Nobody loves cookies: Where the European Union General Data Protection Regulation falls short and what can be done.
The endless cookie settings that pop up for every website feel a bit like prank compliance by an internet hell-bent on not changing. It is very annoying. And it feels a little bit like revenge on regulators by the data markets, giving the General Data Protection Regulation (GDPR) a bad name and so that it might seem like political bureaucrats have, once again, clumsily interfered with the otherwise smooth progress of innovation.
The truth is, however, that the vision of privacy put forward by the GDPR would spur a far more exciting era of innovation than current-day sleaze-tech. As it stands today, however, it simply falls short of doing so. What is needed is an infrastructural approach with the right incentives. Let me explain.
The granular metadata being harvested behind the scenes
As many of us are now keenly aware of, an incessant amount of data and metadata is produced by laptops, phones and every device with the prefix “smart.” So much so that the concept of a sovereign decision over your personal data hardly makes sense: If you click “no” to cookies on one site, an email will nevertheless have quietly delivered a tracker. Delete Facebook and your mother will have tagged your face with your full name in an old birthday picture and so on.
What is different today (and why in fact a CCTV camera is a terrible representation of surveillance) is that even if you choose and have the skills and know-how to secure your privacy, the overall environment of mass metadata harvesting will still harm you.
It is not about your data, which will often be encrypted anyway, it is about how the collective metadata streams will nevertheless reveal things at a fine-grained level and surface you as a target — a potential customer or a potential suspect should your patterns of behavior stand out.
Despite what this might look like, however, everyone actually wants privacy. Even governments, corporations and especially military and national security agencies. But they want privacy for themselves, not for others. And this lands them in a bit of a conundrum: How can national security agencies, on one hand, keep foreign agencies from spying on their populations while simultaneously building backdoors so that they can pry?
Governments and corporations do not have the incentive to provide privacy
To put it in a language eminently familiar to this readership: the demand is there but there is a problem withincentives, to put it mildly. As an example of just how much of an incentive problem there is right now, an EY report valuesthe market for United Kingdom health data alone at $11 billion.
Such reports, although highly speculative in terms of the actual value of data, nevertheless produce an irresistible fear-of-missing-out, or FOMO, leading to a self-fulfilling prophecy as everyone makes a dash for the promised profits. This means that although everyone, from individuals to governments and big technology corporations might want to ensure privacy, they simply do not have strong enough incentives to do so.
The FOMO and temptation to sneak in a backdoor, to make secure systems just a little less secure, is simply too strong. Governments want to know what their (and others) populations are talking about, companies want to know what their customers are thinking, employers want to know what their employees are doing and parents and school teachers want to know what the kids are up to.
There is a useful concept from the early history of science and technology studies that can somewhat help illuminate this mess. This is affordance theory. The theory analyzes the use of an object by its determined environment, system and things it offers to people — the kinds of things that become possible, desirable, comfortable and interesting to do as a result of the object or the system. Our current environment, to put it mildly, offers the irresistible temptation of surveillance to everyone from pet owners and parents to governments.
In an excellent book, software engineer Ellen Ullman describes programming some network software for an office. She describes vividly the horror when, after having installed the system, the boss excitedly realizes that it can also be used to track the keystrokes of his secretary, a person who had worked for him for over a decade. When before, there was trust and a good working relationship.
The novel powers inadvertently turned the boss, through this new software, into a creep, peering into the most detailed daily work rhythms of the people around him, the frequency of clicks and the pause between keystrokes. This mindless monitoring, albeit by algorithms more than humans, usually passes for innovation today.
Privacy as a material and infrastructural fact
So, where does this land us? That we cannot simply put personal privacy patches on this environment of surveillance. Your devices, your friends’ habits and the activities of your family will nevertheless be linked and identify you. And the metadata will leak regardless. Instead, privacy has to be secured as a default. And we know that this will not happen by the goodwill of governments or technology companies alone because they simply do not have the incentive to do so.
The GDPR with its immediate consequences has fallen short. Privacy should not just be a right that we desperately try to click into existence with every website visit, or that most of us can only dream of exercising through expensive court cases.
No, it needs to be a material and infrastructural fact. This infrastructure has to be decentralized and global so that it does not fall into the interests of specific national or commercial interests. Moreover, it has to have the right incentives, rewarding those who run and maintain the infrastructure so that protecting privacy is made lucrative and attractive while harming it is made unfeasible.
To wrap up, I want to point to a hugely under-appreciated aspect of privacy, namely its positive potential for innovation. Privacy tends to be understood as a protective measure. But, if privacy instead simply were a fact, data-driven innovation would suddenly become far more meaningful to people. It would allow for much broader engagement with shaping the future of all things data-driven including machine learning and AI. But more on that next time.