Doc Searls Weblog

We know more than we can tell.

That was how Michael Polanyi distinguished between tacit and explicit knowing. We may know tacitly how we form speech, ride a bike, or sense when to shake hands with someone, or hug them. But we can’t explain all the signals and mechanisms involved. Not explicitly.

In the natural world, privacy is almost entirely based on tacit understandings. Clothing, for example, is a privacy technology that both covers private regions of the body and signals what the person might or might not welcome in respect to those regions—plus much else, none of which can easily or completely be described explicitly and in detail.

The digital world, however, is entirely explicit. There is no tacit there. As users of tech, we have tacit understandings of how digital things work, but for programming to happen, for logic to operate, we need bits, bytes, and data upon which logical operations can work.

And that is the problem with privacy in the digital world. We lack ways to make our privacy requirements explicit. That’s the main reason why it has been almost impossible for marketers to resist spying on us constantly. We are naked and defenseless. In the absence of digital clothing and ways to signal personal privacy requirements, we have an entirely corporate-side “consent”-based fecosystem that manifests in shit like this:

These “agreements” do less than nothing to give us privacy, or even the faintest sense of it. Even if a site provides a choice such as this—

—we have no record of our decision to not allow tracking, and no faith that our “setting” in their system will be respected.

The status quo here is not new. It was established in the industrial age, and best explained by this guy:

Friedrich Kessler (1901-1998) was a self-described legal realist whose most widely cited work is Contracts of Adhesion—Some Thoughts About Freedom of Contract (Columbia Law Review, 1943). In it, Kessler argues that contract law is individualistic by nature, and “closely tied up with the ethics of free enterprise capitalism and the ideals of justice of a mobile society of small enterprisers, individual merchants and independent craftsmen.”

He also laments that this ideal was sidelined by giantism in the industrial age. Freedom of contract had become, he explains, “a one-sided privilege.” Specifically, “Freedom of contract enables enterprisers to legislate by contract…in a substantially authoritarian manner without using the appearance of authoritarian forms. Standard contracts in particular could thus become effective instruments in the hands of powerful industrial and commercial overlords enabling them to impose a new feudal order of their own making upon a vast host of vassals.”

The pro forma standard form contract, Kessler explained, forced the weaker party—the ordinary consumer or customer—into “subjection more or less voluntary to terms dictated by the stronger party, terms whose consequences are often understood only in a vague way, if at all.”

He called these agreements “contracts of adhesion,” and á prendre ou ai laisser (translation: “take it or leave it”). These contracts are ones the weaker party adheres to and the stronger party can change. So it’s glue for you and me, velcro for the world’s sites and services.

This industrial age convention got leveraged in spades on the Internet, where every corporate entity—not just giants—enjoyed freedom of contract while you and I could not. This status quo became so normative that Bruce Schneier was already writing about the “feudal Internet” twelve years ago.

Thanks to this status quo, our digital world today looks like this:

This is not only a locked-up hell of too many logins, passwords, and second-factor authentication gauntlets. It’s a place where we have an equal number of adhesive “agreements” that aren’t, and which the feudal lords can change while we cannot. Their velcro, our glue.

Are we stuck here? Do we have to be?

No, because there is nothing about digital technology that requires it. And digital technology gives us boundless ways to design and program a digital world that works for people as well as it works for companies—and make it better for companies as well.

Kessler says the legal realist is “constantly testing out the desirability, efficiency and fairness of inherited legal rules and institutions in terms of the present needs of society.” I submit that our most pressing present need is to move past surveillance capitalism and into an intention economy where the demand side of the marketplace can better signal its wants, needs, and ability to engage in mutually beneficial ways. If we have that, the supply side can stop spending $trillions on wasteful and unwelcome surveillance-fed guesswork. We can do that by starting with personal privacy.

I also submit that there is only one way for people to secure a measure of privacy online, and that is through contract. People need to be able to proffer their own privacy terms as first parties to sites and services performing as second parties—and to do that at scale.

And now they can, using a new standard called P7012 IEEE Draft Standard for Machine Readable Personal Privacy Terms, nicknamed MyTerms. (Much as IEEE 802.11 is nicknamed WiFi.) The IEEE approached Customer Commons with the idea for making personal privacy terms machine-readable in 2017. Today the draft is done and due to become official by early next year.

Freedom of contract can be far more useful to both customers and companies than what companies today get out of adhesive contracts and “consents” (such as the one above) that are typically written to obey the letter of privacy laws (such as the GDPR, the DMA, and the CCPA) while violating their spirit.

Here is how MyTerms works:

Lots of business can be built on top of this simple system, which at the ground level starts with service provision without surveillance or unwanted data sharing by the company with other parties. New agreements can be made on top of that, but MyTerms are where genuine and trusting (rather than today’s coerced and one-sided) relationships can be built.

When companies are open to MyTerms agreements, they don’t need cookie notices. Nor do they need 10,000-word terms and conditions or privacy policies because they’ll have contractual agreements with customers that work for both sides.

On top of that foundation, real relationships can be built by VRM systems on the customers’ side and CRM systems on the corporate side. Both can also use AI agents: personal AI for customers and corporate AI for companies. Massive businesses can grow to supply tools and services on both sides of those new relationships. These are businesses that can only grow atop agreements that customers bring to the table, and at scale across all the companies they engage.

Here are some of the possibilities that open up, and I explained at ProjectVRM:

1. CMPs—Content Management Platforms—can provide sites & services with easy ways to respond to MyTerms choices brought to the table by visitors. Let’s call this a Terms Matching Engine. The current roster of terms we’re working with at Customer Commons (abbreviated CuCo, hence the cuco.org shortcut) starts with  CC-BASE, which is “service provision only.” It says to a website, “just give me your service, and nothing more.” In other words, no tracking. Yet. Negotiation toward additional provisions comes after that. Those can be anything, but they should be in the spirit of We’re starting with personal privacy here, and the visitor sets the terms for that.
2. There is a whole new business (which, like the VPN, grammar-help, and password management businesses, people would pay for) in helping people present, manage, remember, and monitor compliance with their terms, and what additional agreements have been arrived at. This can involve browser add-ons such as the one pictured  on the ProjectVRM r-button page. CMP companies can make money there too, adding a C2B business to their B2B ones.
3. Go beyond #2 to provide real VRM. Back in the last millennium, Iain Henderson pointed out that B2B relationships tend to have hundreds or thousands of variables over which both parties need to agree. Nitin Badjatia, another CRM veteran (and a Customer Commons board member like Iain and myself), has also pointed out that companies like Oracle have long provided AI-assisted ways for B2B relationships to arrive at contractual agreements. The same can work for C2B, once the base privacy agreement is established. There can be a business here that expands on what gets started with that first agreement.
4. Verticals. There can be strong value-adds for regulated industries or companies wanting to acquire and signal accountability, or look for firmer ways to establish a privacy regime better than the called consent, which doesn’t work (except as thin ass-covering for companies fearing the GDPR and the CCPA). For example: banks, insurers, publishers, health care providers.
5. For people (not just corporate clients), CMPs could offer browser plugins or apps (mobile and/or computer) that help people choose and present their privacy terms, track who honors them, notify them of violations, and have r-buttons mean something. Or multiple things.

Here is an example of r-buttons in a browser:

Real relationships, including records of agreements, can be unpacked when a person (not a mere “user”) clicks on either the ⊂ or the ⊃ symbols. There are golden opportunities here for both VRM and CRM vendors. And, of course, companies such as Admiral and OneTrust working both sides—and being truly trusted.

So, if we want to de-enshittify the Internet—and to make it work well for all of us—the best way to start is with MyTerms.