In her latest Ars Technica story, Ashley Belanger reports that Patreon, the widely used and much-trusted monetization platform for creative folk, opposes the minimal personal privacy protections provided by a law you probably haven’t heard of until now: the Video Privacy Protection Act, or VPPA. Patreon, she writes, wants a judge to declare that law (which dates from the videotape rental age) unconstitutional because it inconveniences Patreon’s ability to share the personal data of its users with other parties.† Naturally, the EFF, the Center for Democracy & Technology, the ACLU of Northern California, and the ACLU itself all stand opposed to Patreon on this and have filed an amicus brief explaining why.
But I’m not here to talk about that. I’m here to bring up the inconvenient fact that Ars Technica is also in the surveillance business. A PageXray of Ashley’s story finds this—
- 360 adserver requests
- 259 tracking requests
- 131 other requests
—which it visualizes with this:
And that’s just one small part of it.
But will Ashley, or any reporter, grab the third rail of their employer’s participation in the tracking-based advertising business? Or visit that business’s responsibility for what was already the biggest boycott in human history way back in 2015? The odds are against it. I’ve challenged many reporters to grab that third rail, just like I’m challenging Ashley here. In every case, nothing happened.
I never challenged Farhad Manjoo, but he did come through exposing The New York Times (his employer’s) own participation in the privacy-opposed tracking-based adtech business, back in 2019. Here’s a PageXray of tracking via that piece today:
Better, but not ideal.
Five years ago this month, I wrote a column about privacy in Linux Journal with the same title as this post. Here it is again, with just a few tiny edits. Amazing how little things have changed since then—and how much worse they have become. But I do see hope. Read on.
If you think regulations are going to protect your privacy, you’re wrong. In fact, they can make things worse, especially if they start with the assumption that your privacy is provided only by other parties, most of whom are incentivized to violate it.
Exhibit A for how much worse things can get is the EU’s GDPR (General Data Protection Regulation). As soon as the GDPR went into full effect in May 2018, damn near every corporate entity on the Web put up a “cookie notice” requiring acceptance of terms and privacy policies that allow them to continue violating your privacy by harvesting, sharing, auctioning off and otherwise using your data, and data about you.
For websites and services in that harvesting business (a population that rounds to the whole commercial web), these notices provide a one-click way to adhere to the letter of the GDPR while violating its spirit.
There’s also big business in the friction that it produces. To see how big, look up GDPR+compliance on Google. You’ll get 232 million results (give or take a few dozen million).
None of those results are for you, even though you are who the GDPR is supposed to protect. See, to the GDPR, you are a mere “data subject” and not an independent and fully functional participant in the technical, social, and economic ecosystem the Internet supports by design. All privacy protections around your data are the burden of other parties.
Or at least that’s the interpretation that nearly every lawmaker, regulatory bureaucrat, lawyer, and service provider goes by. (One exception is Elizabeth Renieris @hackylawyer. Her collection of postings is required reading on the GDPR and much else.) The same goes for those selling GDPR compliance services, comprising most of those 190 million GDPR+compliance search results.
The clients of those services include nearly every website and service on Earth that harvests personal data. These entities have no economic incentive to stop harvesting, sharing, and selling personal data the usual ways, beyond fear that the GDPR might actually be enforced, which so far (with few exceptions), it hasn’t been. (See Without enforcement, the GDPR is a fail.)
Worse, the tools for “managing” your exposure to data harvesters are provided entirely by the websites you visit and the services you engage. The “choices” they provide (if they provide any at all) are between 1) acquiescence to them doing what they please and 2) a maze of menus full of checkboxes and toggle switches “controlling” your exposure to unknown threats from parties you’ve never heard of, with no way to record your choices or monitor effects.
So let’s explore just one site’s presentation, and then get down to what it means and why it matters.
Our example is https://www.mirror.co.uk. If you haven’t clicked on that site already, you’ll see a cookie notice that says,
We use cookies to help our site work, to understand how it is used, and to tailor the adverts presented on our site. By clicking “Accept” below, you agree to us doing so. You can read more in our cookie notice. Or, if you do not agree, you can click Manage below to access other choices.
They don’t mention that “tailor the adverts” really means something like this:
We open your browser to infestation by tracking beacons from countless parties in the online advertising business, plus who-knows-what-else that might be working with those parties (there is no way to tell, and if there was we wouldn’t provide it), so those parties and their “partners” can use those beacons to follow you like a marked animal everywhere you go and report your activities back to a vast marketplace where personal data about you is shared, bought and sold, much of it in real time, supposedly so your eyeballs can be hit with “relevant” or “interest-based” advertising as you travel from site to site and service to service. While we are sure there are bad collateral effects (fraud and malware, for example), we don’t care about those because it’s our business to get paid just for clicks or “impressions,” whether you’re impressed or not—and the odds that you won’t be impressed average to certain.
Okay, so now click on the “Manage” button.
Up will pop a rectangle where it says “Here you can control cookies, including those for advertising, using the buttons below. Even if you turn off the advertising-related cookies, you will still see adverts on our site, because they help us to fund it. However, those adverts will simply be less relevant to you. You can learn more about cookies in our Cookie Notice on the site.”
Under that text, in the left column, are six “Purposes of data collection”, all defaulted with little check marks to ON (though only five of them show, giving the impression that there are only those five). The right column is called “Our partners”, and it shows the first five of what turn out to be 259 companies, nearly all of which are not brands known to the world or to anybody outside the business (and probably not known widely within the business as well). All are marked ON by that little check mark. Here’s that list, just through the letter A:
- 1020, Inc. dba Placecast and Ericsson Emodo
- 1plusX AG
- 2KDirect, Inc. (dba iPromote)
- 33Across
- 7Hops.com Inc. (ZergNet)
- A Million Ads Limited
- A.Mob
- Accorp Sp. z o.o.
- Active Agent AG
- ad6media
- ADARA MEDIA UNLIMITED
- AdClear GmbH
- Adello Group AG
- Adelphic LLC
- Adform A/S
- Adikteev
- ADITION technologies AG
- Adkernel LLC
- Adloox SA
- ADMAN – Phaistos Networks, S.A.
- ADman Interactive SL
- AdMaxim Inc.
- Admedo Ltd
- admetrics GmbH
- Admotion SRL
- Adobe Advertising Cloud
- AdRoll Inc
- adrule mobile GmbH
- AdSpirit GmbH
- adsquare GmbH
- Adssets AB
- AdTheorent, Inc
- AdTiming Technology Company Limited
- ADUX
- advanced store GmbH
- ADventori SAS
- Adverline
- ADYOULIKE SA
- Aerserv LLC
- affilinet
- Amobee, Inc.
- AntVoice
- Apester Ltd
- AppNexus Inc.
- ARMIS SAS
- Audiens S.r.l.
- Avid Media Ltd
- Avocet Systems Limited
If you bother to “manage” any of this, what record do you have of it—or of all the other collections of third parties who you’ve agreed to follow you around? Remember, there are a different collection of these at every website with third parties that track you, and different UIs, each provided by other third parties.
It might be easier to discover and manage parasites in your belly than cookies in your browser.
Think I exaggerate? The long list of cookies in just one of my browsers (which I had to dig deep to find) starts with this list:
After several hundred others, my cookie list ends with:
I know what zoom.us is. The rest are a mystery to me.
To look at just that first one, 1rx.io, I have to dig way down in the basement of the preferences directory (in Chrome it’s chrome://settings/cookies/detail?site=1rx.io), where I find that its locally stored data is this:
_rxuuid
Name
_rxuuid
Content
%7B%22rx_uuid%22%3A%22RX-2b58f1b1-96a4-4e1d-9de8-3cb1ca4175b0%22%2C%22nxtrdr%22%3Afalse%7D
Domain
.1rx.io
Path
/
Send for
Any kind of connection
Accessible to script
No (HttpOnly)
Created
Wednesday, December 12, 2018 at 4:48:53 AM
Expires
Thursday, December 12, 2019 at 4:48:53 AM
I’m a somewhat technical guy, and at least half of that stuff means nothing to me.
As for “managing” those, my only choice on that page is to “Remove All”. Does that mean Remove everything on that page alone or Remove all cookies everywhere? And how can I remember what I’ve had removed?
Obviously, there is no way for anybody to “manage” this, in any meaningful sense of the word.
We also can’t fix it on the sites and services side, no matter how much those sites and services care (which most don’t) about the “customer journey”, the “customer experience” or any of the other bullshit they’re buying from marketers this week.
Even within the CRM (customer relationship management) world, the B2B customers of CRM companies use one cloud and one set of tools to create as many different “experiences” for users and customers as there are companies deploying those tools to manage customer relationships from their side. There are no corresponding tools on our side. (Though there is work going on. See here.)
So the digital world remains one where we have no common or standard way to scale our privacy and data usage tools, choices, or experiences across all sites and services. And that’s what we’ll need if we want real privacy online.
The simple place where we need to start is this: privacy is personal, meaning something we create for ourselves (which in the natural world we do with clothing and shelter, both of which lack equivalents in the digital world).
And we need to be clear that privacy is not a grace of privacy policies and terms of service that differ with every company and over which none of us have true control—especially when there is an entire industry devoted to making those companies untrustworthy, even if they are in full compliance with privacy laws.
Devon Loffreto (who coined the term self-sovereign identity and whose good work we’ll be visiting in an upcoming issue of Linux Journal) puts the issue in simple geek terms: we need root authority over our lives. Hashtag: #OwnRoot.
It is only by owning root that we can crank up agency on the individual’s side. We have a perfect base for that in the standards and protocols that gave us the Internet, the Web, email, and too little else. And we need it here too. Soon.
We (a few colleagues and I) created Customer Commons as a place for terms that individuals can proffer as first parties, just by pointing at them, much as licenses at Creative Commons can be pointed at. Sites and services can agree to those terms, and both can keep records and follow audit trails.
And there are some good signs that this will happen. For example, the IEEE approached Customer Commons last year with the suggestion that we stand up a working group for machine-readable personal privacy terms. It’s called P7012. If you’d like to join, please do.
Unless we #OwnRoot for our own lives online, privacy will remain an empty promise by a legion of violators.
One more thing. We can put the GDPR to our use if we like. That’s because Article 4 of the GDPR defines a data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…” This means each of us can be our own data controller. Most lawyers dealing with the GDPR don’t agree with that. They think the individual data subject will always need a fiduciary or an intermediary of some kind: an agent of the individual, but not an individual with agency. Yet the simple fact is that we should have root authority over our lives online, and that means we should have some degree of control over our data exposures, and how our data, and data about us, is used—much as we do over how we control or moderate our privacy in the physical world. More about all that in upcoming posts.
The original version of this post was published on the Private Internet Access blog. Private Internet Access and Linux Journal at the time were both holdings of London Trust Media.
Also, check out the Privacy Manifesto at the ProjectVRM wiki. I maintain it and welcome bug fixes.
† This is an example of what Cory Doctorow calls “enshittification” and Wikipedia (at that link) more politely calls “platform decay.” It’s a big trade-away of goodwill by Patreon. Says to me they must be making an enshitload of money in the adtech fecosystem.
Leave a Reply