Digital privacy is a challenge. GDPR and its siblings make it worse. We need a reset. And then some serious effort to understand the problem – something the GDPR creators never took the time to do. Possibly the most expensive – and detrimental – ‘blind-leading-the-blind’ exercise of all time.
Tim O’Reilly’s article ‘Data is the new sand’ was an eye-opener. A different, pragmatic and insightful angle on privacy, data, mindset and value. Without saying so, O’Reilly implies that our attempts to regulate privacy are worse than broken, even counterproductive.
To put it bluntly – and this is my take, not O’Reilly’s: What started as a quest for improved privacy is heading into a regime in which lawyers, politicians and bureaucrats compete for the right to rule, to define the rules and to protect something they don’t understand against threats they don’t understand – allegedly for our, the people’s, benefit. And to top it off, we – the people – don’t understand it either. It’s a blind-leading-the-blind situation if we ever saw one. And it’s getting worse by the month. Every case that is litigated, regardless of location, is followed by scores of discussions, comments and analyses from ‘experts’, journalists and politicians about how bad the situation is, the need for improvement and the importance of the issue. The spiralling complexity gets another (useless) turn and no one is hitting the brakes, asking if we’re on the right track. Very few seem to have taken the time to see and understand the full picture, and those who do are conspicuously subdued.
The ‘good’ thing is – we’re creating a lot of new jobs that undoubtedly feel important to those involved. The bad thing is that it’s all useless, that the jobs are really ‘Bullshit Jobs’ as defined in David Graeber’s famous bestseller. Actually, they’re even worse than useless. The regime is creating an illusion of care, protection and importance, thus defocusing any attempt to understand the real picture, find out what the real problem is and figure out what we need to get ahead.
‘And what is that, exactly?’ you’re asking. What is it we really need? The answer isn’t what you’d like to hear: We don’t know yet. And until we realize and accept that we don’t know, we’re not moving forward. We’re actually moving backwards – it’s getting worse.
So let’s give it a shot. Not at solving the problem, but at understanding it, which is where we have to start anyway. First of all, we need to realize that privacy is a recent invention. Basically, privacy is ‘our right to have secrets’ – and it didn’t exist 50 years ago. I grew up in a village of some 2000 souls in the 60s, and there was no privacy. Everyone knew everything – if they cared to know. It was natural and useful – and no one questioned it because it had always been like that. The doctor knew when someone was ailing and had each person’s history – medical and otherwise – in his head. Diagnosing was easy. Not that it was always correct, but the hit rate was probably better than it is today. The teacher knew the kids, their capabilities, who had problems at home, and could handle them accordingly. The local switchboard operator knew every little detail, could answer all kinds of questions and deliver guidance whenever needed. Etcetera, etcetera. The natural openness kept everyone (sort of) honest: The one with a secret was the last to realize that everyone knew.
Even in cities, this regime worked fine. Until they grew out of hand, so to speak. That’s when we – our civilization – got our first taste of privacy, or rather secrecy. And the ball started rolling. Laws and rules about client/lawyer privilege, doctor/patient privilege, non-disclosures and more flooded society, and secrets became important. Seemingly to keep society functioning, but also creating a new set of problems. Personal ‘data’ (we called it something else at the time) – from high school scorecards via police reports to tax records and medical journals – became a commodity. Secrets became real and could be bought and sold. New business segments grew out of the need to regulate, control, enforce and litigate.
Then we went digital. Information collection, duplication and flow became a million times easier and cheaper, and our local neighbourhood grew exponentially. Suddenly the entire world knew or could know what only the neighbour, possibly the doctor, used to know. Not that the world cared, but if someone was interested, there was information to be found – or bought. And we were on a roll. Not necessarily a desirable development, but what could we do?
Here’s the second fundamental – and easily forgotten – realization: Most people didn’t find the change the least bit threatening, so most people didn’t care. Actually, even today most people don’t care. They keep sharing the most intimate (and uninteresting) things about their lives with the world, because it makes them feel good. Not everyone, but surprisingly many. Ten years after activists and authorities started their quest to put the genie back into the bottle, the world is TikTok-ing, storying and Snapchatting 24/7, ignoring every warning and evading every trace of common sense.
Still, bureaucrats, lawyers and authorities were determined: We must bring ‘this’ under control. I don’t think they’re stupid, but I do think at least some of them, politicians in particular, are clueless. Many of them don’t really care; they’re simply creating a future for themselves, modelled after the way we did it last time, when the cities outgrew the old, open regime and enabled secrecy. They started building expensive bullshit systems with high-paying bullshit jobs that most people believe are necessary and important. And it worked, in the sense that most of us are falling for it. So here we are – in 2023. All these experts, all these journalists, politicians and bureaucrats working on Schrems verdicts, GDPR analyses, amendments and explanations; corporate lawyers wasting everyone’s time explaining risks and exposures, recommending expensive remedies etc. And what seems to be their primary focus? The size of the fines and whether your data can be stored in this or that country legally.
Again, what an incredible waste. What have we achieved since GDPR was introduced in Europe and more or less copied by other regions of the world, except creating a new bullshit industry? Honestly, very little in terms of data protection. Actually, Apple has done more for privacy in the last couple of years than any law or regulation ever has – a part of the picture that is easily forgotten or openly ignored. And an interesting element when trying to understand it all: Who really has the means, motivation and ability to deliver something that makes a difference? Excuse me, but my faith in the experts and bureaucrats is limited. Not that I think they’re crooks, but they’re not in the game for your interests or mine – they’re in it for their own. Which is also true for Apple and other vendors moving in the same direction, but the thing is: their goals and motivations overlap mine. Partly or fully. For now. And some of them actually understand the issues.
If you’re shaking your head, you’re in good company. This is a complicated and unstable – actually, ‘evolving’ sounds better – situation. Just like our digital lives: Changing fast and demanding we change with it. Still, in order to get a reasonable understanding of the situation, we have to take a step back – or up, if you like – to get the holistic view. See the entire picture. And understand enough to be able to ask the right questions. Such as: ‘If we didn’t have a problem 50 years ago, why do we have a problem now?’

That question has already been answered, at least partly, by the discussion above, and here’s the key: Value – as in monetary value. My physician 50 years ago had my data, but couldn’t sell it even if he wanted to. There was no buyer, thus no value except between the two of us, and the data stayed put. Also, even if there had been a value connected to the data, it’s unlikely that the good doctor would have sold it. There was trust, there was respect and there was dignity – elements hard to find these days. Which moves us to one of the root causes of the problem: Without trust, our society breaks. All the laws and rules in the world cannot create trust; only people can. And trust is elusive. It cannot be weighed or measured. ‘Takes years to build, seconds to break and forever to repair’ is a worn aphorism, but everyone knows it’s true. Then again – however tempting, we’re not ready to go down that road. We need to fully understand the problem first. For now, let’s stick with the observation that trust is a fundamental property of a functional society and culture.
This is important because every step we take from here towards understanding the privacy challenge builds on that realization. If we start off with the idea that ‘zero trust’ is good – and possible – we will not get anywhere, because it’s based on a misunderstanding of how society works. This is one of the fundamental problems with the current regime of laws and regulations, particularly in the digital realm. They attempt to regulate, quantify and enforce trust, which is like building the proverbial house on sand. No foundation.
Before we move on, a few words about zero trust. Zero Trust is a technical concept in cyber security – and a very important one. Coined by Forrester analyst John Kindervag and famously implemented by Google (as BeyondCorp), its basic premise is ‘trust no one, ever’. Which is (almost) possible, and has made a key contribution to improved cyber security all over the world. It’s a concept, a way of thinking and a mechanism – almost physical in the sense that it can be demonstrated, tested and ‘proven’ in a technical sense. The caveat in Zero Trust’s absoluteness is that it’s technology, and technology – whether software or hardware – isn’t perfect. There will be bugs, weaknesses and situations no one could have possibly imagined. So while Zero Trust implies several levels of technology watching each other in order to reduce the chance of failure or ‘breaks’, it’s never 100%.
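To make the mindset concrete, here’s a minimal sketch in Python: every single request re-verifies a short-lived, signed token instead of trusting network location or an earlier login. The token scheme and all names are hypothetical, for illustration only – real implementations (BeyondCorp, mTLS, OAuth) are far more elaborate:

```python
import hashlib
import hmac
import time

SECRET = b"rotate-me-regularly"  # hypothetical shared signing key

def issue_token(user: str, ttl: int = 300) -> str:
    """Issue a short-lived signed token; nothing else will be trusted."""
    expiry = str(int(time.time()) + ttl)
    sig = hmac.new(SECRET, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{expiry}:{sig}"

def authorize(token: str) -> bool:
    """Re-verify identity and expiry on EVERY request -- no implicit
    trust in network location, session state or earlier checks."""
    try:
        user, expiry, sig = token.split(":")
    except ValueError:
        return False  # malformed token
    expected = hmac.new(SECRET, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # forged or tampered token
    if int(expiry) < time.time():
        return False  # expired: force re-authentication
    return True       # a real system would also evaluate per-resource policy
```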
Back to the ‘how did we get here’ question – we’ve seen that the situation changed dramatically the day our data got value, became a commodity. It actually happened when we got computers. The change had already started when the doctor examined my tonsils 50 years ago and took a note of his findings. The findings never made it to a digital file, but other data from that same year did, including my tax records and the fact that I didn’t have any income. I was a teenager.
From there it accelerated: The amount of data collected exploded, and so did the ability to combine those data into higher levels of knowledge. Still, the level of trust in the equation was significant. We trusted the IRS, or whatever the local tax authorities were called. We trusted the hospitals and the school boards. Case in point: In 1989 I was involved in a project to build a comprehensive medical journal system for one of Norway’s largest hospitals. Part of the project was to get the National Population Register into the new system, which entailed converting the data (forgive the technicalities) from IBM EBCDIC fixed records to ASCII variable record format, plus a bunch of numeric and date conversions. The point is this: I was the resident ‘data conversion expert’, and out of the blue two 10.5″ magnetic tape reels landed on my desk. 4.5 million records. Names, social security numbers, addresses, birth dates and much more for every single one of the country’s citizens. Conversion expected to be ready by the next day.
No problem, it was an inspiring challenge, but the point is trust: It didn’t occur to anyone that I could easily copy the tapes. And it didn’t occur to me to do so. We were concerned about security, but trust was implicitly expected – and delivered. A mindset – no trust, no business, no survival.
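For the technically curious, the core of that conversion is trivial by today’s standards. A minimal sketch in Python, with a made-up record length and the common ‘cp037’ EBCDIC codepage standing in for whatever the tapes actually used (the real job also had to handle packed-decimal numbers and date fields, which plain codepage decoding can’t):

```python
RECORD_LEN = 200  # hypothetical fixed record length; the real layout is long gone

def convert_records(infile: str, outfile: str) -> None:
    """EBCDIC fixed-length records in, ASCII variable-length lines out."""
    with open(infile, "rb") as src, \
         open(outfile, "w", encoding="ascii", errors="replace") as dst:
        while chunk := src.read(RECORD_LEN):
            text = chunk.decode("cp037").rstrip()  # decode EBCDIC, drop pad blanks
            dst.write(text + "\n")                 # the newline makes it variable-length
```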
The story underscores that the root cause of the privacy challenge isn’t the availability of digital technology, but the lack of trust. Digital technology exacerbates the situation by amplifying the value (and quantity) of data by orders of magnitude, thus changing the role of data in business and society in general. Not all data, as we’ve already discussed, but some. And – if there were trust, there would be no problem, right? Not only trust that data wouldn’t be abused, improperly collected, sold, bought etc., but trust in those entrusted to store and control access to the data. Of course it’s not that simple, but the assessment is useful on our path to understanding.
Of course there is still some trust left, but think about it: Do you really trust your physician to be there for you, or to always have your best interests in mind? You may trust your neighbour’s intentions, but do you think the schoolteacher takes an extra 5 minutes to look after a troubled kid, instead of heading to the gym ‘on time’? It’s all over the place, the point in our context being that we evolved from a high-trust, low-regulation society to a low-trust, highly regulated one. It works, but it’s fragile and it’s (still) deteriorating. Which is why this ‘call to understanding’ is important.
So let’s be honest: Most of us have little trust left – in authorities, law enforcement, the tax man, in Facebook and Google, in Apple, Schibsted, Walmart or Amazon. Not totally gone, as evidenced by the fact that most people still share all kinds of personal pictures and data on social media, in emails, text messages and many other digital channels – although possibly more because of the ‘don’t care’ factor than trust. And admittedly, at least in my part of the world, there is some trust left in selected authorities, including (I’m serious) the tax man. Also, many, maybe most, people in our parts of the world trust the big tech companies more than they trust their own politicians. An interesting ‘phenomenon’ by itself, and one for another day and time.
This brings us to the most fundamental of the challenges in the digital privacy realm: We need to redefine trust. We have already observed that without trust our society will break down, and that the changed value and role of data has all but eliminated the traditional concept of privacy. Rebuilding the old concept of trust via laws and regulations – which is what GDPR etc. tries to do – is futile and, as pointed out above, counterproductive.
A big challenge indeed, and one that may seem overwhelming. The entire world needs a new concept of trust, a new metric, on all levels. The challenge is not only to create it, but to get the world on board. Who can do that? Biden? The UN? The EU? No, none of them. The challenge falls upon us, and if we’re smart, it’s not as daunting as it may seem. Small groups and individuals cause big changes all the time, probably more often than authorities and big organizations do. Malala, Zelenskij, Thunberg, MLK, to name a few. Individuals, groups and companies that changed the world by following their conviction. Not least in the tech sector – and I don’t mean Bill Gates or Mark Zuckerberg, but people like Linus Torvalds and Tim Berners-Lee. The Internet itself was created by a small group of people. The new concept of trust will be created and eventually enforced by us.
This redefinition of trust is ongoing and encompasses all sides of society. Going digital changes the rules everywhere, which manifests itself in the fact that many people trust Google and Apple more than their bank and their government, and in the fact that the big companies have more money, power and clout than most countries. Blockchain-based systems are redefining commerce by encapsulating transactions in practically unbreakable and independent (as in ‘not belonging to any party’) trust mechanisms. This process of redefinition will not move ahead unless we – you and I and the others – get on board and contribute. By understanding, acting, moving, accepting, building, challenging. Which brings us back to the point made in the first paragraph: Understanding privacy and data – the value, the role, the flow and the ‘spread’.
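Before we get to ‘spread’, a quick aside on those blockchain trust mechanisms: the core idea fits in a few lines. A deliberately minimal Python sketch – a bare hash chain with made-up data, leaving out consensus, mining and signatures – to show where the trust actually lives:

```python
import hashlib
import json

def chain(transactions: list[dict]) -> list[dict]:
    """Link each transaction to its predecessor's hash -- the core
    trust mechanism behind blockchains, minus consensus and mining."""
    prev = "0" * 64  # genesis: no predecessor
    blocks = []
    for tx in transactions:
        block = {"tx": tx, "prev": prev}
        prev = hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()
        block["hash"] = prev
        blocks.append(block)
    return blocks

def verify(blocks: list[dict]) -> bool:
    """Anyone can re-check the chain: altering any record breaks every
    hash after it. Trust lives in the math, not in a trusted party."""
    prev = "0" * 64
    for b in blocks:
        if b["prev"] != prev:
            return False
        body = {"tx": b["tx"], "prev": b["prev"]}
        prev = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if b["hash"] != prev:
            return False
    return True
```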
Let’s talk about ‘spread’ or ‘proliferation’ for a second, because this is a dealbreaker as far as understanding is concerned. Before the digital age, data was data and data was valuable. Today data is everywhere: Created, consumed, processed, merged, cleaned, analyzed and discarded. A significant part of this humongous stream of bits has no value and shouldn’t have been created in the first place. Its existence is a result of sloppiness and lack of understanding, plus remnants of the old attitude I just mentioned: That data is inherently valuable. Another big part of the data we create has momentary value only and should be discarded immediately after use. Again the traditional attitude gets in the way, and the garbage is stored, adding to the already incredible wastelands of data being kept for no reason at all, just laziness and incompetence. Consuming lots of energy and disturbing or delaying access to ‘real data’ – data with real value.
Changing this situation is obviously critical for a number of reasons, not least the issue at hand: Trust. There is no way we can build a new metric of trust until we’ve understood the difference between data with value and digital garbage. Which underscores the importance of the new disciplines in the data realm: Data science, data engineering, data analytics, data management and a dozen more.
The whole notion that this is about the data owned by the user is wrong in an important way, and it makes us look for solutions in the wrong place. Most of the data used in adtech is not intrinsically valuable. Facebook has a business that makes it valuable (as does Google.)
Tim O’Reilly
Easy to ignore but very important in this context is the fact that the value of data is often contextual. A dataset may in and of itself be of marginal value, yet when combined with one or more other datasets, valuable knowledge can be extracted. This is also a key point in Tim O’Reilly’s ‘Data is the new sand’ article, although from a different angle. He discusses the growing misconception that our personal data – any person’s data – are inherently valuable. O’Reilly points out that the exact opposite is the case. Most of our data are void of value until someone makes the (significant) investment to make them useful, which may entail collecting huge quantities, developing algorithms, acquiring resources, devising targets, goals, business processes etc. Further, and adding to the validity of this picture, is the fact that most of these data – in particular those coming from web platforms, whether social, search, e-commerce or other – wouldn’t exist without those platforms. That is, the data collected from you and your activities on Facebook or Google arise from services they provide to you for free. So the value proposition is much more balanced than the picture activists and pundits like to paint. Without the service provider’s investment and the attractiveness of the service, the data would not exist.
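The ‘contextual value’ point deserves a concrete illustration. Here’s a minimal Python sketch with entirely made-up data: two datasets that reveal little on their own, yet re-identify people the moment they’re joined on shared quasi-identifiers – the classic linkage problem:

```python
# Hypothetical, made-up data: each dataset alone reveals little.
medical = [  # "anonymized" health records -- no names
    {"zip": "55101", "birth": "1971-03-02", "sex": "F", "diagnosis": "asthma"},
    {"zip": "55118", "birth": "1968-11-30", "sex": "M", "diagnosis": "diabetes"},
]
voters = [   # public voter roll -- names, but no health data
    {"name": "Jane Doe", "zip": "55101", "birth": "1971-03-02", "sex": "F"},
    {"name": "John Roe", "zip": "55118", "birth": "1968-11-30", "sex": "M"},
]

# Joining on the shared quasi-identifiers re-identifies the patients:
def key(r: dict) -> tuple:
    return (r["zip"], r["birth"], r["sex"])

names_by_key = {key(v): v["name"] for v in voters}
for rec in medical:
    print(names_by_key.get(key(rec)), "->", rec["diagnosis"])
# Jane Doe -> asthma
# John Roe -> diabetes
```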
So who owns the data? That may depend on which part of the data we’re talking about. It’s almost like shooting a video in a crowded street: Do the people who more or less accidentally happen to be there at the time own the shot, or do you, as the ‘camera owner’, have sole ownership?
The example should ring a bell for everyone, and isn’t only related to data. You’ve no doubt noticed that news footage these days is frequently blurred (‘pixelated’) – faces taken away to anonymize subjects and thus (allegedly) protect privacy. Excuse me, but this is naïveté bordering on stupidity. If someone is so afraid of being recognized in public, they should really stay at home – or at least keep away from public places. The risk of being filmed just about anywhere these days must be on the order of 50%. Not to mention the fact that creating digital anonymity via blurring doesn’t work. It may prevent a neighbour from recognizing you, but – as was demonstrated in a different context recently – advanced AI (e.g. GANs, Generative Adversarial Networks) can easily reverse even (seemingly) extreme blurring. There are no shortcuts.
So again, who owns the data? Privacy pundits want to change the question to ‘who controls the data’, but the difference doesn’t seem very significant. Reasonable logic would point to the platform provider – unless an agreement of sorts was entered into between the user and the provider before the data were generated or submitted. And this is pretty much where the issue stands today. Various governments are enforcing variants of GDPR with minimal effect on privacy. They simply force service providers to present agreements to the users, getting their consent to do whatever they’ve always done.
From the users’ perspective, GDPR & co. have added an annoying layer of incomprehensible gobbledygook to the services, which, when presented, sends the users desperately looking for the OK button so they can get rid of the disturbance and continue with their business. The single positive effect we observe is that the service providers have developed mechanisms for (partially) deleting data entered by (but rarely data generated by) the users.
Even worse: GDPR in general and the so-called Schrems verdicts in the EU have instilled fear in boardrooms and C-level management all over Europe for more than a year. Fearing huge fines and negative press, companies have initiated all kinds of projects and actions to protect against such disasters. This may sound OK to you, but it isn’t. It takes important attention and resources away from more important issues, in particular cyber security – an already underprioritized area that is haunting Europe and the rest of the world as WW3 commences digitally and Russia becomes ever more desperate in and around Ukraine.
Discrimination, not loss of privacy, is the actual harm that should be regulated. Treating loss of privacy as the harm has led the U.S. healthcare system to treat patient data as if it were toxic waste, impeding information sharing and slowing research.
Tim O’Reilly, Data is the New Sand
Bottom line – we need a new concept of trust and a new mindset to go with it. This will be the foundation of real, pragmatic digital privacy and a lot more. We will not get there, not even move in the right direction, as long as GDPR and its siblings are standing in the way, pretending to be part of the solution. They are the opposite.
The key is to understand the problem – problem solving 101, and we’re not even close. Plus, the plethora of open questions – some of them asked but not answered above – seems daunting. How do we define and create the new kind of trust? How do we build data regimes that work for both sides, businesses and users/individuals? And the question no one dares to ask: How do we get rid of the elephant in the room, aka GDPR?
We don’t have the answers yet. None of us have been here before. We’re building the road as we walk – and we know quite a bit about what doesn’t work, including using history for guidance. My 50-year-old trust examples may seem enticing, but they’re only inspiration, reminders of what trust can do, not goals. What we need ahead is very different.
One thing is certain – without a new mindset, we’re not getting anywhere.