5/27/2019

Maciej Cegłowski on GDPR

Excerpts from his 15-page PDF presented at the U.S. Senate Committee on Banking, Housing, and Urban Affairs:
The plain language of the GDPR is so plainly at odds with the business model of surveillance advertising that contorting the real-time ad brokerages into something resembling compliance has required acrobatics that have left essentially everybody unhappy. 
The leading ad networks in the European Union have chosen to respond to the GDPR by stitching together a sort of Frankenstein's monster of consent, a mechanism whereby a user wishing to visit, say, a weather forecast page is first prompted to agree to share data with a consortium of 119 entities, including the aptly named "A Million Ads" network. The user can scroll through this list of intermediaries one by one, or give or withhold consent en bloc, but either way she must wait a further two minutes for the consent collection process to terminate before she is allowed to find out whether or not it is going to rain.
This majestically baroque consent mechanism also hinders Europeans from using the privacy preserving features built into their web browsers, or from turning off invasive tracking technologies like third-party cookies, since the mechanism depends on their being present. 
For the average EU citizen, therefore, the immediate effect of the GDPR has been to add friction to their internet browsing experience along the lines of the infamous 2011 EU Privacy Directive (“EU cookie law”) that added consent dialogs to nearly every site on the internet. 
The GDPR rollout has also demonstrated to what extent the European ad market depends on Google, who has assumed the role of de facto technical regulatory authority due to its overwhelming market share. Google waited until the night before the regulation went into effect to announce its intentions, leaving ad networks scrambling.
It is significant that Google and Facebook also took advantage of the US-EU privacy shield to move 1.5 billion non-EU user records out of EU jurisdiction to servers in the United States. Overall, the GDPR has significantly strengthened Facebook and Google at the expense of smaller players in the surveillance economy. 
The data protection provisions of the GDPR, particularly the right to erase, imposed significant compliance costs on internet companies. In some cases, these compliance costs just show the legislation working as intended. Companies who were not keeping adequate track of personal data were forced to retrofit costly controls, and that data is now safer for it. 
But in other cases, companies with a strong commitment to privacy also found themselves expending significant resources on retooling. Personally identifying information has a way of seeping in to odd corners of computer systems (for example, users will sometimes accidentally paste their password into a search box), and tracking down all of these special cases can be challenging in a complex system. The requirements around erasure, particularly as they interact with backups, also impose a special burden, as most computer systems are designed with a bias to never losing data, rather than making it easy to expunge. 
A final, and extremely interesting outcome of the GDPR, was an inadvertent experiment conducted by the New York Times. Privacy advocates have long argued that intrusive third-party advertising does not provide more value to publishers than the traditional pre-internet style of advertising based off of content, but there has never been a major publisher willing to publicly run the experiment. 
The New York Times tested this theory by cutting off all ad networks in Europe, and running only direct sold ads to its European visitors. The paper found that ad revenue increased significantly, and stayed elevated into 2019, bolstering the argument that surveillance-based advertising offers no advantage to publishers, and may in fact harm them. 
The Limits of Consent 
While it is too soon to draw definitive conclusions about the GDPR, there is a tension between its concept of user consent and the reality of a surveillance economy that is worth examining in more detail. 
A key assumption of the consent model is any user can choose to withhold consent from online services. But not all services are created equal—there are some that you really can’t say no to. 
Take the example of Facebook. Both landlords and employers in the United States have begun demanding to see Facebook accounts as a condition of housing or employment. The United States Border Patrol has made a formal request to begin collecting social media to help vet people arriving in the country. In both those contexts, not having a Facebook account might stand out too much to be a viable option. Many schools now communicate with parents via Facebook; Facebook groups are also the locus for political organizing and online activism across the political spectrum.
Analogous arguments can be made for social products offered by the other major tech companies. But if you can’t afford to opt out, what does it mean to consent?
Opting out can also be impossible because of how deeply the internet giants have embedded themselves in the fabric of the internet. For example, major media properties in the EU use a technology called ReCaptcha on their GDPR consent forms. These forms must be completed before a user can access the website they are gathering consent for, but since the ReCaptcha service is run by Google, and the form cannot be submitted without completing the Google-generated challenge (which incidentally performs free image classification labor for the company), a user who refuses to give Google access to her browser will find herself denied access to a large portion of the internet.
 
While this specific example may change when it comes to the attention of an EU regulator, the broader issue remains. The sheer reach of the tech oligopoly makes it impossible to avoid using their services. When a company like Google controls the market-leading browser, mobile operating system, email service and analytics suite, exercises a monopoly over search in the EU, runs the largest ad network in Europe, and happens to own many of the undersea cables that connect Europe to the rest of the world, how do you possibly say 'no'?
...
For example, anyone visiting the popular Tumblr blogging platform from a European IP address must first decide whether to share data with Tumblr’s 201 advertising partners, and read five separate privacy policies from Tumblr’s several web analytics providers.
Despite being a domain expert in the field, and spending an hour clicking into these policies, I am unable to communicate what it is that Tumblr is tracking, or what data of mine will be used for what purposes by their data partners (each of whom has its own voluminous terms of service). This opacity exists in part because the intermediaries have fought hard to keep their business practices and data sharing processes a secret, even in the teeth of strong European regulation.
 
Organizations like the Interactive Advertising Bureau Europe (IABE) defeat the spirit of the GDPR by bundling consent and requiring it across many ad-supported properties in Europe. If regulators block the bundling in its current incarnation, it will no doubt rise from the dead in a modified form, reflecting the undying spirit of surveillance advertising. But at no point will internet users have the information they would need to make a truly informed choice (leaving aside the ridiculousness of requiring a legal education and two hours of sustained close reading in order to watch a cat video).
...
The paradigm of automatic ownership of personal data does not mesh well with a world where such private data can not only be interpolated and reconstructed, but independently discovered by an algorithm!
 
And if I can infer such important facts about your life by applying machine learning to public data, then I have deprived you of privacy just as effectively as I would have by direct eavesdropping. 
In order to talk meaningfully about consent in online systems, the locus of regulation will need to expand beyond data collection, to cover how those data collections, and the algorithms trained on them, are used. But to do this, we will first need far greater visibility into the workings of surveillance-dependent tech companies than they have so far been willing to grant us. 
As it stands, the consent framework exemplified in the GDPR is simply not adequate to safeguard privacy. ...
