Here's the theory behind Europe's #GDPR: if an online service wants to collect, store and/or process your personal information, it has to obtain your real, informed consent for each of those activities. 1/
If you'd like an unrolled version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
In theory, this should have exterminated surveillance-based "behavioral" ads. In practice, nothing of the sort has happened...yet. 3/
Let's look at the theory first. The ad-tech industry has long maintained that it obtains consent for all its data-processing. This is an obvious pretense. This "consent" consists of you wading through a garbage-novella of legalese and clicking "I agree." 4/
Worse, those "contracts" inevitably say something like, "These terms are subject to change without notice" and/or "You agree that you are not allowed to sue us if we violate these terms, and will have to take your case to an 'arbitrator' that we pay to decide if we're wrong." 5/
Based on this consent-theater, ad-tech scammers claim that they can harvest your data, retain it indefinitely, and sell or give it away to anyone they want, and that this is all totally cool with you because if it wasn't, you wouldn't have "consented." 6/
Enter the GDPR. Under Europe's landmark privacy regulation, companies have to ask you a plain-language question confirming your consent to *every* piece of data they collect and *every* use they plan on making of that data. 7/
They can't punish you for refusing consent - by locking you out of a service or degrading its quality - and you can withdraw your consent at any time. 8/
This is deliberately burdensome. It takes the position that consent is a weighty and serious thing, that personal data is genuinely valuable, and that the transactions in which data is gathered and processed should be solemnized by a thoughtful, substantial ceremony. 9/
It calls ad-tech's bluff: "If you think people are really OK with all that spying you've done, let's ask them, in depth, before you do it." 10/
The reality is that there's no meaningful "consent" to an open-ended collection and processing of your data - the very premise does violence to the idea of consent itself. 11/
Companies that claim that you have consented to hundreds or even thousands of different uses of your data are obviously lying.
Consent-theater is the ideological and legal backstop for unfettered commercial surveillance. 12/
It means that data-collection and retention is essentially cost-free. Companies built their services accordingly, maximizing their data-collection and sloshing that data around with wild abandon. 13/
Under the GDPR, the cost of data-collection is shifted from users - who are expected to wade through "agreements" and somehow negotiate away the terms they find odious - to companies. 14/
Now, when a product team plans a new service, they have to factor in the loss of users who bail on a consent process that consists of hundreds or thousands of dialogs against the speculative value of the data this will let them gather and process.
That value is indeed speculative. "Behavioral" ads - placed dynamically based on your browsing history and other personal information - are only very slightly more effective than "contextual" ads, based on the content of the page you're looking at.
Behavioral ads are only more profitable than context ads if all the costs of surveillance - the emotional burden of being watched; the risk of breach, identity-theft and fraud; the potential for government seizure of surveillance data - are pushed onto internet users. 17/
If companies have to bear those costs, behavioral ads are a total failure, because no one in the history of the human race would actually grant consent to all the things that get done with our data. 18/
That's what the Dutch public broadcaster NPO learned. As a public institution, its compliance staff decided that it would strictly adhere to the letter and spirit of the GDPR when serving ads on its site.
The broadcaster quickly realized that if it could only show ads to people who gave meaningful, enthusiastic consent to surveillance, then it couldn't show any ads at all. 20/
NPO switched to serving context-based ads - which didn't involve processing any personal information, and thus didn't require a consent process - and its revenues soared. 21/
It was showing ads to a *lot* more people, and those ads were about as effective as the surveillance ads it had deprecated (and it didn't have to give 30-50% of its revenues to an ad-tech company!). 22/
The GDPR holds out serious fines for noncompliance, the kind that could put even a globe-spanning Big Tech colossus out of business. 23/
In theory, every online service whose bank-account is within the reach of European enforcers should be following NPO's lead and switching to context ads.
In practice, Europeans have swapped one form of consent theater for a worse one. 24/
The EU's ad-tech sector has adopted a form of "malicious compliance" with the GDPR, in which users are presented with confusing, endless dialogs. Ignore these, and your consent is presumed. 25/
Actually, this isn't even malicious compliance, because it doesn't comply with the GDPR. It's illegal conduct, as the IAB - ad-tech's industry association - has finally admitted.
Nevertheless, ad-tech has shown precious little willingness to color within the lines. It's easy to see why, once you understand the GDPR's fatal flaw: the way it allows large companies to forum-shop within EU member states. 27/
#Ireland is one of the go-to jurisdictions for corporate criminals. The country operates as a tax-haven, a financial secrecy jurisdiction suitable for any corporation that wanted to hide its wealth from tax collectors in the EU and beyond. 28/
This process is documented in furious detail in "Tax Haven Ireland," a new book by @Brian_OBoyle1 and Kieran Allen:
The conversion of Ireland into a rogue state whose economy depends on protecting corporate criminals goes beyond its tax code. 30/
Its regulators are infamously lax, too - and that includes its Information Commissioner's Office, an organization that doesn't even bother to put on trousers in the morning - it sits around all day in its jammies, eating breakfast cereal and watching cartoons. 31/
It certainly doesn't investigate GDPR claims that are brought before it.
Since Europe's sleaziest companies all fly Irish flags of convenience, the Irish ICO's King Log routine means that companies that violate the GDPR don't have to worry about facing justice. 32/
That defense may not last forever. The Irish Council for Civil Liberties has lodged a complaint against the IAB...in Germany, where the ICO's office is staffed with hungry, committed enforcers. 33/
Meanwhile, @maxschrems - the activist whose legal fights inspired the GDPR in the first place - is suing Google in Austria:
Now, there's some movement in the UK. The outgoing British Information Commissioner, Elizabeth Denham, has published an official opinion warning the ad-tech sector that surveillance advertising is doomed:
Denham characterizes her paper as offering "clarity" on the UK implementation of the GDPR, but that's a bit of doublespeak. In reality, all Denham is clarifying is that her successor will enforce the GDPR's plain language (finally). 36/
Writing in @Techcrunch, @riptari is justifiably cynical about this announcement. Lomas says that ad-tech is already moving away from aggressive surveillance, using fancy cryptographic math to create a non-invasive form of behavioral advertising.
It's true that there's a lot of movement on this and the promises sound great. But as my EFF colleague Alexis Hancock wrote in her deep-dive into #ManifestV3 (the technical initiative at the heart of this movement), the reality is a lot dimmer:
Not only do these techniques fail to deliver on their privacy promises, but they also actively interfere with independent browser plugins that block online tracking. To make matters worse, ManifestV3 has significant anti-competitive implications. 39/
Denham's parting shot highlights the post-Brexit tension in the UK over competition, privacy and fairness. 40/
Last summer, the UK Competition and Markets Authority published a landmark study of the ad-tech industry that painted a picture of a highly concentrated industry riddled with fraud and abuse:
But while much of the CMA's report is excellent, it also goes badly awry when contemplating the relation of competition to surveillance. The CMA notes that Facebook and Google have a huge advantage in the market because they can do "attribution." 42/
That's the ad-tech euphemism for spying on you - your movements, purchases and online activity - after you see an ad to determine whether you bought anything featured in the ad. 43/
Obviously, advertisers love "attribution" and pay a premium for it, which hardens Googbook's domination of the ad-market (they alone have the surveillance tendrils in the physical and virtual world for consistent attribution). 44/
The CMA moots a solution to this: assign every British person a unique, lifelong advertising identifier that will allow other companies to spy on you, too, and thus democratize attribution. 45/
In this, the CMA has committed a category error that's as old as competition enforcement itself. Monopolies enjoy enormous power, and that power allows them to trample human rights and commit crimes with impunity. They are often very good at this. 46/
Writing a century ago, Ida M Tarbell - whose "History of the Standard Oil Company" led to the breakup of Rockefeller's oil behemoth - called this "illegitimate greatness."
Tarbell warned readers that the goal of competition law shouldn't be to democratize the ability of smaller firms to commit crimes, but rather to extinguish those crimes by making companies weak enough that we can force them to obey the law. 48/
In other words, we don't want competition in the field of "who can violate internet users' human rights most efficiently at scale?"
So here we are, with two UK top regulators examining the same question and coming to very different conclusions. The ICO is finally promising to extinguish mass surveillance, while the CMA wants to make it more efficient. 50/
Meanwhile, across the Channel, the EU just rescued the #DigitalMarketsAct by reversing a set of Big-Tech-friendly amendments and installing fierce protections for real competition and installing fresh curbs on surveillance, beyond the GDPR.
The UK only has an ICO because it was par of the EU when the GDPR was passed. Now, post-Brexit, the UK will be under no obligation to adopt the DMA or other rules that correct the defects in the GDPR. 52/
It'll be fascinating - and possibly terrible - to watch how the UK proceeds as the EU continues to attack Big Tech power and its risible fictions like consent-theater.
Facebook has threatened to leave the EU if they keep this up. 53/
That is not going to happen, of course, but it would be pretty wild if the UK made a bid for post-Brexit relevance by offering a new flag of convenience to Big Tech as the EU leans on Ireland to end its program of criminal enabling.
In tweet 1, I'm referring to the collection of data for surveillance-based advertising. There are other bases under GDPR that permit data-collection.
In tweet 52, I absentmindedly wrote "The UK only has an ICO because it was par of the EU when the GDPR was passed." It should read "The UK's privacy rules are what they are thanks to its membership in the EU when the GDPR was passed."
Thanks to everyone who pointed out my errors.
• • •
Are you low-key freaking out about #omicron? Yeah, me too. Can't we catch a break?
Maybe.
Step one to preventing new, scarier mutant strains is to reduce the number of infected people, which requires a mix of ventilation, masking, distancing, and, of course, vaccinations. 1/
If you'd like an unrolled version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
These days, the "vaccine controversy" is primarily about vaccine-hesitancy and vaccine denial - that is, about people who can get the vaccine but choose not to. 3/