Doc Searls Weblog

In the natural world, privacy is a social contract: a tacit agreement that we respect others’ private spaces. We guard those spaces with the privacy tech we call clothing and shelter. We use language and gestures to signal what’s okay and what’s not. “Manners” are as formal as the social contract for privacy gets, but manners are also the bedrock on which we build civilization.

We don’t have privacy online. Not when the owner of a store who would never think of planting tracking beacons inside the clothes of visiting customers does exactly that on the company website. Tracking people is business-as-usual online. And that’s a big reason why civilization online is hardly developed. It can’t be when privacy is almost entirely an insincere promise by those incentivized to violate it.

The reason we can’t have the same social contract for privacy in the online world as we do in the offline one is that the online world isn’t tacit. It can’t be. Everything there is digital: ones, zeroes, bits, bytes, and program logic. If we want privacy in the online world, we need to make it an explicit requirement.

Policy won’t do it. The GDPR, CCPA, and the DMA are just inconveniences for the $trillion-plus adtech (tracking-based advertising) fecosystem. The biggest violators look at paying a billion-euro fine as a cost of doing business.

“Consent” through cookie notices doesn’t work because you have no way of knowing if what they call “your choices” are followed. Neither does the website, because it jobs that work out to OneTrust, Admiral, or some other CMP (consent management platform). And those companies  also don’t know or much care. Their job is mostly to bias “your choices” toward agreement to keep being tracked.

Polite requests also don’t work. We tried that with Do Not Track, and by the time it finished failing, the adtech lobby had turned it into Tracking Preference Expression—as if we wanted to be tracked all along.

What we need are contracts—ones you proffer and sites and services agree to. Contracts are explicit, and the only way to make personal privacy work in the online world. They’re also backed by contract law, which has been with us since civilization began.

This is why we’ve been working for eight years on the IEEE P7012 Draft Standard for Machine Readable Personal Privacy Terms, aka MyTerms. With MyTerms, you are the first party, and the site or service is the second party.† You present an agreement chosen from a limited roster posted on the public website of a disinterested nonprofit, such as Customer Commons, which was built for exactly this purpose. When the other side agrees, you both keep an identical record. (The idea is for Customer Commons to be for privacy contracts what Creative Commons is for copyright licenses.)

MyTerms might look scary to business-as-usual. But so did the PC, the Internet, and the smartphone. All did far more for business than the incumbent systems they obsolesced. When customers and companies start relating as partners who fully respect each other and create value together, the range of what’s possible in business widens much farther than what the old tracking-based fecosystem would ever allow.

We can explore those frontiers in other posts. Right now, I just want to make clear that contract is the only way we can obtain personal privacy online. And MyTerms will get us started.

†Credit where overdue: I was first schooled on what contracts really are by Renee Lloyd, who was a fellow fellow at the Bekrman Klein Center back in the late aughts. Renee is also the one who suggested that individuals should be the first parties in dealings with organizations online.

*Intentcasting is how you let a market of qualified sellers know what you’re looking for, in ways that preserve your privacy. For why that’s much better for business than surveillance and attention-grabbing, read When Customers Set the Terms: How the Intention Economy and ‘MyTerms’ Enable the Great Unwinding: A technical and economic foundation for customer sovereignty is here, by Nitin Badjatia.