When you want the truth on controversial media matters, one great place to look is the Pew Research Center, somewhat ironically located in Washington D.C. Its top Internet researcher, Lee Rainie, just completed a study about privacy, centering on Facebook. What did he find?
A lot of things, but among them: “We consistently find that there’s a paradox at the center of generalized privacy research,” Rainie told the Washington Post. “Americans, being Americans, say that it matters, but they behave in a way that doesn’t indicate that it matters.”
That’s a mouthful: People don’t act like it matters. If those same people had caught a peeping Tom looking in their window at night, I can guarantee they would start closing their curtains. At least regarding privacy, then, context can be the difference between intrusion and so-what.
Not a shock. But what’s shocking is that massive regulations about Internet privacy are based on research no doubt subject to the same “paradox.”
While I don’t know exactly how the EU handled the research underlying the General Data Protection Regulation (GDPR), the following is a decent hypothesis: People are asked whether they object to privacy being violated by websites. They do. Then they are asked: do they mind their data being taken by websites? Ugh, of course they do!
But the framing predisposes the answer. A survey full of loaded questions is proof of nothing. But all this nothing turns quickly into something in the hands of zealous regulators: huge fines, and huge legal bills as tech companies and publishers scramble to contain liability.
Not dangerous until weaponized
So it seems as if the GDPR, in part, sits on an assumption that is less an inconvenient truth, and more like a convenient falsehood. The falsehood is that consumers are harmed by companies gathering data about them. Harm happens after data gets weaponized, which is normally the result of data being stolen from people who collected it. The thieves are cybercriminals who aim to take money from credit cards, bank accounts, or advertisers.
Two aspects of privacy regulation impact companies the most. In one aspect, the GDPR can penalize companies that control consumer data if it gets stolen.
These companies should be penalized. Their cost optimization has put their customers at risk. Unfortunately, the only practical way to discover breaches is declaration by the party from whom the data was stolen — that is, the victim. Then the victim gets fined. Oops.
Another part of the regulation limits collection of data from websites. This part causes heart palpitations for almost every digital media company, exposing them to huge fines for something they have been doing, apparently without hurting anyone, since the inception of the web.
So, by mixing up massive corporate breaches (like the Equifax theft) with trivial record-keeping (like a server setting a cookie), the GDPR (and its U.S. copycat laws) manage to make harmless acts look scary, while allowing scary stuff to go undetected.
Investments in detection and prevention seem like obvious countermeasures, but who is motivated to make those investments?
Regarding data collection, the GDPR puts every publisher, measurement company, analytics company, etc. large and small, under the harsh gaze of EU enforcement for acts that seemingly hurt no one, while utterly failing to put into place the fundamental technologies, principles, and infrastructures required to catch and punish cybercriminals.
If someone wants to know what websites I’ve been to, it’s easy to find out, but no one bothers because it’s not worth it. “Privacy” does not mean that no one can see you do anything. It usually violates our sensibilities only when someone has intentionally thwarted an attempt to keep something private.
Politics is a technology problem — or, the opposite.
The systemic fix for web security is going to require investment in infrastructure, compromises to some freedoms (like having a driver’s license), and a vision as clear and persistent as the vision that built the internet in the first place.
How does U.S. law regard fines by the EU to U.S. companies? Are our international police powers strong enough to nail cybercriminals, quickly and efficiently, from anywhere on the planet? What is privacy in the face of universal surveillance? Are governments exempt? What if every country and U.S. state has its own legislation?
There are more questions than answers, and that’s OK. What seems unfair is for Europe to turn American technology into a revenue stream by caveat, justified by a paradox.