GDPR

You are currently browsing articles tagged GDPR.

If the GDPR did what it promised to do, we’d be celebrating Privmas today. Because, two years after the GDPR became enforceable, privacy would now be the norm rather than the exception in the online world.

That hasn’t happened, but it’s not just because the GDPR is poorly enforced.  It’s because it’s too easy for every damn site on the Web—and every damn business with an Internet connection—to claim compliance to the letter of GDPR while violating its spirit.

Want to see how easy? Try searching for GDPR+compliance+consent:

https://www.google.com/search?q=gdpr+compliance+consent

Nearly all of the ~21,000,000 results you’ll get are from sources pitching ways to continue tracking people online, mostly by obtaining “consent” to privacy violations that almost nobody would welcome in the offline world—exactly the kind of icky practice that the GDPR was meant to stop.

Imagine if there was a way for every establishment you entered to painlessly inject a load of tracking beacons into your bloodstream without you knowing it. And that these beacons followed you everywhere and reported your activities back to parties unknown. Would you be okay with that? And how would you like it if you couldn’t even enter without recording your agreement to accept being tracked—on a ledger kept only by the establishment, so you have no way to audit their compliance to the agreement, whatever it might be?

Well, that’s what you’re saying when you click “Accept” or “Got it” when a typical GDPR-complying website presents a cookie notice that says something like this:

That notice is from Vice, by the way. Here’s how the top story on Vice’s front page looks in Belgium (though a VPN), with Privacy Badger looking for trackers:

What’s typical here is that a publication, with no sense of irony, runs a story about privacy-violating harvesting of personal data… while doing the same. (By the way, those red sliders say I’m blocking those trackers. Were it not for Privacy Badger, I’d be allowing them.)

Yes, Google says you’re anonymized somehow in both DoubleClick and Google Analytics, but it’s you they are stalking. (Look up stalk as a verb. Top result: “to pursue or approach prey, quarry, etc., stealthily.” That’s what’s going on.)

The main problem with the GDPR is that it effectively requires that every visitor to every website opt out of being tracked, and to do so (thank you, insincere “compliance” systems) by going down stairs into the basements of website popovers to throw tracking choice toggles to “off” positions which are typically defaulted on when you get there.

Again, let’s be clear about this: There is no way for you to know exactly how you are being tracked or what is done with information gathered about you. That’s because the instrument for that—a tool on your side—isn’t available. It probably hasn’t even been invented. You also have no record of agreeing to anything. It’s not even clear that the site or its third parties have a record of that. All you’ve got is a cookie planted deep in your browser’s bowels, designed to announce itself to other parties everywhere you go on the Web. In sum, consenting to a cookie notice leaves nothing resembling an audit trail.

Oh, and the California Consumer Protection Privacy Act (CCPA) makes matters worse by embedding opt-out into law there, while also requiring shit like this in the opt-out basement of every website facing a visitor suspected of coming from that state:

CCPA notice

So let’s go back to a simple privacy principle here: It is just as wrong to track a person like a marked animal in the online world as it is in the offline one.

The GDPR and the CCPA were made to thwart that kind of thing. But they have failed. Instead, they have made the experience of being tracked online a worse one.

Yes, that was not their intent. And yes, both have done some good. But if you are any less followed online today than you were when the GDPR became enforceable two years ago, it’s because you and the browser makers have worked to thwart at least some tracking. (Though in very different ways, so your experience of not being followed is not a consistent one. Or even perceptible in many cases.)

So tracking remains worse than rampant: it’s defaulted practice for both advertising and site analytics. And will remain so until we have code, laws and enforcement to stop it.

So, nothing to celebrate. Not this Privmas.

Tags: , ,

The term “fake news” was a casual phrase until it became clear to news media that a flood of it had been deployed during last year’s presidential election in the U.S. Starting in November 2016, fake news was the subject of strong and well-researched coverage by NPR (here and here), Buzzfeed, CBS (here and here), Wired, the BBC, Snopes, CNN (here and here), Rolling Stone and others. It thus became a thing…

… until Donald Trump started using it as an epithet for news media he didn’t like. He did that first during a press conference on February 16, and then the next day on Twitter:

And he hasn’t stopped. To Trump, any stick he can whup non-Fox mainstream media with is a good stick, and FAKE NEWS is the best.

So that pretty much took “fake news,” as a literal thing, off the table for everyone other than Trump and his amen chorus.

So, since we need a substitute, I suggest decoy news. Because that’s what we’re talking about: fabricated news meant to look like the real thing.

But the problem is bigger than news alone, because advertising-funded media have been in the decoy business since forever. (Example: sensationalism in tabloids.) The difference in today’s digital world is that it’s a lot easier to fabricate a decoy story than to research and produce a real one—and it pays just as well, or even better. Let’s face it: non-journalists and algorithms churning out and/or elevating the placements of heart- and eyeball-bait (e.g. “Pope Endorses Trump”) are both cheap to run and good at producing advertising income.

When you outsource editorial judgement to machines, and those machines are rigged to bait clicks and drive engagement, and that engagement pays the publishers, you’ve got a business that can’t help prioritizing and improving decoy news. (Also one that depends of the practice of marking and tracking people. If doing that wasn’t outright wrong, we wouldn’t now have the GDPR as proof of it.)

As a result, adtech (tracking-based advertising) has compromised and marginalized actual journalism to such an extreme degree that “editorial” (which journalism produced) has been devalued and displaced by “content production” (which cheap labor and machines can produce).

We can see one tragic result in a New York Times story titled In New Jersey, Only a Few Media Watchdogs Are Left, by David Chen (@davidwchen). In it he reports that “The Star-Ledger, which almost halved its newsroom eight years ago, has mutated into a digital media company requiring most reporters to reach an ever-increasing quota of page views as part of their compensation.”

This calls to mind how “Saturday Night Live” in 1977 introduced the Blues Brothers in a skit where Paul Shaffer, playing rock impresario Don Kirshner, proudly said the Brothers were “no longer an authentic blues act, but have managed to become a viable commercial product.”

To operate a viable commercial product in our Digital Age, news has become mostly a content production business, paid for by adtech, which is entirely driven by algorithms informed by surveillance-gathered personal data. The result looks like this:

To fully grok how we got here, it is essential to understand the difference between advertising and direct marketing, and how nearly all of online advertising is now the latter. I describe the shift from former to latter in Separating Advertising’s Wheat and Chaff:

Advertising used to be simple. You knew what it was, and where it came from.

Whether it was an ad you heard on the radio, saw in a magazine or spotted on a billboard, you knew it came straight from the advertiser through that medium. The only intermediary was an advertising agency, if the advertiser bothered with one.

Advertising also wasn’t personal. Two reasons for that.

First, it couldn’t be. A billboard was for everybody who drove past it. A TV ad was for everybody watching the show. Yes, there was targeting, but it was always to populations, not to individuals.

Second, the whole idea behind advertising was to send one message to lots of people, whether or not the people seeing or hearing the ad would ever use the product. The fact that lots of sports-watchers don’t drink beer or drive trucks was beside the point, which was making brands sponsoring a game familiar to everybody watching it.

In their landmark study, “The Waste in Advertising is the Part that Works” (Journal of Advertising Research, December, 2004, pp. 375–390), Tim Ambler and E. Ann Hollier say brand advertising does more than signal a product message; it also gives evidence that the parent company has worth and substance, because it can afford to spend the money. Thus branding is about sending a strong economic signal along with a strong creative one.

Plain old brand advertising also paid for the media we enjoyed. Still does, in fact. And much more. Without brand advertising, pro sports stars wouldn’t be getting eight and nine figure contracts.

But advertising today is also digital. That fact makes advertising much more data-driven, tracking-based and personal. Nearly all the buzz and science in advertising today flies around the data-driven, tracking-based stuff generally called adtech. This form of digital advertising has turned into a massive industry, driven by an assumption that the best advertising is also the most targeted, the most real-time, the most data-driven, the most personal — and that old-fashioned brand advertising is hopelessly retro.

In terms of actual value to the marketplace, however, the old-fashioned stuff is wheat and the new-fashioned stuff is chaff. In fact, the chaff was only grafted on recently.

See, adtech did not spring from the loins of Madison Avenue. Instead its direct ancestor is what’s called direct response marketing. Before that, it was called direct mail, or junk mail. In metrics, methods and manners, it is little different from its closest relative, spam.

Direct response marketing has always wanted to get personal, has always been data-driven, has never attracted the creative talent for which Madison Avenue has been rightly famous. Look up best ads of all time and you’ll find nothing but wheat. No direct response or adtech postings, mailings or ad placements on phones or websites.

Yes, brand advertising has always been data-driven too, but the data that mattered was how many people were exposed to an ad, not how many clicked on one — or whether you, personally, did anything.

And yes, a lot of brand advertising is annoying. But at least we know it pays for the TV programs we watch and the publications we read. Wheat-producing advertisers are called “sponsors” for a reason.

So how did direct response marketing get to be called advertising ? By looking the same. Online it’s hard to tell the difference between a wheat ad and a chaff one.

Remember the movie “Invasion of the Body Snatchers?” (Or the remake by the same name?) Same thing here. Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.

It is now an article of faith within today’s brain-snatched advertising business that the best ad is the most targeted and personalized ad. Worse, almost all the journalists covering the advertising business assume the same thing. And why wouldn’t they, given that this is how advertising is now done online, especially by the Facebook-Google duopoly.

And here is why those two platforms can’t fix it: both have AI machines built to give millions of advertising customers ways to target the well-studied eyeballs of billions of people, using countless characterizations of those eyeballs.In fact, the only (and highly ironic) way they can police bad acting on their platforms is by hiring people who do nothing but look for that bad acting.

One fix is regulation. We now have that, hugely, with the General Data Protection Regulation (GDPR). It’s an EU law, but it protects the privacy of EU citizens everywhere—with potentially massive fines. In spirit, if not also in letter (which the platforms are struggling mightily to weasel around), the GDPR outlaws tracking people like tagged animals online. I’ve called the GDPR an extinction event for adtech, and the main reason brands (including the media kind) need to fire it.

The other main fixes begin on the personal side. Don Marti (@dmarti) tweets, “Build technologies to implement people’s norms on sharing their personal data, and you’ll get technologies to help high-reputation sites build ad-supported business models ABSOLUTELY FREE!” Those models are all advertising wheat, not adtech chaff.

Now here’s the key: what we need most are single and simple ways for each of us to manage all our dealings with other entities online. Having separate means, each provided by the dozens or hundreds of sites and services we each deal with, all with different UIs, login/password gauntlets, forms to fill out, meaningless privacy policies and for-lawyers-only terms of service, cannot work. All that shit may give those companies scale across many consumers, but every one of them only adds to those consumers’ relationship overhead. I explain how this will work in Giving Customers Scale, plus many other posts, columns and essays compiled in my People vs. Adtech series, which is on its way to becoming a book. I’d say more about all of it, but need to catch a plane. See you on the other coast.

Meanwhile, the least we can do is start talking about decoy news and the business model that pays for it.

[Later…] I’m on the other coast now, but preoccupied by the #ThomasFire threatening our home in Santa Barbara. Since this blog appears to be mostly down, I’m writing about it at doc.blog.

 

 

 

Tags: , ,