The problem with privacy fanaticism
11 February 2022 (Athens, Greece) – Yesterday I posted a piece that explained why any notion of data privacy is dead. I tried to show why the regulatory state fails time and time again because it fails to understand (as do quite a few people) that technology must be seen through the lens of the reconstruction of the political economy: the ongoing shift from an industrial mode of development to an informational one. Regulatory institutions continue to struggle in the era of informational capitalism because they simply cannot understand what is happening. Regulatory processes are befuddled by the regulatory issues and problems created by information markets and networked information and communications technologies. Nor do they understand our technological dependency. So many people simply do not understand that we live in a massively intermediated, platform-based environment, with endless network effects, commercial layers, and inference data points.
My piece generated great social media metrics: a 32% open rate and an average 2.3 minute read rate. Plus about 160 email responses. I want to continue that post today with some material I had left out.
At a certain point EU privacy regulators will realize that when an EU citizen requests a U.S. internet resource, they provide a U.S. server with their IP address – an address that is is Personal Identifiable Information (PII). And the U.S. Central Intelligence Agency and the U.S. National Security Agency could record that. So it is therefore illegal to provide any internet resource to anyone in the EU under existing EU data protection schemes.
This is the problem with privacy fanaticism: the internet is not a broadcast medium. If you ban any two-way flow of data of any kind whatsoever, then you’re not protecting privacy – in fact you’ve forgotten about privacy. You’re just banning the whole concept of a network.
If you look at this issue and say that this is the EU making Facebook or Big Tech “respect privacy” then you are, politely, a fool. This has nothing to do with Facebook. It is, in principle, a demand that computers not talk to each other over networks.
And I know the argument. If I’m a U.S. company on one of the cloud providers, what’s the hardship of setting up an account in the EU directing my EU traffic to that account? Well, not quite. That might work for anonymous web traffic, but not so well for a user database. If I like your Instagram post, where is that “like” stored? Is that a meaningful question?
The legal objection ignores what the company does with the data as laid out in this piece about a German court fining an unidentified website for violating EU privacy law by … wait for it … importing a Google-hosted web font which revealed an EU IP address. The decision says IP addresses represent personal data because it’s theoretically possible to identify the person associated with an IP address, and that it’s irrelevant whether the website or Google has actually did so. And this comes on the heels of the decision by Austria’s data protection authority that found the use of Google Analytics violated the law.
SIDE NOTE: what’s especially absurd about the German font case is that the website visitor was on a “dynamic” IP address, one that might change the next time she connects. Identifying the customer requires a deep dive into the ISP’s logs. But it can be done.
But this just raises an issue I have raised time and time again: every web site these days include heaps of javascript, trackers, adverts, etc., etc., which are hosted elsewhere, everywhere. All of these collect information. As I have noted, you need special software to track all of this stuff. This all feeds into the General Data Protection Regulation (GDPR) problem over “transparency” and why EU citizens are struggling with “Data Privacy and Data Subject Access Requests” (DSARs) mandated under the GDPR: if you don’t know where your data is going, how can you ever hope to keep it private? (DSARs are a sham but data privacy vendors will not tell you that because they need to make money from their services. I detailed all of this in my monograph “The Good, the Bad and the Ugly of DSARs”).
I understand that web sites have a monetary need to track readers or viewers or participants. I understand the “need” for adverts on otherwise free web sites in quite a few (most?) cases. But does a single web site need multiple traffic analysis scripts? Before anyone answers, I already know the answer. My question is based on actual “need” not “hey, the more data the better!!” Or if you have the skill set, take a look at IBM’s very own weather.com sometime. What a clusterfuck. I counted 12 layers of redirection. For a local weather report. This is progress?
Of course, I’d also like to talk about the issue that websites (particularly e-commerce websites) are thereby creating enormously wasteful bandwidth by the sheer breadth of internet-wide resources that they require. So much website flab. Advice: if your browser will let you, toggle the accessibility options to ignore the site-specified fonts/colors and only use the system defaults. This should speed up the page load times by skipping all the attempts to load any fonts, leaving it to the browser to use the ones you’re already using.
So the mantra “be careful where you browse to” has become meaningless when apparently “safe” web sites are full of information gathering code hosted on sites that I have never directly visited. The tentacles run everywhere.
And it also leads to the bigger issue: the EU courts and regulators are defining legitimate and illegitimate purpose in ways no one on the Internet would recognise. In the above example, using Google fonts has turned out to be an illegitimate use, because Google gets an IP address – and you really don’t “need” those fonts, says the court.
BOTTOM LINE: The EU’s GDPR doctrine effectively bans U.S. companies from providing Internet services to EU citizens. It’s now a tool to penalize American tech companies at will with huge fines or banning use of their services. It’s way beyond a privacy law and is now instead a geopolitical tool.