Agent AG
  • ad6media
  • ADARA MEDIA UNLIMITED
  • AdClear GmbH
  • Adello Group AG
  • Adelphic LLC
  • Adform A/S
  • Adikteev
  • ADITION technologies AG
  • Adkernel LLC
  • Adloox SA
  • ADMAN – Phaistos Networks, S.A.
  • ADman Interactive SL
  • AdMaxim Inc.
  • Admedo Ltd
  • admetrics GmbH
  • Admotion SRL
  • Adobe Advertising Cloud
  • AdRoll Inc
  • adrule mobile GmbH
  • AdSpirit GmbH
  • adsquare GmbH
  • Adssets AB
  • AdTheorent, Inc
  • AdTiming Technology Company Limited
  • ADUX
  • advanced store GmbH
  • ADventori SAS
  • Adverline
  • ADYOULIKE SA
  • Aerserv LLC
  • affilinet
  • Amobee, Inc.
  • AntVoice
  • Apester Ltd
  • AppNexus Inc.
  • ARMIS SAS
  • Audiens S.r.l.
  • Avid Media Ltd
  • Avocet Systems Limited

If you bother to “manage” any of this, what record do you have of it—or of all the other collections of third parties who you’ve  agreed to follow you around? Remember, there are a different collection of these at every website with third parties that track you, and different UIs, each provided by other third parties.

It might be easier to discover and manage parasites in your belly than cookies in your browser.

Think I exaggerate? The long list of cookies in just one of my browsers (which I had to dig deep to find) starts with this list:

After several hundred others, my cookie  list ends with —

I know what zoom is. The rest are a mystery to me.

To look at just that first one, 1rx.io, I have to dig way dow in the basement of preferences directory (in Chrome it’s chrome://settings/cookies/detail?site=1rx.io), where I find that it’s locally stored data is this:

_rxuuid

Name
_rxuuid
Content
%7B%22rx_uuid%22%3A%22RX-2b58f1b1-96a4-4e1d-9de8-3cb1ca4175b0%22%2C%22nxtrdr%22%3Afalse%7D
Domain
.1rx.io
Path
/
Send for
Any kind of connection
Accessible to script
No (HttpOnly)
Created
Wednesday, December 12, 2018 at 4:48:53 AM
Expires
Thursday, December 12, 2019 at 4:48:53 AM

I’m a somewhat technical guy, and at least half of that stuff means nothing to me.

As for “managing” those,  my only choice on that page is to “Remove All.” Does that mean remove everything on that page alone or all the cookies everywhere? And how can I remember that I removed it?

Obviously there is no way for anybody to “manage” any of this, in any meaningful sense of the word. But that’s the conceit of

My point: this whole non-system is beyond broken.

We also can’t fix it on the sites & services side, no matter how much those sites and services care (which most don’t) about the “customer journey,” the “customer experience,” or any of the other bullshit they’re buying from marketers this week..

Even within the CRM (customer relationship management) world, the B2B customers of Oracle and Salesforce use one cloud and one set of tools to create as many different “experiences” for users and customers as there are companies deploying those tools to manage customer relationships from their side.  There are no corresponding tools on our side.  (Not yet anyway. See here.)

We still live in a world where  we have no common or standard way at all to scale our choices, or our experiences, across all those companies. And that’s what we’ll need if we want real privacy online.

The simple fact is that privacy is personal, meaning something we create for ourselves (which in the natural world we do with clothing and shelter, both of which lack equivalents in the digital world). Privacy is not something supplied by a grace of privacy policies and terms of service that differ with every company, and over which none of us have control. Especially when those same companies work very hard to make themselves as far from trustworthy as it’s possible to go.

We must crank up agency on the individual’s side. We did it with the standards and protocols that gave us the Net, the Web, email and too little else. And we need it here too. Soon.

This is why we (a few colleagues and I) co-founded Customer Commons as a place for terms that individuals can proffer as first parties, just by pointing at them. (Much as licenses at Creative Commons can be pointed at. Sites and services can agree too those terms, and both can keep records and follow audit trails.

And there are some good signs that this will happen. For example, the IEEE approached Customer Commons last year with the suggestion that they help its community by creating a working group for machine readable personal privacy terms. It’s called P7012. If you’d like to join, please do.

Without work like this, privacy will remain an empty promise by a legion of violators.

One more thing. We can put the GDPR to our use if we like.  That’s because Article 4 of the GDPR defines a data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”

In other words, each of us can be our own data controller. Most lawyers dealing with the GDPR don’t agree with that. They think the individual data subject will always need a fiduciary or an intermediary of some kind. But the simple fact is that we should be in control of our lives online, and that means in some degree of control over our data exposures, and how our data, and data about us, is used. More about all that in upcoming posts.